T6617: T6618: vpn ipsec remote-access: fix profile generators (backport #3903) #3921

Merged
merged 1 commit into from
Aug 2, 2024


mergify[bot]

@mergify mergify bot commented Aug 1, 2024

Change Summary

This fixes several issues with the iOS and Windows remote access VPN profile generators (generate ipsec profile) not working correctly in certain scenarios.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6617
https://vyos.dev/T6618

Related PR(s)

Component(s) name

vpn ipsec remote-access

Proposed changes

This updates both the iOS and Windows profile generators.

How to test

Within edit vpn ipsec:

set ike-group ClientVPN-Client key-exchange 'ikev2'
set ike-group ClientVPN-Client lifetime '0'
set ike-group ClientVPN-Client proposal 1 dh-group '19'
set ike-group ClientVPN-Client proposal 1 encryption 'aes256gcm128'
set ike-group ClientVPN-Client proposal 1 hash 'sha256'
set esp-group ClientVPN-Client lifetime '3600'
set esp-group ClientVPN-Client pfs 'enable'
set esp-group ClientVPN-Client proposal 1 encryption 'aes256gcm128'
set esp-group ClientVPN-Client proposal 1 hash 'sha256'
set remote-access connection ClientVPN authentication client-mode 'x509'
set remote-access connection ClientVPN authentication local-id 'router.test.com'
set remote-access connection ClientVPN authentication server-mode 'x509'
set remote-access connection ClientVPN authentication x509 ca-certificate <CA CERT ID>
set remote-access connection ClientVPN authentication x509 certificate <SERVER CERT ID>
set remote-access connection ClientVPN dhcp-interface 'eth0'
set remote-access connection ClientVPN esp-group 'ClientVPN-Client'
set remote-access connection ClientVPN ike-group 'ClientVPN-Client'
set remote-access connection ClientVPN pool 'Client-Pool-v4'
set remote-access pool Client-Pool-v4 prefix 10.10.10.0/24

Commit and then try:
generate ipsec profile ios-remote-access ClientVPN remote router.test.com
generate ipsec profile windows-remote-access ClientVPN remote router.test.com

Smoketest result

N/A

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

This is an automatic backport of pull request #3903 done by [Mergify](https://mergify.com).

@mergify mergify bot requested a review from a team as a code owner August 1, 2024 05:52
@github-actions github-actions bot added the sagitta VyOS 1.4 LTS label Aug 1, 2024

github-actions bot commented Aug 1, 2024

👍
No issues in PR Title / Commit Title


github-actions bot commented Aug 1, 2024


warning: Unused directories imported from vyos.defaults in src/conf_mode/system_console.py:25.

@c-po c-po enabled auto-merge August 1, 2024 05:54
@c-po c-po merged commit ede841f into sagitta Aug 2, 2024
7 of 8 checks passed
@mergify mergify bot deleted the mergify/bp/sagitta/pr-3903 branch August 2, 2024 12:43
Labels
sagitta VyOS 1.4 LTS
4 participants