Skip to content

Commit

Permalink
T264: IPsec add base64 encoded secret-type feature
Browse files Browse the repository at this point in the history
Add the ability to configure base64 encoded passwords for
VPN IPSec site-to-site peers

authentication psk PSK secret 'xxxxx=='
authentication psk PSK secret-type <base64|plaintext>
  • Loading branch information
sever-sever committed Nov 20, 2024
1 parent 8f76c96 commit 4d45698
Show file tree
Hide file tree
Showing 3 changed files with 49 additions and 2 deletions.
6 changes: 6 additions & 0 deletions data/templates/ipsec/swanctl.conf.j2
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,13 @@ secrets {
id-{{ gen_uuid }} = "{{ id }}"
{% endfor %}
{% endif %}
{% if psk_config.secret_type is vyos_defined('base64') %}
secret = 0s{{ psk_config.secret }}
{% elif psk_config.secret_type is vyos_defined('plaintext') %}
secret = "{{ psk_config.secret }}"
{% else %}
secret = "{{ psk_config.secret }}"
{% endif %}
}
{% endfor %}
{% endif %}
Expand Down
12 changes: 12 additions & 0 deletions interface-definitions/vpn_ipsec.xml.in
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,18 @@
</valueHelp>
</properties>
</leafNode>
<leafNode name="secret-type">
<properties>
<help>Secret type</help>
<completionHelp>
<list>base64 plaintext</list>
</completionHelp>
<constraint>
<regex>(base64|plaintext)</regex>
</constraint>
</properties>
<defaultValue>plaintext</defaultValue>
</leafNode>
</children>
</tagNode>
</children>
Expand Down
33 changes: 31 additions & 2 deletions smoketest/scripts/cli/test_vpn_ipsec.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

import base64
import os
import unittest

Expand Down Expand Up @@ -106,6 +107,32 @@
CERT_PATH = f'{swanctl_dir}/x509/'
CA_PATH = f'{swanctl_dir}/x509ca/'


def _encode_to_base64(input_string):
"""
Encodes a given string to its base64 representation.
Args:
input_string (str): The string to be encoded.
Returns:
str: The base64-encoded version of the input string.
Example:
input_string = "Hello, World!"
encoded_string = _encode_to_base64(input_string)
print(encoded_string) # Output: SGVsbG8sIFdvcmxkIQ==
"""
# Convert the string to bytes
byte_string = input_string.encode('utf-8')

# Encode the byte string to base64
encoded_string = base64.b64encode(byte_string)

# Decode the base64 bytes back to a string
return encoded_string.decode('utf-8')


class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
skip_process_check = False

Expand Down Expand Up @@ -495,6 +522,7 @@ def test_flex_vpn_vips(self):
local_id = 'vyos-r1'
remote_id = 'vyos-r2'
peer_base_path = base_path + ['site-to-site', 'peer', connection_name]
secret_base64 = _encode_to_base64(secret)

self.cli_set(tunnel_path + ['tun1', 'encapsulation', 'gre'])
self.cli_set(tunnel_path + ['tun1', 'source-address', local_address])
Expand All @@ -509,7 +537,8 @@ def test_flex_vpn_vips(self):
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', remote_id])
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', local_address])
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', peer_ip])
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret', secret])
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret', secret_base64])
self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret-type', 'base64'])

self.cli_set(peer_base_path + ['authentication', 'local-id', local_id])
self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
Expand Down Expand Up @@ -546,7 +575,7 @@ def test_flex_vpn_vips(self):
f'id-{regex_uuid4} = "{remote_id}"',
f'id-{regex_uuid4} = "{peer_ip}"',
f'id-{regex_uuid4} = "{local_address}"',
f'secret = "{secret}"',
f'secret = 0s{secret_base64}',
]

for line in swanctl_secrets_lines:
Expand Down

0 comments on commit 4d45698

Please sign in to comment.