diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index 698a9135ef..36045525f1 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -87,7 +87,13 @@ secrets {
 id-{{ gen_uuid }} = "{{ id }}"
 {% endfor %}
 {% endif %}
+{% if psk_config.secret_type is vyos_defined('base64') %}
+ secret = 0s{{ psk_config.secret }}
+{% elif psk_config.secret_type is vyos_defined('plaintext') %}
 secret = "{{ psk_config.secret }}"
+{% else %}
+ secret = "{{ psk_config.secret }}"
+{% endif %}
 }
 {% endfor %}
 {% endif %}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index d9d6fd93bb..5540021e23 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -41,6 +41,18 @@
+
+
+ Secret type
+
+ base64 plaintext
+
+
+ (base64|plaintext)
+
+
+ plaintext
+
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index de18d04274..057130578d 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+import base64
 import os
 import unittest
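Review bot: In the swanctl.conf.j2 hunk the `{% elif ... vyos_defined('plaintext') %}` and `{% else %}` branches render the identical `secret = "{{ psk_config.secret }}"` line, and since the new `secret-type` leaf in vpn_ipsec.xml.in is constrained to `(base64|plaintext)` with a default of `plaintext`, the `elif` is dead weight; collapsing to `{% if psk_config.secret_type is vyos_defined('base64') %} ... {% else %} ... {% endif %}` says the same thing in fewer lines. The base64 branch emits the value bare after the `0s` prefix, without the quoting the plaintext branch has, so a `secret` that is not well-formed base64 (embedded whitespace, characters outside the alphabet) would presumably be rejected by swanctl when the file is loaded rather than at commit time; nothing in this diff tightens the `secret` leaf's constraint when `secret-type base64` is selected. A verify-step check that the value decodes as base64 when `secret-type` is `base64` would surface a bad value at commit with a clear message instead of leaving the connection without a usable PSK.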
@@ -106,6 +107,32 @@
 CERT_PATH = f'{swanctl_dir}/x509/'
 CA_PATH = f'{swanctl_dir}/x509ca/'
+
+def _encode_to_base64(input_string):
+ """
+ Encodes a given string to its base64 representation.
+
+ Args:
+ input_string (str): The string to be encoded.
+
+ Returns:
+ str: The base64-encoded version of the input string.
+
+ Example:
+ input_string = "Hello, World!"
+ encoded_string = _encode_to_base64(input_string)
+ print(encoded_string) # Output: SGVsbG8sIFdvcmxkIQ==
+ """
+ # Convert the string to bytes
+ byte_string = input_string.encode('utf-8')
+
+ # Encode the byte string to base64
+ encoded_string = base64.b64encode(byte_string)
+
+ # Decode the base64 bytes back to a string
+ return encoded_string.decode('utf-8')
+
+
 class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 skip_process_check = False
@@ -495,6 +522,7 @@ def test_flex_vpn_vips(self):
 local_id = 'vyos-r1'
 remote_id = 'vyos-r2'
 peer_base_path = base_path + ['site-to-site', 'peer', connection_name]
+ secret_base64 = _encode_to_base64(secret)
 self.cli_set(tunnel_path + ['tun1', 'encapsulation', 'gre'])
 self.cli_set(tunnel_path + ['tun1', 'source-address', local_address])
@@ -509,7 +537,8 @@ def test_flex_vpn_vips(self):
 self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', remote_id])
 self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', local_address])
 self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', peer_ip])
- self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret', secret])
+ self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret', secret_base64])
+ self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret-type', 'base64'])
 self.cli_set(peer_base_path + ['authentication', 'local-id', local_id])
 self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
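Review bot: The `-509,7 +537,8` hunk switches the existing flex-VPN case from a plaintext PSK to `secret_base64` plus `secret-type base64`, so this test no longer asserts the quoted `secret = "..."` rendering that the default `secret-type plaintext` produces; unless another test in the file still checks that line (not visible in this diff), the plaintext branch of the template is left without coverage. Keeping the original plaintext `cli_set`/assert and adding the base64 variant as a second pass, or as its own test method, would exercise both template branches. Separately, `_encode_to_base64` in the `-106` hunk spends a 25-line body and step comments on what is one expression; `return base64.b64encode(input_string.encode('utf-8')).decode('ascii')` under the existing docstring reads more clearly and makes explicit that base64 output is ASCII. `test_flex_vpn_vips` begins before and ends after these hunks.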
@@ -546,7 +575,7 @@ def test_flex_vpn_vips(self):
 f'id-{regex_uuid4} = "{remote_id}"',
 f'id-{regex_uuid4} = "{peer_ip}"',
 f'id-{regex_uuid4} = "{local_address}"',
- f'secret = "{secret}"',
+ f'secret = 0s{secret_base64}',
 ]
 for line in swanctl_secrets_lines:
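Review bot: The new `f'secret = 0s{secret_base64}'` entry interpolates a base64 string into a list that, judging by the `regex_uuid4` placeholder on the neighbouring lines, is matched as regular expressions; base64 output can contain `+`, `/` and `=`, and an unescaped `+` changes the pattern's meaning, so the assertion could pass or fail for the wrong reason depending on what `secret` encodes to. Escaping the literal part, `f'secret = 0s{re.escape(secret_base64)}'` (with `re` imported if it is not already), keeps the match exact. Whether the loop below really uses `re` cannot be confirmed from this hunk, since the loop body and the rest of `test_flex_vpn_vips` lie outside it.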