-
Notifications
You must be signed in to change notification settings - Fork 340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
T264: IPsec add base64 encoded secret-type feature #4198
Conversation
👍 |
data/templates/ipsec/swanctl.conf.j2
Outdated
secret = "{{ psk_config.secret }}" | ||
{% else %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If secret_type
has a defaultValue
in XML there is no need for a else
code path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to play it safe and make a fallback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If
secret_type
has adefaultValue
in XML there is no need for aelse
code path.
done!
@@ -106,6 +107,32 @@ | |||
CERT_PATH = f'{swanctl_dir}/x509/' | |||
CA_PATH = f'{swanctl_dir}/x509ca/' | |||
|
|||
|
|||
def _encode_to_base64(input_string): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably a good candidate for vyos.utils.convert
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It probably is, we can move it there is more use cases for it arise for sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moved to vyos.utils.convert
@@ -106,6 +107,32 @@ | |||
CERT_PATH = f'{swanctl_dir}/x509/' | |||
CA_PATH = f'{swanctl_dir}/x509ca/' | |||
|
|||
|
|||
def _encode_to_base64(input_string): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It probably is, we can move it there is more use cases for it arise for sure.
Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers authentication psk PSK secret 'xxxxx==' authentication psk PSK secret-type <base64|plaintext>
CI integration 👍 passed! Details
|
Change Summary
Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers
Types of changes
Related Task(s)
Related PR(s)
Component(s) name
ipsec
Proposed changes
How to test
Configure base64 encoded password on the
left
node and clear password on theright
node`LEFT node:
RIGHT node:
Check config on the
left
nodeBe sure the connection is working
Smoketest result
Checklist: