T264: IPsec add base64 encoded secret-type feature #4198

Merged
merged 1 commit into from
Nov 26, 2024

Conversation

Member

@sever-sever sever-sever commented Nov 19, 2024

Change Summary

Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers

set vpn ipsec authentication psk PSK secret 'MTIzNDU2Nzg5MA=='
set vpn ipsec authentication psk PSK secret-type < base64|plaintext >

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

ipsec

Proposed changes

How to test

Configure base64 encoded password on the left node and clear password on the right node

LEFT node:

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret 'MTIzNDU2Nzg5MA=='
set vpn ipsec authentication psk PSK secret-type 'base64'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '100.64.1.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '100.64.2.0/24'

RIGHT node:

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret '1234567890'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKE-group'
set vpn ipsec site-to-site peer OFFICE-A local-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '100.64.2.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '100.64.1.0/24'

Check config on the left node

vyos@r14:~$ cat /etc/swanctl/swanctl.conf | grep secret -A 5
secrets {
    ike-PSK {
        # ID's from auth psk <tag> id xxx
        id-d8e5cef6-0390-40bc-b371-f6f179413112 = "192.0.2.1"
        id-b9696448-1430-4411-b74b-aafc906f90c7 = "192.0.2.2"
        secret = 0sMTIzNDU2Nzg5MA==
    }

}

Be sure the connection is working

Nov 19 17:57:16 r14 charon[41119]: 02[NET] <OFFICE-B|1> received packet: from 192.0.2.2[4500] to 192.0.2.1[4500] (220 bytes)
Nov 19 17:57:16 r14 charon[41119]: 02[ENC] <OFFICE-B|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> authentication of '192.0.2.2' with pre-shared key successful
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> peer supports MOBIKE
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> IKE_SA OFFICE-B[1] established between 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> scheduling rekeying in 27280s
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> maximum IKE_SA lifetime 30160s
Nov 19 17:57:16 r14 charon[41119]: 02[CFG] <OFFICE-B|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> CHILD_SA OFFICE-B-tunnel-0{1} established with SPIs ca76d43e_i ca6487b5_o and TS 100.64.1.0/24 === 100.64.2.0/24


vyos@r14:~$ show vpn ipsec connections 
Connection         State    Type    Remote address    Local TS       Remote TS      Local id    Remote id    Proposal
-----------------  -------  ------  ----------------  -------------  -------------  ----------  -----------  ----------------------------------
OFFICE-B           up       IKEv2   192.0.2.2         -              -              192.0.2.1   192.0.2.2    AES_CBC/256/HMAC_SHA1_96/MODP_1024
OFFICE-B-tunnel-0  up       IPsec   192.0.2.2         100.64.1.0/24  100.64.2.0/24  192.0.2.1   192.0.2.2    AES_CBC/256/HMAC_SHA1_96/None
vyos@r14:~$ 

Smoketest result

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... ok
test_remote_access_dhcp_fail_handling (__main__.TestVPNIPsec.test_remote_access_dhcp_fail_handling) ... ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... ok
test_remote_access_no_rekey (__main__.TestVPNIPsec.test_remote_access_no_rekey) ... ok
test_remote_access_pool_range (__main__.TestVPNIPsec.test_remote_access_pool_range) ... ok
test_remote_access_vti (__main__.TestVPNIPsec.test_remote_access_vti) ... ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ... ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... ok

----------------------------------------------------------------------
Ran 13 tests in 80.993s

OK
vyos@r14:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
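The feature described above, as an added example that is not part of this PR or of the vyos-1x code base: a small Python model of how a `secret-type` of base64 versus plaintext maps onto the `secret` line of a swanctl.conf secrets stanza (strongSwan reads a `0s` prefix as base64, which is why the left node's config shows `secret = 0sMTIzNDU2Nzg5MA==` while the right node carries the quoted plaintext), plus a check that the left node's base64 secret and the right node's plaintext secret decode to the same key bytes. The dict shape, the function names and the sample data are assumptions made for this example; the real vyos-1x config dictionary and template may differ.

```python
import base64
import binascii

# Constructed sample data (not from the VyOS code base): the two PSK
# stanzas from the PR's "How to test" section, in the dict shape the
# example functions below expect.
LEFT_PSK = {
    'id': ['192.0.2.1', '192.0.2.2'],
    'secret': 'MTIzNDU2Nzg5MA==',
    'secret_type': 'base64',
}
RIGHT_PSK = {
    'id': ['192.0.2.1', '192.0.2.2'],
    'secret': '1234567890',
    # secret-type left unset, which the PR treats as plaintext
}


def psk_key_bytes(psk: dict) -> bytes:
    """Return the raw key material a peer will feed into IKE_AUTH.

    strongSwan reads a `0s`-prefixed swanctl secret as base64 and a quoted
    value as a literal string, so both forms must decode to identical bytes
    on the two peers or pre-shared key authentication fails.
    """
    secret = psk['secret']
    secret_type = psk.get('secret_type', 'plaintext')
    if secret_type == 'plaintext':
        return secret.encode()
    if secret_type == 'base64':
        try:
            # validate=True rejects characters outside the base64 alphabet
            # instead of silently discarding them.
            return base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f'secret is not valid base64: {exc}') from exc
    raise ValueError(f'unsupported secret-type {secret_type!r}')


def render_swanctl_secret(psk: dict) -> str:
    """Render the `secret = ...` line of a swanctl.conf secrets stanza.

    A base64 secret is written with strongSwan's `0s` prefix and no quotes
    (as in the PR's swanctl.conf output); a plaintext secret is quoted.
    Decoding first turns a bad base64 value into a commit-time error
    rather than a charon failure when the connection is brought up.
    """
    psk_key_bytes(psk)
    if psk.get('secret_type', 'plaintext') == 'base64':
        return f"secret = 0s{psk['secret']}"
    return f'secret = "{psk["secret"]}"'


def peers_share_key(left: dict, right: dict) -> bool:
    """True if both peers derive the same key bytes, whatever the encoding."""
    return psk_key_bytes(left) == psk_key_bytes(right)


if __name__ == '__main__':
    print(render_swanctl_secret(LEFT_PSK))    # secret = 0sMTIzNDU2Nzg5MA==
    print(render_swanctl_secret(RIGHT_PSK))   # secret = "1234567890"
    print(peers_share_key(LEFT_PSK, RIGHT_PSK))  # True
    # Pitfall: marking a plaintext secret as base64 when it happens to be
    # valid base64 raises no error; it just yields different key bytes
    # than the peer, so IKE_AUTH fails with no hint in the config.
    mislabelled = {'id': [], 'secret': '12345678', 'secret_type': 'base64'}
    print(peers_share_key(mislabelled, {'id': [], 'secret': '12345678'}))  # False
```

The mislabelled case at the end is the one worth remembering when the two sides are administered by different people: a plaintext key whose length is a multiple of four and whose characters fall in the base64 alphabet decodes cleanly to the wrong bytes, so the only symptom is a failed pre-shared key authentication on the peer.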

github-actions bot commented Nov 19, 2024

👍
No issues in PR Title / Commit Title

secret = "{{ psk_config.secret }}"
{% else %}
Member

If secret_type has a defaultValue in XML there is no need for a else code path.

Member Author

I wanted to play it safe and make a fallback.

Member Author

If secret_type has a defaultValue in XML there is no need for a else code path.

done!

@@ -106,6 +107,32 @@
CERT_PATH = f'{swanctl_dir}/x509/'
CA_PATH = f'{swanctl_dir}/x509ca/'


def _encode_to_base64(input_string):
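Review bot: `_encode_to_base64` is added as a module-private helper sitting between the CERT_PATH/CA_PATH constants and the test code, but base64-encoding a string is generic rather than test-specific, so it belongs in a shared module (vyos.utils.convert) imported here, which also keeps the smoketest exercising the same routine other callers use. Since the parameter is named `input_string`, the helper should also state in a docstring that it takes a str and returns the base64 text as a str (not bytes), because that text is what ends up after the `0s` prefix in swanctl.conf.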
Member

Probably a good candidate for vyos.utils.convert?

Member

It probably is, we can move it there is more use cases for it arise for sure.

Member Author

Moved to vyos.utils.convert


Add the ability to configure base64 encoded passwords for
VPN IPSec site-to-site peers

authentication psk PSK secret 'xxxxx=='
authentication psk PSK secret-type <base64|plaintext>
CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@c-po c-po merged commit f3a46fc into vyos:current Nov 26, 2024
15 of 16 checks passed