openstack/neutron-vpnaas
Code Issues Proposed changes
Files
f6033dd2ef544e1fc8b9dcd138e51a94211e61d4
neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template
Bodo Petermann f6033dd2ef Add support for additional auth, encryption, PFS choices 
Encryption algorithms: add AES CCM mode and AES GCM mode variants
for 128/192/256 bit keys and 8/12/16 octet ICVs.
In the API that will be 9 new choices for AES CCM and 9 for AES GCM,
e.g. aes-256-ccm-16 (aes-{keysize}-ccm-{icv-size}).
Add encrpytion algorithms for AES CTR mode: aes-128-ctr, aes-192-ctr,
aes-256-ctr.
Auth algorithms: add aes-xcbc and aes-cmac.
PFS: add Diffie Hellman groups 15 to 31.

Closes-Bug: #1938284
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/903971
Change-Id: I07f49d8e91f0f16ee4c97e636ab3b62a5692d70c
2025-02-06 10:08:10 +01:00

39 lines
1.9 KiB
Plaintext
Raw Blame History

# Configuration for {{vpnservice.id}}
config setup
conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
mobike=no
{% for ipsec_site_connection in vpnservice.ipsec_site_connections%}
conn {{ipsec_site_connection.id}}
keyexchange={{ipsec_site_connection.ikepolicy.ike_version}}
left={{ipsec_site_connection.external_ip}}
leftsubnet={{ipsec_site_connection['local_cidrs']|join(',')}}
leftid={{ipsec_site_connection.local_id}}
leftfirewall=yes
right={{ipsec_site_connection.peer_address}}
rightsubnet={{ipsec_site_connection['peer_cidrs']|join(',')}}
rightid={{ipsec_site_connection.peer_id}}
auto=route
dpdaction={{ipsec_site_connection.dpd_action}}
dpddelay={{ipsec_site_connection.dpd_interval}}s
dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
{%- if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" %}
aggressive=yes
{%- endif %}
{%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- elif 'cm' in ipsec_site_connection.ipsecpolicy.encryption_algorithm %}
esp={{ipsec_site_connection.ipsecpolicy.encryption_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- else %}
esp={{ipsec_site_connection.ipsecpolicy.encryption_algorithm}}-{{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- endif %}
lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
type={{ipsec_site_connection.ipsecpolicy.encapsulation_mode}}
{% endfor %}
View Git Blame Copy Permalink