T264: IPsec add base64 encoded secret-type feature

[sever-sever]

Change Summary

Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers

set vpn ipsec authentication psk PSK secret 'MTIzNDU2Nzg5MA=='
set vpn ipsec authentication psk PSK secret-type < base64|plaintext >

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T264

Related PR(s)

Component(s) name

ipsec

Proposed changes

How to test

Configure base64 encoded password on the left node and clear password on the right node`

LEFT node:

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret 'MTIzNDU2Nzg5MA=='
set vpn ipsec authentication psk PSK secret-type 'base64'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '100.64.1.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '100.64.2.0/24'

RIGHT node:

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret '1234567890'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKE-group'
set vpn ipsec site-to-site peer OFFICE-A local-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '100.64.2.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '100.64.1.0/24'

Check config on the left node

vyos@r14:~$ cat /etc/swanctl/swanctl.conf | grep secret -A 5
secrets {
    ike-PSK {
        # ID's from auth psk <tag> id xxx
        id-d8e5cef6-0390-40bc-b371-f6f179413112 = "192.0.2.1"
        id-b9696448-1430-4411-b74b-aafc906f90c7 = "192.0.2.2"
        secret = 0sMTIzNDU2Nzg5MA==
    }

}

Be sure the connection is working

Nov 19 17:57:16 r14 charon[41119]: 02[NET] <OFFICE-B|1> received packet: from 192.0.2.2[4500] to 192.0.2.1[4500] (220 bytes)
Nov 19 17:57:16 r14 charon[41119]: 02[ENC] <OFFICE-B|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> authentication of '192.0.2.2' with pre-shared key successful
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> peer supports MOBIKE
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> IKE_SA OFFICE-B[1] established between 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> scheduling rekeying in 27280s
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> maximum IKE_SA lifetime 30160s
Nov 19 17:57:16 r14 charon[41119]: 02[CFG] <OFFICE-B|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 19 17:57:16 r14 charon[41119]: 02[IKE] <OFFICE-B|1> CHILD_SA OFFICE-B-tunnel-0{1} established with SPIs ca76d43e_i ca6487b5_o and TS 100.64.1.0/24 === 100.64.2.0/24


vyos@r14:~$ show vpn ipsec connections 
Connection         State    Type    Remote address    Local TS       Remote TS      Local id    Remote id    Proposal
-----------------  -------  ------  ----------------  -------------  -------------  ----------  -----------  ----------------------------------
OFFICE-B           up       IKEv2   192.0.2.2         -              -              192.0.2.1   192.0.2.2    AES_CBC/256/HMAC_SHA1_96/MODP_1024
OFFICE-B-tunnel-0  up       IPsec   192.0.2.2         100.64.1.0/24  100.64.2.0/24  192.0.2.1   192.0.2.2    AES_CBC/256/HMAC_SHA1_96/None
vyos@r14:~$ 

Smoketest result

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... ok
test_remote_access_dhcp_fail_handling (__main__.TestVPNIPsec.test_remote_access_dhcp_fail_handling) ... ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... ok
test_remote_access_no_rekey (__main__.TestVPNIPsec.test_remote_access_no_rekey) ... ok
test_remote_access_pool_range (__main__.TestVPNIPsec.test_remote_access_pool_range) ... ok
test_remote_access_vti (__main__.TestVPNIPsec.test_remote_access_vti) ... ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ... ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... ok

----------------------------------------------------------------------
Ran 13 tests in 80.993s

OK
vyos@r14:~$ 

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[c-po]

If secret_type has a defaultValue in XML there is no need for a else code path.

[sever-sever]

I wanted to play it safe and make a fallback.

[sever-sever]

If secret_type has a defaultValue in XML there is no need for a else code path.

done!

[c-po]

Probably a good candidate for vyos.utils.convert?

[dmbaturin]

It probably is, we can move it there is more use cases for it arise for sure.

[sever-sever]

Moved to vyos.utils.convert

[dmbaturin]

It probably is, we can move it there is more use cases for it arise for sure.

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests (no interfaces) 👍 passed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed