T8136: IPSEC PPK Support

Author: giga1699

data/templates/ipsec/swanctl.conf.j2

@@ -91,13 +91,36 @@ secrets {
 {%         endif %}
 {%         if psk_config.secret_type is vyos_defined('base64') %}
         secret = 0s{{ psk_config.secret }}
+{%         elif psk_config.secret_type is vyos_defined('hex') %}
+        secret = 0x{{ psk_config.secret }}
 {%         elif psk_config.secret_type is vyos_defined('plaintext') %}
         secret = "{{ psk_config.secret }}"
 {%         endif %}
     }
 {%     endfor %}
 {% endif %}
 
+{% if authentication.ppk is vyos_defined %}
+{%     for ppk, ppk_config in authentication.ppk.items() %}
+    ppk-{{ ppk }} {
+{%         if ppk_config.id is vyos_defined %}
+        # ID's from auth ppk <tag> id xxx
+{%             for id in ppk_config.id %}
+{%                 set gen_uuid = '' | generate_uuid4 %}
+        id-{{ gen_uuid }} = "{{ id }}"
+{%             endfor %}
+{%         endif %}
+{%         if ppk_config.secret_type is vyos_defined('base64') %}
+        secret = 0s{{ ppk_config.secret }}
+{%         elif ppk_config.secret_type is vyos_defined('hex') %}
+        secret = 0x{{ ppk_config.secret }}
+{%         elif ppk_config.secret_type is vyos_defined('plaintext') %}
+        secret = "{{ ppk_config.secret }}"
+{%         endif %}
+    }
+{%     endfor %}
+{% endif %}
+
 {% if remote_access.connection is vyos_defined %}
 {%     for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
 {%         if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}

data/templates/ipsec/swanctl/peer.j2

@@ -3,6 +3,15 @@
 {# peer needs to reference the global IKE configuration for certain values #}
 {% set ike = ike_group[peer_conf.ike_group] %}
     {{ name }} {
+{% if peer_conf.ppk.id is vyos_defined %}
+        ppk_id = {{ peer_conf.ppk.id }}
+{% endif %}
+{% if peer_conf.ppk.required is vyos_defined %}
+        ppk_required = yes
+{% endif %}
+{% if peer_conf.childless is vyos_defined %}
+        childless = {{ peer_conf.childless }}
+{% endif %}
         proposals = {{ ike | get_esp_ike_cipher | join(',') }}
         version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
 {% if peer_conf.virtual_address is vyos_defined %}

data/templates/ipsec/swanctl/remote_access.j2

@@ -3,6 +3,15 @@
 {% set ike = ike_group[rw_conf.ike_group] %}
 {% set esp = esp_group[rw_conf.esp_group] %}
     ra-{{ name }} {
+{% if rw_conf.ppk.id is vyos_defined %}
+        ppk_id = {{ rw_conf.ppk.id }}
+{% endif %}
+{% if rw_conf.ppk.required is vyos_defined %}
+        ppk_required = yes
+{% endif %}
+{% if rw_conf.childless is vyos_defined %}
+        childless = {{ rw_conf.childless }}
+{% endif %}
         remote_addrs = %any
         local_addrs = {{ rw_conf.local_address if rw_conf.local_address is not vyos_defined('any') else '%any' }} # dhcp:{{ rw_conf.dhcp_interface if rw_conf.dhcp_interface is vyos_defined else 'no' }}
         proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}

interface-definitions/include/ipsec/childless.xml.i

@@ -0,0 +1,29 @@
+                  <!-- include start from ipsec/childless.xml.i -->
+                  <leafNode name="childless">
+                      <properties>
+                          <help>Enable support for childless IKE_SA initiation</help>
+                          <completionHelp>
+                            <list>allow prefer force never</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>allow</format>
+                            <description>Responder will allow childless IKE_SA, but initiator will not create childless connection</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>prefer</format>
+                            <description>Responder will allow childless IKE_SA, and initiator will make childless connection if supported by responder</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>force</format>
+                            <description>Require the use of childless IKE_SA</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>never</format>
+                            <description>Disable support for childless IKE_SAs as responder</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>(allow|prefer|force|never)</regex>
+                          </constraint>
+                      </properties>
+                  </leafNode>
+                  <!-- include end -->

interface-definitions/include/ipsec/ppk.xml.i

@@ -0,0 +1,24 @@
+                  <!-- include start from ipsec/ppk.xml.i -->
+                  <node name="ppk">
+                      <properties>
+                          <help>Post-quantum preshared key</help>
+                      </properties>
+                      <children>
+                          <leafNode name="id">
+                          <properties>
+                              <help>Post-quantum preshared key for this connection</help>
+                              <valueHelp>
+                              <format>txt</format>
+                              <description>ID used for PPK</description>
+                              </valueHelp>
+                          </properties>
+                          </leafNode>
+                          <leafNode name="required">
+                          <properties>
+                              <help>Require a valid PPK for connection to establish</help>
+                              <valueless/>
+                          </properties>
+                          </leafNode>
+                      </children>
+                  </node>
+                  <!-- include end -->

interface-definitions/vpn_ipsec.xml.in

@@ -45,10 +45,48 @@
                     <properties>
                       <help>Secret type</help>
                       <completionHelp>
-                        <list>base64 plaintext</list>
+                        <list>base64 hex plaintext</list>
                       </completionHelp>
                       <constraint>
-                        <regex>(base64|plaintext)</regex>
+                        <regex>(base64|hex|plaintext)</regex>
+                      </constraint>
+                    </properties>
+                    <defaultValue>plaintext</defaultValue>
+                  </leafNode>
+                </children>
+              </tagNode>
+              <tagNode name="ppk">
+                <properties>
+                  <help>Post-quantum preshared key name</help>
+                </properties>
+                <children>
+                  <leafNode name="id">
+                    <properties>
+                      <help>ID for PPK</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>ID used for PPK</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="secret">
+                    <properties>
+                      <help>Post-quantum preshared secret key</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Post-quantum preshared secret key</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="secret-type">
+                    <properties>
+                      <help>Secret type</help>
+                      <completionHelp>
+                        <list>base64 hex plaintext</list>
+                      </completionHelp>
+                      <constraint>
+                        <regex>(base64|hex|plaintext)</regex>
                       </constraint>
                     </properties>
                     <defaultValue>plaintext</defaultValue>
@@ -899,13 +937,15 @@
                       #include <include/ipsec/authentication-pre-shared-secret.xml.i>
                     </children>
                   </node>
+                  #include <include/ipsec/childless.xml.i>
                   #include <include/generic-description.xml.i>
                   #include <include/generic-disable-node.xml.i>
                   #include <include/ipsec/esp-group.xml.i>
                   #include <include/ipsec/ike-group.xml.i>
                   #include <include/ipsec/local-address.xml.i>
                   #include <include/dhcp-interface.xml.i>
                   #include <include/ipsec/local-traffic-selector.xml.i>
+                  #include <include/ipsec/ppk.xml.i>
                   #include <include/ipsec/replay-window.xml.i>
                   #include <include/ipsec/bind.xml.i>
                   <leafNode name="timeout">
@@ -1156,6 +1196,7 @@
                       </leafNode>
                     </children>
                   </node>
+                  #include <include/ipsec/childless.xml.i>
                   <leafNode name="connection-type">
                     <properties>
                       <help>Connection type</help>
@@ -1220,6 +1261,7 @@
                     </properties>
                   </leafNode>
                   #include <include/ipsec/local-address.xml.i>
+                  #include <include/ipsec/ppk.xml.i>
                   #include <include/ipsec/remote-address.xml.i>
                   #include <include/ipsec/replay-window.xml.i>
                   <tagNode name="tunnel">

smoketest/scripts/cli/test_vpn_ipsec.py

@@ -47,6 +47,7 @@
 esp_group = 'MyESPGroup'
 ike_group = 'MyIKEGroup'
 secret = 'MYSECRETKEY'
+ppk_secret_hex = '55c2ebca1bada7ac0e4e1390a8dbb563cefea0c7bd59f4f2c86a627f5927fb90'
 PROCESS_NAME = 'charon-systemd'
 regex_uuid4 = '[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}'
 
@@ -668,6 +669,104 @@ def test_site_to_site_vti_ts_afi(self):
         for line in swanctl_conf_lines:
             self.assertIn(line, swanctl_conf)
 
+    def test_site_to_site_nist_800_77_cnsa_1_with_ppk(self):
+        # Setup IKE group
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'key-exchange', 'ikev2'])
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'lifetime', '86400'])
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'dh-group', '20'])
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'encryption', 'aes256gcm128'])
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'hash', 'sha384'])
+        self.cli_set(base_path + ['ike-group', 'cnsa1-ike', 'proposal', '10', 'prf', 'prfsha384'])
+
+        # Setup ESP group
+        self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'lifetime', '28800'])
+        self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'mode', 'tunnel'])
+        self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'pfs', 'dh-group20'])
+        self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'proposal', '10', 'encryption', 'aes256gcm128'])
+        self.cli_set(base_path + ['esp-group', 'cnsa1-esp', 'proposal', '10', 'hash', 'sha384'])
+
+        local_address = '192.0.2.10'
+
+        # vpn ipsec auth psk <tag> id <x.x.x.x>
+        self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', local_id])
+        self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', remote_id])
+        self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', local_address])
+        self.cli_set(base_path + ['authentication', 'psk', connection_name, 'id', peer_ip])
+        self.cli_set(base_path + ['authentication', 'psk', connection_name, 'secret', secret])
+
+        # vpn ipsec auth ppk <tag> id <name>
+        self.cli_set(base_path + ['authentication', 'ppk', connection_name, 'id', 'ppk-test'])
+        self.cli_set(base_path + ['authentication', 'ppk', connection_name, 'secret', ppk_secret_hex])
+        self.cli_set(base_path + ['authentication', 'ppk', connection_name, 'secret-type', 'hex'])
+
+        # Site to site
+        peer_base_path = base_path + ['site-to-site', 'peer', connection_name]
+
+        self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
+
+        # Set childless IKE_INIT to prefer
+        self.cli_set(peer_base_path + ['childless', 'prefer'])
+
+        self.cli_set(peer_base_path + ['default-esp-group', 'cnsa1-esp'])
+        self.cli_set(peer_base_path + ['ike-group', 'cnsa1-ike'])
+        self.cli_set(peer_base_path + ['local-address', local_address])
+
+        # Require use of valid PPK
+        self.cli_set(peer_base_path + ['ppk', 'id', 'ppk-test'])
+        self.cli_set(peer_base_path + ['ppk', 'required'])
+
+        self.cli_set(peer_base_path + ['remote-address', peer_ip])
+        self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'])
+        self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'])
+
+        self.cli_commit()
+
+        # Verify strongSwan configuration
+        swanctl_conf = read_file(swanctl_file)
+        swanctl_conf_lines = [
+            f'ppk_id = ppk-test',
+            f'ppk_required = yes',
+            f'childless = prefer',
+            f'version = 2',
+            f'auth = psk',
+            f'rekey_time = 86400s',
+            f'proposals = aes256gcm128-sha384-prfsha384-ecp384',
+            f'esp_proposals = aes256gcm128-sha384-ecp384',
+            f'life_time = 28800s', # default value
+            f'local_addrs = {local_address} # dhcp:no',
+            f'remote_addrs = {peer_ip}',
+            f'mode = tunnel',
+            f'{connection_name}-tunnel-1',
+            f'local_ts = 172.16.10.0/24',
+            f'remote_ts = 172.17.10.0/24',
+            f'mode = tunnel',
+            f'replay_window = 32',
+        ]
+        for line in swanctl_conf_lines:
+            self.assertIn(line, swanctl_conf)
+
+        # if dpd is not specified it should not be enabled (see T6599)
+        swanctl_unexpected_lines = [
+            'dpd_timeout',
+            'dpd_delay',
+        ]
+
+        for unexpected_line in swanctl_unexpected_lines:
+            self.assertNotIn(unexpected_line, swanctl_conf)
+
+        swanctl_secrets_lines = [
+            f'id-{regex_uuid4} = "{local_id}"',
+            f'id-{regex_uuid4} = "{remote_id}"',
+            f'id-{regex_uuid4} = "{local_address}"',
+            f'id-{regex_uuid4} = "{peer_ip}"',
+            f'secret = "{secret}"',
+            f'ppk-{connection_name}',
+            f'id-{regex_uuid4} = "ppk-test"',
+            f'secret = 0x{ppk_secret_hex}'
+        ]
+        for line in swanctl_secrets_lines:
+            self.assertRegex(swanctl_conf, fr'{line}')
+
 
     def test_dmvpn(self):
         ike_lifetime = '3600'

src/conf_mode/vpn_ipsec.py

@@ -261,11 +261,23 @@ def verify(ipsec):
     if not ipsec or 'deleted' in ipsec:
         return
 
+    #T8136 PPK support; keep a list of PPK IDs
+    ppk_ids = []
+
     if 'authentication' in ipsec:
         if 'psk' in ipsec['authentication']:
             for psk, psk_config in ipsec['authentication']['psk'].items():
                 if 'id' not in psk_config or 'secret' not in psk_config:
                     raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"')
+        #T8136 PPK Support; Check that PPK has an ID and secret defined, and ID is unique
+        if 'ppk' in ipsec['authentication']:
+            for ppk, ppk_config in ipsec['authentication']['ppk'].items():
+                if 'id' not in ppk_config or 'secret' not in ppk_config:
+                    raise ConfigError(f'Authentication PPK "{ppk}" missing "id" or "secret"')
+                for ppkID in ppk_config['id']:
+                    if ppkID in ppk_ids:
+                        raise ConfigError(f'Authentication PPK "{ppk}" has duplicate ID "{ppkID}" from another PPK. IDs should be unique.')
+                    ppk_ids.append(ppkID)
 
     if 'interface' in ipsec:
         tmp = re.compile(dynamic_interface_pattern)
@@ -445,6 +457,17 @@ def verify(ipsec):
                         elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']:
                             raise ConfigError(f'Requested pool "{pool}" does not exist!')
 
+                #T8136 IPSEC PPK Support
+                #PPKs and Childless only works with IKEv2. Check that ike-group is v2 if either option is enabled. Check that PPK ID was actually defined in authentication.
+                if 'ppk' in ra_conf:
+                    ike = ra_conf['ike_group']
+                    if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+                        raise ConfigError(f'Post-quantum preshared keys must be used with IKEv2! IKEv2 key-exchange not set in ike-group "{ike}".')
+                if 'childless' in ra_conf:
+                    ike = ra_conf['ike_group']
+                    if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+                        raise ConfigError(f'Childless IKE SAs be used with IKEv2! IKEv2 key-exchange not set in ike-group "{ike}".')
+
         if 'pool' in ipsec['remote_access']:
             pool_networks = []
             for pool, pool_config in ipsec['remote_access']['pool'].items():
@@ -653,6 +676,17 @@ def verify(ipsec):
                                     f'for ESP proposal {proposal} on tunnel {tunnel} for site-to-site peer {peer} with VPP'
                                 )
 
+            #T8136 IPSEC PPK Support
+            #PPKs and Childless only works with IKEv2. Check that ike-group is v2 if either option is enabled. Check that PPK ID was actually defined in authentication.
+            if 'ppk' in peer_conf:
+                ike = peer_conf['ike_group']
+                if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+                    raise ConfigError(f'Post-quantum preshared keys must be used with IKEv2! IKEv2 key-exchange not set in ike-group "{ike}".')
+            if 'childless' in peer_conf:
+                ike = peer_conf['ike_group']
+                if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+                    raise ConfigError(f'Childless IKE SAs be used with IKEv2! IKEv2 key-exchange not set in ike-group "{ike}".')
+
 
 def cleanup_pki_files():
     for path in [CERT_PATH, CA_PATH, CRL_PATH, KEY_PATH, PUBKEY_PATH]:

src/op_mode/vpn_ike_sa.py

@@ -49,7 +49,13 @@ def ike_sa(peer, nat):
             local_str = f'{s(sa["local-host"])} {s(sa["local-id"])}' if s(sa['local-id']) != '%any' else s(sa["local-host"])
             print(ike_sa_peer_prefix)
             print('%-39s %-39s' % (remote_str, local_str))
-            state = 'up' if 'state' in sa and s(sa['state']) == 'ESTABLISHED' else 'down'
+            if 'state' in sa and s(sa['state']) == 'ESTABLISHED':
+                if 'ppk' in sa and s(sa['ppk']) == 'yes':
+                    state = 'up-ppk'
+                else:
+                    state = 'up'
+            else:
+                state = 'down'
             version = 'IKEv' + s(sa['version'])
             encryption = f'{s(sa["encr-alg"])}' if 'encr-alg' in sa else 'n/a'
             if 'encr-keysize' in sa: