-- seems to be for later, dashboard dies with "Uncaught TypeError: e.indexOf is not a function .... "
This reverts commit 244b70b77193f9c4d5f2912ca3c3cccf65f49d55.
This commit moves all menu and ACL entries from the legacy code of the
IPsec subsystem into the new MVC codebase. Additionally, a small bug in
the current master of OPNsense has been fixed, where the ACL
"page-status-systemlogs-ppp" has been mistakenly labeled as "IPsec VPN"
instead of "PPP".
Signed-off-by: Pascal Mathis <mail@pascalmathis.com>
The current IPsec plugin implementation does not support public key
authentication, which allows for a more secure mutual authentication
than PSK while still not introducing the complexity of X.509
certificates. The authentication can easily be set up by generating a
bare RSA keypair chain on both machines, followed by exchanging the
public keys between the two peers.
This commit introduces public key authentication functionality by adding
a new authentication method to phase 1 configuration called "Mutual
Public Key" and adding a menu entry "Key Pairs", which allows adding
public keys + optional private keys. It was successfully tested against
a Linux virtual machine running strongSwan 5 and the entered RSA keys
are automatically verified for correctness.
Useful commands for generating a bare RSA keypair:
$ ipsec pki --gen --type rsa --outform pem --size 4096 > private.pem
$ ipsec pki --pub --outform pem --in private.pem > public.pem
Signed-off-by: Pascal Mathis <mail@pascalmathis.com>
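For the Linux peer the commit says it was tested against, the matching strongSwan 5 side of a raw-public-key setup looks like the following. This is an added example, not part of the commit or of OPNsense; the addresses, identities, subnets and file names are assumptions. The public key files are the `public.pem` outputs of the `ipsec pki` commands above, copied to the other peer.

```conf
# /etc/ipsec.conf on the Linux peer (added example; all values are assumed)
config setup

conn opnsense-pubkey
    keyexchange=ikev2
    # raw RSA keys on both sides: no CA, no X.509 certificates involved
    leftauth=pubkey
    rightauth=pubkey
    left=192.0.2.10
    leftid=@linux-peer
    # a relative file name is looked up in /etc/ipsec.d/certs
    leftsigkey=linux-peer-public.pem
    leftsubnet=10.10.0.0/24
    right=192.0.2.20
    rightid=@opnsense
    # public key generated on the OPNsense box and copied here out of band
    rightsigkey=opnsense-public.pem
    rightsubnet=10.20.0.0/24
    auto=start

# /etc/ipsec.secrets on the Linux peer: the private half of linux-peer-public.pem
: RSA /etc/ipsec.d/private/linux-peer-private.pem
```

The security of this scheme rests entirely on the public keys being exchanged intact: a key pasted into the "Key Pairs" form should be compared against the originating peer's key (for example by printing it on both sides with `ipsec pki --print --type pub --in public.pem` and comparing the output) before the tunnel is brought up, since there is no CA to catch a substituted key.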
syslog-ng has a convenient program output, which can be used to execute commands on receiving specific data on syslog. This commit adds functionality to configctl which should allow it to be used as a handler for this feature.
Something like the following should execute carp service events, with a latency of 0.5 seconds to prevent flooding the system.
destination ... {
program("/usr/local/sbin/configctl -e -t 0.5 interface update carp service_status");
}
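A complete syslog-ng log path around the destination fragment quoted above, as an added example rather than configuration from the commit: the source, the filter (the program name and message pattern it matches on are assumptions) and the log statement that ties them together are what turn the fragment into something syslog-ng will actually run.

```conf
# syslog-ng snippet (added example, not from the commit): run the configctl
# handler whenever the assumed daemon "dhcpd" logs that it is starting or exiting
source s_local {
    system();
    internal();
};

filter f_carp_service_events {
    program("dhcpd") and message("(starting|exiting)");
};

destination d_carp_service_status {
    # command line exactly as given in the commit message: -t 0.5 adds
    # 0.5 s of latency so a burst of matching lines does not flood the system
    program("/usr/local/sbin/configctl -e -t 0.5 interface update carp service_status");
};

log {
    source(s_local);
    filter(f_carp_service_events);
    destination(d_carp_service_status);
};
```

Note that syslog-ng's `program()` driver starts the command once and writes every matching message to its stdin rather than spawning it per event, so the handler has to keep reading from stdin; keep the filter tight, because every line that passes it becomes a CARP service status evaluation.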
CARP: optionally promote/demote on service status event handler.
This adds /usr/local/etc/rc.carp_service_status.d/ to register service check scripts, which, on a failing exit, are considered blocking for normal service operation.
A service should emit the following on status change, which in response might lead to change of carp status:
configctl interface update carp service_status
The included early script assures an initial demotion value before interface setup.
ref https://github.com/opnsense/core/issues/3636
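What a check script dropped into rc.carp_service_status.d/ has to do is small: decide whether the service is healthy and exit non-zero when it is not, which the handler then treats as blocking. The following is an added example of such a script, not code from the commit or from OPNsense; it checks a daemon through its pid file (the path is an assumption, overridable through the `CHECK_PIDFILE` environment variable) and treats a missing, empty or stale pid file as a failure rather than silently reporting the service as up.

```shell
#!/bin/sh
# Added example check script for /usr/local/etc/rc.carp_service_status.d/
# (not part of the commit or OPNsense). Exit status contract: 0 = healthy,
# non-zero = failure, which blocks normal CARP service operation.
# The pid file path below is an assumption; CHECK_PIDFILE overrides it.

PIDFILE="${CHECK_PIDFILE:-/var/run/example-daemon.pid}"

# check_pidfile FILE: returns 0 if FILE names a live process, 1 otherwise
check_pidfile() {
    pidfile="$1"
    # no readable pid file: the daemon never started or cleaned up on exit
    [ -r "$pidfile" ] || return 1
    # keep digits only so a truncated or garbage file cannot become a pid
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    # empty or non-numeric content is a failure, not a healthy service
    [ -n "$pid" ] || return 1
    # kill -0 only tests that the process exists (and is signalable)
    kill -0 "$pid" 2>/dev/null || return 1
    return 0
}

main() {
    if check_pidfile "$PIDFILE"; then
        echo "ok: $PIDFILE points at a running process"
        exit 0
    fi
    echo "fail: $PIDFILE missing, unreadable or stale" >&2
    exit 1
}

# run main only when executed as a script, so the function can also be sourced
case "${0##*/}" in
    carp_check_pidfile.sh) main ;;
esac
```

When the daemon's own status changes it emits `configctl interface update carp service_status`, which is what causes these scripts to be re-evaluated; a script that hangs or takes long to answer therefore delays every status update, so keep checks as cheap as this one.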
In the unfortunate event that the kernel crashes during config save, both config.xml and the last backup might be broken. Let's try to find the last functional config when unable to init()