-- seems to be for later, dashboard dies with "Uncaught TypeError: e.indexOf is not a function .... "
This reverts commit 244b70b77193f9c4d5f2912ca3c3cccf65f49d55.

This commit moves all menu and ACL entries from the legacy code of the
IPsec subsystem into the new MVC codebase. Additionally, a small bug in
the current master of OPNsense has been fixed, where the ACL
"page-status-systemlogs-ppp" has been mistakenly labeled as "IPsec VPN"
instead of "PPP".
Signed-off-by: Pascal Mathis <mail@pascalmathis.com>

The current IPsec plugin implementation does not support public key
authentication, which allows for a more secure mutual authentication
than PSK while still not introducing the complexity of X509
certificates. The authentication can easily be set up by generating a
bare RSA keypair chain on both machines, followed by exchanging the
public keys between the two peers.
This commit introduces public key authentication functionality by adding
a new authentication method to phase 1 configuration called "Mutual
Public Key" and adding a menu entry "Key Pairs", which allows adding
public keys + optional private keys. It was successfully tested against
a Linux virtual machine running strongSwan 5 and the entered RSA keys
are automatically verified for correctness.
Useful commands for generating a bare RSA keypair:
$ ipsec pki --gen --type rsa --outform pem --size 4096 > private.pem
$ ipsec pki --pub --outform pem --in private.pem > public.pem
Signed-off-by: Pascal Mathis <mail@pascalmathis.com>

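The setup in the commit message above only works if the public key handed to the peer is the one derived from the private key that stays local, which is why the plugin verifies the entered keys. The following is an added example, not OPNsense or strongSwan code: it parses the two PEM containers assumed here for the `pki` commands (a PKCS#1 "RSA PRIVATE KEY" from `pki --gen`, a SubjectPublicKeyInfo "PUBLIC KEY" from `pki --pub`) with a minimal DER reader and checks that a public key belongs to a private key, including an encrypt/decrypt round trip so a private key whose `d` does not invert `e` is rejected. The sample keys are constructed inside the block from textbook-sized primes purely so it runs offline; real deployments use the 4096-bit keys the commands above generate.

```python
"""Added example: does a PEM public key belong to a PEM RSA private key?"""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """DER INTEGER; a leading zero keeps a high-bit value positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def der_parse(data):
    """Read one TLV; return (tag, value, remaining bytes)."""
    tag, first = data[0], data[1]
    pos, length = 2, first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        pos = 2 + nbytes
    return tag, data[pos:pos + length], data[pos + length:]


def der_children(body):
    out = []
    while body:
        tag, value, body = der_parse(body)
        out.append((tag, value))
    return out


def pem_decode(text, label):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), text, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def pem_encode(der, label):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def load_private(pem):
    """PKCS#1 RSAPrivateKey: SEQUENCE of INTEGERs version,n,e,d,p,q,dp,dq,qinv."""
    _, body, _ = der_parse(pem_decode(pem, "RSA PRIVATE KEY"))
    ints = [int.from_bytes(v, "big") for t, v in der_children(body) if t == 0x02]
    return dict(zip(("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"), ints))


def load_public(pem):
    """SubjectPublicKeyInfo: SEQUENCE { algorithm, BIT STRING { RSAPublicKey } }."""
    _, body, _ = der_parse(pem_decode(pem, "PUBLIC KEY"))
    (_, alg), (_, bitstr) = der_children(body)
    if not alg.startswith(RSA_OID) or bitstr[0] != 0:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, rsapub, _ = der_parse(bitstr[1:])  # skip the unused-bits octet
    n, e = (int.from_bytes(v, "big") for _, v in der_children(rsapub))
    return n, e


def keys_match(pub_pem, priv_pem):
    """True only if the public key is the one derived from this private key."""
    n, e = load_public(pub_pem)
    k = load_private(priv_pem)
    if (n, e) != (k["n"], k["e"]) or k["p"] * k["q"] != n:
        return False
    probe = 42 % n  # round trip proves d really is the inverse of e
    return pow(pow(probe, e, n), k["d"], n) == probe


# --- constructed sample material (toy primes, NOT a usable key size) ---
def make_private_pem(p, q, e, d):
    n = p * q
    der = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                  der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    return pem_encode(der, "RSA PRIVATE KEY")


def make_public_pem(n, e):
    rsapub = der_seq(der_int(n), der_int(e))
    bitstr = b"\x03" + _der_len(len(rsapub) + 1) + b"\x00" + rsapub
    return pem_encode(der_seq(der_seq(RSA_OID, DER_NULL), bitstr), "PUBLIC KEY")


SAMPLE_PRIVATE = make_private_pem(61, 53, 17, 2753)  # textbook pair, n = 3233
SAMPLE_PUBLIC = make_public_pem(61 * 53, 17)         # the matching public key
OTHER_PUBLIC = make_public_pem(67 * 71, 17)          # some other peer's key

if __name__ == "__main__":
    print("matching pair:", keys_match(SAMPLE_PUBLIC, SAMPLE_PRIVATE))  # True
    print("foreign key:  ", keys_match(OTHER_PUBLIC, SAMPLE_PRIVATE))   # False
```

With real material, `SAMPLE_PRIVATE` and `SAMPLE_PUBLIC` would simply be the contents of `private.pem` and `public.pem` from the two `pki` commands; the parser accepts keys of any size because DER long-form lengths are handled.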
syslog-ng has a convenient program output, which can be used to execute commands on receiving specific data on syslog. This commit adds functionality to configctl which should allow it to be used as a handler for this feature.
Something like the following should execute carp service events, with a latency of 0.5 seconds to prevent flooding the system.
destination ... {
program("/usr/local/sbin/configctl -e -t 0.5 interface update carp service_status");
}

CARP: optionally promote/demote on service status event handler.
This adds /usr/local/etc/rc.carp_service_status.d/ to register service check scripts, which, on a failure exit, are considered blocking for normal service operation.
A service should emit the following on status change, which in response might lead to change of carp status:
configctl interface update carp service_status
The included early script assures an initial demotion value before interface setup.
ref https://github.com/opnsense/core/issues/3636
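The contract in the commit message above is small but easy to get subtly wrong: every registered check runs, any failing exit blocks normal operation, and a check that hangs must not pass as healthy. The following added example models that contract in Python; it is not OPNsense's own rc.carp_service_status implementation, and the -1 code for a timed-out check, the name-sorted execution order and the demo directory contents are assumptions made here. A blocking failure is what would justify demoting CARP when `configctl interface update carp service_status` fires.

```python
"""Added example: run rc.carp_service_status.d-style checks and decide on demotion."""
import os
import stat
import subprocess
import tempfile

CHECK_DIR = "/usr/local/etc/rc.carp_service_status.d"  # path from the commit message


def run_service_checks(check_dir=CHECK_DIR, timeout=10):
    """Run every executable file in check_dir in name order.

    Returns a list of (script name, exit code). A script still running after
    `timeout` seconds is killed and recorded as -1 (assumed here), so a stuck
    check is never mistaken for a healthy one.
    """
    results = []
    for name in sorted(os.listdir(check_dir)):
        path = os.path.join(check_dir, name)
        if not (os.path.isfile(path) and os.access(path, os.X_OK)):
            continue  # README files and disabled (non-executable) checks are skipped
        try:
            proc = subprocess.run([path], stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL, timeout=timeout)
            rc = proc.returncode
        except subprocess.TimeoutExpired:
            rc = -1
        results.append((name, rc))
    return results


def blocking_failures(check_dir=CHECK_DIR, timeout=10):
    """Names of checks whose exit status blocks normal service operation."""
    return [name for name, rc in run_service_checks(check_dir, timeout) if rc != 0]


def carp_demotion_needed(check_dir=CHECK_DIR, timeout=10):
    """True when at least one registered check failed or hung."""
    return bool(blocking_failures(check_dir, timeout))


# --- constructed demo directory standing in for rc.carp_service_status.d ---
def make_demo_dir(scripts):
    """Write {name: shell body} as executable /bin/sh scripts plus a non-executable README."""
    d = tempfile.mkdtemp(prefix="carp_service_status.d-")
    for name, body in scripts.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" + body + "\n")
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    with open(os.path.join(d, "README"), "w") as fh:
        fh.write("constructed demo directory; not a check script\n")
    return d


if __name__ == "__main__":
    demo = make_demo_dir({
        "10-dns": "exit 0",      # healthy
        "20-proxy": "exit 1",    # failing: blocks normal operation
        "30-slow": "sleep 30",   # hangs: caught by the timeout
    })
    print(run_service_checks(demo, timeout=1))
    print("demote:", carp_demotion_needed(demo, timeout=1))
```

Check scripts themselves stay trivial under this contract: test the one thing the service needs (a listening socket, a pidfile whose process is alive, a health URL) and exit non-zero when it is missing.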