Use of org.batfish.datamodel.IkePolicy in project batfish by batfish.
The class VpnConnection, method applyToVpnGateway.
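/**
 * Materializes this VPN connection on the configuration node of its VPN gateway. For every IPsec
 * tunnel it creates an {@link IpsecVpn} together with its IPsec policy/proposal, IKE
 * gateway/policy/proposal and the external and bind interfaces, and then either sets up BGP (when
 * the tunnel carries a VGW ASN) or installs the connection's static routes.
 *
 * @param awsConfiguration source of the configuration nodes already generated for this account
 * @param region the region owning the VPN gateway and VPCs this connection refers to
 * @param warnings sink for red flags about references that cannot be resolved; the connection (or
 *     the BGP part of a single tunnel) is then skipped instead of aborting the conversion
 * @throws BatfishException if a tunnel combines customer-gateway BGP with static routes, or the VPN
 *     gateway is attached to something other than exactly one VPC
 */
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
  Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
  if (vpnGatewayCfgNode == null) {
    warnings.redFlag(
        String.format(
            "VPN Gateway \"%s\" referred by VPN connection \"%s\" not found",
            _vpnGatewayId, _vpnConnectionId));
    return;
  }
  for (int i = 0; i < _ipsecTunnels.size(); i++) {
    // Tunnel-scoped names are 1-based: "<connection>-1", "external1", "vpn1", ...
    int idNum = i + 1;
    String vpnId = _vpnConnectionId + "-" + idNum;
    IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
    // A tunnel that speaks BGP with the customer gateway cannot also carry static routes.
    if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || !_routes.isEmpty())) {
      throw new BatfishException(
          "Unexpected combination of BGP and static routes for VPN connection: \""
              + _vpnConnectionId
              + "\"");
    }

    // Create the IPsec/IKE representation structures and register them on the node. Every
    // structure of this tunnel is keyed by vpnId; proposals are created with -1 as their number.
    IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
    IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
    vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
    ipsecVpn.setIpsecPolicy(ipsecPolicy);
    IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
    vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
    ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
    IkeGateway ikeGateway = new IkeGateway(vpnId);
    vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
    ipsecVpn.setIkeGateway(ikeGateway);
    IkePolicy ikePolicy = new IkePolicy(vpnId);
    vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
    ikeGateway.setIkePolicy(ikePolicy);
    IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
    vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
    ikePolicy.getProposals().put(vpnId, ikeProposal);

    // The external (outside) interface carries the VGW's tunnel endpoint as a host (/32) address;
    // the vpn (inside) interface carries the tunnel's inside address and prefix length.
    String externalInterfaceName = "external" + idNum;
    InterfaceAddress externalInterfaceAddress =
        new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
    Interface externalInterface =
        Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
    String vpnInterfaceName = "vpn" + idNum;
    InterfaceAddress vpnInterfaceAddress =
        new InterfaceAddress(
            ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
    Interface vpnInterface =
        Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);

    // ipsec
    ipsecVpn.setBindInterface(vpnInterface);
    ipsecPolicy.setPfsKeyGroup(
        toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
    ipsecProposal.setAuthenticationAlgorithm(
        toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
    ipsecProposal.setEncryptionAlgorithm(
        toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
    ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
    ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());

    // ike
    ikeGateway.setExternalInterface(externalInterface);
    ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
    ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
    // The tunnel exposes a pre-shared key hash, which may be absent. Without it the policy gets
    // no PSK hash and the proposal's authentication method is left unset rather than guessed.
    if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
      ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
      ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
    }
    ikeProposal.setAuthenticationAlgorithm(
        toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
    ikeProposal.setDiffieHellmanGroup(
        toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
    ikeProposal.setEncryptionAlgorithm(
        toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
    ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());

    // bgp (if configured)
    if (ipsecTunnel.getVgwBgpAsn() != -1) {
      addBgpForTunnel(awsConfiguration, region, warnings, vpnGatewayCfgNode, ipsecTunnel, vpnId);
    }

    // static routes (if configured): each configured prefix points at the customer gateway's
    // inside address with the default static admin distance and cost
    for (Prefix staticRoutePrefix : _routes) {
      StaticRoute staticRoute =
          StaticRoute.builder()
              .setNetwork(staticRoutePrefix)
              .setNextHopIp(ipsecTunnel.getCgwInsideAddress())
              .setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN)
              .setMetric(Route.DEFAULT_STATIC_ROUTE_COST)
              .build();
      vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
    }
  }
}

/**
 * Configures BGP for one tunnel: an eBGP session from the VPN gateway to the customer gateway
 * (which exports only static routes for the VPC's CIDR blocks) and an iBGP session between the
 * VPN gateway and its single attached VPC. References that cannot be resolved (gateway in the
 * region, VPC node/object, VGW-VPC link interfaces) are red-flagged and BGP for this tunnel is
 * skipped before anything is written to either node.
 *
 * @param awsConfiguration source of the VPC configuration node
 * @param region source of the {@link VpnGateway} and {@link Vpc} objects
 * @param warnings sink for red flags
 * @param vpnGatewayCfgNode configuration node of this connection's VPN gateway
 * @param ipsecTunnel the tunnel whose ASNs and inside addresses are applied
 * @param vpnId tunnel-scoped name; the origination policy is named after it
 * @throws BatfishException if the VPN gateway is not attached to exactly one VPC
 */
private void addBgpForTunnel(
    AwsConfiguration awsConfiguration,
    Region region,
    Warnings warnings,
    Configuration vpnGatewayCfgNode,
    IpsecTunnel ipsecTunnel,
    String vpnId) {
  VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
  if (vpnGateway == null) {
    warnings.redFlag(
        String.format(
            "VPN Gateway \"%s\" referred by VPN connection \"%s\" not found in region",
            _vpnGatewayId, _vpnConnectionId));
    return;
  }
  List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
  if (attachmentVpcIds.size() != 1) {
    throw new BatfishException(
        "Not sure what routes to advertise since VPN Gateway: \""
            + _vpnGatewayId
            + "\" for VPN connection: \""
            + _vpnConnectionId
            + "\" is linked to multiple VPCs");
  }
  String vpcId = attachmentVpcIds.get(0);
  Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
  Vpc vpc = region.getVpcs().get(vpcId);
  if (vpcNode == null || vpc == null) {
    warnings.redFlag(
        String.format(
            "VPC \"%s\" attached to VPN Gateway \"%s\" for VPN connection \"%s\" not found",
            vpcId, _vpnGatewayId, _vpnConnectionId));
    return;
  }
  // The VGW<->VPC link interface on each node is keyed by the id of the node on the other side.
  Interface vpcSideIface = vpcNode.getInterfaces().get(_vpnGatewayId);
  Interface vgwSideIface = vpnGatewayCfgNode.getInterfaces().get(vpcId);
  if (vpcSideIface == null || vgwSideIface == null) {
    warnings.redFlag(
        String.format(
            "Link interfaces between VPN Gateway \"%s\" and VPC \"%s\" not found for VPN"
                + " connection \"%s\"",
            _vpnGatewayId, vpcId, _vpnConnectionId));
    return;
  }
  Ip vpcIfaceAddress = vpcSideIface.getAddress().getIp();
  Ip vgwToVpcIfaceAddress = vgwSideIface.getAddress().getIp();

  // The VGW's BGP process is shared by all tunnels and connections; create it on first use.
  BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
  if (proc == null) {
    proc = new BgpProcess();
    proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
    proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
    vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
  }

  // eBGP to the customer gateway over the tunnel inside addresses
  BgpNeighbor cgBgpNeighbor =
      new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
  cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
  proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
  cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
  cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
  cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
  cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
  cgBgpNeighbor.setSendCommunity(false);

  // iBGP connection to VPC (local and remote AS are both the VGW ASN)
  BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
  proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
  vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
  vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
  vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
  vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
  vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
  vgwToVpcBgpNeighbor.setSendCommunity(true);

  // iBGP connection from VPC. The VPC's process is reused when an earlier tunnel (or another
  // connection on the same gateway) already created it, so its neighbors are not discarded.
  BgpProcess vpcProc = vpcNode.getDefaultVrf().getBgpProcess();
  if (vpcProc == null) {
    vpcProc = new BgpProcess();
    vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
    vpcProc.setRouterId(vpcIfaceAddress);
    vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
  }
  BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
  vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
  vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
  vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
  vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
  vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
  vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
  vpcToVgwBgpNeighbor.setSendCommunity(true);

  // Policies on the VGW side of the iBGP session: export sets next-hop-self and then accepts
  // only routes whose protocol is BGP; import is a policy with no statements (named reject-all).
  String rpRejectAllName = "~REJECT_ALL~";
  String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
  If acceptIffEbgp = new If();
  acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
  acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
  acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
  RoutingPolicy vgwRpAcceptAllBgp =
      new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
  vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
  vgwRpAcceptAllBgp.setStatements(
      ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
  vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
  RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
  vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
  vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);

  // Policies on the VPC side: import accepts everything, export is the statement-less policy.
  String rpAcceptAllName = "~ACCEPT_ALL~";
  RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
  vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
  vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
  vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
  RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
  vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
  vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);

  // Origination policy towards the customer gateway: a static route whose network is one of the
  // VPC's CIDR blocks (exact prefix-length match) is accepted with origin IGP; anything else is
  // rejected.
  String originationPolicyName = vpnId + "_origination";
  RoutingPolicy originationRoutingPolicy =
      new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
  vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
  cgBgpNeighbor.setExportPolicy(originationPolicyName);
  If originationIf = new If();
  List<Statement> statements = originationRoutingPolicy.getStatements();
  statements.add(originationIf);
  statements.add(Statements.ExitReject.toStaticStatement());
  originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
  originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
  RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
  vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
  vpc.getCidrBlockAssociations()
      .forEach(
          prefix -> {
            RouteFilterLine matchOutgoingPrefix =
                new RouteFilterLine(
                    LineAction.ACCEPT,
                    prefix,
                    new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
            originationRouteFilter.addLine(matchOutgoingPrefix);
          });
  Conjunction conj = new Conjunction();
  originationIf.setGuard(conj);
  conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
  conj.getConjuncts()
      .add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
}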
Use of org.batfish.datamodel.IkePolicy in project batfish by batfish.
The class VyosConfiguration, method convertVpns.
/**
 * Converts every vyos ipsec site-to-site peer into a vendor-independent {@link IpsecVpn} plus
 * {@link IkeGateway}, both named after the peer address, and converts the ike-group and
 * esp-group the peer references into an IKE policy and an IPsec policy with one proposal per
 * numbered group entry. Dangling references (external interface, bind-interface, ike-group,
 * esp-group) are red-flagged and that part of the peer is skipped.
 */
private void convertVpns() {
  for (Entry<Ip, IpsecPeer> peerEntry : _ipsecPeers.entrySet()) {
    Ip peerAddress = peerEntry.getKey();
    IpsecPeer peer = peerEntry.getValue();
    String vpnName = peerAddress.toString();

    IpsecVpn vpn = new IpsecVpn(vpnName, _c);
    _c.getIpsecVpns().put(vpnName, vpn);
    IkeGateway gateway = new IkeGateway(vpnName);
    _c.getIkeGateways().put(vpnName, gateway);
    vpn.setIkeGateway(gateway);
    gateway.setLocalId(peer.getAuthenticationId());
    gateway.setRemoteId(peer.getAuthenticationRemoteId());
    gateway.setAddress(peerAddress);

    attachExternalInterfaceForPeer(gateway, peer, vpnName);
    attachBindInterfaceForPeer(vpn, peer, vpnName);
    convertIkeGroupForPeer(gateway, peer, vpnName);
    convertEspGroupForPeer(vpn, peer, vpnName);
  }
}

/** Resolves the peer's local-address to an interface and sets it as the gateway's external one. */
private void attachExternalInterfaceForPeer(IkeGateway gateway, IpsecPeer peer, String vpnName) {
  Ip localAddress = peer.getLocalAddress();
  org.batfish.datamodel.Interface externalInterface = _ipToInterfaceMap.get(localAddress);
  if (externalInterface != null) {
    gateway.setExternalInterface(externalInterface);
    return;
  }
  _w.redFlag(
      "Could not determine external interface for vpn \""
          + vpnName
          + "\" from local-address: "
          + localAddress);
}

/** Binds the VPN to the peer's bind-interface and records the reference on the vyos interface. */
private void attachBindInterfaceForPeer(IpsecVpn vpn, IpsecPeer peer, String vpnName) {
  String bindInterfaceName = peer.getBindInterface();
  org.batfish.datamodel.Interface viBindInterface =
      _c.getDefaultVrf().getInterfaces().get(bindInterfaceName);
  if (viBindInterface == null) {
    _w.redFlag("Reference to undefined bind-interface: \"" + bindInterfaceName + "\"");
    return;
  }
  Interface vendorBindInterface = _interfaces.get(bindInterfaceName);
  vendorBindInterface
      .getReferers()
      .put(peer, "bind interface for site-to-site peer \"" + vpnName + "\"");
  vpn.setBindInterface(viBindInterface);
}

/** Converts the peer's ike-group into an IKE policy (named after the group) on the gateway. */
private void convertIkeGroupForPeer(IkeGateway gateway, IpsecPeer peer, String vpnName) {
  String ikeGroupName = peer.getIkeGroup();
  IkeGroup ikeGroup = _ikeGroups.get(ikeGroupName);
  if (ikeGroup == null) {
    _w.redFlag("Reference to undefined ike-group: \"" + ikeGroupName + "\"");
    return;
  }
  ikeGroup.getReferers().put(peer, "ike group for site-to-site peer: \"" + vpnName + "\"");
  IkePolicy policy = new IkePolicy(ikeGroupName);
  _c.getIkePolicies().put(ikeGroupName, policy);
  gateway.setIkePolicy(policy);
  policy.setPreSharedKeyHash(peer.getAuthenticationPreSharedSecretHash());
  // One vendor-independent proposal per numbered entry, named "<group>:<number>"; the lifetime
  // comes from the group and the authentication method from the peer.
  ikeGroup
      .getProposals()
      .forEach(
          (number, proposal) -> {
            String proposalName = ikeGroupName + ":" + number;
            org.batfish.datamodel.IkeProposal viProposal =
                new org.batfish.datamodel.IkeProposal(proposalName, -1);
            _c.getIkeProposals().put(proposalName, viProposal);
            policy.getProposals().put(proposalName, viProposal);
            viProposal.setDiffieHellmanGroup(proposal.getDhGroup());
            viProposal.setEncryptionAlgorithm(proposal.getEncryptionAlgorithm());
            viProposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
            viProposal.setAuthenticationAlgorithm(
                proposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
            viProposal.setAuthenticationMethod(peer.getAuthenticationMode());
          });
}

/** Converts the peer's esp-group into an IPsec policy (named after the group) on the VPN. */
private void convertEspGroupForPeer(IpsecVpn vpn, IpsecPeer peer, String vpnName) {
  String espGroupName = peer.getEspGroup();
  EspGroup espGroup = _espGroups.get(espGroupName);
  if (espGroup == null) {
    _w.redFlag("Reference to undefined esp-group: \"" + espGroupName + "\"");
    return;
  }
  espGroup
      .getReferers()
      .put(peer, "esp-group for ipsec site-to-site peer: \"" + vpnName + "\"");
  IpsecPolicy policy = new IpsecPolicy(espGroupName);
  _c.getIpsecPolicies().put(espGroupName, policy);
  vpn.setIpsecPolicy(policy);
  // An esp-group without an explicit pfs setting is treated (and recorded on the group) as
  // taking its PFS group from the IKE group.
  if (espGroup.getPfsSource() == null) {
    espGroup.setPfsSource(PfsSource.IKE_GROUP);
  }
  PfsSource pfsSource = espGroup.getPfsSource();
  if (pfsSource == PfsSource.ESP_GROUP) {
    policy.setPfsKeyGroup(espGroup.getPfsDhGroup());
  } else if (pfsSource == PfsSource.IKE_GROUP) {
    policy.setPfsKeyGroupDynamicIke(true);
  } else if (pfsSource != PfsSource.DISABLED) {
    throw new BatfishException("Invalid pfs source");
  }
  // One ESP proposal per numbered entry, named "<group>:<number>"; lifetime from the group.
  espGroup
      .getProposals()
      .forEach(
          (number, proposal) -> {
            String proposalName = espGroupName + ":" + number;
            IpsecProposal viProposal = new IpsecProposal(proposalName, -1);
            _c.getIpsecProposals().put(proposalName, viProposal);
            policy.getProposals().put(proposalName, viProposal);
            viProposal.setAuthenticationAlgorithm(
                proposal.getHashAlgorithm().toIpsecAuthenticationAlgorithm());
            viProposal.setEncryptionAlgorithm(proposal.getEncryptionAlgorithm());
            viProposal.setLifetimeSeconds(espGroup.getLifetimeSeconds());
            viProposal.setProtocol(IpsecProtocol.ESP);
          });
}
Use of org.batfish.datamodel.IkePolicy in project batfish by batfish.
The class IpsecVpnStatusAnswererTest, method createIpsecVpn.
/**
 * Builds a minimal {@link IpsecVpn} test fixture named {@code name}: it is owned by a fresh
 * configuration of format UNKNOWN, its IKE gateway carries an IKE policy with {@code pskHash}
 * and the single {@code ikeProposal}, and its IPsec policy carries the single
 * {@code ipsecProposal}. All nested objects are named {@code name} plus a fixed suffix.
 *
 * @return the assembled VPN
 */
private static IpsecVpn createIpsecVpn(
    String name, IkeProposal ikeProposal, IpsecProposal ipsecProposal, String pskHash) {
  IpsecVpn vpn = new IpsecVpn(name);
  vpn.setOwner(new Configuration(name, ConfigurationFormat.UNKNOWN));

  // IKE side: gateway -> policy -> single proposal
  SortedMap<String, IkeProposal> ikeProposals = new TreeMap<>();
  ikeProposals.put(name + "-ikeproposal", ikeProposal);
  IkePolicy ikePolicy = new IkePolicy(name + "-ikePolicy");
  ikePolicy.setProposals(ikeProposals);
  ikePolicy.setPreSharedKeyHash(pskHash);
  IkeGateway ikeGateway = new IkeGateway(name + "-ikeGw");
  ikeGateway.setIkePolicy(ikePolicy);
  vpn.setIkeGateway(ikeGateway);

  // IPsec side: policy -> single proposal
  SortedMap<String, IpsecProposal> ipsecProposals = new TreeMap<>();
  ipsecProposals.put(name + "-ipsecproposal", ipsecProposal);
  IpsecPolicy ipsecPolicy = new IpsecPolicy(name + "-ipsecpolicy");
  ipsecPolicy.setProposals(ipsecProposals);
  vpn.setIpsecPolicy(ipsecPolicy);

  return vpn;
}
Use of org.batfish.datamodel.IkePolicy in project batfish by batfish.
The class CiscoConfiguration, method addIkePoliciesAndGateways.
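/**
 * Creates a vendor-independent {@link IkePolicy} for every Cisco ISAKMP profile and, when the
 * profile has both a local address and a match identity, an {@link IkeGateway} addressed at the
 * start of the matched remote prefix. Missing or non-matching keyrings, missing addresses and an
 * unresolvable external interface are reported as red flags; the profile is still converted as
 * far as its data allows.
 *
 * @param c the vendor-independent configuration that receives the IKE policies and gateways
 */
private void addIkePoliciesAndGateways(Configuration c) {
  // get IKE gateways and policies from Cisco isakmp profiles and keyrings
  for (Entry<String, IsakmpProfile> e : _isakmpProfiles.entrySet()) {
    String name = e.getKey();
    IsakmpProfile isakmpProfile = e.getValue();
    IkePolicy ikePolicy = new IkePolicy(name);
    c.getIkePolicies().put(name, ikePolicy);
    // Every policy is offered the configuration's whole IKE proposal map. This is the shared map
    // object, not a copy, so proposals added to c afterwards are visible through the policy.
    ikePolicy.setProposals(c.getIkeProposals());

    String keyringName = isakmpProfile.getKeyring();
    Keyring keyring = keyringName == null ? null : _keyrings.get(keyringName);
    if (keyringName == null) {
      _w.redFlag("Cannot get PSK hash since keyring not configured for isakmpProfile " + name);
    } else if (keyring == null) {
      // A keyring name that does not resolve is a dangling reference; report it instead of
      // leaving the policy silently without a pre-shared key.
      _w.redFlag("Reference to undefined keyring " + keyringName + " in isakmpProfile " + name);
    } else if (keyring.match(isakmpProfile.getLocalAddress(), isakmpProfile.getMatchIdentity())) {
      // NOTE(review): keyring.getKey() is stored as the pre-shared key *hash*; confirm the
      // keyring parser stores the hashed/obfuscated form rather than the cleartext key.
      ikePolicy.setPreSharedKeyHash(keyring.getKey());
    } else {
      _w.redFlag("The addresses of keyring " + keyringName + " do not match isakmpProfile " + name);
    }

    Ip localAddress = isakmpProfile.getLocalAddress();
    Prefix remotePrefix = isakmpProfile.getMatchIdentity();
    if (localAddress == null || remotePrefix == null) {
      _w.redFlag(
          "Can't get IkeGateway: Local or remote address is not set for isakmpProfile " + name);
      continue;
    }
    IkeGateway ikeGateway = new IkeGateway(name);
    c.getIkeGateways().put(name, ikeGateway);
    ikeGateway.setAddress(remotePrefix.getStartIp());
    // The external interface is the Cisco interface whose tunnel source/destination match the
    // profile's addresses; it is looked up by name on the converted configuration.
    Interface oldIface = getInterfaceByTunnelAddresses(localAddress, remotePrefix);
    if (oldIface == null) {
      _w.redFlag("External interface not found for ikeGateway for isakmpProfile " + name);
    } else {
      ikeGateway.setExternalInterface(c.getInterfaces().get(oldIface.getName()));
    }
    ikeGateway.setIkePolicy(ikePolicy);
    ikeGateway.setLocalIp(localAddress);
  }
}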