
Example 1 with IkePolicy

use of org.batfish.datamodel.IkePolicy in project batfish by batfish.

the class VpnConnection method applyToVpnGateway.

/**
 * Materializes this AWS VPN connection on the configuration node of its virtual private gateway
 * (VGW). For each IPsec tunnel it creates one IpsecVpn, one IKE policy/proposal, one IPsec
 * policy/proposal, an "external" interface (VGW outside address) and a "vpn" interface (VGW inside
 * address), then adds either BGP sessions (tunnel carries a VGW ASN) or static routes toward the
 * customer gateway (CGW).
 *
 * @param awsConfiguration per-node {@link Configuration}s; the VGW node and (BGP case) the attached
 *     VPC node are looked up here by id
 * @param region used to resolve the VGW's VPC attachments and the VPC's CIDR blocks (BGP case)
 * @param warnings receives a red flag when the VGW node is missing, in which case nothing is done
 * @throws BatfishException if a tunnel has a CGW ASN while the connection also carries static
 *     routes, or (BGP case) if the VGW is attached to other than exactly one VPC
 */
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    // Only the VGW node is validated up front; the VPC-side lookups further down are not.
    if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
        warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
        return;
    }
    Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
    for (int i = 0; i < _ipsecTunnels.size(); i++) {
        // Tunnel-scoped ids are 1-based and prefixed by the connection id ("<conn>-1", "<conn>-2", ...).
        int idNum = i + 1;
        String vpnId = _vpnConnectionId + "-" + idNum;
        IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
        // A CGW ASN marks a BGP tunnel; mixing that with static routing on the same connection is rejected.
        if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
            throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
        }
        // create representation structures and add to configuration node
        // Everything below is keyed by vpnId, so each tunnel gets its own independent set of objects.
        IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
        vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
        IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
        vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
        ipsecVpn.setIpsecPolicy(ipsecPolicy);
        IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
        vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
        ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
        IkeGateway ikeGateway = new IkeGateway(vpnId);
        vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
        ipsecVpn.setIkeGateway(ikeGateway);
        IkePolicy ikePolicy = new IkePolicy(vpnId);
        vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
        ikeGateway.setIkePolicy(ikePolicy);
        IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
        vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
        ikePolicy.getProposals().put(vpnId, ikeProposal);
        // External interface carries the VGW's public (outside) address as a host route.
        String externalInterfaceName = "external" + idNum;
        InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
        Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
        // Tunnel (inside) interface; the IPsec VPN is bound to it below.
        String vpnInterfaceName = "vpn" + idNum;
        InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
        Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
        // Set fields within representation structures
        // ipsec
        ipsecVpn.setBindInterface(vpnInterface);
        ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
        ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
        ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
        ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
        ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
        // ike
        // Peer is the CGW's outside address; our IKE local IP is the external interface's address.
        ikeGateway.setExternalInterface(externalInterface);
        ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
        ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
        // Only pre-shared-key authentication is modeled. Without a PSK hash the proposal is left with
        // no authentication method at all (nothing else in this method sets one).
        if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
            ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
            ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
        }
        ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
        ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
        ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
        ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
        // bgp (if configured)
        // Keyed on the VGW-side ASN, whereas the mixed-routing check above keys on the CGW ASN --
        // presumably both are set together for a BGP tunnel; verify against the tunnel parser.
        if (ipsecTunnel.getVgwBgpAsn() != -1) {
            // Reuse the VGW's BGP process so a second tunnel adds a neighbor instead of resetting it.
            BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
            if (proc == null) {
                proc = new BgpProcess();
                proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
                proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
                vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
            }
            // eBGP session to the customer gateway over the tunnel's inside addresses.
            BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
            cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
            cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
            cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
            cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            cgBgpNeighbor.setSendCommunity(false);
            // NOTE(review): unlike the config-node lookup at the top, this region lookup is not null-checked;
            // a VGW present in the topology but absent from the region would NPE on the next line.
            VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
            List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
            if (attachmentVpcIds.size() != 1) {
                throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
            }
            String vpcId = attachmentVpcIds.get(0);
            // iBGP connection to VPC
            // NOTE(review): vpcNode and the two interface lookups (VPC side keyed by VGW id, VGW side keyed by
            // VPC id) are unchecked; a missing node or interface surfaces as an NPE rather than a red flag.
            Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
            Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
            Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
            BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
            proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
            vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
            vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vgwToVpcBgpNeighbor.setSendCommunity(true);
            // iBGP connection from VPC
            // Unlike the VGW side, the VPC's BGP process is created fresh on every tunnel iteration, so any
            // process already on the VPC node is replaced. For the tunnels of this connection the result is
            // the same (identical neighbor keys and policy names), but a process set up by another caller
            // would be lost -- TODO confirm nothing else configures BGP on the VPC node.
            BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
            BgpProcess vpcProc = new BgpProcess();
            vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
            vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
            vpcProc.setRouterId(vpcIfaceAddress);
            vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
            vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
            vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vpcToVgwBgpNeighbor.setSendCommunity(true);
            // VGW -> VPC export: routes matching RoutingProtocol.BGP are re-advertised with next-hop-self,
            // everything else is rejected. NOTE(review): whether this excludes iBGP-learned routes, as the
            // policy name "EBGP" suggests, depends on how RoutingProtocol distinguishes the two.
            String rpRejectAllName = "~REJECT_ALL~";
            String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
            If acceptIffEbgp = new If();
            acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
            acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
            RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
            vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
            vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
            // VGW imports nothing from the VPC (policy with no statements = reject).
            RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
            vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
            // VPC side mirrors it: accept everything from the VGW, export nothing back.
            String rpAcceptAllName = "~ACCEPT_ALL~";
            RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
            vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
            RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
            vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
            // Origination toward the CGW: advertise only STATIC routes whose prefix exactly equals one of the
            // VPC's CIDR blocks (exact-length SubRange), tagged with IGP origin; everything else is rejected.
            Vpc vpc = region.getVpcs().get(vpcId);
            String originationPolicyName = vpnId + "_origination";
            RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
            cgBgpNeighbor.setExportPolicy(originationPolicyName);
            If originationIf = new If();
            List<Statement> statements = originationRoutingPolicy.getStatements();
            statements.add(originationIf);
            statements.add(Statements.ExitReject.toStaticStatement());
            originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
            originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
            // The route filter list shares the policy's name and is referenced by it via NamedPrefixSet.
            RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
            vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
            vpc.getCidrBlockAssociations().forEach(prefix -> {
                RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
                originationRouteFilter.addLine(matchOutgoingPrefix);
            });
            Conjunction conj = new Conjunction();
            originationIf.setGuard(conj);
            conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
            conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
        }
        // static routes (if configured)
        // Each configured prefix is routed to the CGW's inside (tunnel) address with default static AD/metric.
        for (Prefix staticRoutePrefix : _routes) {
            StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
            vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
        }
    }
}

Example 2 with IkePolicy

use of org.batfish.datamodel.IkePolicy in project batfish by batfish.

the class VyosConfiguration method convertVpns.

/**
 * Converts every VyOS IPsec site-to-site peer in {@code _ipsecPeers} into vendor-independent
 * structures on {@code _c}: one IpsecVpn and IkeGateway per peer (both named after the peer
 * address), an IkePolicy for the peer's ike-group and an IpsecPolicy for its esp-group, each with
 * one proposal per group entry. Dangling references (external interface, bind-interface, ike-group,
 * esp-group) are reported through {@code _w} and that part of the peer is skipped.
 *
 * @throws BatfishException if an esp-group carries an unrecognized PFS source
 */
private void convertVpns() {
    for (Entry<Ip, IpsecPeer> ipsecPeerEntry : _ipsecPeers.entrySet()) {
        // create ipsecvpn and ikegateway to correspond roughly to vyos ipsec
        // site-to-site peer
        Ip peerAddress = ipsecPeerEntry.getKey();
        IpsecPeer ipsecPeer = ipsecPeerEntry.getValue();
        // Both objects are keyed by the peer address, so each peer gets exactly one of each.
        String newIpsecVpnName = peerAddress.toString();
        String newIkeGatewayName = newIpsecVpnName;
        IpsecVpn newIpsecVpn = new IpsecVpn(newIpsecVpnName, _c);
        _c.getIpsecVpns().put(newIpsecVpnName, newIpsecVpn);
        IkeGateway newIkeGateway = new IkeGateway(newIkeGatewayName);
        _c.getIkeGateways().put(newIkeGatewayName, newIkeGateway);
        newIpsecVpn.setIkeGateway(newIkeGateway);
        // IKE identities come straight from the peer's authentication id / remote-id settings.
        newIkeGateway.setLocalId(ipsecPeer.getAuthenticationId());
        newIkeGateway.setRemoteId(ipsecPeer.getAuthenticationRemoteId());
        newIkeGateway.setAddress(peerAddress);
        // The external interface is resolved by the peer's local-address; unresolvable is a red flag only.
        Ip localAddress = ipsecPeer.getLocalAddress();
        org.batfish.datamodel.Interface externalInterface = _ipToInterfaceMap.get(localAddress);
        if (externalInterface == null) {
            _w.redFlag("Could not determine external interface for vpn \"" + newIpsecVpnName + "\" from local-address: " + localAddress);
        } else {
            newIkeGateway.setExternalInterface(externalInterface);
        }
        // bind interface
        String bindInterfaceName = ipsecPeer.getBindInterface();
        org.batfish.datamodel.Interface newBindInterface = _c.getDefaultVrf().getInterfaces().get(bindInterfaceName);
        if (newBindInterface != null) {
            // NOTE(review): the vendor-side lookup is not null-checked; this assumes _interfaces and the
            // converted default-VRF interfaces are kept in sync -- verify against the interface conversion.
            Interface bindInterface = _interfaces.get(bindInterfaceName);
            bindInterface.getReferers().put(ipsecPeer, "bind interface for site-to-site peer \"" + newIpsecVpnName + "\"");
            newIpsecVpn.setBindInterface(newBindInterface);
        } else {
            _w.redFlag("Reference to undefined bind-interface: \"" + bindInterfaceName + "\"");
        }
        // convert the referenced ike group
        String ikeGroupName = ipsecPeer.getIkeGroup();
        IkeGroup ikeGroup = _ikeGroups.get(ikeGroupName);
        if (ikeGroup == null) {
            _w.redFlag("Reference to undefined ike-group: \"" + ikeGroupName + "\"");
        } else {
            ikeGroup.getReferers().put(ipsecPeer, "ike group for site-to-site peer: \"" + newIpsecVpnName + "\"");
            // NOTE(review): the IkePolicy is keyed by the shared ike-group name but carries THIS peer's
            // pre-shared secret hash. Peers sharing an ike-group each get their own IkePolicy object on
            // their gateway, but _c.getIkePolicies() retains only the last one written under that name.
            IkePolicy newIkePolicy = new IkePolicy(ikeGroupName);
            _c.getIkePolicies().put(ikeGroupName, newIkePolicy);
            newIkeGateway.setIkePolicy(newIkePolicy);
            newIkePolicy.setPreSharedKeyHash(ipsecPeer.getAuthenticationPreSharedSecretHash());
            // convert contained ike proposals
            for (Entry<Integer, IkeProposal> ikeProposalEntry : ikeGroup.getProposals().entrySet()) {
                // Proposal names are "<ike-group>:<proposal-number>".
                String newIkeProposalName = ikeGroupName + ":" + Integer.toString(ikeProposalEntry.getKey());
                IkeProposal ikeProposal = ikeProposalEntry.getValue();
                org.batfish.datamodel.IkeProposal newIkeProposal = new org.batfish.datamodel.IkeProposal(newIkeProposalName, -1);
                _c.getIkeProposals().put(newIkeProposalName, newIkeProposal);
                newIkePolicy.getProposals().put(newIkeProposalName, newIkeProposal);
                newIkeProposal.setDiffieHellmanGroup(ikeProposal.getDhGroup());
                newIkeProposal.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
                // Lifetime is a group-level setting; the authentication method is a peer-level one.
                newIkeProposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
                newIkeProposal.setAuthenticationAlgorithm(ikeProposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
                newIkeProposal.setAuthenticationMethod(ipsecPeer.getAuthenticationMode());
            }
        }
        // convert the referenced esp group
        String espGroupName = ipsecPeer.getEspGroup();
        EspGroup espGroup = _espGroups.get(espGroupName);
        if (espGroup == null) {
            _w.redFlag("Reference to undefined esp-group: \"" + espGroupName + "\"");
        } else {
            espGroup.getReferers().put(ipsecPeer, "esp-group for ipsec site-to-site peer: \"" + newIpsecVpnName + "\"");
            // Same keying caveat as the IkePolicy above: one entry per esp-group name, last peer wins.
            IpsecPolicy newIpsecPolicy = new IpsecPolicy(espGroupName);
            _c.getIpsecPolicies().put(espGroupName, newIpsecPolicy);
            newIpsecVpn.setIpsecPolicy(newIpsecPolicy);
            // An unset PFS source defaults to "inherit from ike-group"; note this mutates the vendor object.
            if (espGroup.getPfsSource() == null) {
                espGroup.setPfsSource(PfsSource.IKE_GROUP);
            }
            switch(espGroup.getPfsSource()) {
                case DISABLED:
                    break;
                case ESP_GROUP:
                    newIpsecPolicy.setPfsKeyGroup(espGroup.getPfsDhGroup());
                    break;
                case IKE_GROUP:
                    newIpsecPolicy.setPfsKeyGroupDynamicIke(true);
                    break;
                default:
                    throw new BatfishException("Invalid pfs source");
            }
            // convert contained esp proposals
            for (Entry<Integer, EspProposal> espProposalEntry : espGroup.getProposals().entrySet()) {
                // Proposal names are "<esp-group>:<proposal-number>".
                String newIpsecProposalName = espGroupName + ":" + Integer.toString(espProposalEntry.getKey());
                EspProposal espProposal = espProposalEntry.getValue();
                IpsecProposal newIpsecProposal = new IpsecProposal(newIpsecProposalName, -1);
                _c.getIpsecProposals().put(newIpsecProposalName, newIpsecProposal);
                newIpsecPolicy.getProposals().put(newIpsecProposalName, newIpsecProposal);
                newIpsecProposal.setAuthenticationAlgorithm(espProposal.getHashAlgorithm().toIpsecAuthenticationAlgorithm());
                newIpsecProposal.setEncryptionAlgorithm(espProposal.getEncryptionAlgorithm());
                newIpsecProposal.setLifetimeSeconds(espGroup.getLifetimeSeconds());
                // ESP is the only IPsec protocol produced by this conversion.
                newIpsecProposal.setProtocol(IpsecProtocol.ESP);
            }
        }
    }
}

Example 3 with IkePolicy

use of org.batfish.datamodel.IkePolicy in project batfish by batfish.

the class IpsecVpnStatusAnswererTest method createIpsecVpn.

/**
 * Builds a minimal {@link IpsecVpn} fixture for the status-answerer tests: an IKE gateway holding one
 * IKE policy (a single proposal plus a pre-shared key hash) and one IPsec policy (a single proposal).
 *
 * @param name base name; the derived objects are named {@code name + "-ikeGw"}, {@code "-ikePolicy"},
 *     {@code "-ikeproposal"}, {@code "-ipsecpolicy"} and {@code "-ipsecproposal"}
 * @param ikeProposal the sole proposal attached to the IKE policy
 * @param ipsecProposal the sole proposal attached to the IPsec policy
 * @param pskHash stored unchanged as the IKE policy's pre-shared key hash
 * @return the assembled VPN, owned by a fresh {@link Configuration} of format UNKNOWN
 */
private static IpsecVpn createIpsecVpn(String name, IkeProposal ikeProposal, IpsecProposal ipsecProposal, String pskHash) {
    Configuration owner = new Configuration(name, ConfigurationFormat.UNKNOWN);
    // IKE side: gateway -> policy -> single proposal, plus the PSK hash on the policy.
    SortedMap<String, IkeProposal> ikeProposals = new TreeMap<>();
    ikeProposals.put(name + "-ikeproposal", ikeProposal);
    IkePolicy ikePolicy = new IkePolicy(name + "-ikePolicy");
    ikePolicy.setProposals(ikeProposals);
    ikePolicy.setPreSharedKeyHash(pskHash);
    IkeGateway gateway = new IkeGateway(name + "-ikeGw");
    gateway.setIkePolicy(ikePolicy);
    // IPsec side: policy -> single proposal.
    SortedMap<String, IpsecProposal> ipsecProposals = new TreeMap<>();
    ipsecProposals.put(name + "-ipsecproposal", ipsecProposal);
    IpsecPolicy ipsecPolicy = new IpsecPolicy(name + "-ipsecpolicy");
    ipsecPolicy.setProposals(ipsecProposals);
    // Wire everything onto the VPN.
    IpsecVpn vpn = new IpsecVpn(name);
    vpn.setOwner(owner);
    vpn.setIkeGateway(gateway);
    vpn.setIpsecPolicy(ipsecPolicy);
    return vpn;
}

Example 4 with IkePolicy

use of org.batfish.datamodel.IkePolicy in project batfish by batfish.

the class CiscoConfiguration method addIkePoliciesAndGateways.

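/**
 * Derives vendor-independent IKE policies and gateways from the parsed Cisco ISAKMP profiles and
 * keyrings and registers them on {@code c}, one IkePolicy per profile (named after the profile) and
 * one IkeGateway per profile that has both a local address and a match-identity.
 *
 * <p>Problems that prevent a complete conversion (no keyring, a keyring reference that does not
 * resolve, keyring addresses that do not match the profile, missing local/remote address, external
 * interface not found) are reported through {@code _w} rather than thrown.
 *
 * @param c the configuration receiving the IKE policies and gateways
 */
private void addIkePoliciesAndGateways(Configuration c) {
    // get IKE gateways and policies from Cisco isakmp profiles and keyrings
    for (Entry<String, IsakmpProfile> e : _isakmpProfiles.entrySet()) {
        String name = e.getKey();
        IsakmpProfile isakmpProfile = e.getValue();
        Ip localAddress = isakmpProfile.getLocalAddress();
        Prefix remotePrefix = isakmpProfile.getMatchIdentity();
        IkePolicy ikePolicy = new IkePolicy(name);
        c.getIkePolicies().put(name, ikePolicy);
        // Every policy shares the configuration's full IKE proposal map by reference (not a copy), so
        // all ISAKMP profiles see the same proposals and later additions to c's map propagate.
        ikePolicy.setProposals(c.getIkeProposals());
        String keyringName = isakmpProfile.getKeyring();
        if (keyringName == null) {
            _w.redFlag("Cannot get PSK hash since keyring not configured for isakmpProfile " + name);
        } else if (!_keyrings.containsKey(keyringName)) {
            // A profile naming a keyring that was never defined used to fall through silently, leaving the
            // policy without any PSK and no warning; surface it like the other unresolved references.
            _w.redFlag("Reference to undefined keyring \"" + keyringName + "\" for isakmpProfile " + name);
        } else {
            Keyring keyring = _keyrings.get(keyringName);
            // The keyring only applies if its addresses cover this profile's local address and match-identity.
            if (keyring.match(localAddress, remotePrefix)) {
                // NOTE(review): whether Keyring.getKey() is a hash or the configured secret is not visible
                // here; the setter name suggests a hash -- confirm against the keyring parser.
                ikePolicy.setPreSharedKeyHash(keyring.getKey());
            } else {
                _w.redFlag("The addresses of keyring " + keyringName + " do not match isakmpProfile " + name);
            }
        }
        if (localAddress == null || remotePrefix == null) {
            _w.redFlag("Can't get IkeGateway: Local or remote address is not set for isakmpProfile " + name);
        } else {
            IkeGateway ikeGateway = new IkeGateway(name);
            c.getIkeGateways().put(name, ikeGateway);
            // The peer address is the first address of the match-identity prefix.
            ikeGateway.setAddress(remotePrefix.getStartIp());
            Interface oldIface = getInterfaceByTunnelAddresses(localAddress, remotePrefix);
            if (oldIface != null) {
                ikeGateway.setExternalInterface(c.getInterfaces().get(oldIface.getName()));
            } else {
                _w.redFlag("External interface not found for ikeGateway for isakmpProfile " + name);
            }
            ikeGateway.setIkePolicy(ikePolicy);
            ikeGateway.setLocalIp(localAddress);
        }
    }
}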
