Search in sources :

Example 1 with IpsecVpn

use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.

the class CommonUtil method initRemoteIpsecVpns.

public static void initRemoteIpsecVpns(Map<String, Configuration> configurations) {
    Map<IpsecVpn, Ip> vpnRemoteIps = new IdentityHashMap<>();
    Map<Ip, Set<IpsecVpn>> externalIpVpnMap = new HashMap<>();
    SetMultimap<Ip, IpWildcardSetIpSpace> privateIpsByPublicIp = initPrivateIpsByPublicIp(configurations);
    for (Configuration c : configurations.values()) {
        for (IpsecVpn ipsecVpn : c.getIpsecVpns().values()) {
            Ip remoteIp = ipsecVpn.getIkeGateway().getAddress();
            vpnRemoteIps.put(ipsecVpn, remoteIp);
            Set<InterfaceAddress> externalAddresses = ipsecVpn.getIkeGateway().getExternalInterface().getAllAddresses();
            for (InterfaceAddress address : externalAddresses) {
                Ip ip = address.getIp();
                Set<IpsecVpn> vpnsUsingExternalAddress = externalIpVpnMap.computeIfAbsent(ip, k -> Sets.newIdentityHashSet());
                vpnsUsingExternalAddress.add(ipsecVpn);
            }
        }
    }
    for (Entry<IpsecVpn, Ip> e : vpnRemoteIps.entrySet()) {
        IpsecVpn ipsecVpn = e.getKey();
        Ip remoteIp = e.getValue();
        Ip localIp = ipsecVpn.getIkeGateway().getLocalIp();
        ipsecVpn.initCandidateRemoteVpns();
        Set<IpsecVpn> remoteIpsecVpnCandidates = externalIpVpnMap.get(remoteIp);
        if (remoteIpsecVpnCandidates != null) {
            for (IpsecVpn remoteIpsecVpnCandidate : remoteIpsecVpnCandidates) {
                Ip remoteIpsecVpnLocalAddress = remoteIpsecVpnCandidate.getIkeGateway().getLocalIp();
                if (remoteIpsecVpnLocalAddress != null && !remoteIpsecVpnLocalAddress.equals(remoteIp)) {
                    continue;
                }
                Ip reciprocalRemoteAddress = vpnRemoteIps.get(remoteIpsecVpnCandidate);
                Set<IpsecVpn> reciprocalVpns = externalIpVpnMap.get(reciprocalRemoteAddress);
                if (reciprocalVpns == null) {
                    Set<IpWildcardSetIpSpace> privateIpsBehindReciprocalRemoteAddress = privateIpsByPublicIp.get(reciprocalRemoteAddress);
                    if (privateIpsBehindReciprocalRemoteAddress != null && privateIpsBehindReciprocalRemoteAddress.stream().anyMatch(ipSpace -> ipSpace.containsIp(localIp))) {
                        reciprocalVpns = externalIpVpnMap.get(localIp);
                        ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
                        ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
                        remoteIpsecVpnCandidate.initCandidateRemoteVpns();
                        remoteIpsecVpnCandidate.setRemoteIpsecVpn(ipsecVpn);
                        remoteIpsecVpnCandidate.getCandidateRemoteIpsecVpns().add(ipsecVpn);
                    }
                } else if (reciprocalVpns.contains(ipsecVpn)) {
                    ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
                    ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
                }
            }
        }
    }
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) SSLEngineConfigurator(org.glassfish.grizzly.ssl.SSLEngineConfigurator) SSLContext(javax.net.ssl.SSLContext) FileTime(java.nio.file.attribute.FileTime) StringUtils(org.apache.commons.lang3.StringUtils) Configurations(org.apache.commons.configuration2.builder.fluent.Configurations) Interface(org.batfish.datamodel.Interface) DirectoryStream(java.nio.file.DirectoryStream) BfConsts(org.batfish.common.BfConsts) Flow(org.batfish.datamodel.Flow) Topology(org.batfish.datamodel.Topology) Map(java.util.Map) ResourceConfig(org.glassfish.jersey.server.ResourceConfig) Pair(org.batfish.common.Pair) Path(java.nio.file.Path) DataPlane(org.batfish.datamodel.DataPlane) VrrpGroup(org.batfish.datamodel.VrrpGroup) ClientTracingFeature(io.opentracing.contrib.jaxrs2.client.ClientTracingFeature) Set(java.util.Set) FileAttribute(java.nio.file.attribute.FileAttribute) StandardCharsets(java.nio.charset.StandardCharsets) DirectoryIteratorException(java.nio.file.DirectoryIteratorException) IOUtils(org.apache.commons.io.IOUtils) Stream(java.util.stream.Stream) Supplier(java.util.function.Supplier) TreeSet(java.util.TreeSet) JSONAssert(org.skyscreamer.jsonassert.JSONAssert) MustBeClosed(com.google.errorprone.annotations.MustBeClosed) SSLSession(javax.net.ssl.SSLSession) FlowProcessor(org.batfish.common.plugin.FlowProcessor) BiConsumer(java.util.function.BiConsumer) SSLContextConfigurator(org.glassfish.grizzly.ssl.SSLContextConfigurator) ImmutableSortedMap(com.google.common.collect.ImmutableSortedMap) Nullable(javax.annotation.Nullable) Files(java.nio.file.Files) Route(org.batfish.datamodel.Route) FileOutputStream(java.io.FileOutputStream) IOException(java.io.IOException) FileUtils(org.apache.commons.io.FileUtils) KeyManager(javax.net.ssl.KeyManager) TreeMap(java.util.TreeMap) Paths(java.nio.file.Paths) X509TrustManager(javax.net.ssl.X509TrustManager) BufferedReader(java.io.BufferedReader) X509Certificate(java.security.cert.X509Certificate) IpsecVpn(org.batfish.datamodel.IpsecVpn) NoSuchFileException(java.nio.file.NoSuchFileException) IpProtocol(org.batfish.datamodel.IpProtocol) SortedSet(java.util.SortedSet) URL(java.net.URL) TrustManager(javax.net.ssl.TrustManager) FlowTrace(org.batfish.datamodel.FlowTrace) InterfaceAddress(org.batfish.datamodel.InterfaceAddress) OspfNeighbor(org.batfish.datamodel.OspfNeighbor) Edge(org.batfish.datamodel.Edge) IpWildcardSetIpSpace(org.batfish.datamodel.IpWildcardSetIpSpace) OspfProcess(org.batfish.datamodel.OspfProcess) URI(java.net.URI) HostnameVerifier(javax.net.ssl.HostnameVerifier) NamedPort(org.batfish.datamodel.NamedPort) Vrf(org.batfish.datamodel.Vrf) OspfArea(org.batfish.datamodel.OspfArea) ImmutableSetMultimap(com.google.common.collect.ImmutableSetMultimap) ImmutableSet(com.google.common.collect.ImmutableSet) IdentityHashMap(java.util.IdentityHashMap) PatternSyntaxException(java.util.regex.PatternSyntaxException) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) ImmutableMap(com.google.common.collect.ImmutableMap) Predicate(java.util.function.Predicate) Collection(java.util.Collection) FlowDisposition(org.batfish.datamodel.FlowDisposition) KeyStore(java.security.KeyStore) Collectors(java.util.stream.Collectors) Sets(com.google.common.collect.Sets) FileNotFoundException(java.io.FileNotFoundException) List(java.util.List) Entry(java.util.Map.Entry) Pattern(java.util.regex.Pattern) BgpNeighbor(org.batfish.datamodel.BgpNeighbor) SortedMap(java.util.SortedMap) IpWildcard(org.batfish.datamodel.IpWildcard) Ip(org.batfish.datamodel.Ip) NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair) Hashing(com.google.common.hash.Hashing) HashMap(java.util.HashMap) BatfishException(org.batfish.common.BatfishException) BgpProcess(org.batfish.datamodel.BgpProcess) Function(java.util.function.Function) HashSet(java.util.HashSet) ClientBuilder(javax.ws.rs.client.ClientBuilder) Configuration(org.batfish.datamodel.Configuration) OutputStreamWriter(java.io.OutputStreamWriter) OutputStream(java.io.OutputStream) IpLink(org.batfish.datamodel.IpLink) Iterator(java.util.Iterator) MalformedURLException(java.net.MalformedURLException) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) GlobalTracer(io.opentracing.util.GlobalTracer) FileInputStream(java.io.FileInputStream) SetMultimap(com.google.common.collect.SetMultimap) Consumer(java.util.function.Consumer) GrizzlyHttpServerFactory(org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Collections(java.util.Collections) InputStream(java.io.InputStream) Prefix(org.batfish.datamodel.Prefix) Set(java.util.Set) TreeSet(java.util.TreeSet) SortedSet(java.util.SortedSet) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) Configuration(org.batfish.datamodel.Configuration) IdentityHashMap(java.util.IdentityHashMap) HashMap(java.util.HashMap) InterfaceAddress(org.batfish.datamodel.InterfaceAddress) Ip(org.batfish.datamodel.Ip) IdentityHashMap(java.util.IdentityHashMap) IpWildcardSetIpSpace(org.batfish.datamodel.IpWildcardSetIpSpace)

Example 2 with IpsecVpn

use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.

the class Batfish method disableUnusableVpnInterfaces.

private void disableUnusableVpnInterfaces(Map<String, Configuration> configurations) {
    CommonUtil.initRemoteIpsecVpns(configurations);
    for (Configuration c : configurations.values()) {
        for (IpsecVpn vpn : c.getIpsecVpns().values()) {
            IpsecVpn remoteVpn = vpn.getRemoteIpsecVpn();
            if (remoteVpn == null || !vpn.compatibleIkeProposals(remoteVpn) || !vpn.compatibleIpsecProposals(remoteVpn) || !vpn.compatiblePreSharedKey(remoteVpn)) {
                String hostname = c.getHostname();
                Interface bindInterface = vpn.getBindInterface();
                if (bindInterface != null) {
                    bindInterface.setActive(false);
                    bindInterface.setBlacklisted(true);
                    String bindInterfaceName = bindInterface.getName();
                    _logger.warnf("WARNING: Disabling unusable vpn interface because we cannot determine remote " + "endpoint: \"%s:%s\"\n", hostname, bindInterfaceName);
                }
            }
        }
    }
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) HostConfiguration(org.batfish.representation.host.HostConfiguration) Configuration(org.batfish.datamodel.Configuration) ImmutableConfiguration(org.apache.commons.configuration2.ImmutableConfiguration) AwsConfiguration(org.batfish.representation.aws.AwsConfiguration) IptablesVendorConfiguration(org.batfish.representation.iptables.IptablesVendorConfiguration) VendorConfiguration(org.batfish.vendor.VendorConfiguration) Interface(org.batfish.datamodel.Interface)

Example 3 with IpsecVpn

use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.

the class CiscoConfiguration method toVendorIndependentConfiguration.

@Override
public Configuration toVendorIndependentConfiguration() {
    final Configuration c = new Configuration(_hostname, _vendor);
    c.getVendorFamily().setCisco(_cf);
    c.setRoles(_roles);
    c.setDefaultInboundAction(LineAction.ACCEPT);
    c.setDefaultCrossZoneAction(LineAction.ACCEPT);
    c.setDnsServers(_dnsServers);
    c.setDnsSourceInterface(_dnsSourceInterface);
    c.setDomainName(_domainName);
    c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
    c.setTacacsServers(_tacacsServers);
    c.setTacacsSourceInterface(_tacacsSourceInterface);
    c.setNtpSourceInterface(_ntpSourceInterface);
    if (_cf.getNtp() != null) {
        c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
    }
    if (_cf.getLogging() != null) {
        c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
        c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
    }
    c.setSnmpSourceInterface(_snmpSourceInterface);
    processLines();
    processFailoverSettings();
    // remove line login authentication lists if they don't exist
    for (Line line : _cf.getLines().values()) {
        String list = line.getLoginAuthentication();
        boolean found = false;
        Aaa aaa = _cf.getAaa();
        if (aaa != null) {
            AaaAuthentication authentication = aaa.getAuthentication();
            if (authentication != null) {
                AaaAuthenticationLogin login = authentication.getLogin();
                if (login != null && login.getLists().containsKey(list)) {
                    found = true;
                }
            }
        }
        if (!found) {
            line.setLoginAuthentication(null);
        }
    }
    // initialize vrfs
    for (String vrfName : _vrfs.keySet()) {
        c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
    }
    // snmp server
    if (_snmpServer != null) {
        String snmpServerVrf = _snmpServer.getVrf();
        c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
    }
    // convert as path access lists to vendor independent format
    for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
        AsPathAccessList apList = toAsPathAccessList(pathList);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert as-path-sets to vendor independent format
    for (AsPathSet asPathSet : _asPathSets.values()) {
        AsPathAccessList apList = toAsPathAccessList(asPathSet);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert standard/expanded community lists to community lists
    for (StandardCommunityList scList : _standardCommunityLists.values()) {
        ExpandedCommunityList ecList = scList.toExpandedCommunityList();
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    // convert prefix lists to route filter lists
    for (PrefixList prefixList : _prefixLists.values()) {
        RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
        c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert ipv6 prefix lists to route6 filter lists
    for (Prefix6List prefixList : _prefix6Lists.values()) {
        Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
        c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert standard/extended access lists to access lists or route filter
    // lists
    List<ExtendedAccessList> allACLs = new ArrayList<>();
    for (StandardAccessList saList : _standardAccessLists.values()) {
        ExtendedAccessList eaList = saList.toExtendedAccessList();
        allACLs.add(eaList);
    }
    allACLs.addAll(_extendedAccessLists.values());
    for (ExtendedAccessList eaList : allACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardAccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            RouteFilterList rfList = toRouteFilterList(eaList);
            c.getRouteFilterLists().put(rfList.getName(), rfList);
        }
        IpAccessList ipaList = toIpAccessList(eaList);
        c.getIpAccessLists().put(ipaList.getName(), ipaList);
    }
    // convert standard/extended ipv6 access lists to ipv6 access lists or
    // route6 filter
    // lists
    List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
    for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
        ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
        allIpv6ACLs.add(eaList);
    }
    allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
    for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardIpv6AccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            Route6FilterList rfList = toRoute6FilterList(eaList);
            c.getRoute6FilterLists().put(rfList.getName(), rfList);
        }
        Ip6AccessList ipaList = toIp6AccessList(eaList);
        c.getIp6AccessLists().put(ipaList.getName(), ipaList);
    }
    // convert route maps to policy maps
    Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
    for (RouteMap map : _routeMaps.values()) {
        convertForPurpose(routingRouteMaps, map);
        // convert route maps to RoutingPolicy objects
        RoutingPolicy newPolicy = toRoutingPolicy(c, map);
        c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
    }
    // convert RoutePolicy to RoutingPolicy
    for (RoutePolicy routePolicy : _routePolicies.values()) {
        RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
        c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
    }
    // convert interfaces
    _interfaces.forEach((ifaceName, iface) -> {
        org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
        String vrfName = iface.getVrf();
        if (vrfName == null) {
            throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
        }
        c.getInterfaces().put(ifaceName, newInterface);
        c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
    });
    // apply vrrp settings to interfaces
    applyVrrp(c);
    // get IKE proposals
    for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
        c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
    }
    addIkePoliciesAndGateways(c);
    // ipsec proposals
    for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
        c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
    }
    // ipsec policies
    for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
        String name = e.getKey();
        IpsecProfile profile = e.getValue();
        IpsecPolicy policy = new IpsecPolicy(name);
        policy.setPfsKeyGroup(profile.getPfsGroup());
        String transformSetName = profile.getTransformSet();
        if (c.getIpsecProposals().containsKey(transformSetName)) {
            policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
        }
        c.getIpsecPolicies().put(name, policy);
    }
    // ipsec vpns
    for (Entry<String, Interface> e : _interfaces.entrySet()) {
        String name = e.getKey();
        Interface iface = e.getValue();
        Tunnel tunnel = iface.getTunnel();
        if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
            IpsecVpn ipsecVpn = new IpsecVpn(name, c);
            ipsecVpn.setBindInterface(c.getInterfaces().get(name));
            ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
            Ip source = tunnel.getSource();
            Ip destination = tunnel.getDestination();
            if (source == null || destination == null) {
                _w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
            } else {
                for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
                    if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
                        ipsecVpn.setIkeGateway(ikeGateway);
                    }
                }
                if (ipsecVpn.getIkeGateway() == null) {
                    _w.redFlag("Can't find matching IkeGateway for " + name);
                }
            }
            c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
        }
    }
    // convert routing processes
    _vrfs.forEach((vrfName, vrf) -> {
        org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
        // add snmp trap servers to main list
        if (newVrf.getSnmpServer() != null) {
            c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
        }
        // convert static routes
        for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
            newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
        }
        // convert rip process
        RipProcess ripProcess = vrf.getRipProcess();
        if (ripProcess != null) {
            org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
            newVrf.setRipProcess(newRipProcess);
        }
        // convert ospf process
        OspfProcess ospfProcess = vrf.getOspfProcess();
        if (ospfProcess != null) {
            org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
            newVrf.setOspfProcess(newOspfProcess);
        }
        // convert isis process
        IsisProcess isisProcess = vrf.getIsisProcess();
        if (isisProcess != null) {
            org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
            newVrf.setIsisProcess(newIsisProcess);
        }
        // convert bgp process
        BgpProcess bgpProcess = vrf.getBgpProcess();
        if (bgpProcess != null) {
            org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
            c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
        }
    });
    // warn about references to undefined peer groups
    for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
        String name = e.getKey();
        int line = e.getValue();
        undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
    }
    // mark references to IPv4/6 ACLs that may not appear in data model
    markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
    markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
    markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
    markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
    markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
    markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
    markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
    markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
    markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
    markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
    markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
    markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
    markAcls(CiscoStructureUsage.SSH_ACL);
    markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
    markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
    markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
    markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
    markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
    // mark references to mac-ACLs that may not appear in data model
    // TODO: fill in
    // mark references to route-maps that may not appear in data model
    markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
    markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
    markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
    markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
    // Cable
    markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
    markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
    markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
    markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
    markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
    markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
    // L2tp
    markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
    // Vpn
    markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
    markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
    markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
    // warn about unreferenced data structures
    warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
    warnUnusedCommunityLists();
    warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
    warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
    warnUnusedDocsisPolicies();
    warnUnusedDocsisPolicyRules();
    warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
    warnUnusedIpAccessLists();
    warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
    warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
    warnUnusedIpv6AccessLists();
    warnUnusedKeyrings();
    warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
    warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
    warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
    warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
    warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
    warnUnusedPeerGroups();
    warnUnusedPeerSessions();
    warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
    warnUnusedServiceClasses();
    c.simplifyRoutingPolicies();
    c.computeRoutingPolicySources(_w);
    return c;
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) AaaAuthentication(org.batfish.datamodel.vendor_family.cisco.AaaAuthentication) VendorConfiguration(org.batfish.vendor.VendorConfiguration) Configuration(org.batfish.datamodel.Configuration) ArrayList(java.util.ArrayList) Aaa(org.batfish.datamodel.vendor_family.cisco.Aaa) BatfishException(org.batfish.common.BatfishException) AsPathAccessList(org.batfish.datamodel.AsPathAccessList) CommunityList(org.batfish.datamodel.CommunityList) CommunityListLine(org.batfish.datamodel.CommunityListLine) Ip6AccessListLine(org.batfish.datamodel.Ip6AccessListLine) Route6FilterLine(org.batfish.datamodel.Route6FilterLine) Line(org.batfish.datamodel.vendor_family.cisco.Line) RouteFilterLine(org.batfish.datamodel.RouteFilterLine) AsPathAccessListLine(org.batfish.datamodel.AsPathAccessListLine) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) IpsecPolicy(org.batfish.datamodel.IpsecPolicy) IkeGateway(org.batfish.datamodel.IkeGateway) IpAccessList(org.batfish.datamodel.IpAccessList) Ip(org.batfish.datamodel.Ip) SubRange(org.batfish.datamodel.SubRange) Ip6AccessList(org.batfish.datamodel.Ip6AccessList) RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy) Route6FilterList(org.batfish.datamodel.Route6FilterList) BigInteger(java.math.BigInteger) RouteFilterList(org.batfish.datamodel.RouteFilterList) AaaAuthenticationLogin(org.batfish.datamodel.vendor_family.cisco.AaaAuthenticationLogin)

Example 4 with IpsecVpn

use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.

the class VpnConnection method applyToVpnGateway.

public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
        warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
        return;
    }
    Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
    for (int i = 0; i < _ipsecTunnels.size(); i++) {
        int idNum = i + 1;
        String vpnId = _vpnConnectionId + "-" + idNum;
        IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
        if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
            throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
        }
        // create representation structures and add to configuration node
        IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
        vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
        IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
        vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
        ipsecVpn.setIpsecPolicy(ipsecPolicy);
        IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
        vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
        ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
        IkeGateway ikeGateway = new IkeGateway(vpnId);
        vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
        ipsecVpn.setIkeGateway(ikeGateway);
        IkePolicy ikePolicy = new IkePolicy(vpnId);
        vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
        ikeGateway.setIkePolicy(ikePolicy);
        IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
        vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
        ikePolicy.getProposals().put(vpnId, ikeProposal);
        String externalInterfaceName = "external" + idNum;
        InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
        Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
        String vpnInterfaceName = "vpn" + idNum;
        InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
        Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
        // Set fields within representation structures
        // ipsec
        ipsecVpn.setBindInterface(vpnInterface);
        ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
        ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
        ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
        ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
        ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
        // ike
        ikeGateway.setExternalInterface(externalInterface);
        ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
        ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
        if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
            ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
            ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
        }
        ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
        ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
        ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
        ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
        // bgp (if configured)
        if (ipsecTunnel.getVgwBgpAsn() != -1) {
            BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
            if (proc == null) {
                proc = new BgpProcess();
                proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
                proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
                vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
            }
            BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
            cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
            cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
            cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
            cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            cgBgpNeighbor.setSendCommunity(false);
            VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
            List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
            if (attachmentVpcIds.size() != 1) {
                throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
            }
            String vpcId = attachmentVpcIds.get(0);
            // iBGP connection to VPC
            Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
            Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
            Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
            BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
            proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
            vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
            vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vgwToVpcBgpNeighbor.setSendCommunity(true);
            // iBGP connection from VPC
            BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
            BgpProcess vpcProc = new BgpProcess();
            vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
            vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
            vpcProc.setRouterId(vpcIfaceAddress);
            vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
            vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
            vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vpcToVgwBgpNeighbor.setSendCommunity(true);
            String rpRejectAllName = "~REJECT_ALL~";
            String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
            If acceptIffEbgp = new If();
            acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
            acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
            RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
            vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
            vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
            RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
            vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
            String rpAcceptAllName = "~ACCEPT_ALL~";
            RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
            vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
            RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
            vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
            Vpc vpc = region.getVpcs().get(vpcId);
            String originationPolicyName = vpnId + "_origination";
            RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
            cgBgpNeighbor.setExportPolicy(originationPolicyName);
            If originationIf = new If();
            List<Statement> statements = originationRoutingPolicy.getStatements();
            statements.add(originationIf);
            statements.add(Statements.ExitReject.toStaticStatement());
            originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
            originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
            RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
            vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
            vpc.getCidrBlockAssociations().forEach(prefix -> {
                RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
                originationRouteFilter.addLine(matchOutgoingPrefix);
            });
            Conjunction conj = new Conjunction();
            originationIf.setGuard(conj);
            conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
            conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
        }
        // static routes (if configured)
        for (Prefix staticRoutePrefix : _routes) {
            StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
            vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
        }
    }
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) Configuration(org.batfish.datamodel.Configuration) BgpProcess(org.batfish.datamodel.BgpProcess) LiteralOrigin(org.batfish.datamodel.routing_policy.expr.LiteralOrigin) NamedPrefixSet(org.batfish.datamodel.routing_policy.expr.NamedPrefixSet) Ip(org.batfish.datamodel.Ip) Prefix(org.batfish.datamodel.Prefix) SelfNextHop(org.batfish.datamodel.routing_policy.expr.SelfNextHop) BgpNeighbor(org.batfish.datamodel.BgpNeighbor) IpsecProposal(org.batfish.datamodel.IpsecProposal) Conjunction(org.batfish.datamodel.routing_policy.expr.Conjunction) SubRange(org.batfish.datamodel.SubRange) SetNextHop(org.batfish.datamodel.routing_policy.statement.SetNextHop) RouteFilterLine(org.batfish.datamodel.RouteFilterLine) IkeProposal(org.batfish.datamodel.IkeProposal) BatfishException(org.batfish.common.BatfishException) StaticRoute(org.batfish.datamodel.StaticRoute) InterfaceAddress(org.batfish.datamodel.InterfaceAddress) Statement(org.batfish.datamodel.routing_policy.statement.Statement) MatchPrefixSet(org.batfish.datamodel.routing_policy.expr.MatchPrefixSet) SetOrigin(org.batfish.datamodel.routing_policy.statement.SetOrigin) RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy) MatchProtocol(org.batfish.datamodel.routing_policy.expr.MatchProtocol) DestinationNetwork(org.batfish.datamodel.routing_policy.expr.DestinationNetwork) IpsecPolicy(org.batfish.datamodel.IpsecPolicy) IkeGateway(org.batfish.datamodel.IkeGateway) RouteFilterList(org.batfish.datamodel.RouteFilterList) IkePolicy(org.batfish.datamodel.IkePolicy) If(org.batfish.datamodel.routing_policy.statement.If) Interface(org.batfish.datamodel.Interface)

Example 5 with IpsecVpn

use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.

the class VyosConfiguration method convertVpns.

private void convertVpns() {
    for (Entry<Ip, IpsecPeer> ipsecPeerEntry : _ipsecPeers.entrySet()) {
        // create ipsecvpn and ikegateway to correspond roughly to vyos ipsec
        // site-to-site peer
        Ip peerAddress = ipsecPeerEntry.getKey();
        IpsecPeer ipsecPeer = ipsecPeerEntry.getValue();
        String newIpsecVpnName = peerAddress.toString();
        String newIkeGatewayName = newIpsecVpnName;
        IpsecVpn newIpsecVpn = new IpsecVpn(newIpsecVpnName, _c);
        _c.getIpsecVpns().put(newIpsecVpnName, newIpsecVpn);
        IkeGateway newIkeGateway = new IkeGateway(newIkeGatewayName);
        _c.getIkeGateways().put(newIkeGatewayName, newIkeGateway);
        newIpsecVpn.setIkeGateway(newIkeGateway);
        newIkeGateway.setLocalId(ipsecPeer.getAuthenticationId());
        newIkeGateway.setRemoteId(ipsecPeer.getAuthenticationRemoteId());
        newIkeGateway.setAddress(peerAddress);
        Ip localAddress = ipsecPeer.getLocalAddress();
        org.batfish.datamodel.Interface externalInterface = _ipToInterfaceMap.get(localAddress);
        if (externalInterface == null) {
            _w.redFlag("Could not determine external interface for vpn \"" + newIpsecVpnName + "\" from local-address: " + localAddress);
        } else {
            newIkeGateway.setExternalInterface(externalInterface);
        }
        // bind interface
        String bindInterfaceName = ipsecPeer.getBindInterface();
        org.batfish.datamodel.Interface newBindInterface = _c.getDefaultVrf().getInterfaces().get(bindInterfaceName);
        if (newBindInterface != null) {
            Interface bindInterface = _interfaces.get(bindInterfaceName);
            bindInterface.getReferers().put(ipsecPeer, "bind interface for site-to-site peer \"" + newIpsecVpnName + "\"");
            newIpsecVpn.setBindInterface(newBindInterface);
        } else {
            _w.redFlag("Reference to undefined bind-interface: \"" + bindInterfaceName + "\"");
        }
        // convert the referenced ike group
        String ikeGroupName = ipsecPeer.getIkeGroup();
        IkeGroup ikeGroup = _ikeGroups.get(ikeGroupName);
        if (ikeGroup == null) {
            _w.redFlag("Reference to undefined ike-group: \"" + ikeGroupName + "\"");
        } else {
            ikeGroup.getReferers().put(ipsecPeer, "ike group for site-to-site peer: \"" + newIpsecVpnName + "\"");
            IkePolicy newIkePolicy = new IkePolicy(ikeGroupName);
            _c.getIkePolicies().put(ikeGroupName, newIkePolicy);
            newIkeGateway.setIkePolicy(newIkePolicy);
            newIkePolicy.setPreSharedKeyHash(ipsecPeer.getAuthenticationPreSharedSecretHash());
            // convert contained ike proposals
            for (Entry<Integer, IkeProposal> ikeProposalEntry : ikeGroup.getProposals().entrySet()) {
                String newIkeProposalName = ikeGroupName + ":" + Integer.toString(ikeProposalEntry.getKey());
                IkeProposal ikeProposal = ikeProposalEntry.getValue();
                org.batfish.datamodel.IkeProposal newIkeProposal = new org.batfish.datamodel.IkeProposal(newIkeProposalName, -1);
                _c.getIkeProposals().put(newIkeProposalName, newIkeProposal);
                newIkePolicy.getProposals().put(newIkeProposalName, newIkeProposal);
                newIkeProposal.setDiffieHellmanGroup(ikeProposal.getDhGroup());
                newIkeProposal.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
                newIkeProposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
                newIkeProposal.setAuthenticationAlgorithm(ikeProposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
                newIkeProposal.setAuthenticationMethod(ipsecPeer.getAuthenticationMode());
            }
        }
        // convert the referenced esp group
        String espGroupName = ipsecPeer.getEspGroup();
        EspGroup espGroup = _espGroups.get(espGroupName);
        if (espGroup == null) {
            _w.redFlag("Reference to undefined esp-group: \"" + espGroupName + "\"");
        } else {
            espGroup.getReferers().put(ipsecPeer, "esp-group for ipsec site-to-site peer: \"" + newIpsecVpnName + "\"");
            IpsecPolicy newIpsecPolicy = new IpsecPolicy(espGroupName);
            _c.getIpsecPolicies().put(espGroupName, newIpsecPolicy);
            newIpsecVpn.setIpsecPolicy(newIpsecPolicy);
            if (espGroup.getPfsSource() == null) {
                espGroup.setPfsSource(PfsSource.IKE_GROUP);
            }
            switch(espGroup.getPfsSource()) {
                case DISABLED:
                    break;
                case ESP_GROUP:
                    newIpsecPolicy.setPfsKeyGroup(espGroup.getPfsDhGroup());
                    break;
                case IKE_GROUP:
                    newIpsecPolicy.setPfsKeyGroupDynamicIke(true);
                    break;
                default:
                    throw new BatfishException("Invalid pfs source");
            }
            // convert contained esp proposals
            for (Entry<Integer, EspProposal> espProposalEntry : espGroup.getProposals().entrySet()) {
                String newIpsecProposalName = espGroupName + ":" + Integer.toString(espProposalEntry.getKey());
                EspProposal espProposal = espProposalEntry.getValue();
                IpsecProposal newIpsecProposal = new IpsecProposal(newIpsecProposalName, -1);
                _c.getIpsecProposals().put(newIpsecProposalName, newIpsecProposal);
                newIpsecPolicy.getProposals().put(newIpsecProposalName, newIpsecProposal);
                newIpsecProposal.setAuthenticationAlgorithm(espProposal.getHashAlgorithm().toIpsecAuthenticationAlgorithm());
                newIpsecProposal.setEncryptionAlgorithm(espProposal.getEncryptionAlgorithm());
                newIpsecProposal.setLifetimeSeconds(espGroup.getLifetimeSeconds());
                newIpsecProposal.setProtocol(IpsecProtocol.ESP);
            }
        }
    }
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) BatfishException(org.batfish.common.BatfishException) Ip(org.batfish.datamodel.Ip) IpsecProposal(org.batfish.datamodel.IpsecProposal) IkeGateway(org.batfish.datamodel.IkeGateway) IpsecPolicy(org.batfish.datamodel.IpsecPolicy) IkePolicy(org.batfish.datamodel.IkePolicy)

Aggregations

IpsecVpn (org.batfish.datamodel.IpsecVpn)15 Test (org.junit.Test)7 Configuration (org.batfish.datamodel.Configuration)6 BatfishException (org.batfish.common.BatfishException)4 IkeGateway (org.batfish.datamodel.IkeGateway)4 Ip (org.batfish.datamodel.Ip)4 IpsecPolicy (org.batfish.datamodel.IpsecPolicy)4 VisibleForTesting (com.google.common.annotations.VisibleForTesting)3 TreeSet (java.util.TreeSet)3 IkePolicy (org.batfish.datamodel.IkePolicy)3 Interface (org.batfish.datamodel.Interface)3 IpsecProposal (org.batfish.datamodel.IpsecProposal)3 Map (java.util.Map)2 Set (java.util.Set)2 SortedSet (java.util.SortedSet)2 TreeMap (java.util.TreeMap)2 BgpNeighbor (org.batfish.datamodel.BgpNeighbor)2 BgpProcess (org.batfish.datamodel.BgpProcess)2 IkeProposal (org.batfish.datamodel.IkeProposal)2 InterfaceAddress (org.batfish.datamodel.InterfaceAddress)2