use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class CommonUtil method initRemoteIpsecVpns.
public static void initRemoteIpsecVpns(Map<String, Configuration> configurations) {
Map<IpsecVpn, Ip> vpnRemoteIps = new IdentityHashMap<>();
Map<Ip, Set<IpsecVpn>> externalIpVpnMap = new HashMap<>();
SetMultimap<Ip, IpWildcardSetIpSpace> privateIpsByPublicIp = initPrivateIpsByPublicIp(configurations);
for (Configuration c : configurations.values()) {
for (IpsecVpn ipsecVpn : c.getIpsecVpns().values()) {
Ip remoteIp = ipsecVpn.getIkeGateway().getAddress();
vpnRemoteIps.put(ipsecVpn, remoteIp);
Set<InterfaceAddress> externalAddresses = ipsecVpn.getIkeGateway().getExternalInterface().getAllAddresses();
for (InterfaceAddress address : externalAddresses) {
Ip ip = address.getIp();
Set<IpsecVpn> vpnsUsingExternalAddress = externalIpVpnMap.computeIfAbsent(ip, k -> Sets.newIdentityHashSet());
vpnsUsingExternalAddress.add(ipsecVpn);
}
}
}
for (Entry<IpsecVpn, Ip> e : vpnRemoteIps.entrySet()) {
IpsecVpn ipsecVpn = e.getKey();
Ip remoteIp = e.getValue();
Ip localIp = ipsecVpn.getIkeGateway().getLocalIp();
ipsecVpn.initCandidateRemoteVpns();
Set<IpsecVpn> remoteIpsecVpnCandidates = externalIpVpnMap.get(remoteIp);
if (remoteIpsecVpnCandidates != null) {
for (IpsecVpn remoteIpsecVpnCandidate : remoteIpsecVpnCandidates) {
Ip remoteIpsecVpnLocalAddress = remoteIpsecVpnCandidate.getIkeGateway().getLocalIp();
if (remoteIpsecVpnLocalAddress != null && !remoteIpsecVpnLocalAddress.equals(remoteIp)) {
continue;
}
Ip reciprocalRemoteAddress = vpnRemoteIps.get(remoteIpsecVpnCandidate);
Set<IpsecVpn> reciprocalVpns = externalIpVpnMap.get(reciprocalRemoteAddress);
if (reciprocalVpns == null) {
Set<IpWildcardSetIpSpace> privateIpsBehindReciprocalRemoteAddress = privateIpsByPublicIp.get(reciprocalRemoteAddress);
if (privateIpsBehindReciprocalRemoteAddress != null && privateIpsBehindReciprocalRemoteAddress.stream().anyMatch(ipSpace -> ipSpace.containsIp(localIp))) {
reciprocalVpns = externalIpVpnMap.get(localIp);
ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
remoteIpsecVpnCandidate.initCandidateRemoteVpns();
remoteIpsecVpnCandidate.setRemoteIpsecVpn(ipsecVpn);
remoteIpsecVpnCandidate.getCandidateRemoteIpsecVpns().add(ipsecVpn);
}
} else if (reciprocalVpns.contains(ipsecVpn)) {
ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
}
}
}
}
}
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class Batfish method disableUnusableVpnInterfaces.
private void disableUnusableVpnInterfaces(Map<String, Configuration> configurations) {
CommonUtil.initRemoteIpsecVpns(configurations);
for (Configuration c : configurations.values()) {
for (IpsecVpn vpn : c.getIpsecVpns().values()) {
IpsecVpn remoteVpn = vpn.getRemoteIpsecVpn();
if (remoteVpn == null || !vpn.compatibleIkeProposals(remoteVpn) || !vpn.compatibleIpsecProposals(remoteVpn) || !vpn.compatiblePreSharedKey(remoteVpn)) {
String hostname = c.getHostname();
Interface bindInterface = vpn.getBindInterface();
if (bindInterface != null) {
bindInterface.setActive(false);
bindInterface.setBlacklisted(true);
String bindInterfaceName = bindInterface.getName();
_logger.warnf("WARNING: Disabling unusable vpn interface because we cannot determine remote " + "endpoint: \"%s:%s\"\n", hostname, bindInterfaceName);
}
}
}
}
}
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class CiscoConfiguration method toVendorIndependentConfiguration.
@Override
public Configuration toVendorIndependentConfiguration() {
final Configuration c = new Configuration(_hostname, _vendor);
c.getVendorFamily().setCisco(_cf);
c.setRoles(_roles);
c.setDefaultInboundAction(LineAction.ACCEPT);
c.setDefaultCrossZoneAction(LineAction.ACCEPT);
c.setDnsServers(_dnsServers);
c.setDnsSourceInterface(_dnsSourceInterface);
c.setDomainName(_domainName);
c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
c.setTacacsServers(_tacacsServers);
c.setTacacsSourceInterface(_tacacsSourceInterface);
c.setNtpSourceInterface(_ntpSourceInterface);
if (_cf.getNtp() != null) {
c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
}
if (_cf.getLogging() != null) {
c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
}
c.setSnmpSourceInterface(_snmpSourceInterface);
processLines();
processFailoverSettings();
// remove line login authentication lists if they don't exist
for (Line line : _cf.getLines().values()) {
String list = line.getLoginAuthentication();
boolean found = false;
Aaa aaa = _cf.getAaa();
if (aaa != null) {
AaaAuthentication authentication = aaa.getAuthentication();
if (authentication != null) {
AaaAuthenticationLogin login = authentication.getLogin();
if (login != null && login.getLists().containsKey(list)) {
found = true;
}
}
}
if (!found) {
line.setLoginAuthentication(null);
}
}
// initialize vrfs
for (String vrfName : _vrfs.keySet()) {
c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
}
// snmp server
if (_snmpServer != null) {
String snmpServerVrf = _snmpServer.getVrf();
c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
}
// convert as path access lists to vendor independent format
for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
AsPathAccessList apList = toAsPathAccessList(pathList);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert as-path-sets to vendor independent format
for (AsPathSet asPathSet : _asPathSets.values()) {
AsPathAccessList apList = toAsPathAccessList(asPathSet);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert standard/expanded community lists to community lists
for (StandardCommunityList scList : _standardCommunityLists.values()) {
ExpandedCommunityList ecList = scList.toExpandedCommunityList();
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
// convert prefix lists to route filter lists
for (PrefixList prefixList : _prefixLists.values()) {
RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert ipv6 prefix lists to route6 filter lists
for (Prefix6List prefixList : _prefix6Lists.values()) {
Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert standard/extended access lists to access lists or route filter
// lists
List<ExtendedAccessList> allACLs = new ArrayList<>();
for (StandardAccessList saList : _standardAccessLists.values()) {
ExtendedAccessList eaList = saList.toExtendedAccessList();
allACLs.add(eaList);
}
allACLs.addAll(_extendedAccessLists.values());
for (ExtendedAccessList eaList : allACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardAccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
RouteFilterList rfList = toRouteFilterList(eaList);
c.getRouteFilterLists().put(rfList.getName(), rfList);
}
IpAccessList ipaList = toIpAccessList(eaList);
c.getIpAccessLists().put(ipaList.getName(), ipaList);
}
// convert standard/extended ipv6 access lists to ipv6 access lists or
// route6 filter
// lists
List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
allIpv6ACLs.add(eaList);
}
allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardIpv6AccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
Route6FilterList rfList = toRoute6FilterList(eaList);
c.getRoute6FilterLists().put(rfList.getName(), rfList);
}
Ip6AccessList ipaList = toIp6AccessList(eaList);
c.getIp6AccessLists().put(ipaList.getName(), ipaList);
}
// convert route maps to policy maps
Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
for (RouteMap map : _routeMaps.values()) {
convertForPurpose(routingRouteMaps, map);
// convert route maps to RoutingPolicy objects
RoutingPolicy newPolicy = toRoutingPolicy(c, map);
c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
}
// convert RoutePolicy to RoutingPolicy
for (RoutePolicy routePolicy : _routePolicies.values()) {
RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
}
// convert interfaces
_interfaces.forEach((ifaceName, iface) -> {
org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
String vrfName = iface.getVrf();
if (vrfName == null) {
throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
}
c.getInterfaces().put(ifaceName, newInterface);
c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
});
// apply vrrp settings to interfaces
applyVrrp(c);
// get IKE proposals
for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
}
addIkePoliciesAndGateways(c);
// ipsec proposals
for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
}
// ipsec policies
for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
String name = e.getKey();
IpsecProfile profile = e.getValue();
IpsecPolicy policy = new IpsecPolicy(name);
policy.setPfsKeyGroup(profile.getPfsGroup());
String transformSetName = profile.getTransformSet();
if (c.getIpsecProposals().containsKey(transformSetName)) {
policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
}
c.getIpsecPolicies().put(name, policy);
}
// ipsec vpns
for (Entry<String, Interface> e : _interfaces.entrySet()) {
String name = e.getKey();
Interface iface = e.getValue();
Tunnel tunnel = iface.getTunnel();
if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
IpsecVpn ipsecVpn = new IpsecVpn(name, c);
ipsecVpn.setBindInterface(c.getInterfaces().get(name));
ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
Ip source = tunnel.getSource();
Ip destination = tunnel.getDestination();
if (source == null || destination == null) {
_w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
} else {
for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
ipsecVpn.setIkeGateway(ikeGateway);
}
}
if (ipsecVpn.getIkeGateway() == null) {
_w.redFlag("Can't find matching IkeGateway for " + name);
}
}
c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
}
}
// convert routing processes
_vrfs.forEach((vrfName, vrf) -> {
org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
// add snmp trap servers to main list
if (newVrf.getSnmpServer() != null) {
c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
}
// convert static routes
for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
}
// convert rip process
RipProcess ripProcess = vrf.getRipProcess();
if (ripProcess != null) {
org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
newVrf.setRipProcess(newRipProcess);
}
// convert ospf process
OspfProcess ospfProcess = vrf.getOspfProcess();
if (ospfProcess != null) {
org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
newVrf.setOspfProcess(newOspfProcess);
}
// convert isis process
IsisProcess isisProcess = vrf.getIsisProcess();
if (isisProcess != null) {
org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
newVrf.setIsisProcess(newIsisProcess);
}
// convert bgp process
BgpProcess bgpProcess = vrf.getBgpProcess();
if (bgpProcess != null) {
org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
}
});
// warn about references to undefined peer groups
for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
String name = e.getKey();
int line = e.getValue();
undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
}
// mark references to IPv4/6 ACLs that may not appear in data model
markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
markAcls(CiscoStructureUsage.SSH_ACL);
markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
// mark references to mac-ACLs that may not appear in data model
// TODO: fill in
// mark references to route-maps that may not appear in data model
markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
// Cable
markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
// L2tp
markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
// Vpn
markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
// warn about unreferenced data structures
warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
warnUnusedCommunityLists();
warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
warnUnusedDocsisPolicies();
warnUnusedDocsisPolicyRules();
warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
warnUnusedIpAccessLists();
warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
warnUnusedIpv6AccessLists();
warnUnusedKeyrings();
warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
warnUnusedPeerGroups();
warnUnusedPeerSessions();
warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
warnUnusedServiceClasses();
c.simplifyRoutingPolicies();
c.computeRoutingPolicySources(_w);
return c;
}
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class VpnConnection method applyToVpnGateway.
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
return;
}
Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
for (int i = 0; i < _ipsecTunnels.size(); i++) {
int idNum = i + 1;
String vpnId = _vpnConnectionId + "-" + idNum;
IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
}
// create representation structures and add to configuration node
IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
ipsecVpn.setIpsecPolicy(ipsecPolicy);
IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
IkeGateway ikeGateway = new IkeGateway(vpnId);
vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
ipsecVpn.setIkeGateway(ikeGateway);
IkePolicy ikePolicy = new IkePolicy(vpnId);
vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
ikeGateway.setIkePolicy(ikePolicy);
IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
ikePolicy.getProposals().put(vpnId, ikeProposal);
String externalInterfaceName = "external" + idNum;
InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
String vpnInterfaceName = "vpn" + idNum;
InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
// Set fields within representation structures
// ipsec
ipsecVpn.setBindInterface(vpnInterface);
ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
// ike
ikeGateway.setExternalInterface(externalInterface);
ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
}
ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
// bgp (if configured)
if (ipsecTunnel.getVgwBgpAsn() != -1) {
BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
if (proc == null) {
proc = new BgpProcess();
proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
}
BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
cgBgpNeighbor.setSendCommunity(false);
VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
if (attachmentVpcIds.size() != 1) {
throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
}
String vpcId = attachmentVpcIds.get(0);
// iBGP connection to VPC
Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
vgwToVpcBgpNeighbor.setSendCommunity(true);
// iBGP connection from VPC
BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
BgpProcess vpcProc = new BgpProcess();
vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
vpcProc.setRouterId(vpcIfaceAddress);
vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
vpcToVgwBgpNeighbor.setSendCommunity(true);
String rpRejectAllName = "~REJECT_ALL~";
String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
If acceptIffEbgp = new If();
acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
String rpAcceptAllName = "~ACCEPT_ALL~";
RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
Vpc vpc = region.getVpcs().get(vpcId);
String originationPolicyName = vpnId + "_origination";
RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
cgBgpNeighbor.setExportPolicy(originationPolicyName);
If originationIf = new If();
List<Statement> statements = originationRoutingPolicy.getStatements();
statements.add(originationIf);
statements.add(Statements.ExitReject.toStaticStatement());
originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
vpc.getCidrBlockAssociations().forEach(prefix -> {
RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
originationRouteFilter.addLine(matchOutgoingPrefix);
});
Conjunction conj = new Conjunction();
originationIf.setGuard(conj);
conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
}
// static routes (if configured)
for (Prefix staticRoutePrefix : _routes) {
StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
}
}
}
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class VyosConfiguration method convertVpns.
private void convertVpns() {
for (Entry<Ip, IpsecPeer> ipsecPeerEntry : _ipsecPeers.entrySet()) {
// create ipsecvpn and ikegateway to correspond roughly to vyos ipsec
// site-to-site peer
Ip peerAddress = ipsecPeerEntry.getKey();
IpsecPeer ipsecPeer = ipsecPeerEntry.getValue();
String newIpsecVpnName = peerAddress.toString();
String newIkeGatewayName = newIpsecVpnName;
IpsecVpn newIpsecVpn = new IpsecVpn(newIpsecVpnName, _c);
_c.getIpsecVpns().put(newIpsecVpnName, newIpsecVpn);
IkeGateway newIkeGateway = new IkeGateway(newIkeGatewayName);
_c.getIkeGateways().put(newIkeGatewayName, newIkeGateway);
newIpsecVpn.setIkeGateway(newIkeGateway);
newIkeGateway.setLocalId(ipsecPeer.getAuthenticationId());
newIkeGateway.setRemoteId(ipsecPeer.getAuthenticationRemoteId());
newIkeGateway.setAddress(peerAddress);
Ip localAddress = ipsecPeer.getLocalAddress();
org.batfish.datamodel.Interface externalInterface = _ipToInterfaceMap.get(localAddress);
if (externalInterface == null) {
_w.redFlag("Could not determine external interface for vpn \"" + newIpsecVpnName + "\" from local-address: " + localAddress);
} else {
newIkeGateway.setExternalInterface(externalInterface);
}
// bind interface
String bindInterfaceName = ipsecPeer.getBindInterface();
org.batfish.datamodel.Interface newBindInterface = _c.getDefaultVrf().getInterfaces().get(bindInterfaceName);
if (newBindInterface != null) {
Interface bindInterface = _interfaces.get(bindInterfaceName);
bindInterface.getReferers().put(ipsecPeer, "bind interface for site-to-site peer \"" + newIpsecVpnName + "\"");
newIpsecVpn.setBindInterface(newBindInterface);
} else {
_w.redFlag("Reference to undefined bind-interface: \"" + bindInterfaceName + "\"");
}
// convert the referenced ike group
String ikeGroupName = ipsecPeer.getIkeGroup();
IkeGroup ikeGroup = _ikeGroups.get(ikeGroupName);
if (ikeGroup == null) {
_w.redFlag("Reference to undefined ike-group: \"" + ikeGroupName + "\"");
} else {
ikeGroup.getReferers().put(ipsecPeer, "ike group for site-to-site peer: \"" + newIpsecVpnName + "\"");
IkePolicy newIkePolicy = new IkePolicy(ikeGroupName);
_c.getIkePolicies().put(ikeGroupName, newIkePolicy);
newIkeGateway.setIkePolicy(newIkePolicy);
newIkePolicy.setPreSharedKeyHash(ipsecPeer.getAuthenticationPreSharedSecretHash());
// convert contained ike proposals
for (Entry<Integer, IkeProposal> ikeProposalEntry : ikeGroup.getProposals().entrySet()) {
String newIkeProposalName = ikeGroupName + ":" + Integer.toString(ikeProposalEntry.getKey());
IkeProposal ikeProposal = ikeProposalEntry.getValue();
org.batfish.datamodel.IkeProposal newIkeProposal = new org.batfish.datamodel.IkeProposal(newIkeProposalName, -1);
_c.getIkeProposals().put(newIkeProposalName, newIkeProposal);
newIkePolicy.getProposals().put(newIkeProposalName, newIkeProposal);
newIkeProposal.setDiffieHellmanGroup(ikeProposal.getDhGroup());
newIkeProposal.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
newIkeProposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
newIkeProposal.setAuthenticationAlgorithm(ikeProposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
newIkeProposal.setAuthenticationMethod(ipsecPeer.getAuthenticationMode());
}
}
// convert the referenced esp group
String espGroupName = ipsecPeer.getEspGroup();
EspGroup espGroup = _espGroups.get(espGroupName);
if (espGroup == null) {
_w.redFlag("Reference to undefined esp-group: \"" + espGroupName + "\"");
} else {
espGroup.getReferers().put(ipsecPeer, "esp-group for ipsec site-to-site peer: \"" + newIpsecVpnName + "\"");
IpsecPolicy newIpsecPolicy = new IpsecPolicy(espGroupName);
_c.getIpsecPolicies().put(espGroupName, newIpsecPolicy);
newIpsecVpn.setIpsecPolicy(newIpsecPolicy);
if (espGroup.getPfsSource() == null) {
espGroup.setPfsSource(PfsSource.IKE_GROUP);
}
switch(espGroup.getPfsSource()) {
case DISABLED:
break;
case ESP_GROUP:
newIpsecPolicy.setPfsKeyGroup(espGroup.getPfsDhGroup());
break;
case IKE_GROUP:
newIpsecPolicy.setPfsKeyGroupDynamicIke(true);
break;
default:
throw new BatfishException("Invalid pfs source");
}
// convert contained esp proposals
for (Entry<Integer, EspProposal> espProposalEntry : espGroup.getProposals().entrySet()) {
String newIpsecProposalName = espGroupName + ":" + Integer.toString(espProposalEntry.getKey());
EspProposal espProposal = espProposalEntry.getValue();
IpsecProposal newIpsecProposal = new IpsecProposal(newIpsecProposalName, -1);
_c.getIpsecProposals().put(newIpsecProposalName, newIpsecProposal);
newIpsecPolicy.getProposals().put(newIpsecProposalName, newIpsecProposal);
newIpsecProposal.setAuthenticationAlgorithm(espProposal.getHashAlgorithm().toIpsecAuthenticationAlgorithm());
newIpsecProposal.setEncryptionAlgorithm(espProposal.getEncryptionAlgorithm());
newIpsecProposal.setLifetimeSeconds(espGroup.getLifetimeSeconds());
newIpsecProposal.setProtocol(IpsecProtocol.ESP);
}
}
}
}
Aggregations