Example 1 with IpsecVpn
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class CommonUtil method initRemoteIpsecVpns.
public static void initRemoteIpsecVpns(Map<String, Configuration> configurations) {
Map<IpsecVpn, Ip> vpnRemoteIps = new IdentityHashMap<>();
Map<Ip, Set<IpsecVpn>> externalIpVpnMap = new HashMap<>();
SetMultimap<Ip, IpWildcardSetIpSpace> privateIpsByPublicIp = initPrivateIpsByPublicIp(configurations);
for (Configuration c : configurations.values()) {
for (IpsecVpn ipsecVpn : c.getIpsecVpns().values()) {
Ip remoteIp = ipsecVpn.getIkeGateway().getAddress();
vpnRemoteIps.put(ipsecVpn, remoteIp);
Set<InterfaceAddress> externalAddresses = ipsecVpn.getIkeGateway().getExternalInterface().getAllAddresses();
for (InterfaceAddress address : externalAddresses) {
Ip ip = address.getIp();
Set<IpsecVpn> vpnsUsingExternalAddress = externalIpVpnMap.computeIfAbsent(ip, k -> Sets.newIdentityHashSet());
vpnsUsingExternalAddress.add(ipsecVpn);
}
}
}
for (Entry<IpsecVpn, Ip> e : vpnRemoteIps.entrySet()) {
IpsecVpn ipsecVpn = e.getKey();
Ip remoteIp = e.getValue();
Ip localIp = ipsecVpn.getIkeGateway().getLocalIp();
ipsecVpn.initCandidateRemoteVpns();
Set<IpsecVpn> remoteIpsecVpnCandidates = externalIpVpnMap.get(remoteIp);
if (remoteIpsecVpnCandidates != null) {
for (IpsecVpn remoteIpsecVpnCandidate : remoteIpsecVpnCandidates) {
Ip remoteIpsecVpnLocalAddress = remoteIpsecVpnCandidate.getIkeGateway().getLocalIp();
if (remoteIpsecVpnLocalAddress != null && !remoteIpsecVpnLocalAddress.equals(remoteIp)) {
continue;
}
Ip reciprocalRemoteAddress = vpnRemoteIps.get(remoteIpsecVpnCandidate);
Set<IpsecVpn> reciprocalVpns = externalIpVpnMap.get(reciprocalRemoteAddress);
if (reciprocalVpns == null) {
Set<IpWildcardSetIpSpace> privateIpsBehindReciprocalRemoteAddress = privateIpsByPublicIp.get(reciprocalRemoteAddress);
if (privateIpsBehindReciprocalRemoteAddress != null && privateIpsBehindReciprocalRemoteAddress.stream().anyMatch(ipSpace -> ipSpace.containsIp(localIp))) {
reciprocalVpns = externalIpVpnMap.get(localIp);
ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
remoteIpsecVpnCandidate.initCandidateRemoteVpns();
remoteIpsecVpnCandidate.setRemoteIpsecVpn(ipsecVpn);
remoteIpsecVpnCandidate.getCandidateRemoteIpsecVpns().add(ipsecVpn);
}
} else if (reciprocalVpns.contains(ipsecVpn)) {
ipsecVpn.setRemoteIpsecVpn(remoteIpsecVpnCandidate);
ipsecVpn.getCandidateRemoteIpsecVpns().add(remoteIpsecVpnCandidate);
}
}
}
}
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
SSLEngineConfigurator(org.glassfish.grizzly.ssl.SSLEngineConfigurator)
SSLContext(javax.net.ssl.SSLContext)
FileTime(java.nio.file.attribute.FileTime)
StringUtils(org.apache.commons.lang3.StringUtils)
Configurations(org.apache.commons.configuration2.builder.fluent.Configurations)
Interface(org.batfish.datamodel.Interface)
DirectoryStream(java.nio.file.DirectoryStream)
BfConsts(org.batfish.common.BfConsts)
Flow(org.batfish.datamodel.Flow)
Topology(org.batfish.datamodel.Topology)
Map(java.util.Map)
ResourceConfig(org.glassfish.jersey.server.ResourceConfig)
Pair(org.batfish.common.Pair)
Path(java.nio.file.Path)
DataPlane(org.batfish.datamodel.DataPlane)
VrrpGroup(org.batfish.datamodel.VrrpGroup)
ClientTracingFeature(io.opentracing.contrib.jaxrs2.client.ClientTracingFeature)
Set(java.util.Set)
FileAttribute(java.nio.file.attribute.FileAttribute)
StandardCharsets(java.nio.charset.StandardCharsets)
DirectoryIteratorException(java.nio.file.DirectoryIteratorException)
IOUtils(org.apache.commons.io.IOUtils)
Stream(java.util.stream.Stream)
Supplier(java.util.function.Supplier)
TreeSet(java.util.TreeSet)
JSONAssert(org.skyscreamer.jsonassert.JSONAssert)
MustBeClosed(com.google.errorprone.annotations.MustBeClosed)
SSLSession(javax.net.ssl.SSLSession)
FlowProcessor(org.batfish.common.plugin.FlowProcessor)
BiConsumer(java.util.function.BiConsumer)
SSLContextConfigurator(org.glassfish.grizzly.ssl.SSLContextConfigurator)
ImmutableSortedMap(com.google.common.collect.ImmutableSortedMap)
Nullable(javax.annotation.Nullable)
Files(java.nio.file.Files)
Route(org.batfish.datamodel.Route)
FileOutputStream(java.io.FileOutputStream)
IOException(java.io.IOException)
FileUtils(org.apache.commons.io.FileUtils)
KeyManager(javax.net.ssl.KeyManager)
TreeMap(java.util.TreeMap)
Paths(java.nio.file.Paths)
X509TrustManager(javax.net.ssl.X509TrustManager)
BufferedReader(java.io.BufferedReader)
X509Certificate(java.security.cert.X509Certificate)
IpsecVpn(org.batfish.datamodel.IpsecVpn)
NoSuchFileException(java.nio.file.NoSuchFileException)
IpProtocol(org.batfish.datamodel.IpProtocol)
SortedSet(java.util.SortedSet)
URL(java.net.URL)
TrustManager(javax.net.ssl.TrustManager)
FlowTrace(org.batfish.datamodel.FlowTrace)
InterfaceAddress(org.batfish.datamodel.InterfaceAddress)
OspfNeighbor(org.batfish.datamodel.OspfNeighbor)
Edge(org.batfish.datamodel.Edge)
IpWildcardSetIpSpace(org.batfish.datamodel.IpWildcardSetIpSpace)
OspfProcess(org.batfish.datamodel.OspfProcess)
URI(java.net.URI)
HostnameVerifier(javax.net.ssl.HostnameVerifier)
NamedPort(org.batfish.datamodel.NamedPort)
Vrf(org.batfish.datamodel.Vrf)
OspfArea(org.batfish.datamodel.OspfArea)
ImmutableSetMultimap(com.google.common.collect.ImmutableSetMultimap)
ImmutableSet(com.google.common.collect.ImmutableSet)
IdentityHashMap(java.util.IdentityHashMap)
PatternSyntaxException(java.util.regex.PatternSyntaxException)
TrustManagerFactory(javax.net.ssl.TrustManagerFactory)
ImmutableMap(com.google.common.collect.ImmutableMap)
Predicate(java.util.function.Predicate)
Collection(java.util.Collection)
FlowDisposition(org.batfish.datamodel.FlowDisposition)
KeyStore(java.security.KeyStore)
Collectors(java.util.stream.Collectors)
Sets(com.google.common.collect.Sets)
FileNotFoundException(java.io.FileNotFoundException)
List(java.util.List)
Entry(java.util.Map.Entry)
Pattern(java.util.regex.Pattern)
BgpNeighbor(org.batfish.datamodel.BgpNeighbor)
SortedMap(java.util.SortedMap)
IpWildcard(org.batfish.datamodel.IpWildcard)
Ip(org.batfish.datamodel.Ip)
NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair)
Hashing(com.google.common.hash.Hashing)
HashMap(java.util.HashMap)
BatfishException(org.batfish.common.BatfishException)
BgpProcess(org.batfish.datamodel.BgpProcess)
Function(java.util.function.Function)
HashSet(java.util.HashSet)
ClientBuilder(javax.ws.rs.client.ClientBuilder)
Configuration(org.batfish.datamodel.Configuration)
OutputStreamWriter(java.io.OutputStreamWriter)
OutputStream(java.io.OutputStream)
IpLink(org.batfish.datamodel.IpLink)
Iterator(java.util.Iterator)
MalformedURLException(java.net.MalformedURLException)
KeyManagerFactory(javax.net.ssl.KeyManagerFactory)
GlobalTracer(io.opentracing.util.GlobalTracer)
FileInputStream(java.io.FileInputStream)
SetMultimap(com.google.common.collect.SetMultimap)
Consumer(java.util.function.Consumer)
GrizzlyHttpServerFactory(org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Collections(java.util.Collections)
InputStream(java.io.InputStream)
Prefix(org.batfish.datamodel.Prefix)
Set(java.util.Set)
TreeSet(java.util.TreeSet)
SortedSet(java.util.SortedSet)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
Configuration(org.batfish.datamodel.Configuration)
IdentityHashMap(java.util.IdentityHashMap)
HashMap(java.util.HashMap)
InterfaceAddress(org.batfish.datamodel.InterfaceAddress)
Ip(org.batfish.datamodel.Ip)
IdentityHashMap(java.util.IdentityHashMap)
IpWildcardSetIpSpace(org.batfish.datamodel.IpWildcardSetIpSpace)
Example 2 with IpsecVpn
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class Batfish method disableUnusableVpnInterfaces.
private void disableUnusableVpnInterfaces(Map<String, Configuration> configurations) {
CommonUtil.initRemoteIpsecVpns(configurations);
for (Configuration c : configurations.values()) {
for (IpsecVpn vpn : c.getIpsecVpns().values()) {
IpsecVpn remoteVpn = vpn.getRemoteIpsecVpn();
if (remoteVpn == null || !vpn.compatibleIkeProposals(remoteVpn) || !vpn.compatibleIpsecProposals(remoteVpn) || !vpn.compatiblePreSharedKey(remoteVpn)) {
String hostname = c.getHostname();
Interface bindInterface = vpn.getBindInterface();
if (bindInterface != null) {
bindInterface.setActive(false);
bindInterface.setBlacklisted(true);
String bindInterfaceName = bindInterface.getName();
_logger.warnf("WARNING: Disabling unusable vpn interface because we cannot determine remote " + "endpoint: \"%s:%s\"\n", hostname, bindInterfaceName);
}
}
}
}
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
HostConfiguration(org.batfish.representation.host.HostConfiguration)
Configuration(org.batfish.datamodel.Configuration)
ImmutableConfiguration(org.apache.commons.configuration2.ImmutableConfiguration)
AwsConfiguration(org.batfish.representation.aws.AwsConfiguration)
IptablesVendorConfiguration(org.batfish.representation.iptables.IptablesVendorConfiguration)
VendorConfiguration(org.batfish.vendor.VendorConfiguration)
Interface(org.batfish.datamodel.Interface)
Example 3 with IpsecVpn
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class CiscoConfiguration method toVendorIndependentConfiguration.
@Override
public Configuration toVendorIndependentConfiguration() {
final Configuration c = new Configuration(_hostname, _vendor);
c.getVendorFamily().setCisco(_cf);
c.setRoles(_roles);
c.setDefaultInboundAction(LineAction.ACCEPT);
c.setDefaultCrossZoneAction(LineAction.ACCEPT);
c.setDnsServers(_dnsServers);
c.setDnsSourceInterface(_dnsSourceInterface);
c.setDomainName(_domainName);
c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
c.setTacacsServers(_tacacsServers);
c.setTacacsSourceInterface(_tacacsSourceInterface);
c.setNtpSourceInterface(_ntpSourceInterface);
if (_cf.getNtp() != null) {
c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
}
if (_cf.getLogging() != null) {
c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
}
c.setSnmpSourceInterface(_snmpSourceInterface);
processLines();
processFailoverSettings();
// remove line login authentication lists if they don't exist
for (Line line : _cf.getLines().values()) {
String list = line.getLoginAuthentication();
boolean found = false;
Aaa aaa = _cf.getAaa();
if (aaa != null) {
AaaAuthentication authentication = aaa.getAuthentication();
if (authentication != null) {
AaaAuthenticationLogin login = authentication.getLogin();
if (login != null && login.getLists().containsKey(list)) {
found = true;
}
}
}
if (!found) {
line.setLoginAuthentication(null);
}
}
// initialize vrfs
for (String vrfName : _vrfs.keySet()) {
c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
}
// snmp server
if (_snmpServer != null) {
String snmpServerVrf = _snmpServer.getVrf();
c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
}
// convert as path access lists to vendor independent format
for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
AsPathAccessList apList = toAsPathAccessList(pathList);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert as-path-sets to vendor independent format
for (AsPathSet asPathSet : _asPathSets.values()) {
AsPathAccessList apList = toAsPathAccessList(asPathSet);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert standard/expanded community lists to community lists
for (StandardCommunityList scList : _standardCommunityLists.values()) {
ExpandedCommunityList ecList = scList.toExpandedCommunityList();
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
// convert prefix lists to route filter lists
for (PrefixList prefixList : _prefixLists.values()) {
RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert ipv6 prefix lists to route6 filter lists
for (Prefix6List prefixList : _prefix6Lists.values()) {
Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert standard/extended access lists to access lists or route filter
// lists
List<ExtendedAccessList> allACLs = new ArrayList<>();
for (StandardAccessList saList : _standardAccessLists.values()) {
ExtendedAccessList eaList = saList.toExtendedAccessList();
allACLs.add(eaList);
}
allACLs.addAll(_extendedAccessLists.values());
for (ExtendedAccessList eaList : allACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardAccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
RouteFilterList rfList = toRouteFilterList(eaList);
c.getRouteFilterLists().put(rfList.getName(), rfList);
}
IpAccessList ipaList = toIpAccessList(eaList);
c.getIpAccessLists().put(ipaList.getName(), ipaList);
}
// convert standard/extended ipv6 access lists to ipv6 access lists or
// route6 filter
// lists
List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
allIpv6ACLs.add(eaList);
}
allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardIpv6AccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
Route6FilterList rfList = toRoute6FilterList(eaList);
c.getRoute6FilterLists().put(rfList.getName(), rfList);
}
Ip6AccessList ipaList = toIp6AccessList(eaList);
c.getIp6AccessLists().put(ipaList.getName(), ipaList);
}
// convert route maps to policy maps
Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
for (RouteMap map : _routeMaps.values()) {
convertForPurpose(routingRouteMaps, map);
// convert route maps to RoutingPolicy objects
RoutingPolicy newPolicy = toRoutingPolicy(c, map);
c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
}
// convert RoutePolicy to RoutingPolicy
for (RoutePolicy routePolicy : _routePolicies.values()) {
RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
}
// convert interfaces
_interfaces.forEach((ifaceName, iface) -> {
org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
String vrfName = iface.getVrf();
if (vrfName == null) {
throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
}
c.getInterfaces().put(ifaceName, newInterface);
c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
});
// apply vrrp settings to interfaces
applyVrrp(c);
// get IKE proposals
for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
}
addIkePoliciesAndGateways(c);
// ipsec proposals
for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
}
// ipsec policies
for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
String name = e.getKey();
IpsecProfile profile = e.getValue();
IpsecPolicy policy = new IpsecPolicy(name);
policy.setPfsKeyGroup(profile.getPfsGroup());
String transformSetName = profile.getTransformSet();
if (c.getIpsecProposals().containsKey(transformSetName)) {
policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
}
c.getIpsecPolicies().put(name, policy);
}
// ipsec vpns
for (Entry<String, Interface> e : _interfaces.entrySet()) {
String name = e.getKey();
Interface iface = e.getValue();
Tunnel tunnel = iface.getTunnel();
if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
IpsecVpn ipsecVpn = new IpsecVpn(name, c);
ipsecVpn.setBindInterface(c.getInterfaces().get(name));
ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
Ip source = tunnel.getSource();
Ip destination = tunnel.getDestination();
if (source == null || destination == null) {
_w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
} else {
for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
ipsecVpn.setIkeGateway(ikeGateway);
}
}
if (ipsecVpn.getIkeGateway() == null) {
_w.redFlag("Can't find matching IkeGateway for " + name);
}
}
c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
}
}
// convert routing processes
_vrfs.forEach((vrfName, vrf) -> {
org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
// add snmp trap servers to main list
if (newVrf.getSnmpServer() != null) {
c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
}
// convert static routes
for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
}
// convert rip process
RipProcess ripProcess = vrf.getRipProcess();
if (ripProcess != null) {
org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
newVrf.setRipProcess(newRipProcess);
}
// convert ospf process
OspfProcess ospfProcess = vrf.getOspfProcess();
if (ospfProcess != null) {
org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
newVrf.setOspfProcess(newOspfProcess);
}
// convert isis process
IsisProcess isisProcess = vrf.getIsisProcess();
if (isisProcess != null) {
org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
newVrf.setIsisProcess(newIsisProcess);
}
// convert bgp process
BgpProcess bgpProcess = vrf.getBgpProcess();
if (bgpProcess != null) {
org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
}
});
// warn about references to undefined peer groups
for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
String name = e.getKey();
int line = e.getValue();
undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
}
// mark references to IPv4/6 ACLs that may not appear in data model
markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
markAcls(CiscoStructureUsage.SSH_ACL);
markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
// mark references to mac-ACLs that may not appear in data model
// TODO: fill in
// mark references to route-maps that may not appear in data model
markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
// Cable
markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
// L2tp
markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
// Vpn
markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
// warn about unreferenced data structures
warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
warnUnusedCommunityLists();
warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
warnUnusedDocsisPolicies();
warnUnusedDocsisPolicyRules();
warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
warnUnusedIpAccessLists();
warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
warnUnusedIpv6AccessLists();
warnUnusedKeyrings();
warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
warnUnusedPeerGroups();
warnUnusedPeerSessions();
warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
warnUnusedServiceClasses();
c.simplifyRoutingPolicies();
c.computeRoutingPolicySources(_w);
return c;
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
AaaAuthentication(org.batfish.datamodel.vendor_family.cisco.AaaAuthentication)
VendorConfiguration(org.batfish.vendor.VendorConfiguration)
Configuration(org.batfish.datamodel.Configuration)
ArrayList(java.util.ArrayList)
Aaa(org.batfish.datamodel.vendor_family.cisco.Aaa)
BatfishException(org.batfish.common.BatfishException)
AsPathAccessList(org.batfish.datamodel.AsPathAccessList)
CommunityList(org.batfish.datamodel.CommunityList)
CommunityListLine(org.batfish.datamodel.CommunityListLine)
Ip6AccessListLine(org.batfish.datamodel.Ip6AccessListLine)
Route6FilterLine(org.batfish.datamodel.Route6FilterLine)
Line(org.batfish.datamodel.vendor_family.cisco.Line)
RouteFilterLine(org.batfish.datamodel.RouteFilterLine)
AsPathAccessListLine(org.batfish.datamodel.AsPathAccessListLine)
IpAccessListLine(org.batfish.datamodel.IpAccessListLine)
IpsecPolicy(org.batfish.datamodel.IpsecPolicy)
IkeGateway(org.batfish.datamodel.IkeGateway)
IpAccessList(org.batfish.datamodel.IpAccessList)
Ip(org.batfish.datamodel.Ip)
SubRange(org.batfish.datamodel.SubRange)
Ip6AccessList(org.batfish.datamodel.Ip6AccessList)
RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy)
Route6FilterList(org.batfish.datamodel.Route6FilterList)
BigInteger(java.math.BigInteger)
RouteFilterList(org.batfish.datamodel.RouteFilterList)
AaaAuthenticationLogin(org.batfish.datamodel.vendor_family.cisco.AaaAuthenticationLogin)
Example 4 with IpsecVpn
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class VpnConnection method applyToVpnGateway.
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
return;
}
Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
for (int i = 0; i < _ipsecTunnels.size(); i++) {
int idNum = i + 1;
String vpnId = _vpnConnectionId + "-" + idNum;
IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
}
// create representation structures and add to configuration node
IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
ipsecVpn.setIpsecPolicy(ipsecPolicy);
IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
IkeGateway ikeGateway = new IkeGateway(vpnId);
vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
ipsecVpn.setIkeGateway(ikeGateway);
IkePolicy ikePolicy = new IkePolicy(vpnId);
vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
ikeGateway.setIkePolicy(ikePolicy);
IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
ikePolicy.getProposals().put(vpnId, ikeProposal);
String externalInterfaceName = "external" + idNum;
InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
String vpnInterfaceName = "vpn" + idNum;
InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
// Set fields within representation structures
// ipsec
ipsecVpn.setBindInterface(vpnInterface);
ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
// ike
ikeGateway.setExternalInterface(externalInterface);
ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
}
ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
// bgp (if configured)
if (ipsecTunnel.getVgwBgpAsn() != -1) {
BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
if (proc == null) {
proc = new BgpProcess();
proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
}
BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
cgBgpNeighbor.setSendCommunity(false);
VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
if (attachmentVpcIds.size() != 1) {
throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
}
String vpcId = attachmentVpcIds.get(0);
// iBGP connection to VPC
Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
vgwToVpcBgpNeighbor.setSendCommunity(true);
// iBGP connection from VPC
BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
BgpProcess vpcProc = new BgpProcess();
vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
vpcProc.setRouterId(vpcIfaceAddress);
vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
vpcToVgwBgpNeighbor.setSendCommunity(true);
String rpRejectAllName = "~REJECT_ALL~";
String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
If acceptIffEbgp = new If();
acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
String rpAcceptAllName = "~ACCEPT_ALL~";
RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
Vpc vpc = region.getVpcs().get(vpcId);
String originationPolicyName = vpnId + "_origination";
RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
cgBgpNeighbor.setExportPolicy(originationPolicyName);
If originationIf = new If();
List<Statement> statements = originationRoutingPolicy.getStatements();
statements.add(originationIf);
statements.add(Statements.ExitReject.toStaticStatement());
originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
vpc.getCidrBlockAssociations().forEach(prefix -> {
RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
originationRouteFilter.addLine(matchOutgoingPrefix);
});
Conjunction conj = new Conjunction();
originationIf.setGuard(conj);
conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
}
// static routes (if configured)
for (Prefix staticRoutePrefix : _routes) {
StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
}
}
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
Configuration(org.batfish.datamodel.Configuration)
BgpProcess(org.batfish.datamodel.BgpProcess)
LiteralOrigin(org.batfish.datamodel.routing_policy.expr.LiteralOrigin)
NamedPrefixSet(org.batfish.datamodel.routing_policy.expr.NamedPrefixSet)
Ip(org.batfish.datamodel.Ip)
Prefix(org.batfish.datamodel.Prefix)
SelfNextHop(org.batfish.datamodel.routing_policy.expr.SelfNextHop)
BgpNeighbor(org.batfish.datamodel.BgpNeighbor)
IpsecProposal(org.batfish.datamodel.IpsecProposal)
Conjunction(org.batfish.datamodel.routing_policy.expr.Conjunction)
SubRange(org.batfish.datamodel.SubRange)
SetNextHop(org.batfish.datamodel.routing_policy.statement.SetNextHop)
RouteFilterLine(org.batfish.datamodel.RouteFilterLine)
IkeProposal(org.batfish.datamodel.IkeProposal)
BatfishException(org.batfish.common.BatfishException)
StaticRoute(org.batfish.datamodel.StaticRoute)
InterfaceAddress(org.batfish.datamodel.InterfaceAddress)
Statement(org.batfish.datamodel.routing_policy.statement.Statement)
MatchPrefixSet(org.batfish.datamodel.routing_policy.expr.MatchPrefixSet)
SetOrigin(org.batfish.datamodel.routing_policy.statement.SetOrigin)
RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy)
MatchProtocol(org.batfish.datamodel.routing_policy.expr.MatchProtocol)
DestinationNetwork(org.batfish.datamodel.routing_policy.expr.DestinationNetwork)
IpsecPolicy(org.batfish.datamodel.IpsecPolicy)
IkeGateway(org.batfish.datamodel.IkeGateway)
RouteFilterList(org.batfish.datamodel.RouteFilterList)
IkePolicy(org.batfish.datamodel.IkePolicy)
If(org.batfish.datamodel.routing_policy.statement.If)
Interface(org.batfish.datamodel.Interface)
Example 5 with IpsecVpn
use of org.batfish.datamodel.IpsecVpn in project batfish by batfish.
the class VyosConfiguration method convertVpns.
private void convertVpns() {
for (Entry<Ip, IpsecPeer> ipsecPeerEntry : _ipsecPeers.entrySet()) {
// create ipsecvpn and ikegateway to correspond roughly to vyos ipsec
// site-to-site peer
Ip peerAddress = ipsecPeerEntry.getKey();
IpsecPeer ipsecPeer = ipsecPeerEntry.getValue();
String newIpsecVpnName = peerAddress.toString();
String newIkeGatewayName = newIpsecVpnName;
IpsecVpn newIpsecVpn = new IpsecVpn(newIpsecVpnName, _c);
_c.getIpsecVpns().put(newIpsecVpnName, newIpsecVpn);
IkeGateway newIkeGateway = new IkeGateway(newIkeGatewayName);
_c.getIkeGateways().put(newIkeGatewayName, newIkeGateway);
newIpsecVpn.setIkeGateway(newIkeGateway);
newIkeGateway.setLocalId(ipsecPeer.getAuthenticationId());
newIkeGateway.setRemoteId(ipsecPeer.getAuthenticationRemoteId());
newIkeGateway.setAddress(peerAddress);
Ip localAddress = ipsecPeer.getLocalAddress();
org.batfish.datamodel.Interface externalInterface = _ipToInterfaceMap.get(localAddress);
if (externalInterface == null) {
_w.redFlag("Could not determine external interface for vpn \"" + newIpsecVpnName + "\" from local-address: " + localAddress);
} else {
newIkeGateway.setExternalInterface(externalInterface);
}
// bind interface
String bindInterfaceName = ipsecPeer.getBindInterface();
org.batfish.datamodel.Interface newBindInterface = _c.getDefaultVrf().getInterfaces().get(bindInterfaceName);
if (newBindInterface != null) {
Interface bindInterface = _interfaces.get(bindInterfaceName);
bindInterface.getReferers().put(ipsecPeer, "bind interface for site-to-site peer \"" + newIpsecVpnName + "\"");
newIpsecVpn.setBindInterface(newBindInterface);
} else {
_w.redFlag("Reference to undefined bind-interface: \"" + bindInterfaceName + "\"");
}
// convert the referenced ike group
String ikeGroupName = ipsecPeer.getIkeGroup();
IkeGroup ikeGroup = _ikeGroups.get(ikeGroupName);
if (ikeGroup == null) {
_w.redFlag("Reference to undefined ike-group: \"" + ikeGroupName + "\"");
} else {
ikeGroup.getReferers().put(ipsecPeer, "ike group for site-to-site peer: \"" + newIpsecVpnName + "\"");
IkePolicy newIkePolicy = new IkePolicy(ikeGroupName);
_c.getIkePolicies().put(ikeGroupName, newIkePolicy);
newIkeGateway.setIkePolicy(newIkePolicy);
newIkePolicy.setPreSharedKeyHash(ipsecPeer.getAuthenticationPreSharedSecretHash());
// convert contained ike proposals
for (Entry<Integer, IkeProposal> ikeProposalEntry : ikeGroup.getProposals().entrySet()) {
String newIkeProposalName = ikeGroupName + ":" + Integer.toString(ikeProposalEntry.getKey());
IkeProposal ikeProposal = ikeProposalEntry.getValue();
org.batfish.datamodel.IkeProposal newIkeProposal = new org.batfish.datamodel.IkeProposal(newIkeProposalName, -1);
_c.getIkeProposals().put(newIkeProposalName, newIkeProposal);
newIkePolicy.getProposals().put(newIkeProposalName, newIkeProposal);
newIkeProposal.setDiffieHellmanGroup(ikeProposal.getDhGroup());
newIkeProposal.setEncryptionAlgorithm(ikeProposal.getEncryptionAlgorithm());
newIkeProposal.setLifetimeSeconds(ikeGroup.getLifetimeSeconds());
newIkeProposal.setAuthenticationAlgorithm(ikeProposal.getHashAlgorithm().toIkeAuthenticationAlgorithm());
newIkeProposal.setAuthenticationMethod(ipsecPeer.getAuthenticationMode());
}
}
// convert the referenced esp group
String espGroupName = ipsecPeer.getEspGroup();
EspGroup espGroup = _espGroups.get(espGroupName);
if (espGroup == null) {
_w.redFlag("Reference to undefined esp-group: \"" + espGroupName + "\"");
} else {
espGroup.getReferers().put(ipsecPeer, "esp-group for ipsec site-to-site peer: \"" + newIpsecVpnName + "\"");
IpsecPolicy newIpsecPolicy = new IpsecPolicy(espGroupName);
_c.getIpsecPolicies().put(espGroupName, newIpsecPolicy);
newIpsecVpn.setIpsecPolicy(newIpsecPolicy);
if (espGroup.getPfsSource() == null) {
espGroup.setPfsSource(PfsSource.IKE_GROUP);
}
switch(espGroup.getPfsSource()) {
case DISABLED:
break;
case ESP_GROUP:
newIpsecPolicy.setPfsKeyGroup(espGroup.getPfsDhGroup());
break;
case IKE_GROUP:
newIpsecPolicy.setPfsKeyGroupDynamicIke(true);
break;
default:
throw new BatfishException("Invalid pfs source");
}
// convert contained esp proposals
for (Entry<Integer, EspProposal> espProposalEntry : espGroup.getProposals().entrySet()) {
String newIpsecProposalName = espGroupName + ":" + Integer.toString(espProposalEntry.getKey());
EspProposal espProposal = espProposalEntry.getValue();
IpsecProposal newIpsecProposal = new IpsecProposal(newIpsecProposalName, -1);
_c.getIpsecProposals().put(newIpsecProposalName, newIpsecProposal);
newIpsecPolicy.getProposals().put(newIpsecProposalName, newIpsecProposal);
newIpsecProposal.setAuthenticationAlgorithm(espProposal.getHashAlgorithm().toIpsecAuthenticationAlgorithm());
newIpsecProposal.setEncryptionAlgorithm(espProposal.getEncryptionAlgorithm());
newIpsecProposal.setLifetimeSeconds(espGroup.getLifetimeSeconds());
newIpsecProposal.setProtocol(IpsecProtocol.ESP);
}
}
}
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
BatfishException(org.batfish.common.BatfishException)
Ip(org.batfish.datamodel.Ip)
IpsecProposal(org.batfish.datamodel.IpsecProposal)
IkeGateway(org.batfish.datamodel.IkeGateway)
IpsecPolicy(org.batfish.datamodel.IpsecPolicy)
IkePolicy(org.batfish.datamodel.IkePolicy)
Aggregations
IpsecVpn (org.batfish.datamodel.IpsecVpn)15
Test (org.junit.Test)7
Configuration (org.batfish.datamodel.Configuration)6
BatfishException (org.batfish.common.BatfishException)4
IkeGateway (org.batfish.datamodel.IkeGateway)4
Ip (org.batfish.datamodel.Ip)4
IpsecPolicy (org.batfish.datamodel.IpsecPolicy)4
VisibleForTesting (com.google.common.annotations.VisibleForTesting)3
TreeSet (java.util.TreeSet)3
IkePolicy (org.batfish.datamodel.IkePolicy)3
Interface (org.batfish.datamodel.Interface)3
IpsecProposal (org.batfish.datamodel.IpsecProposal)3
Map (java.util.Map)2
Set (java.util.Set)2
SortedSet (java.util.SortedSet)2
TreeMap (java.util.TreeMap)2
BgpNeighbor (org.batfish.datamodel.BgpNeighbor)2
BgpProcess (org.batfish.datamodel.BgpProcess)2
IkeProposal (org.batfish.datamodel.IkeProposal)2
InterfaceAddress (org.batfish.datamodel.InterfaceAddress)2
