
ipsec: T6101: Add validation for proposal option used in IKE group #4121

Merged (1 commit, Oct 4, 2024)

Conversation

natali-rs1985 (Contributor)

Change Summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

vpn ipsec

Proposed changes

How to test

set interfaces ethernet eth1 address '192.0.2.14/24'

set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

vyos@vyos# commit
[ vpn ipsec ]
A PRF algorithm is mandatory in IKE proposal 1

[[vpn ipsec]] failed
Commit failed
[edit]

vyos@vyos# set vpn ipsec ike-group IKE-HUB proposal 1 hash sha256
[edit]
vyos@vyos# commit
[edit]

vyos@vyos# sudo systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
     Active: active (running) since Sat 2024-09-28 04:37:32 UTC; 8s ago
    Process: 17113 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
   Main PID: 17094 (charon-systemd)
     Status: "charon-systemd running, strongSwan 5.9.11, Linux 6.6.51-vyos, x86_64"
      Tasks: 17 (limit: 1134)
     Memory: 5.5M
        CPU: 336ms
     CGroup: /system.slice/strongswan.service
             └─17094 /usr/sbin/charon-systemd

Sep 28 04:37:32 vyos charon[17094]: 14[CFG] loaded IKE shared key with id 'ike-dmvpn-tun100' for: '%any'
Sep 28 04:37:32 vyos charon-systemd[17094]: loaded IKE shared key with id 'ike-dmvpn-tun100' for: '%any'
Sep 28 04:37:32 vyos charon[17094]: 14[CFG] added vici connection: dmvpn-NHRPVPN-tun100
Sep 28 04:37:32 vyos charon-systemd[17094]: added vici connection: dmvpn-NHRPVPN-tun100
Sep 28 04:37:32 vyos swanctl[17113]: loaded ike secret 'ike-dmvpn-tun100'
Sep 28 04:37:32 vyos swanctl[17113]: no authorities found, 0 unloaded
Sep 28 04:37:32 vyos swanctl[17113]: no pools found, 0 unloaded
Sep 28 04:37:32 vyos swanctl[17113]: loaded connection 'dmvpn-NHRPVPN-tun100'
Sep 28 04:37:32 vyos swanctl[17113]: successfully loaded 1 connections, 0 unloaded
Sep 28 04:37:32 vyos systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
[edit]

Smoketest result

vyos@vyos# python3 /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... ok
test_remote_access_dhcp_fail_handling (__main__.TestVPNIPsec.test_remote_access_dhcp_fail_handling) ... ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... ok
test_remote_access_no_rekey (__main__.TestVPNIPsec.test_remote_access_no_rekey) ... ok
test_remote_access_pool_range (__main__.TestVPNIPsec.test_remote_access_pool_range) ... ok
test_remote_access_vti (__main__.TestVPNIPsec.test_remote_access_vti) ... ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ... ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... ok

----------------------------------------------------------------------
Ran 13 tests in 111.062s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
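The "How to test" steps above show the same IKE proposal failing commit with hash 'aes256gmac' and passing with 'sha256'. The following is an added example, not the PR's own verify code, that models that check. It assumes VyOS maps the proposal's 'hash' option to the IKEv2 PRF, so a missing hash or a GMAC hash (integrity-only, never a PRF) leaves the proposal without a PRF even when the cipher is AEAD like aes256gcm128.

```python
# Added example (not the PR's verify code): model of the IKE-group proposal
# check that produces "A PRF algorithm is mandatory in IKE proposal N".
# Assumption: the proposal's 'hash' option is what VyOS turns into the IKEv2
# PRF. AEAD ciphers (GCM/CCM/ChaCha20-Poly1305) need no separate integrity
# algorithm, but IKEv2 still needs a PRF, and the *gmac family cannot be one.
GMAC_HASHES = {'aes128gmac', 'aes192gmac', 'aes256gmac'}
PRF_CAPABLE = {'md5', 'sha1', 'sha256', 'sha384', 'sha512', 'aesxcbc', 'aescmac'}


def verify_ike_group(ike_group: dict) -> list:
    """Return commit errors for one ike-group's proposals (empty list = OK)."""
    errors = []
    proposals = ike_group.get('proposal', {})
    for number, proposal in sorted(proposals.items(), key=lambda kv: int(kv[0])):
        enc = proposal.get('encryption')
        hash_alg = proposal.get('hash')
        if enc is None:
            errors.append(f'Encryption algorithm is mandatory in IKE proposal {number}')
            continue
        # No hash, or a GMAC hash, means no PRF can be derived for this proposal.
        if hash_alg is None or hash_alg in GMAC_HASHES:
            errors.append(f'A PRF algorithm is mandatory in IKE proposal {number}')
        elif hash_alg not in PRF_CAPABLE:
            errors.append(f'Unknown hash algorithm {hash_alg!r} in IKE proposal {number}')
    return errors


# Constructed inputs mirroring the test steps: IKE-HUB as first committed
# (fails) and after 'set ... proposal 1 hash sha256' (passes).
IKE_HUB_BROKEN = {'key-exchange': 'ikev2', 'lifetime': '3600',
                  'proposal': {'1': {'dh-group': '24',
                                     'encryption': 'aes256gcm128',
                                     'hash': 'aes256gmac'}}}
IKE_HUB_FIXED = {'key-exchange': 'ikev2', 'lifetime': '3600',
                 'proposal': {'1': {'dh-group': '24',
                                    'encryption': 'aes256gcm128',
                                    'hash': 'sha256'}}}

if __name__ == '__main__':
    for name, group in (('broken', IKE_HUB_BROKEN), ('fixed', IKE_HUB_FIXED)):
        print(name, verify_ike_group(group) or 'commit OK')
```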


github-actions bot commented Oct 2, 2024

👍
No issues in PR Title / Commit Title


github-actions bot commented Oct 2, 2024

✅ No issues found in unused-imports check. Please refer to the workflow run

@c-po (Member)

c-po commented Oct 4, 2024

re-running smoketests...

@c-po c-po merged commit 43e9082 into vyos:current Oct 4, 2024
16 of 17 checks passed

github-actions bot commented Oct 4, 2024

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed
