def _create_gre_transport_mode_66(cls,
name,
local_endpoint,
remote_endpoint,
preshared_key,
monitoring_group=None,
vpn_profile=None,
mtu=0,
ttl=0,
pmtu_discovery=True,
enabled=True,
comment=None):
group = monitoring_group or TunnelMonitoringGroup('Uncategorized')
profile = vpn_profile or VPNProfile('VPN-A Suite')
json = {
'name': name,
'mtu': mtu,
'ttl': ttl,
'preshared_key': preshared_key,
'pmtu_discovery': pmtu_discovery,
'tunnel_group_ref': group.href,
'rbvpn_tunnel_side_a': local_endpoint.data,
'rbvpn_tunnel_side_b': remote_endpoint.data,
'tunnel_encryption': 'transport_mode',
'vpn_profile_ref': profile.href,
'tunnel_mode': 'gre',
'enabled': enabled,
'comment': comment
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreateVPNFailed(err)
def create(cls,
name,
nat=False,
mobile_vpn_toplogy_mode=None,
vpn_profile=None):
"""
Create a new policy based VPN
:param name: name of vpn policy
:param bool nat: whether to apply NAT to the VPN (default False)
:param mobile_vpn_toplogy_mode: whether to allow remote vpn
:param VPNProfile vpn_profile: reference to VPN profile, or uses default
:rtype: PolicyVPN
"""
vpn_profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite')
json = {
'mobile_vpn_topology_mode': mobile_vpn_toplogy_mode,
'name': name,
'nat': nat,
'vpn_profile': vpn_profile.href
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreatePolicyFailed(err)
def create_gre_transport_mode(cls,
name,
local_endpoint,
remote_endpoint,
preshared_key,
monitoring_group=None,
vpn_profile=None,
mtu=0,
ttl=0,
pmtu_discovery=True,
enabled=True,
comment=None):
"""
Create a transport based route VPN. This VPN type uses IPSEC
for protecting the payload, therefore a VPN Profile is specified.
:param str name: name of VPN
:param TunnelEndpoint local_endpoint: the local side endpoint for
this VPN.
:param TunnelEndpoint remote_endpoint: the remote side endpoint for
this VPN.
:param str preshared_key: preshared key for RBVPN
:param TunnelMonitoringGroup monitoring_group: the group to place
this VPN in for monitoring. (default: 'Uncategorized')
:param VPNProfile vpn_profile: VPN profile for this VPN.
(default: VPN-A Suite)
:param int mtu: Set MTU for this VPN tunnel (default: 0)
:param boolean pmtu_discovery: enable pmtu discovery (default: True)
:param int ttl: ttl for connections on the VPN (default: 0)
:param str comment: optional comment
:raises CreateVPNFailed: failed to create the VPN with reason
:rtype: RouteVPN
"""
group = monitoring_group if monitoring_group else \
TunnelMonitoringGroup('Uncategorized')
profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite')
json = {
'name': name,
'mtu': mtu,
'ttl': ttl,
'preshared_key': preshared_key,
'pmtu_discovery': pmtu_discovery,
'monitoring_group_ref': group.href,
'rbvpn_tunnel_side_a': local_endpoint.data,
'rbvpn_tunnel_side_b': remote_endpoint.data,
'tunnel_encryption': 'transport_mode',
'vpn_profile_ref': profile.href,
'tunnel_mode': 'gre',
'enabled': enabled,
'comment': comment
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreateVPNFailed(err)
def create_ipsec_tunnel(cls,
name,
local_endpoint,
remote_endpoint,
preshared_key,
monitoring_group=None,
vpn_profile=None,
mtu=0,
pmtu_discovery=True,
ttl=0,
enabled=True,
comment=None):
"""
The VPN tunnel type negotiates IPsec tunnels in the same way
as policy-based VPNs, but traffic is selected to be sent into
the tunnel based on routing.
:param str name: name of VPN
:param TunnelEndpoint local_endpoint: the local side endpoint for
this VPN.
:param TunnelEndpoint remote_endpoint: the remote side endpoint for
this VPN.
:param TunnelMonitoringGroup monitoring_group: the group to place
this VPN in for monitoring. Default: 'Uncategorized'.
:param VPNProfile vpn_profile: VPN profile for this VPN.
(default: VPN-A Suite)
:param int mtu: Set MTU for this VPN tunnel (default: 0)
:param boolean pmtu_discovery: enable pmtu discovery (default: True)
:param int ttl: ttl for connections on the VPN (default: 0)
:param bool enabled: enable the RBVPN or leave it disabled
:param str comment: optional comment
:raises CreateVPNFailed: failed to create the VPN with reason
:rtype: RouteVPN
"""
group = monitoring_group if monitoring_group else \
TunnelMonitoringGroup('Uncategorized')
profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite')
json = {
'name': name,
'mtu': mtu,
'ttl': ttl,
'enabled': enabled,
'monitoring_group_ref': group.href,
'pmtu_discovery': pmtu_discovery,
'preshared_key': preshared_key,
'rbvpn_tunnel_side_a': local_endpoint.data,
'rbvpn_tunnel_side_b': remote_endpoint.data,
'tunnel_mode': 'vpn',
'comment': comment,
'vpn_profile_ref': profile.href
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreateVPNFailed(err)
def vpn_create_ipsec(engine_name, interface_id, preshared_key, vpn_name,
vpn_num, remote_gateway):
tunnel_if = Engine(engine_name).tunnel_interface.get(interface_id)
local_gateway = TunnelEndpoint.create_ipsec_endpoint(
Engine(engine_name).vpn.internal_gateway, tunnel_if)
RouteVPN.create_ipsec_tunnel(name=f'{engine_name}-{vpn_name}-{vpn_num}',
preshared_key=preshared_key,
local_endpoint=local_gateway,
remote_endpoint=remote_gateway,
enabled=True,
vpn_profile=VPNProfile('aws_profile'))
def _create_gre_transport_mode_65(
cls,
name,
local_endpoint,
remote_endpoint,
preshared_key,
monitoring_group=None,
vpn_profile=None,
mtu=0,
ttl=0,
pmtu_discovery=True,
enabled=True,
comment=None,
):
group = monitoring_group or RouteVPNTunnelMonitoringGroup(
"Uncategorized")
profile = vpn_profile or VPNProfile("VPN-A Suite")
json = {
"name": name,
"mtu": mtu,
"ttl": ttl,
"preshared_key": preshared_key,
"pmtu_discovery": pmtu_discovery,
"monitoring_group_ref": group.href,
"rbvpn_tunnel_side_a": local_endpoint.data,
"rbvpn_tunnel_side_b": remote_endpoint.data,
"tunnel_encryption": "transport_mode",
"vpn_profile_ref": profile.href,
"tunnel_mode": "gre",
"enabled": enabled,
"comment": comment,
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreateVPNFailed(err)
def create(cls, name, nat=False, mobile_vpn_toplogy_mode=None, vpn_profile=None):
"""
Create a new policy based VPN
:param name: name of vpn policy
:param bool nat: whether to apply NAT to the VPN (default False)
:param mobile_vpn_toplogy_mode: whether to allow remote vpn
:param VPNProfile vpn_profile: reference to VPN profile, or uses default
:rtype: PolicyVPN
"""
vpn_profile = element_resolver(vpn_profile) or VPNProfile("VPN-A Suite").href
json = {
"mobile_vpn_topology_mode": mobile_vpn_toplogy_mode,
"name": name,
"nat": nat,
"vpn_profile": vpn_profile,
}
try:
return ElementCreator(cls, json)
except CreateElementFailed as err:
raise CreatePolicyFailed(err)
def exec_module(self, **kwargs):
state = kwargs.pop('state', 'present')
for name, value in kwargs.items():
setattr(self, name, value)
for gw in [self.central_gw, self.satellite_gw]:
if gw:
self._validate_subspec(gw)
changed = False
vpn = self.fetch_element(PolicyVPN) #Element or None
try:
if state == 'present':
lock = False # Used to flag whether policy needs to be locked
if self.gateway_tunnel:
self._validate_tunnel(self.gateway_tunnel)
lock = True
if self.central_gw:
self._validate_external_gw(self.central_gw)
self.central_gw = resolve_gw(self.central_gw)
lock = True
if self.satellite_gw:
self._validate_external_gw(self.satellite_gw)
self.satellite_gw = resolve_gw(self.satellite_gw)
lock = True
if not vpn:
vpn = PolicyVPN.create(
name=self.name,
nat=self.apply_nat,
vpn_profile=self.vpn_profile)
changed = True
# Update profile if provided and they are different
if self.vpn_profile:
if vpn.vpn_profile.name != self.vpn_profile:
pf = VPNProfile(self.vpn_profile).href
vpn.update(vpn_profile=pf)
changed = True
# Make sure NAT setting matches
if vpn.nat != self.apply_nat:
vpn.enable_disable_nat()
vpn.update()
changed = True
if lock:
vpn.open()
if add_central_gateway(vpn, self.central_gw):
changed = True
if add_satellite_gateway(vpn, self.satellite_gw):
changed = True
if self.gateway_tunnel:
for gateway in self.gateway_tunnel:
if change_gateway_tunnel(vpn, gateway):
changed = True
vpn.save()
vpn.close()
if self.tags:
if self.add_tags(vpn, self.tags):
changed = True
elif state == 'absent':
# If no gateways are provided, delete the whole VPN
if not self.central_gw and not self.satellite_gw and not self.tags:
if vpn:
vpn.delete()
changed = True
else:
if vpn:
lock = False
if self.central_gw:
self.central_gw = resolve_gw(self.central_gw)
lock = True
if self.satellite_gw:
self.satellite_gw = resolve_gw(self.satellite_gw)
lock = True
if lock:
vpn.open()
if delete_central_gateway(vpn, self.central_gw):
changed = True
if delete_satellite_gateway(vpn, self.satellite_gw):
changed = True
vpn.save()
vpn.close()
if self.tags:
if self.remove_tags(vpn, self.tags):
changed = True
except SMCException as err:
self.fail(msg=str(err), exception=traceback.format_exc())
self.results['changed'] = changed
return self.results
def engine_creation(engine_name, private_ip, public_ip, protected_network,
router_ip, private_network):
session.login(url=get_url(),
api_key=get_api_key(),
api_version=get_api_version(),
verify=pem_dir)
profile = VPNProfile.get_or_create(name=PROFILE_NAME)
profile.update(capabilities={
'ike_v1': True,
'aes128_for_ike': True,
'aggressive_mode': False,
'sha1_for_ike': True,
'dh_group_2_for_ike': True,
'pre_shared_key_for_ike': True,
'rsa_signature_for_ike': False,
'main_mode': True,
'esp_for_ipsec': True,
'aes128_for_ipsec': True,
'sha1_for_ipsec': True,
'sa_per_net': True,
'pfs_dh_group_2_for_ipsec': True,
'rsa_signature_for_ike': True,
'vpn_client_sa_per_net': True
},
sa_life_time=28800,
tunnel_life_time_seconds=3600,
hybrid_authentication_for_mobile_vpn=True,
trust_all_cas=True)
# we should wait for the engine to be present
engine = None
while not engine:
try:
engine = Engine(engine_name)
except smc.api.exceptions.ElementNotFound as e:
print(e)
print(engine)
print("retrying in 3 sec")
time.sleep(3)
interface = engine.interface.get(0)
# set_stream_logger(log_level=logging.DEBUG)
for sub in interface.sub_interfaces():
sub.data['dynamic'] = False
sub.data['address'] = private_ip
if 'dynamic_index' in sub.data:
del sub.data['dynamic_index']
sub.data['network_value'] = private_network
sub.update()
interface.update()
ROUTER_NAME = "aws_default_router-{}".format(router_ip)
if Router.objects.filter(ROUTER_NAME):
router = Router(ROUTER_NAME)
else:
router = Router.create(ROUTER_NAME, router_ip)
# update routing
interface0 = engine.routing.get(0)
for network in interface0:
if network.name == 'Network (IPv4)':
print("{} should be deleted".format(network))
network.delete()
if network.name == "network-{}".format(private_network):
print("{} should be updated".format(network))
interface0.add_static_route(gateway=router,
destination=[Network('Any network')])
# we need to add custom policy routing so advertised BGP routes are not used when
# we source nat the traffic
engine.data['policy_route'].append(
dict(source=private_ip + '/32',
destination=protected_network,
gateway_ip=router_ip))
engine.update()
# print(interface0.as_tree())
ca = engine.contact_addresses.get(0, interface_ip=private_ip)
ca.add_contact_address(public_ip, location='Default')
session.logout()
