def _create_gre_transport_mode_66(cls, name, local_endpoint, remote_endpoint, preshared_key, monitoring_group=None, vpn_profile=None, mtu=0, ttl=0, pmtu_discovery=True, enabled=True, comment=None): group = monitoring_group or TunnelMonitoringGroup('Uncategorized') profile = vpn_profile or VPNProfile('VPN-A Suite') json = { 'name': name, 'mtu': mtu, 'ttl': ttl, 'preshared_key': preshared_key, 'pmtu_discovery': pmtu_discovery, 'tunnel_group_ref': group.href, 'rbvpn_tunnel_side_a': local_endpoint.data, 'rbvpn_tunnel_side_b': remote_endpoint.data, 'tunnel_encryption': 'transport_mode', 'vpn_profile_ref': profile.href, 'tunnel_mode': 'gre', 'enabled': enabled, 'comment': comment } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreateVPNFailed(err)
def create(cls, name, nat=False, mobile_vpn_toplogy_mode=None, vpn_profile=None): """ Create a new policy based VPN :param name: name of vpn policy :param bool nat: whether to apply NAT to the VPN (default False) :param mobile_vpn_toplogy_mode: whether to allow remote vpn :param VPNProfile vpn_profile: reference to VPN profile, or uses default :rtype: PolicyVPN """ vpn_profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite') json = { 'mobile_vpn_topology_mode': mobile_vpn_toplogy_mode, 'name': name, 'nat': nat, 'vpn_profile': vpn_profile.href } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreatePolicyFailed(err)
def create_gre_transport_mode(cls, name, local_endpoint, remote_endpoint, preshared_key, monitoring_group=None, vpn_profile=None, mtu=0, ttl=0, pmtu_discovery=True, enabled=True, comment=None): """ Create a transport based route VPN. This VPN type uses IPSEC for protecting the payload, therefore a VPN Profile is specified. :param str name: name of VPN :param TunnelEndpoint local_endpoint: the local side endpoint for this VPN. :param TunnelEndpoint remote_endpoint: the remote side endpoint for this VPN. :param str preshared_key: preshared key for RBVPN :param TunnelMonitoringGroup monitoring_group: the group to place this VPN in for monitoring. (default: 'Uncategorized') :param VPNProfile vpn_profile: VPN profile for this VPN. (default: VPN-A Suite) :param int mtu: Set MTU for this VPN tunnel (default: 0) :param boolean pmtu_discovery: enable pmtu discovery (default: True) :param int ttl: ttl for connections on the VPN (default: 0) :param str comment: optional comment :raises CreateVPNFailed: failed to create the VPN with reason :rtype: RouteVPN """ group = monitoring_group if monitoring_group else \ TunnelMonitoringGroup('Uncategorized') profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite') json = { 'name': name, 'mtu': mtu, 'ttl': ttl, 'preshared_key': preshared_key, 'pmtu_discovery': pmtu_discovery, 'monitoring_group_ref': group.href, 'rbvpn_tunnel_side_a': local_endpoint.data, 'rbvpn_tunnel_side_b': remote_endpoint.data, 'tunnel_encryption': 'transport_mode', 'vpn_profile_ref': profile.href, 'tunnel_mode': 'gre', 'enabled': enabled, 'comment': comment } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreateVPNFailed(err)
def create_ipsec_tunnel(cls, name, local_endpoint, remote_endpoint, preshared_key, monitoring_group=None, vpn_profile=None, mtu=0, pmtu_discovery=True, ttl=0, enabled=True, comment=None): """ The VPN tunnel type negotiates IPsec tunnels in the same way as policy-based VPNs, but traffic is selected to be sent into the tunnel based on routing. :param str name: name of VPN :param TunnelEndpoint local_endpoint: the local side endpoint for this VPN. :param TunnelEndpoint remote_endpoint: the remote side endpoint for this VPN. :param TunnelMonitoringGroup monitoring_group: the group to place this VPN in for monitoring. Default: 'Uncategorized'. :param VPNProfile vpn_profile: VPN profile for this VPN. (default: VPN-A Suite) :param int mtu: Set MTU for this VPN tunnel (default: 0) :param boolean pmtu_discovery: enable pmtu discovery (default: True) :param int ttl: ttl for connections on the VPN (default: 0) :param bool enabled: enable the RBVPN or leave it disabled :param str comment: optional comment :raises CreateVPNFailed: failed to create the VPN with reason :rtype: RouteVPN """ group = monitoring_group if monitoring_group else \ TunnelMonitoringGroup('Uncategorized') profile = vpn_profile if vpn_profile else VPNProfile('VPN-A Suite') json = { 'name': name, 'mtu': mtu, 'ttl': ttl, 'enabled': enabled, 'monitoring_group_ref': group.href, 'pmtu_discovery': pmtu_discovery, 'preshared_key': preshared_key, 'rbvpn_tunnel_side_a': local_endpoint.data, 'rbvpn_tunnel_side_b': remote_endpoint.data, 'tunnel_mode': 'vpn', 'comment': comment, 'vpn_profile_ref': profile.href } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreateVPNFailed(err)
def vpn_create_ipsec(engine_name, interface_id, preshared_key, vpn_name, vpn_num, remote_gateway): tunnel_if = Engine(engine_name).tunnel_interface.get(interface_id) local_gateway = TunnelEndpoint.create_ipsec_endpoint( Engine(engine_name).vpn.internal_gateway, tunnel_if) RouteVPN.create_ipsec_tunnel(name=f'{engine_name}-{vpn_name}-{vpn_num}', preshared_key=preshared_key, local_endpoint=local_gateway, remote_endpoint=remote_gateway, enabled=True, vpn_profile=VPNProfile('aws_profile'))
def _create_gre_transport_mode_65( cls, name, local_endpoint, remote_endpoint, preshared_key, monitoring_group=None, vpn_profile=None, mtu=0, ttl=0, pmtu_discovery=True, enabled=True, comment=None, ): group = monitoring_group or RouteVPNTunnelMonitoringGroup( "Uncategorized") profile = vpn_profile or VPNProfile("VPN-A Suite") json = { "name": name, "mtu": mtu, "ttl": ttl, "preshared_key": preshared_key, "pmtu_discovery": pmtu_discovery, "monitoring_group_ref": group.href, "rbvpn_tunnel_side_a": local_endpoint.data, "rbvpn_tunnel_side_b": remote_endpoint.data, "tunnel_encryption": "transport_mode", "vpn_profile_ref": profile.href, "tunnel_mode": "gre", "enabled": enabled, "comment": comment, } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreateVPNFailed(err)
def create(cls, name, nat=False, mobile_vpn_toplogy_mode=None, vpn_profile=None): """ Create a new policy based VPN :param name: name of vpn policy :param bool nat: whether to apply NAT to the VPN (default False) :param mobile_vpn_toplogy_mode: whether to allow remote vpn :param VPNProfile vpn_profile: reference to VPN profile, or uses default :rtype: PolicyVPN """ vpn_profile = element_resolver(vpn_profile) or VPNProfile("VPN-A Suite").href json = { "mobile_vpn_topology_mode": mobile_vpn_toplogy_mode, "name": name, "nat": nat, "vpn_profile": vpn_profile, } try: return ElementCreator(cls, json) except CreateElementFailed as err: raise CreatePolicyFailed(err)
def exec_module(self, **kwargs): state = kwargs.pop('state', 'present') for name, value in kwargs.items(): setattr(self, name, value) for gw in [self.central_gw, self.satellite_gw]: if gw: self._validate_subspec(gw) changed = False vpn = self.fetch_element(PolicyVPN) #Element or None try: if state == 'present': lock = False # Used to flag whether policy needs to be locked if self.gateway_tunnel: self._validate_tunnel(self.gateway_tunnel) lock = True if self.central_gw: self._validate_external_gw(self.central_gw) self.central_gw = resolve_gw(self.central_gw) lock = True if self.satellite_gw: self._validate_external_gw(self.satellite_gw) self.satellite_gw = resolve_gw(self.satellite_gw) lock = True if not vpn: vpn = PolicyVPN.create( name=self.name, nat=self.apply_nat, vpn_profile=self.vpn_profile) changed = True # Update profile if provided and they are different if self.vpn_profile: if vpn.vpn_profile.name != self.vpn_profile: pf = VPNProfile(self.vpn_profile).href vpn.update(vpn_profile=pf) changed = True # Make sure NAT setting matches if vpn.nat != self.apply_nat: vpn.enable_disable_nat() vpn.update() changed = True if lock: vpn.open() if add_central_gateway(vpn, self.central_gw): changed = True if add_satellite_gateway(vpn, self.satellite_gw): changed = True if self.gateway_tunnel: for gateway in self.gateway_tunnel: if change_gateway_tunnel(vpn, gateway): changed = True vpn.save() vpn.close() if self.tags: if self.add_tags(vpn, self.tags): changed = True elif state == 'absent': # If no gateways are provided, delete the whole VPN if not self.central_gw and not self.satellite_gw and not self.tags: if vpn: vpn.delete() changed = True else: if vpn: lock = False if self.central_gw: self.central_gw = resolve_gw(self.central_gw) lock = True if self.satellite_gw: self.satellite_gw = resolve_gw(self.satellite_gw) lock = True if lock: vpn.open() if delete_central_gateway(vpn, self.central_gw): changed = True if delete_satellite_gateway(vpn, self.satellite_gw): changed = True vpn.save() vpn.close() if self.tags: if self.remove_tags(vpn, self.tags): changed = True except SMCException as err: self.fail(msg=str(err), exception=traceback.format_exc()) self.results['changed'] = changed return self.results
def engine_creation(engine_name, private_ip, public_ip, protected_network, router_ip, private_network): session.login(url=get_url(), api_key=get_api_key(), api_version=get_api_version(), verify=pem_dir) profile = VPNProfile.get_or_create(name=PROFILE_NAME) profile.update(capabilities={ 'ike_v1': True, 'aes128_for_ike': True, 'aggressive_mode': False, 'sha1_for_ike': True, 'dh_group_2_for_ike': True, 'pre_shared_key_for_ike': True, 'rsa_signature_for_ike': False, 'main_mode': True, 'esp_for_ipsec': True, 'aes128_for_ipsec': True, 'sha1_for_ipsec': True, 'sa_per_net': True, 'pfs_dh_group_2_for_ipsec': True, 'rsa_signature_for_ike': True, 'vpn_client_sa_per_net': True }, sa_life_time=28800, tunnel_life_time_seconds=3600, hybrid_authentication_for_mobile_vpn=True, trust_all_cas=True) # we should wait for the engine to be present engine = None while not engine: try: engine = Engine(engine_name) except smc.api.exceptions.ElementNotFound as e: print(e) print(engine) print("retrying in 3 sec") time.sleep(3) interface = engine.interface.get(0) # set_stream_logger(log_level=logging.DEBUG) for sub in interface.sub_interfaces(): sub.data['dynamic'] = False sub.data['address'] = private_ip if 'dynamic_index' in sub.data: del sub.data['dynamic_index'] sub.data['network_value'] = private_network sub.update() interface.update() ROUTER_NAME = "aws_default_router-{}".format(router_ip) if Router.objects.filter(ROUTER_NAME): router = Router(ROUTER_NAME) else: router = Router.create(ROUTER_NAME, router_ip) # update routing interface0 = engine.routing.get(0) for network in interface0: if network.name == 'Network (IPv4)': print("{} should be deleted".format(network)) network.delete() if network.name == "network-{}".format(private_network): print("{} should be updated".format(network)) interface0.add_static_route(gateway=router, destination=[Network('Any network')]) # we need to add custom policy routing so advertised BGP routes are not used when # we source nat the traffic engine.data['policy_route'].append( dict(source=private_ip + '/32', destination=protected_network, gateway_ip=router_ip)) engine.update() # print(interface0.as_tree()) ca = engine.contact_addresses.get(0, interface_ip=private_ip) ca.add_contact_address(public_ip, location='Default') session.logout()