Removed support for EZVPN

hknutzen · Dec 20, 2023 · fa84843 · fa84843
1 parent 00a5a14
commit fa84843
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 505 deletions.
diff --git a/go/pkg/pass1/print-code.go b/go/pkg/pass1/print-code.go
@@ -1241,97 +1241,6 @@ func (c *spoc) genCryptoRules(local, remote []*network) []*groupedRule {
 	)}
 }
 
-func (c *spoc) printEzvpn(fh *os.File, r *router) {
-	interfaces := r.interfaces
-	var tunnelIntf *routerIntf
-	for _, intf := range interfaces {
-		if intf.ipType == tunnelIP {
-			tunnelIntf = intf
-		}
-	}
-	tunNatMap := tunnelIntf.natMap
-	wanIntf := tunnelIntf.realIntf
-	wanHw := wanIntf.hardware
-	wanNatMap := wanHw.natMap
-	var lanIntfs intfList
-	for _, intf := range interfaces {
-		if intf != wanIntf && intf != tunnelIntf {
-			lanIntfs.push(intf)
-		}
-	}
-
-	// Ezvpn configuration.
-	ezvpnName := "vpn"
-	cryptoAclName := "ACL-Split-Tunnel"
-	cryptoFilterName := "ACL-crypto-filter"
-	virtualIntfNumber := 1
-	fmt.Fprintln(fh, "crypto ipsec client ezvpn", ezvpnName)
-	fmt.Fprintln(fh, " connect auto")
-	fmt.Fprintln(fh, " mode network-extension")
-
-	// Unnumbered, negotiated and short interfaces have been
-	// rejected already.
-	peer := tunnelIntf.peer
-	peerIp := prefixCode(peer.realIntf.address(wanNatMap))
-	fmt.Fprintln(fh, " peer", peerIp)
-
-	// Bind split tunnel ACL.
-	fmt.Fprintln(fh, " acl", cryptoAclName)
-
-	// Use virtual template defined above.
-	fmt.Fprintln(fh, " virtual-interface", virtualIntfNumber)
-
-	// xauth is unused, but syntactically needed.
-	fmt.Fprintln(fh, " username test pass test")
-	fmt.Fprintln(fh, " xauth userid mode local")
-
-	// Apply ezvpn to WAN and LAN interface.
-	for _, intf := range lanIntfs {
-		lanHw := intf.hardware
-		lanHw.subcmd.push("crypto ipsec client ezvpn " + ezvpnName + " inside")
-	}
-	wanHw.subcmd.push("crypto ipsec client ezvpn " + ezvpnName)
-
-	// Crypto ACL controls which traffic needs to be encrypted.
-	cryptoRules := c.genCryptoRules(tunnelIntf.peer.peerNetworks,
-		[]*network{c.getNetwork00(r.ipV6)})
-	acls := &aclInfo{
-		name:        cryptoAclName,
-		rules:       cryptoRules,
-		natMap:      tunNatMap,
-		isCryptoACL: true,
-	}
-	r.aclList.push(acls)
-	printAclPlaceholder(fh, r, cryptoAclName)
-
-	// Crypto filter ACL.
-	acls = &aclInfo{
-		name:        cryptoFilterName,
-		rules:       tunnelIntf.rules,
-		intfRules:   tunnelIntf.intfRules,
-		addDeny:     true,
-		protectSelf: true,
-		natMap:      tunNatMap,
-	}
-	tunnelIntf.rules = nil
-	tunnelIntf.intfRules = nil
-	r.aclList.push(acls)
-	printAclPlaceholder(fh, r, cryptoFilterName)
-
-	// Bind crypto filter ACL to virtual template.
-	fmt.Fprintln(fh,
-		"interface Virtual-Template"+strconv.Itoa(virtualIntfNumber),
-		"type tunnel")
-	var prefix string
-	if r.ipV6 {
-		prefix = " ipv6 traffic-filter"
-	} else {
-		prefix = " ip access-group"
-	}
-
-	fmt.Fprintln(fh, prefix, cryptoFilterName, "in")
-}
-
 // Print crypto ACL.
 // It controls which traffic needs to be encrypted.
 func (c *spoc) printCryptoAcl(fh *os.File, intf *routerIntf, suffix string, crypto *crypto) string {
@@ -1627,11 +1536,6 @@ func (c *spoc) printCrypto(fh *os.File, r *router) {
 
 	printHeader(fh, r, "Crypto")
 
-	if cryptoType == "EZVPN" {
-		c.printEzvpn(fh, r)
-		return
-	}
-
 	// Use interface access lists to filter incoming crypto traffic.
 	// Group policy and per-user authorization access list can't be used
 	// because they are stateless.
@@ -1645,12 +1549,6 @@ func (c *spoc) printCrypto(fh *os.File, r *router) {
 		return
 	}
 
-	// Crypto config for ASA as EZVPN client is configured manually once.
-	// No config is generated by netspoc.
-	if cryptoType == "ASA_EZVPN" {
-		return
-	}
-
 	isakmpCount := 0
 	for _, isakmp := range isakmpList {
 

diff --git a/go/pkg/pass1/setup-objects.go b/go/pkg/pass1/setup-objects.go
@@ -2479,8 +2479,6 @@ func (c *spoc) getModel(a *ast.Attribute, ctx string) *model {
 			switch m {
 			case "IOS":
 				switch att {
-				case "EZVPN":
-					info.crypto = "EZVPN"
 				case "FW":
 					info.stateless = false
 				default:
@@ -2493,8 +2491,6 @@ func (c *spoc) getModel(a *ast.Attribute, ctx string) *model {
 					info.doAuth = true
 				case "CONTEXT":
 					info.cryptoInContext = true
-				case "EZVPN":
-					info.crypto = "ASA_EZVPN"
 				default:
 					goto FAIL
 				}
@@ -3613,10 +3609,6 @@ func (c *spoc) linkTunnels() {
 			c.err("%s needs authentication=rsasig in %s", r, isakmp.name)
 		}
 
-		if model.crypto == "EZVPN" {
-			c.err("Must not use %s of model '%s' as crypto hub", r, model.name)
-		}
-
 		// Generate a single tunnel from each spoke to single hub.
 		for _, spokeNet := range tunnels {
 			netName := spokeNet.name[len("network:"):]

diff --git a/go/testdata/crypto.t b/go/testdata/crypto.t
@@ -3346,193 +3346,6 @@ network:lan1 = { ip = 10.99.2.0/24; }
 Error: router:asavpn can't establish crypto tunnel to interface:vpn1.internet with unknown IP
 =END=
 
-############################################################
-=TITLE=VPN ASA to EZVPN router with two local networks
-=TEMPL=input
-[[crypto_vpn]]
-network:intern = { ip = 10.1.1.0/24;}
-router:asavpn = {
- model = ASA, VPN;
- managed;
- general_permit = icmp 3;
- radius_attributes = {
-  trust-point = ASDM_TrustPoint3;
-  banner = Welcome at VPN service;
-  dns-server = 10.1.1.10 10.1.1.11;
-  wins-server = 10.1.1.20;
- }
- interface:intern = {
-  ip = 10.1.1.101;
-  hardware = inside;
- }
- interface:dmz = {
-  ip = 192.168.0.101;
-  hub = crypto:vpn;
-  hardware = outside;
- }
-}
-network:dmz = { ip = 192.168.0.0/24; }
-router:extern = {
- interface:dmz = { ip = 192.168.0.1; }
- interface:internet;
-}
-network:internet = { ip = 0.0.0.0/0; has_subnets; }
-router:vpn = {
- managed;
- model = IOS, EZVPN;
- interface:internet = {
-  negotiated;
-  spoke = crypto:vpn;
-  id = abc@123.45;
-  hardware = e1;
- }
- interface:lan2 = {
-  ip = 10.99.2.1;
-  hardware = e2;
- }
- interface:lan3 = {
-  ip = 10.99.3.1;
-  hardware = e3;
- }
-}
-network:lan2 = { ip = 10.99.2.0/24; }
-network:lan3 = { ip = 10.99.3.0/24; }
-service:test = {
- user = network:lan2, network:lan3;
- permit src = user; dst = network:intern; prt = tcp 80;
- permit src = network:intern; dst = user; prt = udp 123;
-}
-=INPUT=[[input]]
-=OUTPUT=
---asavpn
-tunnel-group VPN-single type remote-access
-tunnel-group VPN-single general-attributes
- authorization-server-group LOCAL
- default-group-policy global
- authorization-required
- username-from-certificate EA
-tunnel-group VPN-single ipsec-attributes
- chain
- ikev1 trust-point ASDM_TrustPoint3
- ikev1 user-authentication none
-tunnel-group VPN-single webvpn-attributes
- authentication certificate
-tunnel-group-map default-group VPN-single
---
-! vpn-filter-abc@123.45
-access-list vpn-filter-abc@123.45 extended permit ip 10.99.2.0 255.255.254.0 any4
-access-list vpn-filter-abc@123.45 extended deny ip any4 any4
-group-policy VPN-router-abc@123.45 internal
-group-policy VPN-router-abc@123.45 attributes
- banner value Welcome at VPN service
- dns-server value 10.1.1.10 10.1.1.11
- wins-server value 10.1.1.20
-username abc@123.45 nopassword
-username abc@123.45 attributes
- service-type remote-access
- vpn-filter value vpn-filter-abc@123.45
- vpn-group-policy VPN-router-abc@123.45
---
-! outside_in
-access-list outside_in extended permit icmp 10.99.2.0 255.255.254.0 any4 3
-access-list outside_in extended permit tcp 10.99.2.0 255.255.254.0 10.1.1.0 255.255.255.0 eq 80
-access-list outside_in extended deny ip any4 any4
-access-group outside_in in interface outside
---vpn
-crypto ipsec client ezvpn vpn
- connect auto
- mode network-extension
- peer 192.168.0.101
- acl ACL-Split-Tunnel
- virtual-interface 1
- username test pass test
- xauth userid mode local
-ip access-list extended ACL-Split-Tunnel
- permit ip 10.99.2.0 0.0.0.255 any
- permit ip 10.99.3.0 0.0.0.255 any
-ip access-list extended ACL-crypto-filter
- deny ip any host 10.99.2.1
- deny ip any host 10.99.3.1
- permit udp 10.1.1.0 0.0.0.255 10.99.2.0 0.0.1.255 eq 123
- permit tcp 10.1.1.0 0.0.0.255 10.99.2.0 0.0.1.255 established
- deny ip any any
-interface Virtual-Template1 type tunnel
- ip access-group ACL-crypto-filter in
---
-ip access-list extended e1_in
- permit 50 host 192.168.0.101 any
- permit udp host 192.168.0.101 eq 500 any eq 500
- deny ip any any
---
-ip access-list extended e2_in
- permit tcp 10.99.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
- permit udp 10.99.2.0 0.0.0.255 eq 123 10.1.1.0 0.0.0.255
- deny ip any any
---
-interface e1
- ip address negotiated
- crypto ipsec client ezvpn vpn
- ip access-group e1_in in
-interface e2
- ip address 10.99.2.1 255.255.255.0
- crypto ipsec client ezvpn vpn inside
- ip access-group e2_in in
-interface e3
- ip address 10.99.3.1 255.255.255.0
- crypto ipsec client ezvpn vpn inside
- ip access-group e3_in in
-=END=
-
-############################################################
-=TITLE=VPN ASA to EZVPN router with two local networks authenticated only
-# Protocol 50 is also used if only esp_authentication.
-=INPUT=[[input]]
-=SUBST=/esp_encryption = aes256;//
-=OUTPUT=
---vpn
-ip access-list extended e1_in
- permit 50 host 192.168.0.101 any
- permit udp host 192.168.0.101 eq 500 any eq 500
- deny ip any any
-=END=
-
-############################################################
-=TITLE=VPN ASA to EZVPN ASA with two local networks
-=INPUT=[[input]]
-=SUBST=/IOS/ASA/
-=OUTPUT=
---vpn
-! [ Routing ]
-route e1 0.0.0.0 0.0.0.0 e1
---
-! VPN traffic is filtered at interface ACL
-no sysopt connection permit-vpn
---
-! e1_in
-access-list e1_in extended permit udp 10.1.1.0 255.255.255.0 10.99.2.0 255.255.254.0 eq 123
-access-list e1_in extended deny ip any4 any4
-access-group e1_in in interface e1
---
-! e2_in
-access-list e2_in extended permit tcp 10.99.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
-access-list e2_in extended deny ip any4 any4
-access-group e2_in in interface e2
---
-! e3_in
-access-list e3_in extended permit tcp 10.99.3.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
-access-list e3_in extended deny ip any4 any4
-access-group e3_in in interface e3
-=END=
-
-############################################################
-=TITLE=Missing ID at EZVPN router to VPN ASA
-=INPUT=[[input]]
-=SUBST=/IOS/ASA/
-=SUBST=/id =/#id/
-=ERROR=
-Error: interface:vpn.tunnel:vpn needs attribute 'id', because isakmp:aes256SHA has authentication=rsasig
-=END=
-
 ############################################################
 =TITLE=ASA as managed VPN spoke
 =TEMPL=input
@@ -3982,14 +3795,6 @@ interface dmz
  ip access-group dmz_in in
 =END=
 
-############################################################
-=TITLE=Must not use EZVPN as hub
-=INPUT=[[topo]]
-=SUBST=/IOS/IOS, EZVPN/
-=ERROR=
-Error: Must not use router:vpn of model 'IOS, EZVPN' as crypto hub
-=END=
-
 ############################################################
 =TITLE=Unmanaged VPN spoke with unknown ID
 =TEMPL=input