Seiteneigenschaften |
---|
Deutsch |
---|
Beschreibung:Das Add-In nimmt IPSec-Konfigurationen auf der LANCOM R&S Unified Firewall vor und schaltet den Zugriff auf die CLI und das Webinterface über VPN frei. Liste der verwendeten Variablen:
Add-in Code:/**
 * LCOS FX add-in: sets up a PSK-authenticated IKEv2 IPSec connection to a remote
 * gateway, the desktop VPN-network object for it, a policy-routing rule and table
 * that steer traffic for the remote network into the tunnel, a desktop connection
 * permitting HTTP/HTTPS/SSH/ICMP/ping between the local network and the VPN network,
 * and finally rewrites the SSH and web-interface access lists so that management
 * access from the VPN zone is active.
 *
 * Variables expected from the add-in environment (not defined in this script):
 *   vpnConnectionName, remoteGatewayAddress, vpnPassword, localVPNIdentity,
 *   remoteVPNIdentity, localIPNetwork, remoteIPNetwork, localNetworkName.
 * Runtime objects used: fwVersion, config, context, ufApi.
 *
 * The helper functions used by the desktop-connection step are declared at the
 * bottom of the script; function declarations are hoisted, so calling them first
 * is fine.
 */

// Warn (but do not abort) when the firmware differs from the API version this
// add-in was written against; later calls may fail or behave differently.
if (fwVersion.major !== 10 || fwVersion.minor !== 13 || fwVersion.build !== 7038) {
  config.warnLog(
    "Add-In was originally created for an LCOS FX 10.13.7038RU6 API, but " +
    "it is being applied to an LCOS FX " + context.device.firmwareVersionString +
    " device. It might not work as expected."
  );
}

// Activate IPSec Settings
// Global IPSec switch; the connection created below is useless without it.
ufApi.modifySettings(
  'ipsec-settings',
  {
    "active": true,
  }
);

// Create IPSecConnection
// Both peers authenticate with a pre-shared key, and both sides are given the
// same vpnPassword; no certificates are involved (dataCert/dataCa empty), so the
// strength of the peer authentication is exactly the strength of that PSK.
ufApi.createObject(
  'ipsec-connections',
  {
    "name": vpnConnectionName,
    "localAddresses": [],
    "remoteAddresses": [remoteGatewayAddress],
    // Resolve the bundled IKEv2 security profile by name to its uniqueId.
    "profile": ufApi.lookupField("ipsec-security-profiles", "uniqueId", { "name": "LANCOM LCOS Default IKEv2" }),
    "localAuth": {
      "method": "psk",
      "dataPsk": vpnPassword,
      "dataCert": "",
      "dataCa": "",
      "id": localVPNIdentity
    },
    "remoteAuth": {
      "method": "psk",
      "dataPsk": vpnPassword,
      "dataCert": "",
      "dataCa": "",
      "id": remoteVPNIdentity,
      "authMethodRound2": "none"
    },
    "localNetworkNames": [ localIPNetwork ],
    "remoteNetworks": [ remoteIPNetwork ],
    "pool": "",
    // This side brings the tunnel up.
    "initiate": true,
    "ike2CompatTunnels": true,
    "forceUdpEncap": false,
    // Tunnel traffic is carried by an XFRM interface; the routing table further
    // down refers to it by name.
    "xfrmInterface": true,
    "xfrmInterfaceMtu": 1400,
    "trafficGroup": "",
    "outgoingDscp": null,
    "active": true,
    // Literal mask string. With PSK authentication and no certificate there is no
    // private key to protect — NOTE(review): confirm the API treats this value as
    // "unset" rather than storing the asterisks as a password.
    "keyPassword": "********",
    // Bind the tunnel to the Internet connection named "WAN".
    "networkConnection": ufApi.lookupField("connections", "uniqueId", { "name": "WAN" })
  }
);

// Create a VPN Network
// Desktop object representing the remote side. It references the connection
// created above, so the lookup only succeeds if that createObject went through.
ufApi.createObject(
  'vpnnetworks',
  {
    "name": vpnConnectionName,
    "ipv4": "0.0.0.0",
    "interface": "vpn",
    // color/layer/top/left/icon are desktop-layout cosmetics only.
    "color": 7891540,
    "layer": 0,
    "top": 111,
    "left": 222,
    "icon": "vpn-network",
    "type": "vpnnetwork",
    "vpnconnection": {
      "type": "ipsec",
      "connectionid": ufApi.lookupField("ipsec-connections", "uniqueId", { "name": vpnConnectionName }),
      // presumably "all networks reachable through the tunnel"; networks[] stays empty — confirm
      "networkType": "all",
      "networks": []
    },
    "description": "",
    "tags": []
  }
);

// Create Routing Rule
// Policy rule: packets destined for remoteIPNetwork are looked up in routing
// table 514. Source, interfaces and TOS are left empty/null, i.e. not matched
// (assuming empty means "any" — confirm against the API).
ufApi.createObject(
  'routing-rules',
  {
    "priority": 514,
    "selectorSourceIpv4address": "",
    "selectorDestinationIpv4address": remoteIPNetwork,
    "selectorInputInterface": null,
    "selectorOutputInterface": null,
    "selectorTos": 0,
    "actionGoto": null,
    "actionTable": 514,
    "systemRule": false
  }
);

// Create Routing Table
// Table 514 holds a single route for remoteIPNetwork out of the XFRM interface
// with no gateway address. NOTE(review): "xfrm1" is hard-coded rather than
// derived from the connection created above; on a firewall that already has
// XFRM-based tunnels this may not be the new connection's interface — confirm.
ufApi.createObject(
  'routing-tables',
  {
    "table": 514,
    "ipv4Routes": [
      {
        "ipv4DestAddress": remoteIPNetwork,
        "ipv4Nexthops": [
          {
            "ipv4GatewayAddress": "",
            "interface": "xfrm1",
            "weight": 0
          }
        ],
        "active": true,
        "ipv4PrefsrcAddress": "",
        "metric": 0,
        "systemRoute": false,
        "type": "unicast"
      }
    ]
  }
);

// Lookup of Objects for the new Desktop Connection
// A = the existing local network object, B = the VPN network created above.
var objectA = ufApi.lookup('networks', { name: localNetworkName });
var objectB = ufApi.lookup('vpnnetworks', { name: vpnConnectionName });

// Create new Desktop Connection
// Rule set between A and B: HTTP, HTTPS, SSH, ICMP and ping with no per-service
// NAT ("none") and action "both" (presumably both directions — confirm). The
// fourth argument (externalIP) is omitted, so each rule's "dmzip" is undefined.
// SSH is deliberately part of this set; the access lists below are what gate
// management access to the firewall itself.
ufApi.createObject("desktop-connections", desktopConnection(
  objectA,
  objectB,
  [
    predefinedService("internet.http", "none", "both"),
    predefinedService("internet.https", "none", "both"),
    predefinedService("standard.ssh", "none", "both"),
    predefinedService("standard.icmp", "none", "both"),
    predefinedService("standard.ping", "none", "both")
  ]
));

// Enable SSH Access via VPN
// The complete accessList is written, so this presumably replaces whatever list
// the device currently has (confirm merge vs. replace semantics before running
// this on a firewall with custom entries).
//  - LAN and VPN sources are active, WAN stays inactive.
//  - The LANCOM support and R&S gateway entries are carried along but inactive.
//  - The three RFC 1918 entries are ACTIVE: any private-address source, not only
//    the VPN zone, may reach SSH. Review whether that breadth is intended.
// SSH logins are password-based (passwordAuth true, sshKeys empty); key-based
// authentication would be the stronger choice for management access.
// The readOnly entries carry uniqueIds wrapped in \u0002…\u0003 control
// characters — presumably server-side references resolved by the device; leave
// them byte-identical.
// NOTE(review): the UUID uniqueIds of the editable entries are literal values
// evidently captured from one device; confirm the API accepts or regenerates
// them when the add-in is applied to another firewall.
ufApi.modifySettings(
  'ssh-settings',
  {
    "active": true,
    "port": 22,
    "passwordAuth": true,
    "sshKeys": [],
    "accessList": [
      {
        "source": "LAN",
        "active": true,
        "readOnly": true,
        "comment": "LAN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
      },
      {
        "source": "WAN",
        "active": false,
        "readOnly": true,
        "comment": "WAN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
      },
      {
        "source": "VPN",
        "active": true,
        "readOnly": true,
        "comment": "VPN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
      },
      {
        "source": "212.117.89.9/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 1",
        "uniqueId": "8a9a8cb1-b554-460c-9049-5fefc29563f1"
      },
      {
        "source": "217.6.21.90/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 2",
        "uniqueId": "f8936fcb-d074-4e91-bb75-86308156d46c"
      },
      {
        "source": "213.238.47.128/29",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 3",
        "uniqueId": "dd32c120-d326-404a-91c0-15aa8407f841"
      },
      {
        "source": "80.246.32.0/24",
        "active": false,
        "readOnly": false,
        "comment": "Rohde & Schwarz Internet Gateway",
        "uniqueId": "93615715-27f9-4013-af17-b228efe7158d"
      },
      {
        "comment": "Private Networks Class C",
        "active": true,
        "source": "192.168.0.0/16",
        "readOnly": false,
        "uniqueId": "7697e59d-544d-49ec-8012-7cb94e037fde"
      },
      {
        "comment": "Private Networks Class B",
        "active": true,
        "source": "172.16.0.0/12",
        "readOnly": false,
        "uniqueId": "427030a5-61a8-46e4-beed-751c9c032538"
      },
      {
        "comment": "Private Network Class A",
        "active": true,
        "source": "10.0.0.0/8",
        "readOnly": false,
        "uniqueId": "7d6e12be-0c17-449d-a501-81d36e53eb47"
      }
    ]
  }
);

// Enable Webinterface Access via VPN
// Same access-list pattern and the same caveats as for ssh-settings above
// (whole list written, RFC 1918 entries active, device-specific UUIDs), with a
// separate set of uniqueIds. Unlike ssh-settings, no "active" flag is passed.
// The web UI keeps the factory default server certificate (presumably not
// issued by a CA the management clients trust); replace it with a
// customer-issued certificate if clients are expected to validate the UI.
ufApi.modifySettings(
  'webclient-settings',
  {
    "port": 3438,
    "serverCertUid": ufApi.lookupField("certificates", "uniqueId", { "commonName": "LCOS FX Default Webserver Certificate" }),
    "accessList": [
      {
        "source": "LAN",
        "active": true,
        "readOnly": true,
        "comment": "LAN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
      },
      {
        "source": "WAN",
        "active": false,
        "readOnly": true,
        "comment": "WAN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
      },
      {
        "source": "VPN",
        "active": true,
        "readOnly": true,
        "comment": "VPN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
      },
      {
        "source": "212.117.89.9/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 1",
        "uniqueId": "3b4eebb3-7b59-4ce4-9f6c-5ef0575de167"
      },
      {
        "source": "217.6.21.90/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 2",
        "uniqueId": "309031d8-bc4d-448f-94c7-cd62a6beb1a7"
      },
      {
        "source": "213.238.47.128/29",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 3",
        "uniqueId": "082b2264-d0d9-496a-9baa-6673d52cc195"
      },
      {
        "source": "80.246.32.0/24",
        "active": false,
        "readOnly": false,
        "comment": "Rohde & Schwarz Internet Gateway",
        "uniqueId": "a158e8b6-02a2-4ec1-959c-8c6c7cfe6436"
      },
      {
        "comment": "Private Networks Class C",
        "active": true,
        "source": "192.168.0.0/16",
        "readOnly": false,
        "uniqueId": "7725546c-5fca-43f2-8a05-37ee5b0d8aaa"
      },
      {
        "comment": "Private Networks Class B",
        "active": true,
        "source": "172.16.0.0/12",
        "readOnly": false,
        "uniqueId": "0b226af3-bd03-478a-bd2b-70becd8faba3"
      },
      {
        "comment": "Private Network Class A",
        "active": true,
        "source": "10.0.0.0/8",
        "readOnly": false,
        "uniqueId": "8edf833b-ded7-4618-8493-2d70c97b90fb"
      }
    ]
  }
);

// Functions

/**
 * Builds the desktop-connection definition between two desktop objects.
 * @param {*} obja - source-side desktop object (here: the local network)
 * @param {*} objb - destination-side desktop object (here: the VPN network)
 * @param {Array} rules - service rules as produced by service()/predefinedService()
 * @returns {Object} definition accepted by ufApi.createObject("desktop-connections", ...)
 *
 * natactive is "left" and both snatip and dmzip are set to localIPNetwork,
 * which is a network string rather than a single address — NOTE(review): confirm
 * this is what the API expects for these fields. "points" is desktop geometry only.
 */
function desktopConnection(obja, objb, rules) {
  const connectionDefinition = {
    "objb": objb,
    "appfilterRoutingProfiles": [],
    "description": "",
    "color": 1562591,
    "rules": rules,
    "obja": obja,
    "natactive": "left",
    "snatip": localIPNetwork,
    "dmz": true,
    "dmzip": localIPNetwork,
    "points": [{ "x": 1350, "type": "linepoint", "y": 222 }, { "x": 1350, "type": "rulepoint", "y": 282 }, { "x": 1320, "type": "linepoint", "y": 338 }],
    "blockall": false,
    "trafficshaping": [],
    "webfiltersettings": [],
    "applicationfilter": { "mode": "off", "activeprofiles": [] }
  };
  // From 10.8 on the API presumably expects a trafficShaping object instead of
  // the legacy trafficshaping array. NOTE(review): the check is pinned to
  // major 10, so a future major version would fall back to the legacy field.
  if (fwVersion.major === 10 && fwVersion.minor >= 8) {
    delete connectionDefinition.trafficshaping;
    connectionDefinition.trafficShaping = { "trafficGroup": "", "outgoingDscp": null };
  }
  return connectionDefinition;
}

/**
 * Service rule for a user-defined service, resolved by name (editable = true).
 * Not called in this add-in; kept for reuse.
 * @param {string} serviceName - name of the user-defined service
 * @param {string} natactive - per-service NAT mode
 * @param {string} action - rule action
 * @param {string} [externalIP] - DMZ target address, may be omitted
 * @returns {Object} rule definition from service()
 */
function userdefinedService(serviceName, natactive, action, externalIP) {
  return service(
    ufApi.lookup("userdefined-services", { name: serviceName }),
    natactive,
    action,
    true,
    externalIP
  );
}

/**
 * Service rule for a predefined (built-in) service, resolved by name (editable = false).
 * @param {string} serviceName - name of the predefined service, e.g. "standard.ssh"
 * @param {string} natactive - per-service NAT mode
 * @param {string} action - rule action
 * @param {string} [externalIP] - DMZ target address, may be omitted
 * @returns {Object} rule definition from service()
 */
function predefinedService(serviceName, natactive, action, externalIP) {
  return service(
    ufApi.lookup("predefined-services", { name: serviceName }),
    natactive,
    action,
    false,
    externalIP
  );
}

/**
 * Builds one service rule for a desktop connection.
 * @param {*} lookup - service object as returned by ufApi.lookup, stored as uniqueId
 * @param {string} natactive - per-service NAT mode, e.g. "none"
 * @param {string} action - rule action, e.g. "both"
 * @param {boolean} editable - true for user-defined services, false for predefined
 * @param {string} [externalIP] - DMZ target address; undefined when omitted
 * @returns {Object} rule definition
 *
 * The seven timeranges together cover every weekday 00:00:00–23:59:59, i.e. the
 * rule is always in effect. "log" is false, so traffic matching these rules
 * (including SSH to the firewall over the VPN) is not logged — consider enabling
 * it for auditability of management access.
 */
function service(lookup, natactive, action, editable, externalIP) {
  const serviceDefinition = {
    "uniqueId": lookup,
    "dmz": false,
    //"dmz": true,
    //"dmzport": mapPort,
    "dmzip": externalIP,
    "natactive": natactive,
    "editable": editable,
    "timeranges": [{ "endweekday": 0, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 0 }, { "endweekday": 1, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 1 }, { "endweekday": 2, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 2 }, { "endweekday": 3, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 3 }, { "endweekday": 4, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 4 }, { "endweekday": 5, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 5 }, { "endweekday": 6, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 6 }],
    "action": action,
    "trafficshaping": [],
    "log": false,
    "applicationfilter": { "useconnection": true, "activeprofiles": [] }
  };
  // Version-dependent field names; both checks are pinned to major 10 (see
  // desktopConnection).
  if (fwVersion.major === 10 && fwVersion.minor >= 7) {
    serviceDefinition.useConnection = true;
  }
  if (fwVersion.major === 10 && fwVersion.minor >= 8) {
    delete serviceDefinition.trafficshaping;
    serviceDefinition.useConnectionTrafficShaping = false;
    serviceDefinition.trafficShaping = { "trafficGroup": "", "outgoingDscp": null };
  }
  return serviceDefinition;
}
// NOTE(review): the "};" below has no matching opener in this excerpt — likely a
// remnant of the wrapper the add-in is stored in.
}; Add-in als JSON-Datei:
|
Englisch |
---|
Description:The add-in configures IPSec on the LANCOM R&S Unified Firewall and enables access to the CLI and the web interface via VPN. List of variables used:
Add-in code:/**
 * LCOS FX add-in: sets up a PSK-authenticated IKEv2 IPSec connection to a remote
 * gateway, the desktop VPN-network object for it, a policy-routing rule and table
 * that steer traffic for the remote network into the tunnel, a desktop connection
 * permitting HTTP/HTTPS/SSH/ICMP/ping between the local network and the VPN network,
 * and finally rewrites the SSH and web-interface access lists so that management
 * access from the VPN zone is active.
 *
 * Variables expected from the add-in environment (not defined in this script):
 *   vpnConnectionName, remoteGatewayAddress, vpnPassword, localVPNIdentity,
 *   remoteVPNIdentity, localIPNetwork, remoteIPNetwork, localNetworkName.
 * Runtime objects used: fwVersion, config, context, ufApi.
 *
 * The helper functions used by the desktop-connection step are declared at the
 * bottom of the script; function declarations are hoisted, so calling them first
 * is fine.
 */

// Warn (but do not abort) when the firmware differs from the API version this
// add-in was written against; later calls may fail or behave differently.
if (fwVersion.major !== 10 || fwVersion.minor !== 13 || fwVersion.build !== 7038) {
  config.warnLog(
    "Add-In was originally created for an LCOS FX 10.13.7038RU6 API, but " +
    "it is being applied to an LCOS FX " + context.device.firmwareVersionString +
    " device. It might not work as expected."
  );
}

// Activate IPSec Settings
// Global IPSec switch; the connection created below is useless without it.
ufApi.modifySettings(
  'ipsec-settings',
  {
    "active": true,
  }
);

// Create IPSecConnection
// Both peers authenticate with a pre-shared key, and both sides are given the
// same vpnPassword; no certificates are involved (dataCert/dataCa empty), so the
// strength of the peer authentication is exactly the strength of that PSK.
ufApi.createObject(
  'ipsec-connections',
  {
    "name": vpnConnectionName,
    "localAddresses": [],
    "remoteAddresses": [remoteGatewayAddress],
    // Resolve the bundled IKEv2 security profile by name to its uniqueId.
    "profile": ufApi.lookupField("ipsec-security-profiles", "uniqueId", { "name": "LANCOM LCOS Default IKEv2" }),
    "localAuth": {
      "method": "psk",
      "dataPsk": vpnPassword,
      "dataCert": "",
      "dataCa": "",
      "id": localVPNIdentity
    },
    "remoteAuth": {
      "method": "psk",
      "dataPsk": vpnPassword,
      "dataCert": "",
      "dataCa": "",
      "id": remoteVPNIdentity,
      "authMethodRound2": "none"
    },
    "localNetworkNames": [ localIPNetwork ],
    "remoteNetworks": [ remoteIPNetwork ],
    "pool": "",
    // This side brings the tunnel up.
    "initiate": true,
    "ike2CompatTunnels": true,
    "forceUdpEncap": false,
    // Tunnel traffic is carried by an XFRM interface; the routing table further
    // down refers to it by name.
    "xfrmInterface": true,
    "xfrmInterfaceMtu": 1400,
    "trafficGroup": "",
    "outgoingDscp": null,
    "active": true,
    // Literal mask string. With PSK authentication and no certificate there is no
    // private key to protect — NOTE(review): confirm the API treats this value as
    // "unset" rather than storing the asterisks as a password.
    "keyPassword": "********",
    // Bind the tunnel to the Internet connection named "WAN".
    "networkConnection": ufApi.lookupField("connections", "uniqueId", { "name": "WAN" })
  }
);

// Create a VPN Network
// Desktop object representing the remote side. It references the connection
// created above, so the lookup only succeeds if that createObject went through.
ufApi.createObject(
  'vpnnetworks',
  {
    "name": vpnConnectionName,
    "ipv4": "0.0.0.0",
    "interface": "vpn",
    // color/layer/top/left/icon are desktop-layout cosmetics only.
    "color": 7891540,
    "layer": 0,
    "top": 111,
    "left": 222,
    "icon": "vpn-network",
    "type": "vpnnetwork",
    "vpnconnection": {
      "type": "ipsec",
      "connectionid": ufApi.lookupField("ipsec-connections", "uniqueId", { "name": vpnConnectionName }),
      // presumably "all networks reachable through the tunnel"; networks[] stays empty — confirm
      "networkType": "all",
      "networks": []
    },
    "description": "",
    "tags": []
  }
);

// Create Routing Rule
// Policy rule: packets destined for remoteIPNetwork are looked up in routing
// table 514. Source, interfaces and TOS are left empty/null, i.e. not matched
// (assuming empty means "any" — confirm against the API).
ufApi.createObject(
  'routing-rules',
  {
    "priority": 514,
    "selectorSourceIpv4address": "",
    "selectorDestinationIpv4address": remoteIPNetwork,
    "selectorInputInterface": null,
    "selectorOutputInterface": null,
    "selectorTos": 0,
    "actionGoto": null,
    "actionTable": 514,
    "systemRule": false
  }
);

// Create Routing Table
// Table 514 holds a single route for remoteIPNetwork out of the XFRM interface
// with no gateway address. NOTE(review): "xfrm1" is hard-coded rather than
// derived from the connection created above; on a firewall that already has
// XFRM-based tunnels this may not be the new connection's interface — confirm.
ufApi.createObject(
  'routing-tables',
  {
    "table": 514,
    "ipv4Routes": [
      {
        "ipv4DestAddress": remoteIPNetwork,
        "ipv4Nexthops": [
          {
            "ipv4GatewayAddress": "",
            "interface": "xfrm1",
            "weight": 0
          }
        ],
        "active": true,
        "ipv4PrefsrcAddress": "",
        "metric": 0,
        "systemRoute": false,
        "type": "unicast"
      }
    ]
  }
);

// Lookup of Objects for the new Desktop Connection
// A = the existing local network object, B = the VPN network created above.
var objectA = ufApi.lookup('networks', { name: localNetworkName });
var objectB = ufApi.lookup('vpnnetworks', { name: vpnConnectionName });

// Create new Desktop Connection
// Rule set between A and B: HTTP, HTTPS, SSH, ICMP and ping with no per-service
// NAT ("none") and action "both" (presumably both directions — confirm). The
// fourth argument (externalIP) is omitted, so each rule's "dmzip" is undefined.
// SSH is deliberately part of this set; the access lists below are what gate
// management access to the firewall itself.
ufApi.createObject("desktop-connections", desktopConnection(
  objectA,
  objectB,
  [
    predefinedService("internet.http", "none", "both"),
    predefinedService("internet.https", "none", "both"),
    predefinedService("standard.ssh", "none", "both"),
    predefinedService("standard.icmp", "none", "both"),
    predefinedService("standard.ping", "none", "both")
  ]
));

// Enable SSH Access via VPN
// The complete accessList is written, so this presumably replaces whatever list
// the device currently has (confirm merge vs. replace semantics before running
// this on a firewall with custom entries).
//  - LAN and VPN sources are active, WAN stays inactive.
//  - The LANCOM support and R&S gateway entries are carried along but inactive.
//  - The three RFC 1918 entries are ACTIVE: any private-address source, not only
//    the VPN zone, may reach SSH. Review whether that breadth is intended.
// SSH logins are password-based (passwordAuth true, sshKeys empty); key-based
// authentication would be the stronger choice for management access.
// The readOnly entries carry uniqueIds wrapped in \u0002…\u0003 control
// characters — presumably server-side references resolved by the device; leave
// them byte-identical.
// NOTE(review): the UUID uniqueIds of the editable entries are literal values
// evidently captured from one device; confirm the API accepts or regenerates
// them when the add-in is applied to another firewall.
ufApi.modifySettings(
  'ssh-settings',
  {
    "active": true,
    "port": 22,
    "passwordAuth": true,
    "sshKeys": [],
    "accessList": [
      {
        "source": "LAN",
        "active": true,
        "readOnly": true,
        "comment": "LAN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
      },
      {
        "source": "WAN",
        "active": false,
        "readOnly": true,
        "comment": "WAN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
      },
      {
        "source": "VPN",
        "active": true,
        "readOnly": true,
        "comment": "VPN_LABEL",
        "uniqueId": "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
      },
      {
        "source": "212.117.89.9/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 1",
        "uniqueId": "8a9a8cb1-b554-460c-9049-5fefc29563f1"
      },
      {
        "source": "217.6.21.90/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 2",
        "uniqueId": "f8936fcb-d074-4e91-bb75-86308156d46c"
      },
      {
        "source": "213.238.47.128/29",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 3",
        "uniqueId": "dd32c120-d326-404a-91c0-15aa8407f841"
      },
      {
        "source": "80.246.32.0/24",
        "active": false,
        "readOnly": false,
        "comment": "Rohde & Schwarz Internet Gateway",
        "uniqueId": "93615715-27f9-4013-af17-b228efe7158d"
      },
      {
        "comment": "Private Networks Class C",
        "active": true,
        "source": "192.168.0.0/16",
        "readOnly": false,
        "uniqueId": "7697e59d-544d-49ec-8012-7cb94e037fde"
      },
      {
        "comment": "Private Networks Class B",
        "active": true,
        "source": "172.16.0.0/12",
        "readOnly": false,
        "uniqueId": "427030a5-61a8-46e4-beed-751c9c032538"
      },
      {
        "comment": "Private Network Class A",
        "active": true,
        "source": "10.0.0.0/8",
        "readOnly": false,
        "uniqueId": "7d6e12be-0c17-449d-a501-81d36e53eb47"
      }
    ]
  }
);

// Enable Webinterface Access via VPN
// Same access-list pattern and the same caveats as for ssh-settings above
// (whole list written, RFC 1918 entries active, device-specific UUIDs), with a
// separate set of uniqueIds. Unlike ssh-settings, no "active" flag is passed.
// The web UI keeps the factory default server certificate (presumably not
// issued by a CA the management clients trust); replace it with a
// customer-issued certificate if clients are expected to validate the UI.
ufApi.modifySettings(
  'webclient-settings',
  {
    "port": 3438,
    "serverCertUid": ufApi.lookupField("certificates", "uniqueId", { "commonName": "LCOS FX Default Webserver Certificate" }),
    "accessList": [
      {
        "source": "LAN",
        "active": true,
        "readOnly": true,
        "comment": "LAN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
      },
      {
        "source": "WAN",
        "active": false,
        "readOnly": true,
        "comment": "WAN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
      },
      {
        "source": "VPN",
        "active": true,
        "readOnly": true,
        "comment": "VPN_LABEL",
        "uniqueId": "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
      },
      {
        "source": "212.117.89.9/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 1",
        "uniqueId": "3b4eebb3-7b59-4ce4-9f6c-5ef0575de167"
      },
      {
        "source": "217.6.21.90/32",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 2",
        "uniqueId": "309031d8-bc4d-448f-94c7-cd62a6beb1a7"
      },
      {
        "source": "213.238.47.128/29",
        "active": false,
        "readOnly": false,
        "comment": "LANCOM Customer Support 3",
        "uniqueId": "082b2264-d0d9-496a-9baa-6673d52cc195"
      },
      {
        "source": "80.246.32.0/24",
        "active": false,
        "readOnly": false,
        "comment": "Rohde & Schwarz Internet Gateway",
        "uniqueId": "a158e8b6-02a2-4ec1-959c-8c6c7cfe6436"
      },
      {
        "comment": "Private Networks Class C",
        "active": true,
        "source": "192.168.0.0/16",
        "readOnly": false,
        "uniqueId": "7725546c-5fca-43f2-8a05-37ee5b0d8aaa"
      },
      {
        "comment": "Private Networks Class B",
        "active": true,
        "source": "172.16.0.0/12",
        "readOnly": false,
        "uniqueId": "0b226af3-bd03-478a-bd2b-70becd8faba3"
      },
      {
        "comment": "Private Network Class A",
        "active": true,
        "source": "10.0.0.0/8",
        "readOnly": false,
        "uniqueId": "8edf833b-ded7-4618-8493-2d70c97b90fb"
      }
    ]
  }
);

// Functions

/**
 * Builds the desktop-connection definition between two desktop objects.
 * @param {*} obja - source-side desktop object (here: the local network)
 * @param {*} objb - destination-side desktop object (here: the VPN network)
 * @param {Array} rules - service rules as produced by service()/predefinedService()
 * @returns {Object} definition accepted by ufApi.createObject("desktop-connections", ...)
 *
 * natactive is "left" and both snatip and dmzip are set to localIPNetwork,
 * which is a network string rather than a single address — NOTE(review): confirm
 * this is what the API expects for these fields. "points" is desktop geometry only.
 */
function desktopConnection(obja, objb, rules) {
  const connectionDefinition = {
    "objb": objb,
    "appfilterRoutingProfiles": [],
    "description": "",
    "color": 1562591,
    "rules": rules,
    "obja": obja,
    "natactive": "left",
    "snatip": localIPNetwork,
    "dmz": true,
    "dmzip": localIPNetwork,
    "points": [{ "x": 1350, "type": "linepoint", "y": 222 }, { "x": 1350, "type": "rulepoint", "y": 282 }, { "x": 1320, "type": "linepoint", "y": 338 }],
    "blockall": false,
    "trafficshaping": [],
    "webfiltersettings": [],
    "applicationfilter": { "mode": "off", "activeprofiles": [] }
  };
  // From 10.8 on the API presumably expects a trafficShaping object instead of
  // the legacy trafficshaping array. NOTE(review): the check is pinned to
  // major 10, so a future major version would fall back to the legacy field.
  if (fwVersion.major === 10 && fwVersion.minor >= 8) {
    delete connectionDefinition.trafficshaping;
    connectionDefinition.trafficShaping = { "trafficGroup": "", "outgoingDscp": null };
  }
  return connectionDefinition;
}

/**
 * Service rule for a user-defined service, resolved by name (editable = true).
 * Not called in this add-in; kept for reuse.
 * @param {string} serviceName - name of the user-defined service
 * @param {string} natactive - per-service NAT mode
 * @param {string} action - rule action
 * @param {string} [externalIP] - DMZ target address, may be omitted
 * @returns {Object} rule definition from service()
 */
function userdefinedService(serviceName, natactive, action, externalIP) {
  return service(
    ufApi.lookup("userdefined-services", { name: serviceName }),
    natactive,
    action,
    true,
    externalIP
  );
}

/**
 * Service rule for a predefined (built-in) service, resolved by name (editable = false).
 * @param {string} serviceName - name of the predefined service, e.g. "standard.ssh"
 * @param {string} natactive - per-service NAT mode
 * @param {string} action - rule action
 * @param {string} [externalIP] - DMZ target address, may be omitted
 * @returns {Object} rule definition from service()
 */
function predefinedService(serviceName, natactive, action, externalIP) {
  return service(
    ufApi.lookup("predefined-services", { name: serviceName }),
    natactive,
    action,
    false,
    externalIP
  );
}

/**
 * Builds one service rule for a desktop connection.
 * @param {*} lookup - service object as returned by ufApi.lookup, stored as uniqueId
 * @param {string} natactive - per-service NAT mode, e.g. "none"
 * @param {string} action - rule action, e.g. "both"
 * @param {boolean} editable - true for user-defined services, false for predefined
 * @param {string} [externalIP] - DMZ target address; undefined when omitted
 * @returns {Object} rule definition
 *
 * The seven timeranges together cover every weekday 00:00:00–23:59:59, i.e. the
 * rule is always in effect. "log" is false, so traffic matching these rules
 * (including SSH to the firewall over the VPN) is not logged — consider enabling
 * it for auditability of management access.
 */
function service(lookup, natactive, action, editable, externalIP) {
  const serviceDefinition = {
    "uniqueId": lookup,
    "dmz": false,
    //"dmz": true,
    //"dmzport": mapPort,
    "dmzip": externalIP,
    "natactive": natactive,
    "editable": editable,
    "timeranges": [{ "endweekday": 0, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 0 }, { "endweekday": 1, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 1 }, { "endweekday": 2, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 2 }, { "endweekday": 3, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 3 }, { "endweekday": 4, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 4 }, { "endweekday": 5, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 5 }, { "endweekday": 6, "repeattype": "weekly", "endtime": "23:59:59", "starttime": "00:00:00", "startweekday": 6 }],
    "action": action,
    "trafficshaping": [],
    "log": false,
    "applicationfilter": { "useconnection": true, "activeprofiles": [] }
  };
  // Version-dependent field names; both checks are pinned to major 10 (see
  // desktopConnection).
  if (fwVersion.major === 10 && fwVersion.minor >= 7) {
    serviceDefinition.useConnection = true;
  }
  if (fwVersion.major === 10 && fwVersion.minor >= 8) {
    delete serviceDefinition.trafficshaping;
    serviceDefinition.useConnectionTrafficShaping = false;
    serviceDefinition.trafficShaping = { "trafficGroup": "", "outgoingDscp": null };
  }
  return serviceDefinition;
}
// NOTE(review): the "};" below has no matching opener in this excerpt — likely a
// remnant of the wrapper the add-in is stored in.
}; Add-in as JSON file:
|
...