Description:
The add-in configures an IPsec VPN connection on the LANCOM R&S Unified Firewall and enables access to the CLI and the web interface via VPN.
List of used variables:
Variable | Description |
---|---|
localNetworkName | Name of the local IP Network on the Unified Firewall |
localIPNetwork | Address Range of the local IP Network on the Unified Firewall |
localVPNIdentity | VPN Identity of the Unified Firewall |
remoteGatewayAddress | WAN IP address of the remote VPN gateway |
remoteIPNetwork | Address Range of the IP Network on the remote VPN Gateway |
remoteVPNIdentity | VPN Identity of the remote VPN Gateway |
vpnConnectionName | Name of the VPN Connection |
vpnPassword | VPN password (IKE pre-shared key, identical on both gateways) |
Add-in code:
/**
* @param {Config} config
* @param {Context} context
*
* Do not edit this comment or parameter types. Required for code suggestions.
*/
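exports.main = function (config, context) {
  const fwVersion = context.device.firmwareVersionObject;
  const ufApi = config.getUfApi();

  // VPN configuration variables – fill these in before running the add-in.
  const localNetworkName = ""; // Name of the IP Network on the Firewall
  const localIPNetwork = ""; // LAN IP Address Range of the Network on the Firewall
  const localVPNIdentity = ""; // VPN Identity on the Unified Firewall
  const remoteGatewayAddress = ""; // WAN Address of the Remote VPN Gateway
  const remoteIPNetwork = ""; // LAN IP Address Range of the Remote VPN Gateway
  const remoteVPNIdentity = ""; // VPN Identity of the Remote VPN Gateway
  const vpnConnectionName = ""; // Name of the VPN Connection on the Unified Firewall
  const vpnPassword = ""; // VPN Password (IKE pre-shared key) on the Unified Firewall and the Remote VPN Gateway

  // Policy routing table id used for traffic towards the remote network
  // (referenced by both the routing rule and the routing table below).
  const vpnRoutingTable = 514;

  // Refuse to run with unfilled placeholders. Every value above ends up in the
  // IPsec connection payload; an empty pre-shared key or an empty network
  // reference would create a broken or weakly authenticated tunnel, so stop
  // before any object is written to the device.
  const requiredSettings = {
    localNetworkName,
    localIPNetwork,
    localVPNIdentity,
    remoteGatewayAddress,
    remoteIPNetwork,
    remoteVPNIdentity,
    vpnConnectionName,
    vpnPassword
  };
  const missingSettings = Object.keys(requiredSettings).filter((key) => {
    const value = requiredSettings[key];
    return typeof value !== "string" || value.trim() === "";
  });
  if (missingSettings.length > 0) {
    throw new Error(
      "VPN configuration variables are not set: " + missingSettings.join(", ")
    );
  }

  // The payloads below were captured against one specific firmware build;
  // other builds are allowed, but the operator is warned about it.
  if (fwVersion.major !== 10 || fwVersion.minor !== 13 || fwVersion.build !== 7038) {
    config.warnLog(
      "Add-In was originally created for an LCOS FX 10.13.7038RU6 API, but " +
      "it is being applied to an LCOS FX " + context.device.firmwareVersionString +
      " device. It might not work as expected."
    );
  }

  // Activate IPSec globally
  ufApi.modifySettings(
    'ipsec-settings',
    {
      "active": true,
    }
  );

  // Create the IPSec connection (IKEv2, PSK authentication on both sides)
  ufApi.createObject(
    'ipsec-connections',
    {
      "name": vpnConnectionName,
      "localAddresses": [],
      "remoteAddresses": [remoteGatewayAddress],
      "profile": ufApi.lookupField("ipsec-security-profiles", "uniqueId", { "name": "LANCOM LCOS Default IKEv2" }),
      "localAuth": {
        "method": "psk",
        "dataPsk": vpnPassword,
        "dataCert": "",
        "dataCa": "",
        "id": localVPNIdentity
      },
      "remoteAuth": {
        "method": "psk",
        "dataPsk": vpnPassword,
        "dataCert": "",
        "dataCa": "",
        "id": remoteVPNIdentity,
        "authMethodRound2": "none"
      },
      // NOTE(review): the field name suggests a network *name*, but the address
      // range is passed here; localNetworkName is only used for the desktop
      // connection lookup further down — confirm which one the API expects.
      "localNetworkNames": [
        localIPNetwork
      ],
      "remoteNetworks": [
        remoteIPNetwork
      ],
      "pool": "",
      "initiate": true,
      "ike2CompatTunnels": true,
      "forceUdpEncap": false,
      "xfrmInterface": true,
      "xfrmInterfaceMtu": 1400,
      "trafficGroup": "",
      "outgoingDscp": null,
      "active": true,
      // Masked placeholder kept verbatim from the original payload; PSK
      // authentication does not use a certificate key — TODO confirm.
      "keyPassword": "********",
      "networkConnection": ufApi.lookupField("connections", "uniqueId", { "name": "WAN" })
    }
  );

  // Create a VPN network desktop object bound to the new IPSec connection
  ufApi.createObject(
    'vpnnetworks',
    {
      "name": vpnConnectionName,
      "ipv4": "0.0.0.0",
      "interface": "vpn",
      "color": 7891540,
      "layer": 0,
      "top": 111,
      "left": 222,
      "icon": "vpn-network",
      "type": "vpnnetwork",
      "vpnconnection": {
        "type": "ipsec",
        "connectionid": ufApi.lookupField("ipsec-connections", "uniqueId", { "name": vpnConnectionName }),
        "networkType": "all",
        "networks": []
      },
      "description": "",
      "tags": []
    }
  );

  // Policy routing rule: send traffic for the remote network to the VPN table
  ufApi.createObject(
    'routing-rules',
    {
      "priority": 514,
      "selectorSourceIpv4address": "",
      "selectorDestinationIpv4address": remoteIPNetwork,
      "selectorInputInterface": null,
      "selectorOutputInterface": null,
      "selectorTos": 0,
      "actionGoto": null,
      "actionTable": vpnRoutingTable,
      "systemRule": false
    }
  );

  // Routing table with a single route into the tunnel interface
  ufApi.createObject(
    'routing-tables',
    {
      "table": vpnRoutingTable,
      "ipv4Routes": [
        {
          "ipv4DestAddress": remoteIPNetwork,
          "ipv4Nexthops": [
            {
              "ipv4GatewayAddress": "",
              // NOTE(review): assumes the new connection (xfrmInterface: true
              // above) is bound to "xfrm1" — confirm on the target device.
              "interface": "xfrm1",
              "weight": 0
            }
          ],
          "active": true,
          "ipv4PrefsrcAddress": "",
          "metric": 0,
          "systemRoute": false,
          "type": "unicast"
        }
      ]
    }
  );

  // Desktop connection between the local network and the new VPN network
  const localNetworkObject = ufApi.lookup('networks', { name: localNetworkName });
  const vpnNetworkObject = ufApi.lookup('vpnnetworks', { name: vpnConnectionName });
  ufApi.createObject("desktop-connections", desktopConnection(
    localNetworkObject,
    vpnNetworkObject,
    [
      predefinedService("internet.http", "none", "both"),
      predefinedService("internet.https", "none", "both"),
      predefinedService("standard.ssh", "none", "both"),
      predefinedService("standard.icmp", "none", "both"),
      predefinedService("standard.ping", "none", "both")
    ]
  ));

  // Enable SSH access via VPN. Password authentication stays enabled and no
  // SSH keys are configured; the whole accessList is replaced, not merged.
  ufApi.modifySettings(
    'ssh-settings',
    {
      "active": true,
      "port": 22,
      "passwordAuth": true,
      "sshKeys": [],
      "accessList": managementAccessList("ssh-settings", {
        support1: "8a9a8cb1-b554-460c-9049-5fefc29563f1",
        support2: "f8936fcb-d074-4e91-bb75-86308156d46c",
        support3: "dd32c120-d326-404a-91c0-15aa8407f841",
        rsGateway: "93615715-27f9-4013-af17-b228efe7158d",
        privateC: "7697e59d-544d-49ec-8012-7cb94e037fde",
        privateB: "427030a5-61a8-46e4-beed-751c9c032538",
        privateA: "7d6e12be-0c17-449d-a501-81d36e53eb47"
      })
    }
  );

  // Enable web interface access via VPN (same access list layout as SSH)
  ufApi.modifySettings(
    'webclient-settings',
    {
      "port": 3438,
      "serverCertUid": ufApi.lookupField("certificates", "uniqueId", { "commonName": "LCOS FX Default Webserver Certificate" }),
      "accessList": managementAccessList("webclient-settings", {
        support1: "3b4eebb3-7b59-4ce4-9f6c-5ef0575de167",
        support2: "309031d8-bc4d-448f-94c7-cd62a6beb1a7",
        support3: "082b2264-d0d9-496a-9baa-6673d52cc195",
        rsGateway: "a158e8b6-02a2-4ec1-959c-8c6c7cfe6436",
        privateC: "7725546c-5fca-43f2-8a05-37ee5b0d8aaa",
        privateB: "0b226af3-bd03-478a-bd2b-70becd8faba3",
        privateA: "8edf833b-ded7-4618-8493-2d70c97b90fb"
      })
    }
  );

  // Functions

  /**
   * Builds the management accessList shared by ssh-settings and
   * webclient-settings. LAN and VPN sources are enabled, WAN and the
   * vendor support ranges are disabled.
   *
   * NOTE(review): the three RFC1918 ranges are enabled (active: true) in
   * addition to the VPN source, so management access is opened to every
   * private address the firewall can reach, not only to VPN peers — confirm
   * this is intended. The uniqueId values were copied from one specific
   * device; confirm they match the target device.
   *
   * @param {string} settingsModel  "ssh-settings" or "webclient-settings"
   * @param {object} uniqueIds      device-specific ids for the editable entries
   * @returns {object[]} accessList entries in the order the API expects
   */
  function managementAccessList(settingsModel, uniqueIds) {
    // Built-in entries use a model-path reference instead of a UUID.
    const builtinId = (source) =>
      "\u0002/model/" + settingsModel + "\u0005accessList[?(@.source==\"" + source + "\")].uniqueId\u0003";
    return [
      { "source": "LAN", "active": true, "readOnly": true, "comment": "LAN_LABEL", "uniqueId": builtinId("LAN") },
      { "source": "WAN", "active": false, "readOnly": true, "comment": "WAN_LABEL", "uniqueId": builtinId("WAN") },
      { "source": "VPN", "active": true, "readOnly": true, "comment": "VPN_LABEL", "uniqueId": builtinId("VPN") },
      { "source": "212.117.89.9/32", "active": false, "readOnly": false, "comment": "LANCOM Customer Support 1", "uniqueId": uniqueIds.support1 },
      { "source": "217.6.21.90/32", "active": false, "readOnly": false, "comment": "LANCOM Customer Support 2", "uniqueId": uniqueIds.support2 },
      { "source": "213.238.47.128/29", "active": false, "readOnly": false, "comment": "LANCOM Customer Support 3", "uniqueId": uniqueIds.support3 },
      { "source": "80.246.32.0/24", "active": false, "readOnly": false, "comment": "Rohde & Schwarz Internet Gateway", "uniqueId": uniqueIds.rsGateway },
      { "comment": "Private Networks Class C", "active": true, "source": "192.168.0.0/16", "readOnly": false, "uniqueId": uniqueIds.privateC },
      { "comment": "Private Networks Class B", "active": true, "source": "172.16.0.0/12", "readOnly": false, "uniqueId": uniqueIds.privateB },
      { "comment": "Private Network Class A", "active": true, "source": "10.0.0.0/8", "readOnly": false, "uniqueId": uniqueIds.privateA }
    ];
  }

  /**
   * Builds a desktop-connection payload between two desktop objects.
   * SNAT and DMZ are both pointed at the local network range.
   *
   * @param {*} obja   uniqueId of the left object (local network)
   * @param {*} objb   uniqueId of the right object (VPN network)
   * @param {object[]} rules  service rules as built by service()
   * @returns {object} payload for ufApi.createObject("desktop-connections", ...)
   */
  function desktopConnection(obja, objb, rules) {
    const connectionDefinition = {
      "objb": objb,
      "appfilterRoutingProfiles": [],
      "description": "",
      "color": 1562591,
      "rules": rules,
      "obja": obja,
      "natactive": "left",
      "snatip": localIPNetwork,
      "dmz": true,
      "dmzip": localIPNetwork,
      "points": [{ "x": 1350, "type": "linepoint", "y": 222 }, {
        "x": 1350,
        "type": "rulepoint",
        "y": 282
      }, { "x": 1320, "type": "linepoint", "y": 338 }],
      "blockall": false,
      "trafficshaping": [],
      "webfiltersettings": [],
      "applicationfilter": { "mode": "off", "activeprofiles": [] }
    };
    // 10.8+ renamed the traffic shaping field and changed it to an object.
    if (fwVersion.major === 10 && fwVersion.minor >= 8) {
      delete connectionDefinition.trafficshaping;
      connectionDefinition.trafficShaping = {
        "trafficGroup": "",
        "outgoingDscp": null
      };
    }
    return connectionDefinition;
  }

  /**
   * Service rule for a user-defined service (looked up by name). Not used by
   * this add-in, kept for customisation.
   */
  function userdefinedService(serviceName, natactive, action, externalIP) {
    return service(
      ufApi.lookup("userdefined-services", { name: serviceName }),
      natactive,
      action,
      true,
      externalIP
    );
  }

  /**
   * Service rule for one of the firewall's predefined services (looked up by name).
   */
  function predefinedService(serviceName, natactive, action, externalIP) {
    return service(
      ufApi.lookup("predefined-services", { name: serviceName }),
      natactive,
      action,
      false,
      externalIP
    );
  }

  /**
   * Builds one service rule entry for a desktop connection, valid all day on
   * every weekday.
   *
   * @param {*} lookup       uniqueId of the service
   * @param {string} natactive
   * @param {string} action
   * @param {boolean} editable  true for user-defined services
   * @param {*} externalIP   DMZ target; undefined for the calls in this add-in
   * @returns {object} rule entry
   */
  function service(lookup, natactive, action, editable, externalIP) {
    const serviceDefinition = {
      "uniqueId": lookup,
      // DMZ port mapping ("dmz": true / "dmzport") is intentionally not set here.
      "dmz": false,
      "dmzip": externalIP,
      "natactive": natactive,
      "editable": editable,
      // One all-day range per weekday (0..6); the entries differ only in the day.
      "timeranges": Array.from({ length: 7 }, (_, weekday) => ({
        "endweekday": weekday,
        "repeattype": "weekly",
        "endtime": "23:59:59",
        "starttime": "00:00:00",
        "startweekday": weekday
      })),
      "action": action,
      "trafficshaping": [],
      "log": false,
      "applicationfilter": { "useconnection": true, "activeprofiles": [] }
    };
    // Field additions/renames introduced by later 10.x API versions.
    if (fwVersion.major === 10 && fwVersion.minor >= 7) {
      serviceDefinition.useConnection = true;
    }
    if (fwVersion.major === 10 && fwVersion.minor >= 8) {
      delete serviceDefinition.trafficshaping;
      serviceDefinition.useConnectionTrafficShaping = false;
      serviceDefinition.trafficShaping = {
        "trafficGroup": "",
        "outgoingDscp": null
      };
    }
    return serviceDefinition;
  }
};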