Quelle anzeigen

Beschreibung:

Das Add-In nimmt IPSec Konfigurationen auf der LANCOM R&S Unified Firewall vor und schaltet den Zugriff auf die CLI und das Webinterface über VPN frei.

Liste der verwendeten Variablen:

Variable	Beschreibung
localNetworkName	Name des lokalen IP-Netzwerks auf der Unified Firewall
localIPNetwork	Adressbereich des lokalen IP-Netzwerks auf der Unified Firewall
localVPNIdentity	VPN Identity der Unified Firewall
remoteGatewayAddress	WAN IP-Adresse des entfernten VPN Gateways
remoteIPNetwork	Adressbereich des entfernten IP-Netzwerks auf der Unified Firewall
remoteVPNIdentity	VPN Identity des entfernten VPN Gateways
vpnConnectionName	Name der VPN Verbindung
vpnPassword	Password der VPN Verbindung

Add-in Code:

/**
* @param {Config} config
* @param {Context} context
*
* Do not edit this comment or parameter types. Required for code suggestions.
*/
exports.main = function (config, context) {
const fwVersion = context.device.firmwareVersionObject;
const ufApi = config.getUfApi();
// VPN Configvariables
const localNetworkName = "" ; //Name of the IP Network on the Firewall
const localIPNetwork = "" ; //LAN IP Address Range of the Network on the Firewall
const localVPNIdentity = "" ; // VPN Identity on the Unified Firewall
const remoteGatewayAddress = "" ; // WAN Address of the Remote VPN Gateway
const remoteIPNetwork = "" ; // LAN IP Address Range of the Remote VPN Gateway
const remoteVPNIdentity = "" ; // VPN Identity of the Remote VPN Gateway
const vpnConnectionName = "" ; // Name of the VPN Connection on the Unified Firewall
const vpnPassword = "" ; // VPN Password on the Unified Firewall and the Remote VPN Gateway

if (fwVersion.major !== 10 || fwVersion.minor !== 13 || fwVersion.build !== 7038 ) {
config.warnLog(
"Add-In was originally created for an LCOS FX 10.13.7038RU6 API, but " +
"it is being applied to an LCOS FX " + context.device.firmwareVersionString +
" device. It might not work as expected."
);
}
// Activate IPSec Settings
ufApi.modifySettings(
'ipsec-settings' ,
{
"active" : true ,
}
);
// Create IPSecConnection
ufApi.createObject(
'ipsec-connections' ,
{
"name" : vpnConnectionName,
"localAddresses" : [],
"remoteAddresses" : [remoteGatewayAddress],
"profile" : ufApi.lookupField( "ipsec-security-profiles" , "uniqueId" , { "name" : "LANCOM LCOS Default IKEv2" }),
"localAuth" : {
"method" : "psk" ,
"dataPsk" : vpnPassword,
"dataCert" : "" ,
"dataCa" : "" ,
"id" : localVPNIdentity
},
"remoteAuth" : {
"method" : "psk" ,
"dataPsk" : vpnPassword,
"dataCert" : "" ,
"dataCa" : "" ,
"id" : remoteVPNIdentity,
"authMethodRound2" : "none"
},
"localNetworkNames" : [
localIPNetwork
],
"remoteNetworks" : [
remoteIPNetwork
],
"pool" : "" ,
"initiate" : true ,
"ike2CompatTunnels" : true ,
"forceUdpEncap" : false ,
"xfrmInterface" : true ,
"xfrmInterfaceMtu" : 1400 ,
"trafficGroup" : "" ,
"outgoingDscp" : null ,
"active" : true ,
"keyPassword" : "********" ,
"networkConnection" : ufApi.lookupField( "connections" , "uniqueId" , { "name" : "WAN" })
}
);
// Create a VPN Network
ufApi.createObject(
'vpnnetworks' ,
{
"name" : vpnConnectionName,
"ipv4" : "0.0.0.0" ,
"interface" : "vpn" ,
"color" : 7891540 ,
"layer" : 0 ,
"top" : 111 ,
"left" : 222 ,
"icon" : "vpn-network" ,
"type" : "vpnnetwork" ,
"vpnconnection" : {
"type" : "ipsec" ,
"connectionid" : ufApi.lookupField( "ipsec-connections" , "uniqueId" , { "name" : vpnConnectionName }),
"networkType" : "all" ,
"networks" : []
},
"description" : "" ,
"tags" : []
}
);
// Create Routing Rule
ufApi.createObject(
'routing-rules' ,
{
"priority" : 514 ,
"selectorSourceIpv4address" : "" ,
"selectorDestinationIpv4address" : remoteIPNetwork,
"selectorInputInterface" : null ,
"selectorOutputInterface" : null ,
"selectorTos" : 0 ,
"actionGoto" : null ,
"actionTable" : 514 ,
"systemRule" : false
}
);
// Create Routing Table
ufApi.createObject(
'routing-tables' ,
{
"table" : 514 ,
"ipv4Routes" : [
{
"ipv4DestAddress" : remoteIPNetwork,
"ipv4Nexthops" : [
{
"ipv4GatewayAddress" : "" ,
"interface" : "xfrm1" ,
"weight" : 0
}
],
"active" : true ,
"ipv4PrefsrcAddress" : "" ,
"metric" : 0 ,
"systemRoute" : false ,
"type" : "unicast"
}
]
}
);
// Lookup of Objects for the new Desktop Connection
var objectA = ufApi.lookup( 'networks' , { name: localNetworkName });
var objectB = ufApi.lookup( 'vpnnetworks' , { name: vpnConnectionName });
// Create new Desktop Connection
ufApi.createObject( "desktop-connections" , desktopConnection(
objectA,
objectB,
[
predefinedService( "internet.http" , "none" , "both" ),
predefinedService( "internet.https" , "none" , "both" ),
predefinedService( "standard.ssh" , "none" , "both" ),
predefinedService( "standard.icmp" , "none" , "both" ),
predefinedService( "standard.ping" , "none" , "both" )
]
));
// Enable SSH Access via VPN
ufApi.modifySettings(
'ssh-settings' ,
{
"active" : true ,
"port" : 22 ,
"passwordAuth" : true ,
"sshKeys" : [],
"accessList" : [
{
"source" : "LAN" ,
"active" : true ,
"readOnly" : true ,
"comment" : "LAN_LABEL" ,
"uniqueId" : "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
},
{
"source" : "WAN" ,
"active" : false ,
"readOnly" : true ,
"comment" : "WAN_LABEL" ,
"uniqueId" : "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
},
{
"source" : "VPN" ,
"active" : true ,
"readOnly" : true ,
"comment" : "VPN_LABEL" ,
"uniqueId" : "\u0002/model/ssh-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
},
{
"source" : "212.117.89.9/32" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 1" ,
"uniqueId" : "8a9a8cb1-b554-460c-9049-5fefc29563f1"
},
{
"source" : "217.6.21.90/32" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 2" ,
"uniqueId" : "f8936fcb-d074-4e91-bb75-86308156d46c"
},
{
"source" : "213.238.47.128/29" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 3" ,
"uniqueId" : "dd32c120-d326-404a-91c0-15aa8407f841"
},
{
"source" : "80.246.32.0/24" ,
"active" : false ,
"readOnly" : false ,
"comment" : "Rohde & Schwarz Internet Gateway" ,
"uniqueId" : "93615715-27f9-4013-af17-b228efe7158d"
},
{
"comment" : "Private Networks Class C" ,
"active" : true ,
"source" : "192.168.0.0/16" ,
"readOnly" : false ,
"uniqueId" : "7697e59d-544d-49ec-8012-7cb94e037fde"
},
{
"comment" : "Private Networks Class B" ,
"active" : true ,
"source" : "172.16.0.0/12" ,
"readOnly" : false ,
"uniqueId" : "427030a5-61a8-46e4-beed-751c9c032538"
},
{
"comment" : "Private Network Class A" ,
"active" : true ,
"source" : "10.0.0.0/8" ,
"readOnly" : false ,
"uniqueId" : "7d6e12be-0c17-449d-a501-81d36e53eb47"
}
]
}
);
// Enable Webinterface Access via VPN
ufApi.modifySettings(
'webclient-settings' ,
{
"port" : 3438 ,
"serverCertUid" : ufApi.lookupField( "certificates" , "uniqueId" , { "commonName" : "LCOS FX Default Webserver Certificate" }),
"accessList" : [
{
"source" : "LAN" ,
"active" : true ,
"readOnly" : true ,
"comment" : "LAN_LABEL" ,
"uniqueId" : "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"LAN\")].uniqueId\u0003"
},
{
"source" : "WAN" ,
"active" : false ,
"readOnly" : true ,
"comment" : "WAN_LABEL" ,
"uniqueId" : "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"WAN\")].uniqueId\u0003"
},
{
"source" : "VPN" ,
"active" : true ,
"readOnly" : true ,
"comment" : "VPN_LABEL" ,
"uniqueId" : "\u0002/model/webclient-settings\u0005accessList[?(@.source==\"VPN\")].uniqueId\u0003"
},
{
"source" : "212.117.89.9/32" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 1" ,
"uniqueId" : "3b4eebb3-7b59-4ce4-9f6c-5ef0575de167"
},
{
"source" : "217.6.21.90/32" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 2" ,
"uniqueId" : "309031d8-bc4d-448f-94c7-cd62a6beb1a7"
},
{
"source" : "213.238.47.128/29" ,
"active" : false ,
"readOnly" : false ,
"comment" : "LANCOM Customer Support 3" ,
"uniqueId" : "082b2264-d0d9-496a-9baa-6673d52cc195"
},
{
"source" : "80.246.32.0/24" ,
"active" : false ,
"readOnly" : false ,
"comment" : "Rohde & Schwarz Internet Gateway" ,
"uniqueId" : "a158e8b6-02a2-4ec1-959c-8c6c7cfe6436"
},
{
"comment" : "Private Networks Class C" ,
"active" : true ,
"source" : "192.168.0.0/16" ,
"readOnly" : false ,
"uniqueId" : "7725546c-5fca-43f2-8a05-37ee5b0d8aaa"
},
{
"comment" : "Private Networks Class B" ,
"active" : true ,
"source" : "172.16.0.0/12" ,
"readOnly" : false ,
"uniqueId" : "0b226af3-bd03-478a-bd2b-70becd8faba3"
},
{
"comment" : "Private Network Class A" ,
"active" : true ,
"source" : "10.0.0.0/8" ,
"readOnly" : false ,
"uniqueId" : "8edf833b-ded7-4618-8493-2d70c97b90fb"
}
]
}
);
// Functions
function desktopConnection(obja, objb, rules) {
const connectionDefinition = {
"objb" : objb,
"appfilterRoutingProfiles" : [],
"description" : "" ,
"color" : 1562591 ,
"rules" : rules,
"obja" : obja,
"natactive" : "left" ,
"snatip" : localIPNetwork,
"dmz" : true ,
"dmzip" : localIPNetwork,
"points" : [{ "x" : 1350 , "type" : "linepoint" , "y" : 222 }, {
"x" : 1350 ,
"type" : "rulepoint" ,
"y" : 282
}, { "x" : 1320 , "type" : "linepoint" , "y" : 338 }],
"blockall" : false ,
"trafficshaping" : [],
"webfiltersettings" : [],
"applicationfilter" : { "mode" : "off" , "activeprofiles" : [] }
};
if (fwVersion.major === 10 && fwVersion.minor >= 8 ) {
delete connectionDefinition.trafficshaping;
connectionDefinition.trafficShaping = {
"trafficGroup" : "" ,
"outgoingDscp" : null
};
}
return connectionDefinition;
}
function userdefinedService(serviceName, natactive, action, externalIP) {
return service(
ufApi.lookup( "userdefined-services" , { name: serviceName }),
natactive,
action,
true ,
externalIP
);
}
function predefinedService(serviceName, natactive, action, externalIP) {
return service(
ufApi.lookup( "predefined-services" , { name: serviceName }),
natactive,
action,
false ,
externalIP
);
}
function service(lookup, natactive, action, editable, externalIP) {
const serviceDefinition = {
"uniqueId" : lookup,
"dmz" : false ,
//"dmz": true,
//"dmzport": mapPort,
"dmzip" : externalIP,
"natactive" : natactive,
"editable" : editable,
"timeranges" : [{
"endweekday" : 0 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 0
}, {
"endweekday" : 1 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 1
}, {
"endweekday" : 2 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 2
}, {
"endweekday" : 3 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 3
}, {
"endweekday" : 4 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 4
}, {
"endweekday" : 5 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 5
}, {
"endweekday" : 6 ,
"repeattype" : "weekly" ,
"endtime" : "23:59:59" ,
"starttime" : "00:00:00" ,
"startweekday" : 6
}],
"action" : action,
"trafficshaping" : [],
"log" : false ,
"applicationfilter" : { "useconnection" : true , "activeprofiles" : [] }
};
if (fwVersion.major === 10 && fwVersion.minor >= 7 ) {
serviceDefinition.useConnection = true ;
}
if (fwVersion.major === 10 && fwVersion.minor >= 8 ) {
delete serviceDefinition.trafficshaping;
serviceDefinition.useConnectionTrafficShaping = false ;
serviceDefinition.trafficShaping = {
"trafficGroup" : "" ,
"outgoingDscp" : null
};
}
return serviceDefinition;
}
};

Beschreibung:

Liste der verwendeten Variablen:

Add-in Code:

Add-in als JSON-Datei: