summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl/remote_access.j2
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-05-01 19:44:52 +0200
committerChristian Poessinger <christian@poessinger.com>2022-05-01 19:44:52 +0200
commit49b1afc25b73d9c5daae1c76edb88aab42afa83e (patch)
tree64d44eb5425ba0ebb0531f2cb60cef32830f0efa /data/templates/ipsec/swanctl/remote_access.j2
parent992c847493665fd2119636d81582aa80e99e388a (diff)
downloadvyos-1x-49b1afc25b73d9c5daae1c76edb88aab42afa83e.tar.gz
vyos-1x-49b1afc25b73d9c5daae1c76edb88aab42afa83e.zip
ipsec: T4353: fix Jinja2 linting errors
Diffstat (limited to 'data/templates/ipsec/swanctl/remote_access.j2')
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j250
1 files changed, 50 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
new file mode 100644
index 000000000..676ad88b3
--- /dev/null
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -0,0 +1,50 @@
+{% macro conn(name, rw_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
+ ra-{{ name }} {
+ remote_addrs = %any
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }}
+ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
+ send_certreq = no
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+{% if rw_conf.unique is vyos_defined %}
+ unique = {{ rw_conf.unique }}
+{% endif %}
+{% if rw_conf.pool is vyos_defined %}
+ pools = {{ rw_conf.pool | join(',') }}
+{% endif %}
+ local {
+{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
+ id = '{{ rw_conf.authentication.id }}'
+{% endif %}
+{% if rw_conf.authentication.server_mode == 'x509' %}
+ auth = pubkey
+ certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+ auth = psk
+{% endif %}
+ }
+ remote {
+ auth = {{ rw_conf.authentication.client_mode }}
+{% if rw_conf.authentication.client_mode.startswith("eap") %}
+ eap_id = %any
+{% endif %}
+ }
+ children {
+ ikev2-vpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ dpd_action = clear
+ inactivity = {{ rw_conf.timeout }}
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
+{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
+ local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
+ }
+ }
+ }
+{% endmacro %}