authorViacheslav Hletenko <v.gletenko@vyos.io>2023-01-30 10:56:38 +0200
committerGitHub <noreply@github.com>2023-01-30 10:56:38 +0200
commit3c750f9b12b54d872848f6571deb02245ba8e28a (patch)
treee23d8bac780a9787c5763b8618fa7591a8fe8270 /data/templates/ipsec
parent6eea12512e59cc28f5c2e5ca5ec7e9e7b21731da (diff)
parent7ae0b404ad9fdefa856c7e450b224b47d854a4eb (diff)
Merge pull request #1761 from sever-sever/T4916-curr
T4916: Rewrite IPsec peer authentication and psk migration
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r--data/templates/ipsec/swanctl.conf.j234
1 files changed, 16 insertions, 18 deletions
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index 38d7981c6..d44d0f5e4 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -58,23 +58,7 @@ secrets {
{% if site_to_site.peer is vyos_defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
-{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
- ike_{{ peer_name }} {
-{% if peer_conf.local_address is vyos_defined %}
- id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{% endif %}
-{% for address in peer_conf.remote_address %}
- id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
-{% endfor %}
-{% if peer_conf.authentication.local_id is vyos_defined %}
- id-localid = {{ peer_conf.authentication.local_id }}
-{% endif %}
-{% if peer_conf.authentication.remote_id is vyos_defined %}
- id-remoteid = {{ peer_conf.authentication.remote_id }}
-{% endif %}
- secret = "{{ peer_conf.authentication.pre_shared_secret }}"
- }
-{% elif peer_conf.authentication.mode is vyos_defined('x509') %}
+{% if peer_conf.authentication.mode is vyos_defined('x509') %}
private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is vyos_defined %}
@@ -91,6 +75,21 @@ secrets {
{% endif %}
{% endfor %}
{% endif %}
+{% if authentication.psk is vyos_defined %}
+{% for psk, psk_config in authentication.psk.items() %}
+ ike-{{ psk }} {
+{% if psk_config.id is vyos_defined %}
+ # ID's from auth psk <tag> id xxx
+{% for id in psk_config.id %}
+{% set gen_uuid = '' | generate_uuid4 %}
+ id-{{ gen_uuid }} = "{{ id }}"
+{% endfor %}
+{% endif %}
+ secret = "{{ psk_config.secret }}"
+ }
+{% endfor %}
+{% endif %}
+
{% if remote_access.connection is vyos_defined %}
{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
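Review bot: The `generate_uuid4` filter on the `{% set gen_uuid = '' | generate_uuid4 %}` line makes the rendered swanctl.conf non-deterministic — every render of the same configuration produces different `id-<uuid>` keys, so the generated file changes on each commit even when the PSK section did not, which defeats diffing the output and makes reload noise harder to audit. The suffix only has to be unique within the enclosing `ike-{{ psk }}` block, so the loop counter does the same job deterministically: `id-{{ loop.index }} = "{{ id }}"`, with the `set` line dropped. Separately, `secret = "{{ psk_config.secret }}"` and the id values are interpolated inside double quotes without escaping, so a value containing `"` or `\` would be truncated or fail to parse; unless CLI validation already rejects those characters, the values should be escaped here (the removed pre-shared-secret branch had the same exposure). Unlike `peer_name` in the peer section, the `ike-{{ psk }}` section name is taken from the tag unsanitized; if the tag syntax admits `.` or other characters the swanctl settings parser treats specially, the same `dot_colon_to_dash` treatment is needed — worth confirming against the interface definition.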
@@ -130,4 +129,3 @@ secrets {
{% endif %}
{% endif %}
}
-