summaryrefslogtreecommitdiff
path: root/data/templates/ipsec
diff options
context:
space:
mode:
authorLucas Christian <lucas@lucasec.com>2024-07-29 23:22:05 -0700
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-08-01 05:52:51 +0000
commit1171e3d359cc2718afc80fccfc99c7ecccf95dbd (patch)
treed6b3b2c03caa27cc1d07028c2af49651824fc22d /data/templates/ipsec
parent96624c22a41a41bc2bbfa454471cc7d14ed612e8 (diff)
downloadvyos-1x-1171e3d359cc2718afc80fccfc99c7ecccf95dbd.tar.gz
vyos-1x-1171e3d359cc2718afc80fccfc99c7ecccf95dbd.zip
T6617: T6618: vpn ipsec remote-access: fix profile generators
(cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95)
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r--data/templates/ipsec/ios_profile.j29
-rw-r--r--data/templates/ipsec/windows_profile.j22
2 files changed, 9 insertions, 2 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
index 935acbf8e..966fad433 100644
--- a/data/templates/ipsec/ios_profile.j2
+++ b/data/templates/ipsec/ios_profile.j2
@@ -55,9 +55,11 @@
<!-- The server is authenticated using a certificate -->
<key>AuthenticationMethod</key>
<string>Certificate</string>
+{% if authentication.client_mode.startswith("eap") %}
<!-- The client uses EAP to authenticate -->
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
+{% endif %}
<!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
<key>IKESecurityAssociationParameters</key>
@@ -78,9 +80,14 @@
<string>{{ esp_encryption.encryption }}</string>
<key>IntegrityAlgorithm</key>
<string>{{ esp_encryption.hash }}</string>
+{% if esp_encryption.pfs is vyos_defined %}
<key>DiffieHellmanGroup</key>
- <integer>{{ ike_encryption.dh_group }}</integer>
+ <integer>{{ esp_encryption.pfs }}</integer>
+{% endif %}
</dict>
+ <!-- Controls whether the client offers Perfect Forward Secrecy (PFS). This should be set to match the server. -->
+ <key>EnablePFS</key>
+ <integer>{{ '1' if esp_encryption.pfs is vyos_defined else '0' }}</integer>
</dict>
</dict>
{% if ca_certificates is vyos_defined %}
diff --git a/data/templates/ipsec/windows_profile.j2 b/data/templates/ipsec/windows_profile.j2
index 8c26944be..b5042f987 100644
--- a/data/templates/ipsec/windows_profile.j2
+++ b/data/templates/ipsec/windows_profile.j2
@@ -1,4 +1,4 @@
Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru
Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2"
-Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force
+Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup {{ esp_encryption.pfs }} -DHGroup {{ ike_encryption.dh_group }} -PassThru -Force