summaryrefslogtreecommitdiff
path: root/data/templates/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r--data/templates/ipsec/ios_profile.j22
-rw-r--r--data/templates/ipsec/swanctl.conf.j212
-rw-r--r--data/templates/ipsec/swanctl/peer.j224
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j24
4 files changed, 22 insertions, 20 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
index c8e17729a..eb74924b8 100644
--- a/data/templates/ipsec/ios_profile.j2
+++ b/data/templates/ipsec/ios_profile.j2
@@ -41,7 +41,7 @@
<!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
<key>RemoteIdentifier</key>
- <string>{{ authentication.id if authentication.id is vyos_defined else 'VyOS' }}</string>
+ <string>{{ authentication.local_id if authentication.local_id is vyos_defined else 'VyOS' }}</string>
<!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
<key>LocalIdentifier</key>
<string></string>
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index bf6b8259c..38d7981c6 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -63,9 +63,11 @@ secrets {
{% if peer_conf.local_address is vyos_defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
- id-remote = {{ peer }}
-{% if peer_conf.authentication.id is vyos_defined %}
- id-localid = {{ peer_conf.authentication.id }}
+{% for address in peer_conf.remote_address %}
+ id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
+{% endfor %}
+{% if peer_conf.authentication.local_id is vyos_defined %}
+ id-localid = {{ peer_conf.authentication.local_id }}
{% endif %}
{% if peer_conf.authentication.remote_id is vyos_defined %}
id-remoteid = {{ peer_conf.authentication.remote_id }}
@@ -93,8 +95,8 @@ secrets {
{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
ike_{{ ra }} {
-{% if ra_conf.authentication.id is vyos_defined %}
- id = "{{ ra_conf.authentication.id }}"
+{% if ra_conf.authentication.local_id is vyos_defined %}
+ id = "{{ ra_conf.authentication.local_id }}"
{% elif ra_conf.local_address is vyos_defined %}
id = "{{ ra_conf.local_address }}"
{% endif %}
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 90d2c774f..d097a04fc 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -2,14 +2,14 @@
{% set name = peer.replace("@", "") | dot_colon_to_dash %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
- peer_{{ name }} {
+ {{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
{% if peer_conf.virtual_address is vyos_defined %}
vips = {{ peer_conf.virtual_address | join(', ') }}
{% endif %}
- local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
- remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
+ local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+ remote_addrs = {{ peer_conf.remote_address | join(",") if peer_conf.remote_address is vyos_defined and 'any' not in peer_conf.remote_address else '%any' }}
{% if peer_conf.authentication.mode is vyos_defined('x509') %}
send_cert = always
{% endif %}
@@ -21,7 +21,7 @@
aggressive = yes
{% endif %}
rekey_time = {{ ike.lifetime }}s
- mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
+ mobike = {{ "no" if ike.disable_mobike is defined else "yes" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
reauth_time = 0
@@ -30,12 +30,12 @@
{% elif peer_conf.connection_type is vyos_defined('respond') %}
keyingtries = 1
{% endif %}
-{% if peer_conf.force_encapsulation is vyos_defined('enable') %}
+{% if peer_conf.force_udp_encapsulation is vyos_defined %}
encap = yes
{% endif %}
local {
-{% if peer_conf.authentication.id is vyos_defined %}
- id = "{{ peer_conf.authentication.id }}"
+{% if peer_conf.authentication.local_id is vyos_defined %}
+ id = "{{ peer_conf.authentication.local_id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
@@ -58,7 +58,7 @@
children {
{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %}
- peer_{{ name }}_vti {
+ {{ name }}-vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if vti_esp.life_bytes is vyos_defined %}
life_bytes = {{ vti_esp.life_bytes }}
@@ -75,7 +75,7 @@
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
- ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }}
+ ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
@@ -101,7 +101,7 @@
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
- peer_{{ name }}_tunnel_{{ tunnel_id }} {
+ {{ name }}-tunnel-{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if tunnel_esp.life_bytes is vyos_defined %}
life_bytes = {{ tunnel_esp.life_bytes }}
@@ -126,7 +126,7 @@
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
- ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }}
+ ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }}
mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
@@ -152,7 +152,7 @@
{% endif %}
}
{% if tunnel_conf.passthrough is vyos_defined %}
- peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough {
+ {{ name }}-tunnel-{{ tunnel_id }}-passthrough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index d2760ec1f..60d2d1807 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -17,9 +17,9 @@
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
local {
-{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
+{% if rw_conf.authentication.local_id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
{# please use " quotes - else Apple iOS goes crazy #}
- id = "{{ rw_conf.authentication.id }}"
+ id = "{{ rw_conf.authentication.local_id }}"
{% endif %}
{% if rw_conf.authentication.server_mode == 'x509' %}
auth = pubkey