summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl32
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl40
2 files changed, 72 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index cafe52e78..0eda8479a 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,6 +1,7 @@
### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
+{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}
connections {
{% if profile is defined %}
@@ -13,6 +14,25 @@ connections {
{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
+{% if remote_access is defined and remote_access is not none %}
+{% for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %}
+{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+}
+
+pools {
+{% if remote_access is defined %}
+{% for ra, ra_conf in remote_access.items() if remote_access is defined %}
+ ra-{{ ra }} {
+ addrs = {{ ra_conf.pool.prefix }}
+ dns = {{ ra_conf.pool.name_server | join(",") }}
+{% if ra_conf.pool.exclude is defined %}
+ split_exclude = {{ ra_conf.pool.exclude | join(",") }}
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
}
secrets {
@@ -60,5 +80,17 @@ secrets {
{% endif %}
{% endfor %}
{% endif %}
+{% if remote_access is defined %}
+{% for ra, ra_conf in remote_access.items() if remote_access is defined %}
+{% if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
+{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
+ eap-{{ ra }}-{{ user }} {
+ secret = "{{ user_conf.password }}"
+ id-{{ ra }}-{{ user }} = "{{ user }}"
+ }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
new file mode 100644
index 000000000..a3a1cf0b2
--- /dev/null
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -0,0 +1,40 @@
+{% macro conn(name, rw_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
+ ra-{{ name }} {
+ remote_addrs = %any
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}
+ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ send_certreq = no
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+ pools = ra-{{ name }}
+ local {
+ auth = pubkey
+{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+ id = "{{ rw_conf.authentication.id }}"
+{% endif %}
+{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+ certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% endif %}
+ }
+ remote {
+ auth = eap-mschapv2
+ eap_id = %any
+ }
+ children {
+ ikev2-vpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ dpd_action = clear
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
+{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
+ local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
+ }
+ }
+ }
+{% endmacro %}