From 32fab6c7c5a7d8ad926513fcc5a5c637b77769e3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 3 Jul 2021 18:05:48 +0200 Subject: ipsec: T2816: provide esp and ike-group XML building block --- data/templates/ipsec/swanctl.conf.tmpl | 22 +++++++++++ .../include/ipsec/esp-group.xml.i | 10 +++++ .../include/ipsec/ike-group.xml.i | 10 +++++ interface-definitions/vpn_ipsec.xml.in | 45 +++------------------- src/conf_mode/vpn_ipsec.py | 2 + 5 files changed, 49 insertions(+), 40 deletions(-) create mode 100644 interface-definitions/include/ipsec/esp-group.xml.i create mode 100644 interface-definitions/include/ipsec/ike-group.xml.i diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index cafe52e78..06fd8e8c2 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -13,6 +13,28 @@ connections { {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} {% endfor %} {% endif %} +{% if remote_access is defined and remote_access is not none %} +{% set ike = ike_group[peer_conf.ike_group] %} + road_warrior { + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + local_addrs = 192.168.0.1 + local { + auth = eap-peap + certs = moonCert.pem + } + remote { + auth = eap-peap + } + send_certreq = no + children { + net { + local_ts = 10.1.0.0/16 + esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }} + } + } + } +{% endif %} } secrets { diff --git a/interface-definitions/include/ipsec/esp-group.xml.i b/interface-definitions/include/ipsec/esp-group.xml.i new file mode 100644 index 000000000..5e5d8197b --- /dev/null +++ b/interface-definitions/include/ipsec/esp-group.xml.i @@ -0,0 +1,10 @@ + + + + Encapsulating Security Payloads (ESP) group name + + vpn ipsec esp-group + + + + 
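Review bot: The new `road_warrior` block reads `peer_conf.ike_group` and `peer_conf.default_esp_group` after the `{% endfor %}` shown in the context, and a Jinja2 loop target is not visible outside its loop, so `{% set ike = ike_group[peer_conf.ike_group] %}` resolves against an undefined name and the render fails (or, with a lenient Undefined, yields empty proposals) whenever `remote_access` is set; the `for` header itself is outside the hunk, so this is inferred from the `{% endfor %}`. The `ike is defined` test on the `version` line cannot catch it, because `ike` is assigned unconditionally one line earlier. Independently, `local_addrs = 192.168.0.1`, `certs = moonCert.pem` and `local_ts = 10.1.0.0/16` are fixed sample values that would be written into the live swanctl.conf of every installation with a `remote_access` node, and `send_certreq = no` is a hard-coded policy with no configuration counterpart. This looks like work in progress that is unrelated to the commit subject; if it is meant to stay, derive the lookups from the node itself, e.g. `{% set ike = ike_group[remote_access.ike_group] %}`, and template the address, certificate and traffic selector from configuration instead of literals.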
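Review bot: The help text of the new include, `Encapsulating Security Payloads (ESP) group name`, drops the `[REQUIRED]` marker that two of the three inlined definitions it replaces in vpn_ipsec.xml.in carried (the hunks at `@@ -701,22 +701,8 @@` and `@@ -1041,14 +1013,7 @@`); the ike-group.xml.i hunk does the same for both IKE occurrences. A single shared include cannot declare the node mandatory in some parents and optional in others, so the requirement now has to live in the verify step of src/conf_mode/vpn_ipsec.py, which this commit does not touch; please confirm that a peer, profile or VTI entry without an esp-group or ike-group still fails verification instead of rendering an empty proposal list. Only the help and completion text of the include survives in this rendering, so its element structure could not be checked here.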
diff --git a/interface-definitions/include/ipsec/ike-group.xml.i b/interface-definitions/include/ipsec/ike-group.xml.i new file mode 100644 index 000000000..f7649ed30 --- /dev/null +++ b/interface-definitions/include/ipsec/ike-group.xml.i @@ -0,0 +1,10 @@ + + + + Internet Key Exchange (IKE) group name + + vpn ipsec ike-group + + + + diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index fdd091dd9..c301703c3 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -701,22 +701,8 @@ - - - ESP group name [REQUIRED] - - vpn ipsec esp-group - - - - - - IKE group name [REQUIRED] - - vpn ipsec ike-group - - - + #include + #include @@ -878,14 +864,7 @@ - - - Internet Key Exchange (IKE) group name [REQUIRED] - - vpn ipsec ike-group - - - + #include Re-authentication of the remote peer during an IKE re-key. IKEv2 option only @@ -944,14 +923,7 @@ #include - - - ESP group name - - vpn ipsec esp-group - - - + #include Local parameters for interesting traffic @@ -1041,14 +1013,7 @@ VTI tunnel interface associated with this configuration [REQUIRED] - - - ESP group name [REQUIRED] - - vpn ipsec esp-group - - - + #include diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index ff26f875a..d1b29ee9a 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -109,6 +109,8 @@ def get_config(config=None): get_first_key=True, no_tag_node_value_mangle=True) + import pprint + pprint.pprint(ipsec) return ipsec def get_rsa_local_key(ipsec): -- cgit v1.2.3
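Review bot: `pprint.pprint(ipsec)` placed just before `return ipsec` dumps the entire parsed `vpn ipsec` configuration to stdout on every commit; that dictionary is what the swanctl template renders its `secrets` section from, so it plausibly carries pre-shared keys and other authentication material, which would then land in the commit output and in any log that captures it. The accompanying function-scope `import pprint` also breaks the file's top-of-file import convention. Both lines read as leftover debugging and should be deleted before merge rather than commented out, i.e. drop `import pprint` and `pprint.pprint(ipsec)` so the body ends with `return ipsec` as before. `get_config` starts outside the hunk.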