From 0b93fce06526a2826c19adcbb25874e51cccf68e Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Mon, 5 Jul 2021 16:22:54 +0200 Subject: ipsec: T1210: T1251: Add more features to remote-access connections - Adds client/server authentication methods. - Adds basic verification to remote-access. - Adds DHCP pool and options to remote-access. - Cleanup unused PKI files. --- data/templates/ipsec/charon/dhcp.conf.tmpl | 23 +++++++++++++++++++++++ data/templates/ipsec/swanctl.conf.tmpl | 14 ++++++++++++-- data/templates/ipsec/swanctl/remote_access.tmpl | 16 ++++++++++++---- 3 files changed, 47 insertions(+), 6 deletions(-) create mode 100644 data/templates/ipsec/charon/dhcp.conf.tmpl (limited to 'data/templates') diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl new file mode 100644 index 000000000..2879550a8 --- /dev/null +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl @@ -0,0 +1,23 @@ +dhcp { + load = yes + +{% if options is defined and options.remote_access is defined and options.remote_access.dhcp_pool is defined %} +{% if options.remote_access.dhcp_pool.interface is defined %} + interface = {{ options.remote_access.dhcp_pool.interface }} +{% endif %} +{% if options.remote_access.dhcp_pool.server is defined %} + server = {{ options.remote_access.dhcp_pool.server }} +{% endif %} +{% endif %} + + # Always use the configured server address. + # force_server_address = no + + # Derive user-defined MAC address from hash of IKE identity and send client + # identity DHCP option. + # identity_lease = no + + # Use the DHCP server port (67) as source port when a unicast server address + # is configured. + # use_server_port = no +} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 0eda8479a..00251d44d 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -23,7 +23,7 @@ connections { pools { {% if remote_access is defined %} -{% for ra, ra_conf in remote_access.items() if remote_access is defined %} +{% for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %} ra-{{ ra }} { addrs = {{ ra_conf.pool.prefix }} dns = {{ ra_conf.pool.name_server | join(",") }} @@ -82,7 +82,17 @@ secrets { {% endif %} {% if remote_access is defined %} {% for ra, ra_conf in remote_access.items() if remote_access is defined %} -{% if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} +{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} + ike_{{ ra }} { +{% if ra_conf.authentication.id is defined %} + id = "{{ ra_conf.authentication.id }}" +{% elif ra_conf.local_address is defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} {% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} eap-{{ ra }}-{{ user }} { secret = "{{ user_conf.password }}" diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index a3a1cf0b2..95f2108fb 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -10,19 +10,27 @@ send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 +{% if rw_conf.pool.dhcp_enable is defined %} + pools = dhcp +{% else %} pools = ra-{{ name }} +{% endif %} local { - auth = pubkey -{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} +{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} id = "{{ rw_conf.authentication.id }}" {% endif %} -{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %} +{% if rw_conf.authentication.server_mode == 'x509' %} + auth = pubkey certs = {{ rw_conf.authentication.x509.certificate }}.pem +{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} + auth = psk {% endif %} } remote { - auth = eap-mschapv2 + auth = {{ rw_conf.authentication.client_mode }} +{% if rw_conf.authentication.client_mode.startswith("eap") %} eap_id = %any +{% endif %} } children { ikev2-vpn { -- cgit v1.2.3