From 7ae0b404ad9fdefa856c7e450b224b47d854a4eb Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Tue, 17 Jan 2023 11:04:08 +0000
Subject: T4916: Rewrite IPsec peer authentication and psk migration

Rewrite the strongSwan IPsec authentication configuration to reflect the
structure of swanctl.conf.
The most important change is that more than one local/remote ID in the
same auth entry is now allowed.

replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
      => 'ipsec authentication psk <tag> secret xxx'

set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'

Add template filter for Jinja2 'generate_uuid4'
---
 data/templates/ipsec/swanctl.conf.j2 | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)


diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index 38d7981c6..d44d0f5e4 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -58,23 +58,7 @@ secrets {
 {% if site_to_site.peer is vyos_defined %}
 {%     for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
 {%         set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
-{%         if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
-    ike_{{ peer_name }} {
-{%             if peer_conf.local_address is vyos_defined %}
-        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{%             endif %}
-{%             for address in peer_conf.remote_address %}
-        id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
-{%             endfor %}
-{%             if peer_conf.authentication.local_id is vyos_defined %}
-        id-localid = {{ peer_conf.authentication.local_id }}
-{%             endif %}
-{%             if peer_conf.authentication.remote_id is vyos_defined %}
-        id-remoteid = {{ peer_conf.authentication.remote_id }}
-{%             endif %}
-        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
-    }
-{%         elif peer_conf.authentication.mode is vyos_defined('x509') %}
+{%         if peer_conf.authentication.mode is vyos_defined('x509') %}
     private_{{ peer_name }} {
         file = {{ peer_conf.authentication.x509.certificate }}.pem
 {%             if peer_conf.authentication.x509.passphrase is vyos_defined %}
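Review bot: With the pre-shared-secret branch removed, the `{% if peer_conf.authentication.mode is vyos_defined('x509') %}` line is now the only branch of this loop, so a peer configured with `authentication mode pre-shared-secret` emits nothing from here and depends entirely on a matching `authentication psk` entry elsewhere in the file. Nothing in the template flags a PSK-mode peer whose local/remote addresses or IDs are covered by no psk entry; if that consistency is not enforced in the verify() step, it is worth a one-line template comment above this `if`, e.g. `{# PSK-mode peers get their secret from the authentication.psk loop below; no fallback here #}`. The removed `# dhcp:` annotation on `id-local` should also be checked against any code that grepped the generated file for it, though I cannot see such a consumer from this hunk. The enclosing `for peer` loop continues outside the hunk.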
@@ -91,6 +75,21 @@ secrets {
 {%         endif %}
 {%     endfor %}
 {% endif %}
+{% if authentication.psk is vyos_defined %}
+{%     for psk, psk_config in authentication.psk.items() %}
+    ike-{{ psk }} {
+{%         if psk_config.id is vyos_defined %}
+        # ID's from auth psk <tag> id xxx
+{%             for id in psk_config.id %}
+{%                 set gen_uuid = '' | generate_uuid4 %}
+        id-{{ gen_uuid }} = "{{ id }}"
+{%             endfor %}
+{%         endif %}
+        secret = "{{ psk_config.secret }}"
+    }
+{%     endfor %}
+{% endif %}
+
 {% if remote_access.connection is vyos_defined %}
 {%     for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
 {%         if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
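Review bot: Both `id-{{ gen_uuid }} = "{{ id }}"` and `secret = "{{ psk_config.secret }}"` interpolate operator-supplied values unescaped inside a double-quoted swanctl.conf string, so a secret or id containing `"` or `\` would yield a malformed or silently truncated secrets section (the old branch had the same gap, but this is the place to close it). If those characters are not rejected in verify(), escape them in the template, e.g. `secret = "{{ psk_config.secret | replace('\\', '\\\\') | replace('"', '\\"') }}"`, and likewise for the id line. A psk entry with no `id` list produces a bare `secret` under `ike-{{ psk }}`, which strongSwan, as far as I recall, then offers to any peer; a comment such as `{# no id: strongSwan applies this secret to any peer — intentional? #}` above the `if psk_config.id` would make that choice explicit. Naming the keys with a random `generate_uuid4` also makes the rendered file non-deterministic between runs, so config diffs will be noisy; `id-{{ loop.index }}` would be unique within the section and stable.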
@@ -130,4 +129,3 @@ secrets {
 {%     endif %}
 {% endif %}
 }
-
-- 