From 48c768abbf53b752a55db2adea1f998cb28da55c Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 18 Jul 2021 21:35:53 +0200
Subject: ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6
 prefixes

This enables a dual-stack (IPv4 + IPv6) IKEv2 remote-access VPN deployment: each configured pool now yields one strongSwan pool section per address family.
---
 data/templates/ipsec/swanctl.conf.tmpl          | 30 ++++++++++++++++++++-----
 data/templates/ipsec/swanctl/remote_access.tmpl | 14 +++++++++---
 2 files changed, 35 insertions(+), 9 deletions(-)

(limited to 'data')

diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 102d7583f..b85fe7d41 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -28,13 +28,31 @@ connections {
 pools {
 {%  if remote_access is defined %}
 {%    for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %}
-    ra-{{ ra }} {
-        addrs = {{ ra_conf.pool.prefix }}
-        dns = {{ ra_conf.pool.name_server | join(",") }}
-{%      if ra_conf.pool.exclude is defined %}
-        split_exclude = {{ ra_conf.pool.exclude | join(",") }}
-{%      endif %}
+{%      if ra_conf.pool is defined and ra_conf.pool.prefix is defined %}
+{%        for prefix in ra_conf.pool.prefix %}
+{%          if prefix | is_ipv4 %}
+    ra-{{ ra }}-ipv4 {
+        addrs = {{ prefix }}
+{%            if ra_conf.pool.name_server_v4 is defined and ra_conf.pool.name_server_v4 is not none %}
+        dns = {{ ra_conf.pool.name_server_v4 | join(',') }}
+{%            endif %}
+{%            if ra_conf.pool.exclude_v4 is defined and ra_conf.pool.exclude_v4 is not none %}
+        split_exclude = {{ ra_conf.pool.exclude_v4 | join(',') }}
+{%            endif %}
+    }
+{%          elif prefix | is_ipv6 %}
+    ra-{{ ra }}-ipv6 {
+        addrs = {{ prefix }}
+{%            if ra_conf.pool.name_server_v6 is defined and ra_conf.pool.name_server_v6 is not none %}
+        dns = {{ ra_conf.pool.name_server_v6 | join(',') }}
+{%            endif %}
+{%            if ra_conf.pool.exclude_v6 is defined and ra_conf.pool.exclude_v6 is not none %}
+        split_exclude = {{ ra_conf.pool.exclude_v6 | join(',') }}
+{%            endif %}
     }
+{%          endif %}
+{%        endfor %}
+{%      endif %}
 {%    endfor %}
 {%  endif %}
 }
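Review bot: The `for prefix in ra_conf.pool.prefix` loop names every IPv4 pool section `ra-{{ ra }}-ipv4` (and every IPv6 one `-ipv6`), so two prefixes of the same family in one pool produce duplicate section names in swanctl.conf; nothing in this patch limits the list to one prefix per family, so that presumably lives in the verify step and should be documented next to the loop, e.g. `{# one prefix per address family is assumed; verify() must reject a second IPv4/IPv6 prefix or the section names collide #}`. A prefix that passes neither `is_ipv4` nor `is_ipv6` is dropped silently with no pool emitted, while remote_access.tmpl in this same patch still references `ra-<name>-ipv6` for it; either add an `{% else %}` branch that renders a visible comment such as `{# skipped prefix {{ prefix }}: not a valid IPv4/IPv6 network #}` or make the other template skip the prefix too. Note also that `dns =` was previously emitted unconditionally and is now optional per family, so a dual-stack pool with only `name_server_v4` set hands the IPv6 pool no resolver at all; that is reasonable but deserves a one-line comment so the asymmetry is not read as a bug.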
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 95f2108fb..ea79a6d6b 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,10 +10,18 @@
         send_certreq = no
         rekey_time = {{ ike.lifetime }}s
         keyingtries = 0
-{%   if rw_conf.pool.dhcp_enable is defined %}
+{%   if rw_conf.pool is defined and rw_conf.pool.dhcp_enable is defined %}
         pools = dhcp
-{%   else %}
-        pools = ra-{{ name }}
+{%   elif rw_conf.pool is defined and rw_conf.pool.prefix is defined and rw_conf.pool.prefix is not none %}
+{%   set pool = namespace(name='')  %}
+{%     for prefix in rw_conf.pool.prefix %}
+{%       if not loop.first %}
+{%         set pool.name = pool.name ~ ',' %}
+{%       endif %}
+{%       set afi = '-ipv4' if prefix | is_ipv4 else '-ipv6' %}
+{%       set pool.name = pool.name + 'ra-' + name + afi %}
+{%     endfor %}
+        pools = {{ pool.name }}
 {%   endif %}
         local {
 {%   if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
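Review bot: The line `{% set afi = '-ipv4' if prefix | is_ipv4 else '-ipv6' %}` treats every non-IPv4 prefix as IPv6, whereas the pools template in this patch only writes `ra-<name>-ipv6` when `prefix | is_ipv6` holds, so a prefix rejected by both filters yields a `pools =` reference to a section that is never written and the connection will not load. Mirroring the other template — `{% set afi = '-ipv4' if prefix | is_ipv4 else ('-ipv6' if prefix | is_ipv6 else none) %}` and appending to `pool.name` only when `afi is not none` — keeps the two files consistent rather than relying on validation outside this patch. Dropping the old `else` branch also means a remote-access connection whose pool has neither `dhcp_enable` nor `prefix` now gets no `pools =` line at all instead of `pools = ra-<name>`; if that is intended, say so with `{# no pool configured: no virtual IP is handed out for this connection #}`. The enclosing connection block begins before this hunk and continues after it.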
-- 
cgit v1.2.3