From 69614d7d501811164010a83441ea807716903cf1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Tue, 20 Jul 2021 20:58:05 +0200
Subject: ipsec: T1210: add op-mode command for macOS and iOS profile
 generation

generate ipsec mac-ios-profile <connection> remote <ip|fqdn>

will generate a matching IPSec profile which can be loaded on an iOS device.
---
 data/templates/ipsec/ios_profile.tmpl | 110 ++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 data/templates/ipsec/ios_profile.tmpl

(limited to 'data')

diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl
new file mode 100644
index 000000000..508f801d2
--- /dev/null
+++ b/data/templates/ipsec/ios_profile.tmpl
@@ -0,0 +1,110 @@
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Set the name to whatever you like, it is used in the profile list on the device -->
+    <key>PayloadDisplayName</key>
+    <string>{{ profile_name }}</string>
+    <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
+    <key>PayloadIdentifier</key>
+    <string>{{ rfqdn }}</string>
+    <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
+    <key>PayloadUUID</key>
+    <string>{{ 'random' | get_uuid }}</string>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadContent</key>
+    <array>
+        <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
+        <dict>
+            <!-- This is an extension of the identifier given above -->
+            <key>PayloadIdentifier</key>
+            <string>{{ rfqdn }}.conf1</string>
+            <!-- A globally unique identifier for this payload -->
+            <key>PayloadUUID</key>
+            <string>{{ 'random' | get_uuid }}</string>
+            <key>PayloadType</key>
+            <string>com.apple.vpn.managed</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <!-- This is the name of the VPN connection as seen in the VPN application later -->
+            <key>UserDefinedName</key>
+            <string>{{ vpn_name }}</string>
+            <key>VPNType</key>
+            <string>IKEv2</string>
+            <key>IKEv2</key>
+            <dict>
+                <!-- Hostname or IP address of the VPN server -->
+                <key>RemoteAddress</key>
+                <string>{{ remote }}</string>
+                <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
+                     IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
+                <key>RemoteIdentifier</key>
+                <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string>
+                <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
+                <key>LocalIdentifier</key>
+                <string></string>
+                <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent
+                     NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate -->
+                <key>ServerCertificateIssuerCommonName</key>
+                <string>{{ ca_cn }}</string>
+                <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used -->
+                <key>ServerCertificateCommonName</key>
+                <string>{{ cert_cn }}</string>
+                <!-- The server is authenticated using a certificate -->
+                <key>AuthenticationMethod</key>
+                <string>Certificate</string>
+                <!-- The client uses EAP to authenticate -->
+                <key>ExtendedAuthEnabled</key>
+                <integer>1</integer>
+{% if ike_proposal is defined and ike_proposal is not none %}
+                <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
+                     IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
+                <key>IKESecurityAssociationParameters</key>
+{%   for ike, ike_config in ike_proposal.items() %}
+                <dict>
+                    <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm -->
+                    <key>EncryptionAlgorithm</key>
+                    <string>{{ ike_config.encryption | upper }}</string>
+                    <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm -->
+                    <key>IntegrityAlgorithm</key>
+                    <string>{{ ike_config.hash | upper }}</string>
+                    <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup -->
+                    <key>DiffieHellmanGroup</key>
+                    <integer>{{ ike_config.dh_group | upper }}
+                </dict>
+{%   endfor %}
+{% endif %}
+{% if esp_proposal is defined and esp_proposal is not none %}
+                <key>ChildSecurityAssociationParameters</key>
+{%   for esp, esp_config in esp_proposal.items() %}
+                <dict>
+                    <key>EncryptionAlgorithm</key>
+                    <string>{{ esp_config.encryption | upper }}</string>
+                    <key>IntegrityAlgorithm</key>
+                    <string>{{ esp_config.hash | upper }}</string>
+                </dict>
+{%   endfor %}
+{% endif %}
+            </dict>
+        </dict>
+        <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
+        <dict>
+            <key>PayloadIdentifier</key>
+            <string>org.example.ca</string>
+            <key>PayloadUUID</key>
+            <string>{{ 'random' | get_uuid }}</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.root</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <!-- This is the Base64 (PEM) encoded CA certificate -->
+            <key>PayloadContent</key>
+            <data>
+            {{ ca_cert }}
+            </data>
+        </dict>
+    </array>
+</dict>
+</plist>
-- 
cgit v1.2.3