From f6c2b5e4762e7713c5868bebf8e482ce732e3302 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.i>
Date: Thu, 17 Feb 2022 21:18:37 +0000
Subject: vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options

Ability to set the Cisco FlexVPN vendor ID payload and the virtual-IP installation options:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z

set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
---
 data/templates/ipsec/charon.tmpl       | 11 +++++++++++
 data/templates/ipsec/swanctl/peer.tmpl |  3 +++
 2 files changed, 14 insertions(+)


diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl
index 4d710921e..b9b020dcd 100644
--- a/data/templates/ipsec/charon.tmpl
+++ b/data/templates/ipsec/charon.tmpl
@@ -20,6 +20,17 @@ charon {
     # Send Cisco Unity vendor ID payload (IKEv1 only).
     # cisco_unity = no
 
+    # Cisco FlexVPN
+{% if options is defined %}
+    cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }}
+{%   if options.virtual_ip is defined %}
+    install_virtual_ip = yes
+{%   endif %}
+{%   if options.interface is defined and options.interface is not none %}
+    install_virtual_ip_on = {{ options.interface }}
+{%   endif %}
+{%  endif %}
+
     # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
     # close_ike_on_child_failure = no
 
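Review bot: The `install_virtual_ip = yes` line under the `options.virtual_ip` branch has no `no` counterpart, so removing `virtual-ip` from the CLI only drops the line and leaves charon's built-in default in force; if that default is already `yes` (as strongSwan documents it), the CLI option can enable but never disable virtual-IP installation. Mirroring the `cisco_flexvpn` line makes the setting explicit in both states: `install_virtual_ip = {{ 'yes' if options.virtual_ip is defined else 'no' }}`. The `install_virtual_ip_on` value is rendered unquoted straight from `options.interface`, so the config definition (outside this diff) should constrain it to an existing interface name, since charon's behaviour when the named interface is absent is not something this template checks. Minor style: the closing `{%  endif %}` uses two spaces where the nested `{%   if %}` tags use three, and the `# Cisco FlexVPN` header only describes the first of the three settings it introduces.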
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index c6b71f2a1..f4e28d818 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -5,6 +5,9 @@
     peer_{{ name }} {
         proposals = {{ ike | get_esp_ike_cipher | join(',') }}
         version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+{%   if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %}
+        vips = {{ peer_conf.virtual_address | join(', ') }}
+{%   endif %}
         local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
         remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
 {%   if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
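Review bot: `vips = {{ peer_conf.virtual_address | join(', ') }}` assumes `virtual_address` is a list; Jinja's `join` iterates whatever it is handed, so if the config loader delivers a single-valued node as a plain string the line renders one character per element (`1, 0, ., 0, ...`), which swanctl will reject. A type guard keeps it to one line: `vips = {{ peer_conf.virtual_address if peer_conf.virtual_address is string else peer_conf.virtual_address | join(', ') }}`. Whether the loader normalizes this node to a list is not visible in the diff, so confirm against the config dict before relying on the current form. The enclosing `peer_{{ name }}` section continues past the end of the hunk.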
-- 