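### Autogenerated by vpn_ipsec.py ###
{# Renders the strongSwan swanctl configuration for 'vpn ipsec': the connections
   section, the remote-access address pools and the secrets section. All values
   come from the VyOS config dictionaries handed in by vpn_ipsec.py; the per-type
   connection bodies live in the sub-templates imported below. #}
{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %}

connections {
{# DMVPN profiles: only enabled profiles that are bound to at least one tunnel
   interface are rendered. The same filter is repeated in the secrets section so
   a profile never gets a connection without its PSK, or the other way round. #}
{% if profile is vyos_defined %}
{%     for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{%     endfor %}
{% endif %}
{# Site-to-site peers. Peers listed in dhcp_no_address are skipped here and again
   in the secrets section; dhcp_no_address is presumably built by vpn_ipsec.py for
   peers whose dhcp-interface has no address yet -- confirm against the caller. #}
{% if site_to_site.peer is vyos_defined %}
{%     for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{%     endfor %}
{% endif %}
{# Remote-access (road-warrior) connections; disabled ones are left out. #}
{% if remote_access.connection is vyos_defined %}
{%     for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{%     endfor %}
{% endif %}
{# L2TP/IPsec: one connection rendered by l2tp.j2 on the outside address, with the
   l2tp_ike_default / l2tp_esp_default group names supplied by vpn_ipsec.py. #}
{% if l2tp %}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}

pools {
{# Address pools handed out to remote-access clients. Each pool keeps its CLI
   name; the name-server and exclude lists become comma-separated swanctl values. #}
{% if remote_access.pool is vyos_defined %}
{%     for pool, pool_config in remote_access.pool.items() %}
    {{ pool }} {
{%         if pool_config.prefix is vyos_defined %}
        addrs = {{ pool_config.prefix }}
{%         endif %}
{%         if pool_config.name_server is vyos_defined %}
        dns = {{ pool_config.name_server | join(',') }}
{%         endif %}
{%         if pool_config.exclude is vyos_defined %}
        split_exclude = {{ pool_config.exclude | join(',') }}
{%         endif %}
    }
{%     endfor %}
{% endif %}
}

secrets {
{# NOTE(review): every value in this section (IKE PSKs, private-key passphrases,
   EAP user passwords) is written in cleartext. The template cannot control file
   permissions, so vpn_ipsec.py must write the rendered file readable by root
   only -- verify that in the caller, not here. #}
{% if profile is vyos_defined %}
{%     for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
{%         if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
{%             for interface in profile_conf.bind.tunnel %}
{# One PSK entry per bound tunnel interface. The section name presumably has to
   match the connection name profile.j2 emits for that interface -- confirm
   before renaming either side. #}
    ike-dmvpn-{{ interface }} {
{# Quoted like every other 'secret =' entry in this file: '#' starts a comment in
   swanctl.conf (the dhcp marker further down relies on that), so an unquoted PSK
   containing '#' or other characters special to the parser would be cut short. #}
        secret = "{{ profile_conf.authentication.pre_shared_secret }}"
    }
{%             endfor %}
{%         endif %}
{%     endfor %}
{% endif %}
{% if site_to_site.peer is vyos_defined %}
{%     for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{# The peer identifier is normalised for use as a section name ('@' removed,
   dots and colons turned into dashes). Presumably peer.j2 applies the same
   normalisation for the connection name -- verify if either filter changes. #}
{%         set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
{%         if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
    ike_{{ peer_name }} {
{%             if peer_conf.local_address is vyos_defined %}
{# The trailing '# dhcp:<iface>' is a swanctl comment; presumably vpn_ipsec.py or
   the DHCP hook looks for it to refresh id-local when a lease changes -- confirm. #}
        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{%             endif %}
        id-remote = {{ peer }}
{# Explicit local/remote IKE identities override the address-based ones above. #}
{%             if peer_conf.authentication.id is vyos_defined %}
        id-localid = {{ peer_conf.authentication.id }}
{%             endif %}
{%             if peer_conf.authentication.remote_id is vyos_defined %}
        id-remoteid = {{ peer_conf.authentication.remote_id }}
{%             endif %}
        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
    }
{%         elif peer_conf.authentication.mode is vyos_defined('x509') %}
{# Private key referenced by the certificate's CLI name plus '.pem'; the path is
   presumably resolved against the strongSwan private-key directory populated by
   vpn_ipsec.py -- confirm. The passphrase is only emitted when configured. #}
    private_{{ peer_name }} {
        file = {{ peer_conf.authentication.x509.certificate }}.pem
{%             if peer_conf.authentication.x509.passphrase is vyos_defined %}
        secret = "{{ peer_conf.authentication.x509.passphrase }}"
{%             endif %}
    }
{%         elif peer_conf.authentication.mode is vyos_defined('rsa') %}
    rsa_{{ peer_name }}_local {
        file = {{ peer_conf.authentication.rsa.local_key }}.pem
{%             if peer_conf.authentication.rsa.passphrase is vyos_defined %}
        secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{%             endif %}
    }
{%         endif %}
{%     endfor %}
{% endif %}
{% if remote_access.connection is vyos_defined %}
{%     for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{%         if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
{# Server-side IKE PSK. The identity is the explicit authentication id when set,
   else the local address; when neither is configured no id is written at all,
   which swanctl -- as far as I know -- treats as a secret valid for any peer. #}
    ike_{{ ra }} {
{%             if ra_conf.authentication.id is vyos_defined %}
        id = "{{ ra_conf.authentication.id }}"
{%             elif ra_conf.local_address is vyos_defined %}
        id = "{{ ra_conf.local_address }}"
{%             endif %}
        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
    }
{%         endif %}
{# Per-user EAP-MSCHAPv2 secrets; disabled users are skipped. The password has
   to be available in cleartext (or as its NT hash) for MSCHAPv2, which is
   presumably why it is stored here rather than hashed. The id-* entry binds the
   EAP identity the client presents to this secret. #}
{%         if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %}
{%             for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %}
    eap-{{ ra }}-{{ user }} {
        secret = "{{ user_conf.password }}"
        id-{{ ra }}-{{ user }} = "{{ user }}"
    }
{%             endfor %}
{%         endif %}
{%     endfor %}
{% endif %}
{# L2TP/IPsec secrets are keyed on the outside address the L2TP connection
   listens on; the x509 variant mirrors the site-to-site private key entry. #}
{% if l2tp %}
{%     if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %}
    ike_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        secret = "{{ l2tp.authentication.pre_shared_secret }}"
    }
{%     elif l2tp.authentication.mode is vyos_defined('x509') %}
    private_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        file = {{ l2tp.authentication.x509.certificate }}.pem
{%         if l2tp.authentication.x509.passphrase is vyos_defined %}
        secret = "{{ l2tp.authentication.x509.passphrase }}"
{%         endif %}
    }
{%     endif %}
{% endif %}
}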