authorChristian Poessinger <christian@poessinger.com>2021-07-03 19:08:18 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 19:09:47 +0200
commit2aec3e61c9130e942cb766aa0e5f4acf900dc921 (patch)
tree9d04ea091cd62782cfaef40b8f57da228d5f6178
parent32fab6c7c5a7d8ad926513fcc5a5c637b77769e3 (diff)
ipsec: T2816: provide x509 certificate base auth building blocks
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl2
-rw-r--r--interface-definitions/include/ipsec/authentication-id.xml.i11
-rw-r--r--interface-definitions/include/ipsec/authentication-x509.xml.i11
-rw-r--r--interface-definitions/vpn_ipsec.xml.in20
4 files changed, 25 insertions, 19 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index b35cd4b60..4ace06701 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -31,7 +31,7 @@
encap = yes
{% endif %}
local {
-{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
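Review bot: The new guard on the `id` line covers only that branch; the `auth = ...` line four lines below still reads `peer_conf.authentication.mode` unconditionally, so in the very situation the guard is meant for (a peer with no `authentication` node) rendering would still stop there, or silently emit `pubkey`, depending on how the renderer treats an undefined attribute, which is not visible in this hunk. The CLI help marks peer authentication as required, so the guard may be defensive only; if it is needed, the `auth` line should be protected the same way, e.g. `{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined %}` around it, and otherwise the extra `is defined` clause is dead weight worth a one-line comment explaining when `authentication` can be absent. The enclosing `local {` block continues past the end of the hunk.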
diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i
new file mode 100644
index 000000000..4967782ec
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-id.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-id.xml.i -->
+<leafNode name="id">
+ <properties>
+ <help>ID for peer authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
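Review bot: The `id` leaf carries no `<constraint>`, yet the peer template in this same commit writes the value verbatim into the swanctl config as `id = "{{ peer_conf.authentication.id }}"`, so a double quote or a line break in the configured ID would corrupt the generated block rather than be rejected at commit time. Since this include is introduced as a reusable building block, it is the right place to add a `<constraint>` with a `<regex>` that excludes quotes and newlines (exact pattern for the project to decide) together with a `<constraintErrorMessage>`, so every consumer gets the same validation. The `<description>` could also name the identity forms the backend accepts instead of repeating the help text.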
diff --git a/interface-definitions/include/ipsec/authentication-x509.xml.i b/interface-definitions/include/ipsec/authentication-x509.xml.i
new file mode 100644
index 000000000..db675c0bf
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-x509.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-x509.xml.i -->
+<node name="x509">
+ <properties>
+ <help>X.509 certificate</help>
+ </properties>
+ <children>
+ #include <include/pki/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index c301703c3..ff60bb82f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -737,15 +737,8 @@
<help>Peer authentication [REQUIRED]</help>
</properties>
<children>
- <leafNode name="id">
- <properties>
- <help>ID for peer authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
@@ -798,15 +791,6 @@
<valueless/>
</properties>
</leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/pki/certificate-key.xml.i>
- #include <include/pki/ca-certificate.xml.i>
- </children>
- </node>
</children>
</node>
<leafNode name="connection-type">