diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-05 16:22:54 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-05 22:01:10 +0200 |
commit | 0b93fce06526a2826c19adcbb25874e51cccf68e (patch) | |
tree | 5ca97537d047a2f543144ac8a93c8f04fe69a796 /data/templates/ipsec/swanctl.conf.tmpl | |
parent | da02980779821862eed8966fd9e9258b807eb03d (diff) | |
download | vyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.tar.gz vyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.zip |
ipsec: T1210: T1251: Add more features to remote-access connections
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
Diffstat (limited to 'data/templates/ipsec/swanctl.conf.tmpl')
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 0eda8479a..00251d44d 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -23,7 +23,7 @@ connections { pools { {% if remote_access is defined %} -{% for ra, ra_conf in remote_access.items() if remote_access is defined %} +{% for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %} ra-{{ ra }} { addrs = {{ ra_conf.pool.prefix }} dns = {{ ra_conf.pool.name_server | join(",") }} @@ -82,7 +82,17 @@ secrets { {% endif %} {% if remote_access is defined %} {% for ra, ra_conf in remote_access.items() if remote_access is defined %} -{% if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} +{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} + ike_{{ ra }} { +{% if ra_conf.authentication.id is defined %} + id = "{{ ra_conf.authentication.id }}" +{% elif ra_conf.local_address is defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} {% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} eap-{{ ra }}-{{ user }} { secret = "{{ user_conf.password }}" |