ipsec: T2816: rework IKE and ESP key assignment

Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.

This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.

1 files changed, 13 insertions, 21 deletions

diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 116d62beb..cafe52e78 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,25 +1,17 @@
 ### Autogenerated by vpn_ipsec.py ###
-
 {% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
 {% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
 
-{% if profile is defined or site_to_site is defined %}
 connections {
-{%   if profile is defined %}
-{%     for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{%       set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{%       set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{       profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{%     endfor %}
-{%   endif %}
-{%   if site_to_site is defined and site_to_site.peer is defined %}
-{%     for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{%       set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{%       set peer_ike = ike_group[peer_conf.ike_group] %}
-{%       set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{%       set auth_type = authby[peer_conf.authentication.mode] %}
-{{       peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{%     endfor %}
+{% if profile is defined %}
+{%   for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{     profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{%   endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{%   for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{%   endfor %}
 {%  endif %}
 }
 
@@ -38,9 +30,9 @@ secrets {
 {%  if site_to_site is defined and site_to_site.peer is defined %}
 {%    set ns = namespace(local_key_set=False) %}
 {%    for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{%      set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{%      set peer_name = peer.replace(".", "-").replace("@", "") %}
 {%      if peer_conf.authentication.mode == 'pre-shared-secret' %}
-    ike_{{ peer_conn_name }} {
+    ike_{{ peer_name }} {
 {%        if peer_conf.local_address is defined %}
         id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
 {%        endif %}
@@ -54,7 +46,7 @@ secrets {
         secret = "{{ peer_conf.authentication.pre_shared_secret }}"
     }
 {%      elif peer_conf.authentication.mode == 'x509' %}
-    private_{{ peer_conn_name }} {
+    private_{{ peer_name }} {
         file = {{ peer_conf.authentication.x509.certificate }}.pem
 {%        if peer_conf.authentication.x509.passphrase is defined %}
         secret = "{{ peer_conf.authentication.x509.passphrase }}"
@@ -69,4 +61,4 @@ secrets {
 {%    endfor %}
 {%  endif %}
 }
-{% endif %}
+