ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixes

... this enables a dual-stack IKEv2 VPN deployment.

1 files changed, 24 insertions, 6 deletions

diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 102d7583f..b85fe7d41 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -28,13 +28,31 @@ connections {
 pools {
 {%  if remote_access is defined %}
 {%    for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %}
-    ra-{{ ra }} {
-        addrs = {{ ra_conf.pool.prefix }}
-        dns = {{ ra_conf.pool.name_server | join(",") }}
-{%      if ra_conf.pool.exclude is defined %}
-        split_exclude = {{ ra_conf.pool.exclude | join(",") }}
-{%      endif %}
+{%      if ra_conf.pool is defined and ra_conf.pool.prefix is defined %}
+{%        for prefix in ra_conf.pool.prefix %}
+{%          if prefix | is_ipv4 %}
+    ra-{{ ra }}-ipv4 {
+        addrs = {{ prefix }}
+{%            if ra_conf.pool.name_server_v4 is defined and ra_conf.pool.name_server_v4 is not none %}
+        dns = {{ ra_conf.pool.name_server_v4 | join(',') }}
+{%            endif %}
+{%            if ra_conf.pool.exclude_v4 is defined and ra_conf.pool.exclude_v4 is not none %}
+        split_exclude = {{ ra_conf.pool.exclude_v4 | join(',') }}
+{%            endif %}
+    }
+{%          elif prefix | is_ipv6 %}
+    ra-{{ ra }}-ipv6 {
+        addrs = {{ prefix }}
+{%            if ra_conf.pool.name_server_v6 is defined and ra_conf.pool.name_server_v6 is not none %}
+        dns = {{ ra_conf.pool.name_server_v6 | join(',') }}
+{%            endif %}
+{%            if ra_conf.pool.exclude_v6 is defined and ra_conf.pool.exclude_v6 is not none %}
+        split_exclude = {{ ra_conf.pool.exclude_v6 | join(',') }}
+{%            endif %}
     }
+{%          endif %}
+{%        endfor %}
+{%      endif %}
 {%    endfor %}
 {%  endif %}
 }