summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl.conf.tmpl
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:42:03 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:42:03 +0200
commitdcfeb0de0a510d00c37101da50205b51dd464d72 (patch)
tree4352ed737a931a3d6fbbfb6ecd99cfb84f34661f /data/templates/ipsec/swanctl.conf.tmpl
parent13924804aafa9a43b4a300fb9afbdf29b69603fb (diff)
parent1e74c0df2179c60036e440e15ed9036163039b2a (diff)
downloadvyos-1x-dcfeb0de0a510d00c37101da50205b51dd464d72.tar.gz
vyos-1x-dcfeb0de0a510d00c37101da50205b51dd464d72.zip
Merge branch 'ipsec-ikev2-remote-access' of github.com:c-po/vyos-1x into current
* 'ipsec-ikev2-remote-access' of github.com:c-po/vyos-1x: ipsec: T2816: remove default values from Jinja2 template and place them in XML ipsec: T2816: rework IKE and ESP key assignment ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string ipsec: T2816: adjust Jinja2 template to coding style xml: provide building block for a generic description node
Diffstat (limited to 'data/templates/ipsec/swanctl.conf.tmpl')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl88
1 files changed, 40 insertions, 48 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 0ff08ee15..cafe52e78 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,72 +1,64 @@
-# Created by VyOS - manual changes will be overwritten
-
+### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% if profile is defined or site_to_site is defined %}
connections {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% set peer_ike = ike_group[peer_conf.ike_group] %}
-{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{% endfor %}
-{% endif %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
}
secrets {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
-{% for interface in profile_conf.bind.tunnel %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
secret = {{ profile_conf.authentication.pre_shared_secret }}
}
-{% endfor %}
-{% endif %}
{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% set ns = namespace(local_key_set=False) %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
- ike_{{ peer_conn_name }} {
-{% if peer_conf.local_address is defined %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% set ns = namespace(local_key_set=False) %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_name = peer.replace(".", "-").replace("@", "") %}
+{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
+ ike_{{ peer_name }} {
+{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{% endif %}
+{% endif %}
id-remote = {{ peer }}
-{% if peer_conf.authentication.id is defined %}
+{% if peer_conf.authentication.id is defined %}
id-localid = {{ peer_conf.authentication.id }}
-{% endif %}
-{% if peer_conf.authentication.remote_id is defined %}
+{% endif %}
+{% if peer_conf.authentication.remote_id is defined %}
id-remoteid = {{ peer_conf.authentication.remote_id }}
-{% endif %}
+{% endif %}
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
-{% elif peer_conf.authentication.mode == 'x509' %}
- private_{{ peer_conn_name }} {
+{% elif peer_conf.authentication.mode == 'x509' %}
+ private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
-{% if peer_conf.authentication.x509.passphrase is defined %}
+{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
-{% endif %}
+{% endif %}
}
-{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
-{% set ns.local_key_set = True %}
+{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
+{% set ns.local_key_set = True %}
rsa_local {
file = {{ rsa_local_key }}
}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
-{% endif %}
+