author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-06-14 13:04:04 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-06-15 00:16:42 +0200 |
commit | 11b5636519b360074eb2877006f2d8d63d9f6610 (patch) | |
tree | 1ff04e1e0aba2167b746f2f1373544e3d38b055d /data/templates/ipsec/swanctl.conf.tmpl | |
parent | 78099bccc510c90ad7cfa5f56475ba024d5d53a7 (diff) | |
download | vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.tar.gz vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.zip |
ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI.
Diffstat (limited to 'data/templates/ipsec/swanctl.conf.tmpl')
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 106 |
1 files changed, 62 insertions, 44 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index ce007c1fd..ea6d85743 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,54 +1,72 @@
 # Created by VyOS - manual changes will be overwritten
-{% if profile is defined %}
+{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
+{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
+
+{% if profile is defined or site_to_site is defined %}
 connections {
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{% for interface in profile_conf.bind.tunnel %}
- dmvpn-{{ name }}-{{ interface }} {
- proposals = {{ ciphers.ike[profile_conf.ike_group][:-1] }}
- version = {{ dmvpn_ike.key_exchange[4:] if "key_exchange" in dmvpn_ike else "0" }}
- rekey_time = {{ dmvpn_ike.lifetime if 'lifetime' in dmvpn_ike else '28800' }}s
- keyingtries = 0
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
- local {
- auth = psk
- }
- remote {
- auth = psk
- }
-{% endif %}
- children {
- dmvpn {
- esp_proposals = {{ ciphers.esp[profile_conf.esp_group][:-1] }}
- rekey_time = {{ dmvpn_esp.lifetime if 'lifetime' in dmvpn_esp else '3600' }}s
- rand_time = 540s
- local_ts = dynamic[gre]
- remote_ts = dynamic[gre]
- mode = {{ dmvpn_esp.mode if "mode" in dmvpn_esp else "transport" }}
-{% if 'dead_peer_detection' in dmvpn_ike and 'action' in dmvpn_ike.dead_peer_detection %}
- dpd_action = {{ dmvpn_ike.dead_peer_detection.action }}
-{% endif %}
-{% if 'compression' in dmvpn_esp and dmvpn_esp['compression'] == 'enable' %}
- ipcomp = yes
-{% endif %}
- }
- }
- }
-{% endfor %}
-{% endfor %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
+{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
+{{ profile_tmpl.conn(name, profile_conf, 
dmvpn_ike, dmvpn_esp, ciphers) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_ike = ike_group[peer_conf.ike_group] %}
+{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
+{% set auth_type = authby[peer_conf.authentication.mode] %}
+{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type, marks) }}
+{% endfor %}
+{% endif %}
 }
 secrets {
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
-{% for interface in profile_conf.bind.tunnel %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% for interface in profile_conf.bind.tunnel %}
 ike-dmvpn-{{ interface }} {
 secret = {{ profile_conf.authentication.pre_shared_secret }}
 }
-{% endfor %}
-{% endif %}
-{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% set ns = namespace(local_key_set=False) %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
+ ike_{{ peer_conn_name }} {
+{% if peer_conf.local_address is defined %}
+ id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 
'dhcp_interface' in peer_conf else 'no' }}
+{% endif %}
+ id-remote = {{ peer }}
+{% if peer_conf.authentication.id is defined %}
+ id-localid = {{ peer_conf.authentication.id }}
+{% endif %}
+{% if peer_conf.authentication.remote_id is defined %}
+ id-remoteid = {{ peer_conf.authentication.remote_id }}
+{% endif %}
+ secret = "{{ peer_conf.authentication.pre_shared_secret }}"
+ }
+{% elif peer_conf.authentication.mode == 'x509' %}
+ private_{{ peer_conn_name }} {
+ file = {{ peer_conf.authentication.x509.key.file }}
+{% if "password" in peer_conf.authentication.x509.key and peer_conf.authentication.x509.key.password %}
+ secret = "{{ peer_conf.authentication.x509.key.password}}"
+{% endif %}
+ }
+{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
+{% set ns.local_key_set = True %}
+ rsa_local {
+ file = {{ rsa_local_key }}
+ }
+{% endif %}
+{% endfor %}
+{% endif %}
 }
-{% endif %}
+{% endif %} |
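Review bot: The new site-to-site `ike_{{ peer_conn_name }}` and `private_{{ peer_conn_name }}` entries quote their secrets (`secret = "{{ … }}"`), while the DMVPN entry left as context in the same `secrets { }` section still emits `secret = {{ profile_conf.authentication.pre_shared_secret }}` bare, so a pre-shared secret containing whitespace or `#` would presumably be cut short or rejected by the strongSwan config parser in the DMVPN path but accepted in the site-to-site path. Neither form escapes a `"` embedded in the value, so the quoted entries (PSK and the x509 key password) can still render an unparseable secrets section. Aligning the DMVPN line to `secret = "{{ profile_conf.authentication.pre_shared_secret }}"` removes the inconsistency; a template comment such as `{# secret values are emitted double-quoted and must not contain '"' — reject in the config script #}` above the section would document the remaining constraint for the validation step that feeds this template. The `if profile is defined or site_to_site is defined` block opened at the top of the hunk closes on its last line, so the whole section is within view.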