summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl.conf.tmpl
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-14 13:04:04 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-15 00:16:42 +0200
commit11b5636519b360074eb2877006f2d8d63d9f6610 (patch)
tree1ff04e1e0aba2167b746f2f1373544e3d38b055d /data/templates/ipsec/swanctl.conf.tmpl
parent78099bccc510c90ad7cfa5f56475ba024d5d53a7 (diff)
downloadvyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.tar.gz
vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.zip
ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI.
Diffstat (limited to 'data/templates/ipsec/swanctl.conf.tmpl')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl106
1 files changed, 62 insertions, 44 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index ce007c1fd..ea6d85743 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,54 +1,72 @@
# Created by VyOS - manual changes will be overwritten
-{% if profile is defined %}
+{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
+{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
+
+{% if profile is defined or site_to_site is defined %}
connections {
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{% for interface in profile_conf.bind.tunnel %}
- dmvpn-{{ name }}-{{ interface }} {
- proposals = {{ ciphers.ike[profile_conf.ike_group][:-1] }}
- version = {{ dmvpn_ike.key_exchange[4:] if "key_exchange" in dmvpn_ike else "0" }}
- rekey_time = {{ dmvpn_ike.lifetime if 'lifetime' in dmvpn_ike else '28800' }}s
- keyingtries = 0
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
- local {
- auth = psk
- }
- remote {
- auth = psk
- }
-{% endif %}
- children {
- dmvpn {
- esp_proposals = {{ ciphers.esp[profile_conf.esp_group][:-1] }}
- rekey_time = {{ dmvpn_esp.lifetime if 'lifetime' in dmvpn_esp else '3600' }}s
- rand_time = 540s
- local_ts = dynamic[gre]
- remote_ts = dynamic[gre]
- mode = {{ dmvpn_esp.mode if "mode" in dmvpn_esp else "transport" }}
-{% if 'dead_peer_detection' in dmvpn_ike and 'action' in dmvpn_ike.dead_peer_detection %}
- dpd_action = {{ dmvpn_ike.dead_peer_detection.action }}
-{% endif %}
-{% if 'compression' in dmvpn_esp and dmvpn_esp['compression'] == 'enable' %}
- ipcomp = yes
-{% endif %}
- }
- }
- }
-{% endfor %}
-{% endfor %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
+{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
+{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_ike = ike_group[peer_conf.ike_group] %}
+{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
+{% set auth_type = authby[peer_conf.authentication.mode] %}
+{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type, marks) }}
+{% endfor %}
+{% endif %}
}
secrets {
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
-{% for interface in profile_conf.bind.tunnel %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
secret = {{ profile_conf.authentication.pre_shared_secret }}
}
-{% endfor %}
-{% endif %}
-{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% set ns = namespace(local_key_set=False) %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
+ ike_{{ peer_conn_name }} {
+{% if peer_conf.local_address is defined %}
+ id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+{% endif %}
+ id-remote = {{ peer }}
+{% if peer_conf.authentication.id is defined %}
+ id-localid = {{ peer_conf.authentication.id }}
+{% endif %}
+{% if peer_conf.authentication.remote_id is defined %}
+ id-remoteid = {{ peer_conf.authentication.remote_id }}
+{% endif %}
+ secret = "{{ peer_conf.authentication.pre_shared_secret }}"
+ }
+{% elif peer_conf.authentication.mode == 'x509' %}
+ private_{{ peer_conn_name }} {
+ file = {{ peer_conf.authentication.x509.key.file }}
+{% if "password" in peer_conf.authentication.x509.key and peer_conf.authentication.x509.key.password %}
+ secret = "{{ peer_conf.authentication.x509.key.password}}"
+{% endif %}
+ }
+{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %}
+{% set ns.local_key_set = True %}
+ rsa_local {
+ file = {{ rsa_local_key }}
+ }
+{% endif %}
+{% endfor %}
+{% endif %}
}
-{% endif %}
+{% endif %}