summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl.conf.tmpl
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:31:38 +0200
commita1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (patch)
tree7e44119b3054f54d18e216a8f63e84346e92073d /data/templates/ipsec/swanctl.conf.tmpl
parent2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (diff)
downloadvyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.tar.gz
vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.zip
ipsec: T2816: rework IKE and ESP key assignment
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
Diffstat (limited to 'data/templates/ipsec/swanctl.conf.tmpl')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl34
1 files changed, 13 insertions, 21 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 116d62beb..cafe52e78 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,25 +1,17 @@
### Autogenerated by vpn_ipsec.py ###
-
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% if profile is defined or site_to_site is defined %}
connections {
-{% if profile is defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
-{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
-{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
-{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
-{% set peer_ike = ike_group[peer_conf.ike_group] %}
-{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
-{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
-{% endfor %}
+{% if profile is defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
{% endif %}
}
@@ -38,9 +30,9 @@ secrets {
{% if site_to_site is defined and site_to_site.peer is defined %}
{% set ns = namespace(local_key_set=False) %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_name = peer.replace(".", "-").replace("@", "") %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
- ike_{{ peer_conn_name }} {
+ ike_{{ peer_name }} {
{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
@@ -54,7 +46,7 @@ secrets {
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
{% elif peer_conf.authentication.mode == 'x509' %}
- private_{{ peer_conn_name }} {
+ private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
@@ -69,4 +61,4 @@ secrets {
{% endfor %}
{% endif %}
}
-{% endif %}
+