diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-07-03 15:52:26 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-07-04 11:57:15 +0200 |
| commit | b2bf1592189fb9298f2a68272418a132a73f37bf (patch) | |
| tree | 20599766a0c4d23bc0defb1add6e28221669836a /data/templates/ipsec/swanctl/remote_access.tmpl | |
| parent | ce3847239493d76bd0462e2a7b1f5cca41c57457 (diff) | |
| download | vyos-1x-b2bf1592189fb9298f2a68272418a132a73f37bf.tar.gz vyos-1x-b2bf1592189fb9298f2a68272418a132a73f37bf.zip | |
ipsec: T1210: T1251: IKEv2 road-warrior support
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
Diffstat (limited to 'data/templates/ipsec/swanctl/remote_access.tmpl')
| -rw-r--r-- | data/templates/ipsec/swanctl/remote_access.tmpl | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl new file mode 100644 index 000000000..89f6e343e --- /dev/null +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -0,0 +1,37 @@ +{% macro conn(name, rw_conf, ike_group, esp_group) %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[rw_conf.ike_group] %} +{% set esp = esp_group[rw_conf.esp_group] %} + ra-{{ name }} { + remote_addrs = %any + local_addrs = %any + proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + send_certreq = no + rekey_time = {{ ike.lifetime }}s + keyingtries = 0 + local { + auth = pubkey +{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} + id = "{{ rw_conf.authentication.id }}" +{% endif %} +{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %} + certs = {{ rw_conf.authentication.x509.certificate }}.pem +{% endif %} + } + remote { + auth = eap-mschapv2 + id = %any + eap_id = %any + } + children { + ikev2-vpn { + esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} + rekey_time = {{ esp.lifetime }}s + rand_time = 540s + local_ts = 0.0.0.0/0 + dpd_action = clear + } + } + } +{% endmacro %} |