summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl/remote_access.tmpl
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-05 16:22:54 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-05 22:01:10 +0200
commit0b93fce06526a2826c19adcbb25874e51cccf68e (patch)
tree5ca97537d047a2f543144ac8a93c8f04fe69a796 /data/templates/ipsec/swanctl/remote_access.tmpl
parentda02980779821862eed8966fd9e9258b807eb03d (diff)
downloadvyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.tar.gz
vyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.zip
ipsec: T1210: T1251: Add more features to remote-access connections
- Adds client/server authentication methods. - Adds basic verification to remote-access. - Adds DHCP pool and options to remote-access. - Cleanup unused PKI files.
Diffstat (limited to 'data/templates/ipsec/swanctl/remote_access.tmpl')
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl16
1 files changed, 12 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index a3a1cf0b2..95f2108fb 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,19 +10,27 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
+{% if rw_conf.pool.dhcp_enable is defined %}
+ pools = dhcp
+{% else %}
pools = ra-{{ name }}
+{% endif %}
local {
- auth = pubkey
-{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
id = "{{ rw_conf.authentication.id }}"
{% endif %}
-{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+{% if rw_conf.authentication.server_mode == 'x509' %}
+ auth = pubkey
certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+ auth = psk
{% endif %}
}
remote {
- auth = eap-mschapv2
+ auth = {{ rw_conf.authentication.client_mode }}
+{% if rw_conf.authentication.client_mode.startswith("eap") %}
eap_id = %any
+{% endif %}
}
children {
ikev2-vpn {