summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-06 12:21:46 +0200
committerGitHub <noreply@github.com>2021-07-06 12:21:46 +0200
commit511253635a9b67396788d24bacafd237594e0e12 (patch)
tree32a97fa2f6bf334f22d6a7e255f438af2777e3a8 /data/templates/ipsec/swanctl
parent50b8d38abdb1525243a78896eff784744cfd5c44 (diff)
parenta5cd877a0a4a43644a6d91e6b95fe938b9b2726b (diff)
downloadvyos-1x-511253635a9b67396788d24bacafd237594e0e12.tar.gz
vyos-1x-511253635a9b67396788d24bacafd237594e0e12.zip
Merge pull request #911 from sarthurdev/pki_san
pki: ipsec: T3642: T1210: T2816: Add SANs to generated certificates, more IPSec remote-access features and fixes
Diffstat (limited to 'data/templates/ipsec/swanctl')
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl16
1 files changed, 12 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index a3a1cf0b2..95f2108fb 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,19 +10,27 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
+{% if rw_conf.pool.dhcp_enable is defined %}
+ pools = dhcp
+{% else %}
pools = ra-{{ name }}
+{% endif %}
local {
- auth = pubkey
-{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
id = "{{ rw_conf.authentication.id }}"
{% endif %}
-{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+{% if rw_conf.authentication.server_mode == 'x509' %}
+ auth = pubkey
certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+ auth = psk
{% endif %}
}
remote {
- auth = eap-mschapv2
+ auth = {{ rw_conf.authentication.client_mode }}
+{% if rw_conf.authentication.client_mode.startswith("eap") %}
eap_id = %any
+{% endif %}
}
children {
ikev2-vpn {