diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-05 16:22:54 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-05 22:01:10 +0200 |
commit | 0b93fce06526a2826c19adcbb25874e51cccf68e (patch) | |
tree | 5ca97537d047a2f543144ac8a93c8f04fe69a796 /data/templates/ipsec/swanctl | |
parent | da02980779821862eed8966fd9e9258b807eb03d (diff) | |
download | vyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.tar.gz vyos-1x-0b93fce06526a2826c19adcbb25874e51cccf68e.zip |
ipsec: T1210: T1251: Add more features to remote-access connections
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
Diffstat (limited to 'data/templates/ipsec/swanctl')
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.tmpl | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index a3a1cf0b2..95f2108fb 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -10,19 +10,27 @@ send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 +{% if rw_conf.pool.dhcp_enable is defined %} + pools = dhcp +{% else %} pools = ra-{{ name }} +{% endif %} local { - auth = pubkey -{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} +{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} id = "{{ rw_conf.authentication.id }}" {% endif %} -{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %} +{% if rw_conf.authentication.server_mode == 'x509' %} + auth = pubkey certs = {{ rw_conf.authentication.x509.certificate }}.pem +{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} + auth = psk {% endif %} } remote { - auth = eap-mschapv2 + auth = {{ rw_conf.authentication.client_mode }} +{% if rw_conf.authentication.client_mode.startswith("eap") %} eap_id = %any +{% endif %} } children { ikev2-vpn { |