pki: ipsec: l2tp: T2816: T3642: Move IPSec/L2TP code into vpn_ipsec.py and update to use PKI.

1 files changed, 30 insertions, 0 deletions

diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl
new file mode 100644
index 000000000..2df5c2a4d
--- /dev/null
+++ b/data/templates/ipsec/swanctl/l2tp.tmpl
@@ -0,0 +1,30 @@
+{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %}
+{%   set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %}
+{%   set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %}
+    l2tp_remote_access {
+        proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }}
+        local_addrs = {{ l2tp_outside_address }}
+        dpd_delay = 15s
+        dpd_timeout = 45s
+        rekey_time = {{ l2tp_ike.lifetime if l2tp_ike else l2tp.ike_lifetime }}s
+        reauth_time = 0
+        local {
+            auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+{%   if l2tp.authentication.mode == 'x509' %}
+            certs = {{ l2tp.authentication.x509.certificate }}.pem
+{%   endif %}
+        }
+        remote {
+            auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+        }
+        children {
+            l2tp_remote_access_esp {
+                mode = transport
+                esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }}
+                life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s
+                local_ts = dynamic[/1701]
+                remote_ts = dynamic
+            }
+        }
+    }
+{% endmacro %}