Merge pull request #911 from sarthurdev/pki_san

pki: ipsec: T3642: T1210: T2816: Add SANs to generated certificates, more IPSec remote-access features and fixes
author: Christian Poessinger <christian@poessinger.com> 2021-07-06 12:21:46 +0200
committer: GitHub <noreply@github.com> 2021-07-06 12:21:46 +0200
commit: 511253635a9b67396788d24bacafd237594e0e12 (patch)
tree: 32a97fa2f6bf334f22d6a7e255f438af2777e3a8 /data/templates/ipsec
parent: 50b8d38abdb1525243a78896eff784744cfd5c44 (diff)
parent: a5cd877a0a4a43644a6d91e6b95fe938b9b2726b (diff)
download: vyos-1x-511253635a9b67396788d24bacafd237594e0e12.tar.gz
vyos-1x-511253635a9b67396788d24bacafd237594e0e12.zip
3 files changed, 47 insertions, 6 deletions
diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl
new file mode 100644
index 000000000..2879550a8
--- /dev/null
+++ b/data/templates/ipsec/charon/dhcp.conf.tmpl
@@ -0,0 +1,23 @@
+dhcp {
+    load = yes
+
+{% if options is defined and options.remote_access is defined and options.remote_access.dhcp_pool is defined %}
+{%   if options.remote_access.dhcp_pool.interface is defined %}
+    interface = {{ options.remote_access.dhcp_pool.interface }}
+{%   endif %}
+{%   if options.remote_access.dhcp_pool.server is defined %}
+    server = {{ options.remote_access.dhcp_pool.server }}
+{%   endif %}
+{% endif %}
+
+    # Always use the configured server address.
+    # force_server_address = no
+
+    # Derive user-defined MAC address from hash of IKE identity and send client
+    # identity DHCP option.
+    # identity_lease = no
+
+    # Use the DHCP server port (67) as source port when a unicast server address
+    # is configured.
+    # use_server_port = no
+}
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 0eda8479a..00251d44d 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -23,7 +23,7 @@ connections {
 
 pools {
 {%  if remote_access is defined %}
-{%    for ra, ra_conf in remote_access.items() if remote_access is defined %}
+{%    for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %}
     ra-{{ ra }} {
         addrs = {{ ra_conf.pool.prefix }}
         dns = {{ ra_conf.pool.name_server | join(",") }}
@@ -82,7 +82,17 @@ secrets {
 {%  endif %}
 {%  if remote_access is defined %}
 {%    for ra, ra_conf in remote_access.items() if remote_access is defined %}
-{%      if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
+{%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
+    ike_{{ ra }} {
+{%        if ra_conf.authentication.id is defined %}
+        id = "{{ ra_conf.authentication.id }}"
+{%        elif ra_conf.local_address is defined %}
+        id = "{{ ra_conf.local_address }}"
+{%        endif %}
+        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
+    }
+{%      endif %}
+{%      if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
 {%        for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
     eap-{{ ra }}-{{ user }} {
         secret = "{{ user_conf.password }}"
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index a3a1cf0b2..95f2108fb 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,19 +10,27 @@
         send_certreq = no
         rekey_time = {{ ike.lifetime }}s
         keyingtries = 0
+{%   if rw_conf.pool.dhcp_enable is defined %}
+        pools = dhcp
+{%   else %}
         pools = ra-{{ name }}
+{%   endif %}
         local {
-            auth = pubkey
-{%   if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+{%   if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
             id = "{{ rw_conf.authentication.id }}"
 {%   endif %}
-{%   if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+{%   if rw_conf.authentication.server_mode == 'x509' %}
+            auth = pubkey
             certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{%   elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+            auth = psk
 {%   endif %}
         }
         remote {
-            auth = eap-mschapv2
+            auth = {{ rw_conf.authentication.client_mode }}
+{%   if rw_conf.authentication.client_mode.startswith("eap") %}
             eap_id = %any
+{%   endif %}
         }
         children {
             ikev2-vpn  {
author	Christian Poessinger <christian@poessinger.com>	2021-07-06 12:21:46 +0200
committer	GitHub <noreply@github.com>	2021-07-06 12:21:46 +0200
commit	511253635a9b67396788d24bacafd237594e0e12 (patch)
tree	32a97fa2f6bf334f22d6a7e255f438af2777e3a8 /data/templates/ipsec
parent	50b8d38abdb1525243a78896eff784744cfd5c44 (diff)
parent	a5cd877a0a4a43644a6d91e6b95fe938b9b2726b (diff)
download	vyos-1x-511253635a9b67396788d24bacafd237594e0e12.tar.gz vyos-1x-511253635a9b67396788d24bacafd237594e0e12.zip