summaryrefslogtreecommitdiff
path: root/data/templates/ipsec
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-06-28 22:58:24 +0200
committerChristian Poessinger <christian@poessinger.com>2021-06-28 22:58:24 +0200
commit0751065ffa2161bedd040197dd51ad6ece5ab19b (patch)
tree7fcbdbe7dbc35e1f2b71b383485fd3017ac83fb7 /data/templates/ipsec
parent5a5c0cd2e6f5d6c459a7f0e2da777834fb4362b2 (diff)
downloadvyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.tar.gz
vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.zip
ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but offer several advantages: * No tunnel endpoint addresses have to be configured on the interfaces. Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints, this resolves issues with wildcard addresses (only one VTI with wildcard endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and easily allows SAs with multiple peers to share the same interface. * Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on the same interface (VTI devices only support one address family). * IPsec modes other than tunnel are supported (VTI devices only support tunnel mode). * No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl2
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl10
2 files changed, 6 insertions, 6 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index ea6d85743..d082729cb 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -18,7 +18,7 @@ connections {
{% set peer_ike = ike_group[peer_conf.ike_group] %}
{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
{% set auth_type = authby[peer_conf.authentication.mode] %}
-{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type, marks) }}
+{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
{% endfor %}
{% endif %}
}
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 0d01cd546..68284d7d9 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -1,4 +1,4 @@
-{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type, marks) %}
+{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %}
peer_{{ name }} {
proposals = {{ ciphers.ike[peer_conf.ike_group] }}
version = {{ ike['key_exchange'][4:] if "key_exchange" in ike else "0" }}
@@ -61,8 +61,8 @@
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- mark_in = {{ marks[peer_conf.vti.bind] }}
- mark_out = {{ marks[peer_conf.vti.bind] }}
+ if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
+ if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
ipcomp = {{ 'yes' if "compression" in vti_esp and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode if "mode" in vti_esp else "tunnel" }}
{% if peer[0:1] == '@' %}
@@ -117,8 +117,8 @@
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- mark_in = {{ marks[peer_conf.vti.bind] }}
- mark_out = {{ marks[peer_conf.vti.bind] }}
+ if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
+ if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}