diff options
author | Lucas Christian <lucas@lucasec.com> | 2024-07-29 23:22:05 -0700 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-08-01 05:52:33 +0000 |
commit | ca12e0bc07ea31d1a6515c0352ae732cfc3674be (patch) | |
tree | d4e7e772580ad13b807760e130df03cd6884a960 /data/templates | |
parent | e61a175838f226f49d131783d831f2fab5bd9eaf (diff) | |
download | vyos-1x-ca12e0bc07ea31d1a6515c0352ae732cfc3674be.tar.gz vyos-1x-ca12e0bc07ea31d1a6515c0352ae732cfc3674be.zip |
T6617: T6618: vpn ipsec remote-access: fix profile generatorsmergify/bp/sagitta/pr-3903
(cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95)
Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/ipsec/ios_profile.j2 | 9 | ||||
-rw-r--r-- | data/templates/ipsec/windows_profile.j2 | 2 |
2 files changed, 9 insertions, 2 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index 935acbf8e..966fad433 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -55,9 +55,11 @@ <!-- The server is authenticated using a certificate --> <key>AuthenticationMethod</key> <string>Certificate</string> +{% if authentication.client_mode.startswith("eap") %} <!-- The client uses EAP to authenticate --> <key>ExtendedAuthEnabled</key> <integer>1</integer> +{% endif %} <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> <key>IKESecurityAssociationParameters</key> @@ -78,9 +80,14 @@ <string>{{ esp_encryption.encryption }}</string> <key>IntegrityAlgorithm</key> <string>{{ esp_encryption.hash }}</string> +{% if esp_encryption.pfs is vyos_defined %} <key>DiffieHellmanGroup</key> - <integer>{{ ike_encryption.dh_group }}</integer> + <integer>{{ esp_encryption.pfs }}</integer> +{% endif %} </dict> + <!-- Controls whether the client offers Perfect Forward Secrecy (PFS). This should be set to match the server. --> + <key>EnablePFS</key> + <integer>{{ '1' if esp_encryption.pfs is vyos_defined else '0' }}</integer> </dict> </dict> {% if ca_certificates is vyos_defined %} diff --git a/data/templates/ipsec/windows_profile.j2 b/data/templates/ipsec/windows_profile.j2 index 8c26944be..b5042f987 100644 --- a/data/templates/ipsec/windows_profile.j2 +++ b/data/templates/ipsec/windows_profile.j2 @@ -1,4 +1,4 @@ Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2" -Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force +Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup {{ esp_encryption.pfs }} -DHGroup {{ ike_encryption.dh_group }} -PassThru -Force |