summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2023-01-17 11:04:08 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2023-01-26 11:28:03 +0000
commit7ae0b404ad9fdefa856c7e450b224b47d854a4eb (patch)
treeaa8fca32cc1f6a83cc8d5bfaccde866338bf3b6c /data
parentfc1c93a141bd095884088a8fa6f935d642bf6528 (diff)
downloadvyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.tar.gz
vyos-1x-7ae0b404ad9fdefa856c7e450b224b47d854a4eb.zip
T4916: Rewrite IPsec peer authentication and psk migration
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
Diffstat (limited to 'data')
-rw-r--r--data/templates/ipsec/swanctl.conf.j234
1 files changed, 16 insertions, 18 deletions
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index 38d7981c6..d44d0f5e4 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -58,23 +58,7 @@ secrets {
{% if site_to_site.peer is vyos_defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
-{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
- ike_{{ peer_name }} {
-{% if peer_conf.local_address is vyos_defined %}
- id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{% endif %}
-{% for address in peer_conf.remote_address %}
- id-remote_{{ address | dot_colon_to_dash }} = {{ address }}
-{% endfor %}
-{% if peer_conf.authentication.local_id is vyos_defined %}
- id-localid = {{ peer_conf.authentication.local_id }}
-{% endif %}
-{% if peer_conf.authentication.remote_id is vyos_defined %}
- id-remoteid = {{ peer_conf.authentication.remote_id }}
-{% endif %}
- secret = "{{ peer_conf.authentication.pre_shared_secret }}"
- }
-{% elif peer_conf.authentication.mode is vyos_defined('x509') %}
+{% if peer_conf.authentication.mode is vyos_defined('x509') %}
private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is vyos_defined %}
@@ -91,6 +75,21 @@ secrets {
{% endif %}
{% endfor %}
{% endif %}
+{% if authentication.psk is vyos_defined %}
+{% for psk, psk_config in authentication.psk.items() %}
+ ike-{{ psk }} {
+{% if psk_config.id is vyos_defined %}
+ # ID's from auth psk <tag> id xxx
+{% for id in psk_config.id %}
+{% set gen_uuid = '' | generate_uuid4 %}
+ id-{{ gen_uuid }} = "{{ id }}"
+{% endfor %}
+{% endif %}
+ secret = "{{ psk_config.secret }}"
+ }
+{% endfor %}
+{% endif %}
+
{% if remote_access.connection is vyos_defined %}
{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
@@ -130,4 +129,3 @@ secrets {
{% endif %}
{% endif %}
}
-