diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-04-13 22:51:42 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-04-13 22:51:42 +0200 |
commit | e8a637eec0cc398f78a877ece6b9c7cdca418970 (patch) | |
tree | d5950ea33e209a3a290b617d501807959102a9d0 /data | |
parent | fc36d67b051bad776a5b1d6e9a04f1205487f01f (diff) | |
download | vyos-1x-e8a637eec0cc398f78a877ece6b9c7cdca418970.tar.gz vyos-1x-e8a637eec0cc398f78a877ece6b9c7cdca418970.zip |
ipsec: T4333: migrate to new vyos_defined Jinja2 test
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/ipsec/charon.tmpl | 8 | ||||
-rw-r--r-- | data/templates/ipsec/charon/dhcp.conf.tmpl | 8 | ||||
-rw-r--r-- | data/templates/ipsec/charon/eap-radius.conf.tmpl | 8 | ||||
-rw-r--r-- | data/templates/ipsec/interfaces_use.conf.tmpl | 2 | ||||
-rw-r--r-- | data/templates/ipsec/ios_profile.tmpl | 2 | ||||
-rw-r--r-- | data/templates/ipsec/ipsec.conf.tmpl | 6 | ||||
-rw-r--r-- | data/templates/ipsec/ipsec.secrets.tmpl | 2 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 66 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/l2tp.tmpl | 4 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 72 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/profile.tmpl | 10 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.tmpl | 16 |
12 files changed, 101 insertions, 103 deletions
diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl index b9b020dcd..2eac24eaa 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.tmpl @@ -21,12 +21,12 @@ charon { # cisco_unity = no # Cisco FlexVPN -{% if options is defined %} - cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }} -{% if options.virtual_ip is defined %} +{% if options is vyos_defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }} +{% if options.virtual_ip is vyos_defined %} install_virtual_ip = yes {% endif %} -{% if options.interface is defined and options.interface is not none %} +{% if options.interface is vyos_defined %} install_virtual_ip_on = {{ options.interface }} {% endif %} {% endif %} diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl index 92774b275..aaa5613fb 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl @@ -1,12 +1,10 @@ dhcp { load = yes -{% if remote_access is defined and remote_access.dhcp is defined %} -{% if remote_access.dhcp.interface is defined %} +{% if remote_access.dhcp.interface is vyos_defined %} interface = {{ remote_access.dhcp.interface }} -{% endif %} -{% if remote_access.dhcp.server is defined %} +{% endif %} +{% if remote_access.dhcp.server is vyos_defined %} server = {{ remote_access.dhcp.server }} -{% endif %} {% endif %} # Always use the configured server address. diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl index 5ec35c988..b58022521 100644 --- a/data/templates/ipsec/charon/eap-radius.conf.tmpl +++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl @@ -41,7 +41,7 @@ eap-radius { load = yes # NAS-Identifier to include in RADIUS messages. - nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }} + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }} # Port of RADIUS server (authentication). # port = 1812 @@ -94,13 +94,13 @@ eap-radius { # Section to specify multiple RADIUS servers. servers { -{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %} -{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %} +{% if remote_access.radius.server is vyos_defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} {{ server | replace('.', '-') }} { address = {{ server }} secret = {{ server_options.key }} auth_port = {{ server_options.port }} -{% if server_options.disable_accounting is not defined %} +{% if server_options.disable_accounting is not vyos_defined %} acct_port = {{ server_options.port | int +1 }} {% endif %} sockets = 20 diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl index a77102396..55c3ce4f3 100644 --- a/data/templates/ipsec/interfaces_use.conf.tmpl +++ b/data/templates/ipsec/interfaces_use.conf.tmpl @@ -1,4 +1,4 @@ -{% if interface is defined %} +{% if interface is vyos_defined %} charon { interfaces_use = {{ ', '.join(interface) }} } diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl index af6c79d6e..c8e17729a 100644 --- a/data/templates/ipsec/ios_profile.tmpl +++ b/data/templates/ipsec/ios_profile.tmpl @@ -41,7 +41,7 @@ <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> <key>RemoteIdentifier</key> - <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string> + <string>{{ authentication.id if authentication.id is vyos_defined else 'VyOS' }}</string> <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> <key>LocalIdentifier</key> <string></string> diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index 1cb531e76..0f7131dff 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -2,7 +2,7 @@ config setup {% set charondebug = '' %} -{% if log is defined and log.subsystem is defined and log.subsystem is not none %} +{% if log.subsystem is vyos_defined %} {% set subsystem = log.subsystem %} {% if 'any' in log.subsystem %} {% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', @@ -11,8 +11,8 @@ config setup {% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} {% endif %} charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} + uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} -{% if include_ipsec_conf is defined %} +{% if include_ipsec_conf is vyos_defined %} include {{ include_ipsec_conf }} {% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl index 057e291ed..865c1ab17 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.tmpl @@ -1,5 +1,5 @@ # Created by VyOS - manual changes will be overwritten -{% if include_ipsec_secrets is defined %} +{% if include_ipsec_secrets is vyos_defined %} include {{ include_ipsec_secrets }} {% endif %} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 68b108365..6ba93dd1f 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -5,18 +5,18 @@ {% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} connections { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} {{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} {% endfor %} {% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} {% endfor %} {% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %} +{% if remote_access.connection is vyos_defined %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} {{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} {% endfor %} {% endif %} @@ -26,16 +26,16 @@ connections { } pools { -{% if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} +{% if remote_access.pool is vyos_defined %} {% for pool, pool_config in remote_access.pool.items() %} {{ pool }} { -{% if pool_config.prefix is defined and pool_config.prefix is not none %} +{% if pool_config.prefix is vyos_defined %} addrs = {{ pool_config.prefix }} {% endif %} -{% if pool_config.name_server is defined and pool_config.name_server is not none %} +{% if pool_config.name_server is vyos_defined %} dns = {{ pool_config.name_server | join(',') }} {% endif %} -{% if pool_config.exclude is defined and pool_config.exclude is not none %} +{% if pool_config.exclude is vyos_defined %} split_exclude = {{ pool_config.exclude | join(',') }} {% endif %} } @@ -44,9 +44,9 @@ pools { } secrets { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{% if profile_conf.authentication.mode == 'pre-shared-secret' %} +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} {% for interface in profile_conf.bind.tunnel %} ike-dmvpn-{{ interface }} { secret = {{ profile_conf.authentication.pre_shared_secret }} @@ -55,54 +55,54 @@ secrets { {% endif %} {% endfor %} {% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} {% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} -{% if peer_conf.authentication.mode == 'pre-shared-secret' %} +{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} ike_{{ peer_name }} { -{% if peer_conf.local_address is defined %} +{% if peer_conf.local_address is vyos_defined %} id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} {% endif %} id-remote = {{ peer }} -{% if peer_conf.authentication.id is defined %} +{% if peer_conf.authentication.id is vyos_defined %} id-localid = {{ peer_conf.authentication.id }} {% endif %} -{% if peer_conf.authentication.remote_id is defined %} +{% if peer_conf.authentication.remote_id is vyos_defined %} id-remoteid = {{ peer_conf.authentication.remote_id }} {% endif %} secret = "{{ peer_conf.authentication.pre_shared_secret }}" } -{% elif peer_conf.authentication.mode == 'x509' %} +{% elif peer_conf.authentication.mode is vyos_defined('x509') %} private_{{ peer_name }} { file = {{ peer_conf.authentication.x509.certificate }}.pem -{% if peer_conf.authentication.x509.passphrase is defined %} +{% if peer_conf.authentication.x509.passphrase is vyos_defined %} secret = "{{ peer_conf.authentication.x509.passphrase }}" {% endif %} } -{% elif peer_conf.authentication.mode == 'rsa' %} +{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} rsa_{{ peer_name }}_local { file = {{ peer_conf.authentication.rsa.local_key }}.pem -{% if peer_conf.authentication.rsa.passphrase is defined %} +{% if peer_conf.authentication.rsa.passphrase is vyos_defined %} secret = "{{ peer_conf.authentication.rsa.passphrase }}" {% endif %} } {% endif %} {% endfor %} {% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %} -{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} +{% if remote_access.connection is vyos_defined %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} +{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} ike_{{ ra }} { -{% if ra_conf.authentication.id is defined %} +{% if ra_conf.authentication.id is vyos_defined %} id = "{{ ra_conf.authentication.id }}" -{% elif ra_conf.local_address is defined %} +{% elif ra_conf.local_address is vyos_defined %} id = "{{ ra_conf.local_address }}" {% endif %} secret = "{{ ra_conf.authentication.pre_shared_secret }}" } {% endif %} -{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} -{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} +{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} eap-{{ ra }}-{{ user }} { secret = "{{ user_conf.password }}" id-{{ ra }}-{{ user }} = "{{ user }}" @@ -112,16 +112,16 @@ secrets { {% endfor %} {% endif %} {% if l2tp %} -{% if l2tp.authentication.mode == 'pre-shared-secret' %} +{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} ike_l2tp_remote_access { id = "{{ l2tp_outside_address }}" secret = "{{ l2tp.authentication.pre_shared_secret }}" } -{% elif l2tp.authentication.mode == 'x509' %} +{% elif l2tp.authentication.mode is vyos_defined('x509') %} private_l2tp_remote_access { id = "{{ l2tp_outside_address }}" file = {{ l2tp.authentication.x509.certificate }}.pem -{% if l2tp.authentication.x509.passphrase is defined %} +{% if l2tp.authentication.x509.passphrase is vyos_defined %} secret = "{{ l2tp.authentication.x509.passphrase }}" {% endif %} } diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl index 4cd1b4af3..c0e81e0aa 100644 --- a/data/templates/ipsec/swanctl/l2tp.tmpl +++ b/data/templates/ipsec/swanctl/l2tp.tmpl @@ -1,6 +1,6 @@ {% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} -{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %} -{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} l2tp_remote_access { proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} local_addrs = {{ l2tp_outside_address }} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index a622cbf74..b21dce9f0 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -4,20 +4,20 @@ {% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} -{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} +{% if peer_conf.virtual_address is vyos_defined %} vips = {{ peer_conf.virtual_address | join(', ') }} {% endif %} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} -{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} send_cert = always {% endif %} -{% if ike.dead_peer_detection is defined %} +{% if ike.dead_peer_detection is vyos_defined %} dpd_timeout = {{ ike.dead_peer_detection.timeout }} dpd_delay = {{ ike.dead_peer_detection.interval }} {% endif %} -{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %} +{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} aggressive = yes {% endif %} rekey_time = {{ ike.lifetime }}s @@ -25,16 +25,16 @@ {% if peer[0:1] == '@' %} keyingtries = 0 reauth_time = 0 -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} keyingtries = 0 -{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} keyingtries = 1 {% endif %} -{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %} +{% if peer_conf.force_encapsulation is vyos_defined('enable') %} encap = yes {% endif %} local { -{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %} +{% if peer_conf.authentication.id is vyos_defined %} id = "{{ peer_conf.authentication.id }}" {% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} @@ -45,7 +45,7 @@ {% endif %} } remote { -{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %} +{% if peer_conf.authentication.remote_id is vyos_defined %} id = "{{ peer_conf.authentication.remote_id }}" {% else %} id = "{{ peer }}" @@ -56,14 +56,14 @@ {% endif %} } children { -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} -{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} +{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %} +{% if vti_esp.life_bytes is vyos_defined %} life_bytes = {{ vti_esp.life_bytes }} {% endif %} -{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %} +{% if vti_esp.life_packets is vyos_defined %} life_packets = {{ vti_esp.life_packets }} {% endif %} life_time = {{ vti_esp.lifetime }}s @@ -75,74 +75,74 @@ {% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %} if_id_in = {{ if_id }} if_id_out = {{ if_id }} - ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }} + ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }} mode = {{ vti_esp.mode }} {% if peer[0:1] == '@' %} start_action = none -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} start_action = start -{% elif peer_conf.connection_type == 'respond' %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} start_action = trap -{% elif peer_conf.connection_type == 'none' %} +{% elif peer_conf.connection_type is vyos_defined('none') %} start_action = none {% endif %} -{% if ike.dead_peer_detection is defined %} +{% if ike.dead_peer_detection is vyos_defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} } -{% elif peer_conf.tunnel is defined %} +{% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} -{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %} +{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} {% set tunnel_esp = esp_group[tunnel_esp_name] %} -{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %} -{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %} +{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} -{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %} +{% if tunnel_esp.life_bytes is vyos_defined %} life_bytes = {{ tunnel_esp.life_bytes }} {% endif %} -{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %} +{% if tunnel_esp.life_packets is vyos_defined %} life_packets = {{ tunnel_esp.life_packets }} {% endif %} life_time = {{ tunnel_esp.lifetime }}s {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} -{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} +{% if tunnel_conf.local.prefix is vyos_defined %} {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} {% endif %} -{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %} +{% if tunnel_conf.remote.prefix is vyos_defined %} {% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} {% endif %} -{% if tunnel_conf.priority is defined and tunnel_conf.priority is not none %} +{% if tunnel_conf.priority is vyos_defined %} priority = {{ tunnel_conf.priority }} {% endif %} {% elif tunnel_esp.mode == 'transport' %} local_ts = {{ peer_conf.local_address }}{{ local_suffix }} remote_ts = {{ peer }}{{ remote_suffix }} {% endif %} - ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }} + ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }} mode = {{ tunnel_esp.mode }} {% if peer[0:1] == '@' %} start_action = none -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} start_action = start -{% elif peer_conf.connection_type == 'respond' %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} start_action = trap -{% elif peer_conf.connection_type == 'none' %} +{% elif peer_conf.connection_type is vyos_defined('none') %} start_action = none {% endif %} -{% if ike.dead_peer_detection is defined %} +{% if ike.dead_peer_detection is vyos_defined %} {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} +{% if peer_conf.vti.bind is vyos_defined %} updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} {# Thus we simply shift the key by one to also support a vti0 interface #} @@ -151,7 +151,7 @@ if_id_out = {{ if_id }} {% endif %} } -{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %} +{% if tunnel_conf.passthrough is vyos_defined %} peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough { local_ts = {{ tunnel_conf.passthrough | join(",") }} remote_ts = {{ tunnel_conf.passthrough | join(",") }} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl index a5cae31c0..0f1c2fda2 100644 --- a/data/templates/ipsec/swanctl/profile.tmpl +++ b/data/templates/ipsec/swanctl/profile.tmpl @@ -2,14 +2,14 @@ {# peer needs to reference the global IKE configuration for certain values #} {% set ike = ike_group[profile_conf.ike_group] %} {% set esp = esp_group[profile_conf.esp_group] %} -{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{% if profile_conf.bind.tunnel is vyos_defined %} {% for interface in profile_conf.bind.tunnel %} dmvpn-{{ name }}-{{ interface }} { proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} local { auth = psk } @@ -25,10 +25,10 @@ local_ts = dynamic[gre] remote_ts = dynamic[gre] mode = {{ esp.mode }} -{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %} +{% if ike.dead_peer_detection.action is vyos_defined %} dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} -{% if esp.compression is defined and esp.compression == 'enable' %} +{% if esp.compression is vyos_defined('enable') %} ipcomp = yes {% endif %} } diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 6354c60b1..059984139 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -4,21 +4,21 @@ {% set esp = esp_group[rw_conf.esp_group] %} ra-{{ name }} { remote_addrs = %any - local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }} + local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }} proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if rw_conf.unique is defined and rw_conf.unique is not none %} +{% if rw_conf.unique is vyos_defined %} unique = {{ rw_conf.unique }} {% endif %} -{% if rw_conf.pool is defined and rw_conf.pool is not none %} +{% if rw_conf.pool is vyos_defined %} pools = {{ rw_conf.pool | join(',') }} {% endif %} local { -{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} - id = "{{ rw_conf.authentication.id }}" +{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} + id = '{{ rw_conf.authentication.id }}' {% endif %} {% if rw_conf.authentication.server_mode == 'x509' %} auth = pubkey @@ -40,8 +40,8 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} -{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %} -{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %} +{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} } |