diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-06-28 22:58:24 +0200 |
| commit | 0751065ffa2161bedd040197dd51ad6ece5ab19b (patch) | |
| tree | 7fcbdbe7dbc35e1f2b71b383485fd3017ac83fb7 /data | |
| parent | 5a5c0cd2e6f5d6c459a7f0e2da777834fb4362b2 (diff) | |
| download | vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.tar.gz vyos-1x-0751065ffa2161bedd040197dd51ad6ece5ab19b.zip | |
ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 2 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 10 |
2 files changed, 6 insertions, 6 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index ea6d85743..d082729cb 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -18,7 +18,7 @@ connections { {% set peer_ike = ike_group[peer_conf.ike_group] %} {% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %} {% set auth_type = authby[peer_conf.authentication.mode] %} -{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type, marks) }} +{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }} {% endfor %} {% endif %} } diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 0d01cd546..68284d7d9 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -1,4 +1,4 @@ -{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type, marks) %} +{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %} peer_{{ name }} { proposals = {{ ciphers.ike[peer_conf.ike_group] }} version = {{ ike['key_exchange'][4:] if "key_exchange" in ike else "0" }} @@ -61,8 +61,8 @@ local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" - mark_in = {{ marks[peer_conf.vti.bind] }} - mark_out = {{ marks[peer_conf.vti.bind] }} + if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }} + if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }} ipcomp = {{ 'yes' if "compression" in vti_esp and vti_esp.compression == 'enable' else 'no' }} mode = {{ vti_esp.mode if "mode" in vti_esp else "tunnel" }} {% if peer[0:1] == '@' %} @@ -117,8 +117,8 @@ {% endif %} {% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" - mark_in = {{ marks[peer_conf.vti.bind] }} - mark_out = {{ marks[peer_conf.vti.bind] }} + if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }} + if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }} {% endif %} } {% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %} |