diff options
| -rw-r--r-- | data/templates/ipsec/charon/dhcp.conf.tmpl | 11 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 46 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl/remote_access.tmpl | 17 | ||||
| -rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 194 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 153 | 
5 files changed, 216 insertions, 205 deletions
| diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl index 2879550a8..96dfd7633 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl @@ -1,12 +1,11 @@  dhcp {      load = yes - -{% if options is defined and options.remote_access is defined and options.remote_access.dhcp_pool is defined %} -{%   if options.remote_access.dhcp_pool.interface is defined %} -    interface = {{ options.remote_access.dhcp_pool.interface }} +{% if options is defined and options.remote_access is defined and options.remote_access.dhcp is defined %} +{%   if options.remote_access.dhcp.interface is defined %} +    interface = {{ options.remote_access.dhcp.interface }}  {%   endif %} -{%   if options.remote_access.dhcp_pool.server is defined %} -    server = {{ options.remote_access.dhcp_pool.server }} +{%   if options.remote_access.dhcp.server is defined %} +    server = {{ options.remote_access.dhcp.server }}  {%   endif %}  {% endif %} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index b85fe7d41..161f19f95 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -15,8 +15,8 @@ connections {  {{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}  {%   endfor %}  {%  endif %} -{% if remote_access is defined and remote_access is not none %} -{%   for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %} +{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{%   for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %}  {{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}  {%   endfor %}  {% endif %} @@ -26,33 +26,19 @@ connections {  }  pools { -{%  if remote_access is defined %} -{%    for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %} -{%      if ra_conf.pool is defined and ra_conf.pool.prefix is defined %} -{%        for prefix in ra_conf.pool.prefix %} -{%          if prefix | is_ipv4 %} -    ra-{{ ra }}-ipv4 { -        addrs = {{ prefix }} -{%            if ra_conf.pool.name_server_v4 is defined and ra_conf.pool.name_server_v4 is not none %} -        dns = {{ ra_conf.pool.name_server_v4 | join(',') }} -{%            endif %} -{%            if ra_conf.pool.exclude_v4 is defined and ra_conf.pool.exclude_v4 is not none %} -        split_exclude = {{ ra_conf.pool.exclude_v4 | join(',') }} -{%            endif %} -    } -{%          elif prefix | is_ipv6 %} -    ra-{{ ra }}-ipv6 { -        addrs = {{ prefix }} -{%            if ra_conf.pool.name_server_v6 is defined and ra_conf.pool.name_server_v6 is not none %} -        dns = {{ ra_conf.pool.name_server_v6 | join(',') }} -{%            endif %} -{%            if ra_conf.pool.exclude_v6 is defined and ra_conf.pool.exclude_v6 is not none %} -        split_exclude = {{ ra_conf.pool.exclude_v6 | join(',') }} -{%            endif %} -    } -{%          endif %} -{%        endfor %} +{%  if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} +{%    for pool, pool_config in remote_access.pool.items() %} +    {{ pool }} { +{%      if pool_config.prefix is defined and pool_config.prefix is not none %} +        addrs = {{ pool_config.prefix }}  {%      endif %} +{%      if pool_config.name_server is defined and pool_config.name_server is not none %} +        dns = {{ pool_config.name_server | join(',') }} +{%      endif %} +{%      if pool_config.exclude is defined and pool_config.exclude is not none %} +        split_exclude = {{ pool_config.exclude | join(',') }} +{%      endif %} +    }  {%    endfor %}  {%  endif %}  } @@ -103,8 +89,8 @@ secrets {  {%      endif %}  {%    endfor %}  {%  endif %} -{%  if remote_access is defined %} -{%    for ra, ra_conf in remote_access.items() if remote_access is defined %} +{%  if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{%    for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %}  {%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}      ike_{{ ra }} {  {%        if ra_conf.authentication.id is defined %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index ea79a6d6b..456842488 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -10,18 +10,9 @@          send_certreq = no          rekey_time = {{ ike.lifetime }}s          keyingtries = 0 -{%   if rw_conf.pool is defined and rw_conf.pool.dhcp_enable is defined %} -        pools = dhcp -{%   elif rw_conf.pool is defined and rw_conf.pool.prefix is defined and rw_conf.pool.prefix is not none %} -{%   set pool = namespace(name='')  %} -{%     for prefix in rw_conf.pool.prefix %} -{%       if not loop.first %} -{%         set pool.name = pool.name ~ ',' %} -{%       endif %} -{%       set afi = '-ipv4' if prefix | is_ipv4 else '-ipv6' %} -{%       set pool.name = pool.name + 'ra-' + name + afi %} -{%     endfor %} -        pools = {{ pool.name }} +        unique = {{ rw_conf.unique }} +{%   if rw_conf.pool is defined and rw_conf.pool is not none %} +        pools = {{ rw_conf.pool | join(',') }}  {%   endif %}          local {  {%   if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} @@ -42,7 +33,7 @@          }          children {              ikev2-vpn  { -                esp_proposals = {{ esp | get_esp_ike_cipher | join(',')  }} +                esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}                  rekey_time = {{ esp.lifetime }}s                  rand_time = 540s                  dpd_action = clear diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 14063091d..093a677e9 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -647,7 +647,7 @@                    <help>remote-access global options</help>                  </properties>                  <children> -                  <node name="dhcp-pool"> +                  <node name="dhcp">                      <properties>                        <help>DHCP pool options for remote-access</help>                      </properties> @@ -665,8 +665,11 @@                            <help>DHCP server address</help>                            <valueHelp>                              <format>ipv4</format> -                            <description>IPv4 address of the DHCP server</description> +                            <description>DHCP server IPv4 address</description>                            </valueHelp> +                          <constraint> +                            <validator name="ipv4-address"/> +                          </constraint>                          </properties>                        </leafNode>                      </children> @@ -725,98 +728,149 @@                #include <include/ipsec/ike-group.xml.i>              </children>            </tagNode> -          <tagNode name="remote-access"> +          <node name="remote-access">              <properties> -              <help>Remote access IKEv2 VPN </help> +              <help>IKEv2 remote access VPN</help>              </properties>              <children> -              <node name="authentication"> +              <tagNode name="connection">                  <properties> -                  <help>Authentication for remote access</help> +                  <help>IKEv2 VPN connection name</help>                  </properties>                  <children> -                  #include <include/ipsec/authentication-id.xml.i> -                  #include <include/ipsec/authentication-x509.xml.i> -                  <leafNode name="client-mode"> -                    <properties> -                      <help>Client authentication mode</help> -                      <completionHelp> -                        <list>eap-tls eap-mschapv2</list> -                      </completionHelp> -                      <valueHelp> -                        <format>eap-tls</format> -                        <description>EAP-TLS</description> -                      </valueHelp> -                      <valueHelp> -                        <format>eap-mschapv2</format> -                        <description>EAP-MSCHAPv2</description> -                      </valueHelp> -                      <constraint> -                        <regex>^(eap-tls|eap-mschapv2)$</regex> -                      </constraint> -                    </properties> -                    <defaultValue>eap-mschapv2</defaultValue> -                  </leafNode> -                  <node name="local-users"> +                  <node name="authentication">                      <properties> -                      <help>Local user authentication for PPPoE server</help> +                      <help>Authentication for remote access</help>                      </properties>                      <children> -                      <tagNode name="username"> +                      #include <include/ipsec/authentication-id.xml.i> +                      #include <include/ipsec/authentication-x509.xml.i> +                      <leafNode name="client-mode"> +                        <properties> +                          <help>Client authentication mode</help> +                          <completionHelp> +                            <list>eap-tls eap-mschapv2</list> +                          </completionHelp> +                          <valueHelp> +                            <format>eap-tls</format> +                            <description>EAP-TLS</description> +                          </valueHelp> +                          <valueHelp> +                            <format>eap-mschapv2</format> +                            <description>EAP-MSCHAPv2</description> +                          </valueHelp> +                          <constraint> +                            <regex>^(eap-tls|eap-mschapv2)$</regex> +                          </constraint> +                        </properties> +                        <defaultValue>eap-mschapv2</defaultValue> +                      </leafNode> +                      <node name="local-users">                          <properties> -                          <help>User name for authentication</help> +                          <help>Local user authentication for PPPoE server</help>                          </properties>                          <children> -                          #include <include/generic-disable-node.xml.i> -                          <leafNode name="password"> +                          <tagNode name="username">                              <properties> -                              <help>Password for authentication</help> +                              <help>User name for authentication</help>                              </properties> -                          </leafNode> +                            <children> +                              #include <include/generic-disable-node.xml.i> +                              <leafNode name="password"> +                                <properties> +                                  <help>Password for authentication</help> +                                </properties> +                              </leafNode> +                            </children> +                          </tagNode>                          </children> -                      </tagNode> +                      </node> +                      <leafNode name="server-mode"> +                        <properties> +                          <help>Server authentication mode</help> +                          <completionHelp> +                            <list>pre-shared-secret x509</list> +                          </completionHelp> +                          <valueHelp> +                            <format>pre-shared-secret</format> +                            <description>pre-shared-secret_description</description> +                          </valueHelp> +                          <valueHelp> +                            <format>x509</format> +                            <description>x509_description</description> +                          </valueHelp> +                          <constraint> +                            <regex>^(pre-shared-secret|x509)$</regex> +                          </constraint> +                        </properties> +                        <defaultValue>x509</defaultValue> +                      </leafNode> +                      #include <include/ipsec/authentication-pre-shared-secret.xml.i>                      </children>                    </node> -                  <leafNode name="server-mode"> +                  #include <include/generic-description.xml.i> +                  #include <include/generic-disable-node.xml.i> +                  #include <include/ipsec/esp-group.xml.i> +                  #include <include/ipsec/ike-group.xml.i> +                  #include <include/ipsec/local-address.xml.i> +                  #include <include/ipsec/local-traffic-selector.xml.i> +                  <leafNode name="timeout"> +                    <properties> +                      <help>Timeout to close connection if no data is transmitted</help> +                      <valueHelp> +                        <format>u32:10-86400</format> +                        <description>Timeout in seconds (default 28800)</description> +                      </valueHelp> +                      <constraint> +                        <validator name="numeric" argument="--range 10-86400"/> +                      </constraint> +                    </properties> +                    <defaultValue>28800</defaultValue> +                  </leafNode> +                  <leafNode name="pool">                      <properties> -                      <help>Server authentication mode</help> +                      <help>Pool name used for IP address assignments</help>                        <completionHelp> -                        <list>pre-shared-secret x509</list> +                        <path>vpn ipsec remote-access pool</path> +                        <list>dhcp</list>                        </completionHelp>                        <valueHelp> -                        <format>pre-shared-secret</format> -                        <description>pre-shared-secret_description</description> +                        <format>txt</format> +                        <description>Pool name</description> +                      </valueHelp> +                      <multi/> +                    </properties> +                  </leafNode> +                  <leafNode name="unique"> +                    <properties> +                      <help>Connection uniqueness policy to enforce</help> +                      <completionHelp> +                        <list>never keep replace</list> +                      </completionHelp> +                      <valueHelp> +                        <format>never</format> +                        <description>Never enforce connection uniqueness policy</description> +                      </valueHelp> +                      <valueHelp> +                        <format>keep</format> +                        <description>Rejects new connection attempts if the same user already has an active connection</description>                        </valueHelp>                        <valueHelp> -                        <format>x509</format> -                        <description>x509_description</description> +                        <format>replace</format> +                        <description>Delete any existing connection if a new one for the same user gets established</description>                        </valueHelp>                        <constraint> -                        <regex>^(pre-shared-secret|x509)$</regex> +                        <regex>^(never|keep|replace)$</regex>                        </constraint>                      </properties> -                    <defaultValue>x509</defaultValue>                    </leafNode> -                  #include <include/ipsec/authentication-pre-shared-secret.xml.i>                  </children> -              </node> -              #include <include/generic-description.xml.i> -              #include <include/generic-disable-node.xml.i> -              #include <include/ipsec/esp-group.xml.i> -              #include <include/ipsec/ike-group.xml.i> -              #include <include/ipsec/local-address.xml.i> -              #include <include/ipsec/local-traffic-selector.xml.i> -              <node name="pool"> +              </tagNode> +              <tagNode name="pool">                  <properties>                    <help>IP address pool for remote-access users</help>                  </properties>                  <children> -                  <leafNode name="dhcp-enable"> -                    <properties> -                      <help>Enable DHCP pool for clients on this connection</help> -                      <valueless/> -                    </properties> -                  </leafNode>                    <leafNode name="exclude">                      <properties>                        <help>Local IPv4 or IPv6 pool prefix exclusions</help> @@ -850,28 +904,14 @@                          <validator name="ipv4-prefix"/>                          <validator name="ipv6-prefix"/>                        </constraint> -                      <multi/>                      </properties>                    </leafNode>                    <!-- Include Accel-PPP definition here, maybe time for a rename? -->                    #include <include/accel-ppp/name-server.xml.i>                  </children> -              </node> -              <leafNode name="timeout"> -                <properties> -                  <help>Timeout to close connection if no data is transmitted</help> -                  <valueHelp> -                    <format>u32:10-86400</format> -                    <description>Timeout in seconds (default 28800)</description> -                  </valueHelp> -                  <constraint> -                    <validator name="numeric" argument="--range 10-86400"/> -                  </constraint> -                </properties> -                <defaultValue>28800</defaultValue> -              </leafNode> +              </tagNode>              </children> -          </tagNode> +          </node>            <node name="site-to-site">              <properties>                <help>Site-to-site VPN</help> diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index 49c6c6a2d..c50724592 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -34,9 +34,11 @@ from vyos.pki import wrap_public_key  from vyos.pki import wrap_private_key  from vyos.template import ip_from_cidr  from vyos.template import is_ipv4 +from vyos.template import is_ipv6  from vyos.template import render  from vyos.validate import is_ipv6_link_local  from vyos.util import call +from vyos.util import dict_search  from vyos.util import dict_search_args  from vyos.util import run  from vyos.xml import defaults @@ -102,11 +104,11 @@ def get_config(config=None):          for group in ipsec['ike_group']:              ipsec['ike_group'][group] = dict_merge(default_values,                                                     ipsec['ike_group'][group]) -    if 'remote_access' in ipsec: -        default_values = defaults(base + ['remote-access']) -        for rw in ipsec['remote_access']: -            ipsec['remote_access'][rw] = dict_merge(default_values, -                                                    ipsec['remote_access'][rw]) +    if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: +        default_values = defaults(base + ['remote-access', 'connection']) +        for rw in ipsec['remote_access']['connection']: +            ipsec['remote_access']['connection'][rw] = dict_merge(default_values, +              ipsec['remote_access']['connection'][rw])      ipsec['dhcp_no_address'] = {}      ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes @@ -127,33 +129,6 @@ def get_config(config=None):          ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024'          ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1' -    if 'remote_access' in ipsec: -        for name, ra_conf in ipsec['remote_access'].items(): -            if 'pool' in ra_conf: -                if 'name_server' in ra_conf['pool']: -                    ns_v4 = [] -                    ns_v6 = [] -                    for ns in ra_conf['pool']['name_server']: -                        if is_ipv4(ns): ns_v4.append(ns) -                        else: ns_v6.append(ns) - -                    # Only update nameserver keys if there are address-family specific name-servers -                    if ns_v4: -                        ipsec['remote_access'][name]['pool'].update({'name_server_v4' : ns_v4}) -                    if ns_v6: -                        ipsec['remote_access'][name]['pool'].update({'name_server_v6' : ns_v6}) -                    del ipsec['remote_access'][name]['pool']['name_server'] - -                if 'exclude' in ra_conf['pool']: -                    exclude_v4 = [] -                    exclude_v6 = [] -                    for exclude in ra_conf['pool']['exclude']: -                        if is_ipv4(exclude): exclude_v4.append(exclude) -                        else: exclude_v6.append(exclude) - -                    ipsec['remote_access'][name]['pool'].update({'exclude_v4' : ns_v4, 'exclude_v6' : ns_v6}) -                    del ipsec['remote_access'][name]['pool']['exclude'] -      return ipsec  def get_dhcp_address(iface): @@ -257,52 +232,71 @@ def verify(ipsec):                  raise ConfigError(f"Missing authentication on {profile} profile")      if 'remote_access' in ipsec: -        for name, ra_conf in ipsec['remote_access'].items(): -            if 'esp_group' in ra_conf: -                if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']: -                    raise ConfigError(f"Invalid esp-group on {name} remote-access config") -            else: -                raise ConfigError(f"Missing esp-group on {name} remote-access config") - -            if 'ike_group' in ra_conf: -                if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']: -                    raise ConfigError(f"Invalid ike-group on {name} remote-access config") -            else: -                raise ConfigError(f"Missing ike-group on {name} remote-access config") - -            if 'authentication' not in ra_conf: -                raise ConfigError(f"Missing authentication on {name} remote-access config") +        if 'connection' in ipsec['remote_access']: +            for name, ra_conf in ipsec['remote_access']['connection'].items(): +                if 'esp_group' in ra_conf: +                    if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']: +                        raise ConfigError(f"Invalid esp-group on {name} remote-access config") +                else: +                    raise ConfigError(f"Missing esp-group on {name} remote-access config") + +                if 'ike_group' in ra_conf: +                    if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']: +                        raise ConfigError(f"Invalid ike-group on {name} remote-access config") +                else: +                    raise ConfigError(f"Missing ike-group on {name} remote-access config") + +                if 'authentication' not in ra_conf: +                    raise ConfigError(f"Missing authentication on {name} remote-access config") + +                if ra_conf['authentication']['server_mode'] == 'x509': +                    if 'x509' not in ra_conf['authentication']: +                        raise ConfigError(f"Missing x509 settings on {name} remote-access config") + +                    x509 = ra_conf['authentication']['x509'] + +                    if 'ca_certificate' not in x509 or 'certificate' not in x509: +                        raise ConfigError(f"Missing x509 certificates on {name} remote-access config") + +                    verify_pki_x509(ipsec['pki'], x509) +                elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret': +                    if 'pre_shared_secret' not in ra_conf['authentication']: +                        raise ConfigError(f"Missing pre-shared-key on {name} remote-access config") + +                if 'pool' in ra_conf: +                    if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1: +                        raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!') + +                    for pool in ra_conf['pool']: +                        if pool == 'dhcp': +                            if dict_search('options.remote_access.dhcp.server', ipsec) == None: +                                raise ConfigError('IPSec DHCP server is not configured!') + +                        elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']: +                            raise ConfigError(f'Requested pool "{pool}" does not exist!') + +        if 'pool' in ipsec['remote_access']: +            for pool, pool_config in ipsec['remote_access']['pool'].items(): +                if 'prefix' not in pool_config: +                    raise ConfigError(f'Missing madatory prefix option for pool "{pool}"!') + +                if 'name_server' in pool_config: +                    if len(pool_config['name_server']) > 2: +                        raise ConfigError(f'Only two name-servers are supported for remote-access pool "{pool}"!') + +                    for ns in pool_config['name_server']: +                        v4_addr_and_ns = is_ipv4(ns) and not is_ipv4(pool_config['prefix']) +                        v6_addr_and_ns = is_ipv6(ns) and not is_ipv6(pool_config['prefix']) +                        if v4_addr_and_ns or v6_addr_and_ns: +                           raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and name-server adresses!') + +                if 'exclude' in pool_config: +                    for exclude in pool_config['exclude']: +                        v4_addr_and_exclude = is_ipv4(exclude) and not is_ipv4(pool_config['prefix']) +                        v6_addr_and_exclude = is_ipv6(exclude) and not is_ipv6(pool_config['prefix']) +                        if v4_addr_and_exclude or v6_addr_and_exclude: +                           raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and exclude prefixes!') -            if ra_conf['authentication']['server_mode'] == 'x509': -                if 'x509' not in ra_conf['authentication']: -                    raise ConfigError(f"Missing x509 settings on {name} remote-access config") - -                x509 = ra_conf['authentication']['x509'] - -                if 'ca_certificate' not in x509 or 'certificate' not in x509: -                    raise ConfigError(f"Missing x509 certificates on {name} remote-access config") - -                verify_pki_x509(ipsec['pki'], x509) -            elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret': -                if 'pre_shared_secret' not in ra_conf['authentication']: -                    raise ConfigError(f"Missing pre-shared-key on {name} remote-access config") - -            if 'pool' in ra_conf: -                if 'name_server_ipv4' in ra_conf['pool'] and len(ra_conf['pool']['name_server_ipv4']) > 2: -                    raise ConfigError(f'IPSec remote-access "{name}" supports only two IPv4 name-servers!') -                if 'name_server_ipv6' in ra_conf['pool'] and len(ra_conf['pool']['name_server_ipv6']) > 2: -                    raise ConfigError(f'IPSec remote-access "{name}" supports only two IPv6 name-servers!') - -                if 'prefix' in ra_conf['pool']: -                    prefix_v4 = [] -                    prefix_v6 = [] -                    for prefix in ra_conf['pool']['prefix']: -                        if is_ipv4(prefix): prefix_v4.append(prefix) -                        else: prefix_v6.append(prefix) -                    if len(prefix_v4) > 1: -                        raise ConfigError(f'IPSec remote-access "{name}" supports only one IPv4 prefix!') -                    if len(prefix_v6) > 1: -                        raise ConfigError(f'IPSec remote-access "{name}" supports only one IPv6 prefix!')      if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:          for peer, peer_conf in ipsec['site_to_site']['peer'].items(): @@ -476,8 +470,9 @@ def generate(ipsec):          if 'authentication' in ipsec['l2tp'] and 'x509' in ipsec['l2tp']['authentication']:              generate_pki_files_x509(ipsec['pki'], ipsec['l2tp']['authentication']['x509']) -    if 'remote_access' in ipsec: -        for rw, rw_conf in ipsec['remote_access'].items(): +    if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: +        for rw, rw_conf in ipsec['remote_access']['connection'].items(): +              if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']:                  generate_pki_files_x509(ipsec['pki'], rw_conf['authentication']['x509']) | 
