summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/ipsec/swanctl')
-rw-r--r--data/templates/ipsec/swanctl/l2tp.tmpl2
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl32
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl4
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl5
4 files changed, 27 insertions, 16 deletions
diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl
index 2df5c2a4d..4cd1b4af3 100644
--- a/data/templates/ipsec/swanctl/l2tp.tmpl
+++ b/data/templates/ipsec/swanctl/l2tp.tmpl
@@ -20,7 +20,7 @@
children {
l2tp_remote_access_esp {
mode = transport
- esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }}
+ esp_proposals = {{ l2tp_esp | get_esp_ike_cipher(l2tp_ike) | join(',') if l2tp_esp else l2tp_esp_default }}
life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s
local_ts = dynamic[/1701]
remote_ts = dynamic
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index dd29ea7d4..8c3776bf1 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -17,10 +17,10 @@
{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
aggressive = yes
{% endif %}
+ rekey_time = {{ ike.lifetime }}s
mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
- rekey_time = 0
reauth_time = 0
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
@@ -31,7 +31,7 @@
encap = yes
{% endif %}
local {
-{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
@@ -42,9 +42,9 @@
{% endif %}
}
remote {
-{% if peer_conf.authentication.remote_id is defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %}
id = "{{ peer_conf.authentication.remote_id }}"
-{% elif peer[0:1] == '@' %}
+{% else %}
id = "{{ peer }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
@@ -56,12 +56,16 @@
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
- esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
+ life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
- updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
@@ -86,7 +90,8 @@
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
- esp_proposals = {{ tunnel_esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
+ life_time = {{ tunnel_esp.lifetime }}s
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
@@ -114,9 +119,12 @@
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
- updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index 0a7268405..948dd8f87 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -7,7 +7,7 @@
dmvpn-{{ name }}-{{ interface }} {
proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
- rekey_time = {{ ike.lifetime }}s
+ life_time = {{ ike.lifetime }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
local {
@@ -19,7 +19,7 @@
{% endif %}
children {
dmvpn {
- esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 456842488..6354c60b1 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,7 +10,9 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
+{% if rw_conf.unique is defined and rw_conf.unique is not none %}
unique = {{ rw_conf.unique }}
+{% endif %}
{% if rw_conf.pool is defined and rw_conf.pool is not none %}
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
@@ -33,10 +35,11 @@
}
children {
ikev2-vpn {
- esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
dpd_action = clear
+ inactivity = {{ rw_conf.timeout }}
{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}