Diffstat (limited to 'data/templates/ipsec')
-rw-r--r-- | data/templates/ipsec/charon/dhcp.conf.tmpl | 10 | ||||
-rw-r--r-- | data/templates/ipsec/charon/eap-radius.conf.tmpl | 115 | ||||
-rw-r--r-- | data/templates/ipsec/ios_profile.tmpl | 20 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 2 | ||||
-rw-r--r-- | data/templates/ipsec/windows_profile.tmpl | 4 |
5 files changed, 132 insertions, 19 deletions
diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl
index 96dfd7633..92774b275 100644
--- a/data/templates/ipsec/charon/dhcp.conf.tmpl
+++ b/data/templates/ipsec/charon/dhcp.conf.tmpl
@@ -1,11 +1,11 @@
 dhcp {
 load = yes
-{% if options is defined and options.remote_access is defined and options.remote_access.dhcp is defined %}
-{% if options.remote_access.dhcp.interface is defined %}
- interface = {{ options.remote_access.dhcp.interface }}
+{% if remote_access is defined and remote_access.dhcp is defined %}
+{% if remote_access.dhcp.interface is defined %}
+ interface = {{ remote_access.dhcp.interface }}
 {% endif %}
-{% if options.remote_access.dhcp.server is defined %}
- server = {{ options.remote_access.dhcp.server }}
+{% if remote_access.dhcp.server is defined %}
+ server = {{ remote_access.dhcp.server }}
 {% endif %}
 {% endif %}
diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl
new file mode 100644
index 000000000..5ec35c988
--- /dev/null
+++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl
@@ -0,0 +1,115 @@
+eap-radius {
+ # Send RADIUS accounting information to RADIUS servers.
+ # accounting = no
+
+ # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+ # updates.
+ # accounting_close_on_timeout = yes
+
+ # Interval in seconds for interim RADIUS accounting updates, if not
+ # specified by the RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
+ # If enabled, accounting is disabled unless an IKE_SA has at least one
+ # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
+ # accounting_requires_vip = no
+
+ # If enabled, adds the Class attributes received in Access-Accept message to
+ # the RADIUS accounting messages.
+ # accounting_send_class = no
+
+ # Use class attributes in Access-Accept messages as group membership
+ # information.
+ # class_group = no
+
+ # Closes all IKE_SAs if communication with the RADIUS server times out. If
+ # it is not set only the current IKE_SA is closed.
+ # close_all_on_timeout = no
+
+ # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+ # eap_start = no
+
+ # Use filter_id attribute as group membership information.
+ # filter_id = no
+
+ # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ # EAP method.
+ # id_prefix =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # NAS-Identifier to include in RADIUS messages.
+ nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }}
+
+ # Port of RADIUS server (authentication).
+ # port = 1812
+
+ # Base to use for calculating exponential back off.
+ # retransmit_base = 1.4
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 2.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 4
+
+ # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ # permissions of the config file accordingly.
+ # secret =
+
+ # IP/Hostname of RADIUS server.
+ # server =
+
+ # Number of sockets (ports) to use, increase for high load.
+ # sockets = 1
+
+ # Whether to include the UDP port in the Called- and Calling-Station-Id
+ # RADIUS attributes.
+ # station_id_with_port = yes
+
+ dae {
+ # Enables support for the Dynamic Authorization Extension (RFC 5176).
+ # enable = no
+
+ # Address to listen for DAE messages from the RADIUS server.
+ # listen = 0.0.0.0
+
+ # Port to listen for DAE requests.
+ # port = 3799
+
+ # Shared secret used to verify/sign DAE messages. If set, make sure to
+ # adjust the permissions of the config file accordingly.
+ # secret =
+ }
+
+ forward {
+ # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+ # ike_to_radius =
+
+ # Same as ike_to_radius but from RADIUS to IKEv2.
+ # radius_to_ike =
+ }
+
+ # Section to specify multiple RADIUS servers.
+ servers {
+{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %}
+{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %}
+ {{ server | replace('.', '-') }} {
+ address = {{ server }}
+ secret = {{ server_options.key }}
+ auth_port = {{ server_options.port }}
+{% if server_options.disable_accounting is not defined %}
+ acct_port = {{ server_options.port | int +1 }}
+{% endif %}
+ sockets = 20
+ }
+{% endfor %}
+{% endif %}
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+ }
+}
diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl
index 49e8b0992..af6c79d6e 100644
--- a/data/templates/ipsec/ios_profile.tmpl
+++ b/data/templates/ipsec/ios_profile.tmpl
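Review bot: Each rendered server block writes the RADIUS shared secret in clear text (`secret = {{ server_options.key }}`), and the plugin's own comment a few lines above says the file's permissions must be adjusted once a secret is set; nothing in this hunk shows the generated eap-radius.conf being written with a restrictive mode, so that should be confirmed on the writer side (outside this diff) or recorded in a comment above the `servers` section. `acct_port` is derived as the auth port plus one, yet the global `# accounting = no` stays commented out, so as far as this file shows no accounting requests are ever sent and `disable_accounting` only changes a port that is never used; if accounting is meant to work, `accounting = yes` has to be emitted when any server lacks `disable_accounting`. `sockets = 20` hard-codes a value far from the documented default of 1 without explanation; a one-line comment such as `# 20 sockets: allow concurrent EAP exchanges under load (default 1)` would help the next maintainer, or make it configurable. The section name `{{ server | replace('.', '-') }}` only rewrites dots, so an IPv6 server address would yield a name containing colons; whether strongswan.conf accepts that should be checked.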
@@ -58,35 +58,29 @@ <!-- The client uses EAP to authenticate --> <key>ExtendedAuthEnabled</key> <integer>1</integer> -{% if ike_proposal is defined and ike_proposal is not none %} <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> <key>IKESecurityAssociationParameters</key> -{% for ike, ike_config in ike_proposal.items() %} <dict> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm --> <key>EncryptionAlgorithm</key> - <string>{{ ike_config.encryption | upper }}</string> + <string>{{ ike_encryption.encryption }}</string> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm --> <key>IntegrityAlgorithm</key> - <string>{{ ike_config.hash | upper }}</string> + <string>{{ ike_encryption.hash }}</string> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup --> <key>DiffieHellmanGroup</key> - <integer>{{ ike_config.dh_group | upper }} + <integer>{{ ike_encryption.dh_group }}</integer> </dict> -{% endfor %} -{% endif %} -{% if esp_proposal is defined and esp_proposal is not none %} <key>ChildSecurityAssociationParameters</key> -{% for esp, esp_config in esp_proposal.items() %} <dict> <key>EncryptionAlgorithm</key> - <string>{{ esp_config.encryption | upper }}</string> + <string>{{ esp_encryption.encryption }}</string> <key>IntegrityAlgorithm</key> - <string>{{ esp_config.hash | upper }}</string> + <string>{{ esp_encryption.hash }}</string> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> </dict> -{% endfor %} -{% endif %} </dict> </dict> <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> 
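Review bot: In the `ChildSecurityAssociationParameters` dict the newly added `DiffieHellmanGroup` is filled from `ike_encryption.dh_group`, i.e. the IKE proposal's group, so the iOS client proposes PFS with the IKE group rather than anything derived from the ESP group; the Windows profile added in the same commit passes `-PfsGroup None`, so on CREATE_CHILD_SA rekeys the two client profiles presumably cannot both agree with the same server esp-group. If the ESP group object exposes its own DH group it should be used here (and the Windows profile aligned); otherwise a comment such as `<!-- PFS group deliberately copied from the IKE proposal; must match the server's esp-group -->` should record the choice. Dropping the `| upper` filters means the values rendered into `EncryptionAlgorithm`/`IntegrityAlgorithm` must now arrive from the caller in exactly the spelling Apple's enumeration expects; that mapping is not visible here. The enclosing plist `<dict>` structure starts and ends outside the hunk.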
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 8e46e8892..32ead9e60 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -54,7 +54,7 @@
 }
 children {
 {% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
-{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
+{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
 peer_{{ name }}_vti {
 esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
 local_ts = 0.0.0.0/0,::/0
diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.tmpl
new file mode 100644
index 000000000..8c26944be
--- /dev/null
+++ b/data/templates/ipsec/windows_profile.tmpl
@@ -0,0 +1,4 @@
+Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru
+
+Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2"
+Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force |
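Review bot: The fallback branch `esp_group[ peer_conf.default_esp_group ]` assumes `peer_conf.default_esp_group` is always present; the line it replaces yielded `None` in that case, so a peer with neither a VTI esp-group nor a default one now hands an undefined lookup to `get_esp_ike_cipher` instead of `None`. If the CLI does not enforce a default group, keep the `None` fallback: `{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else (esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None) %}`. The spaces inside the `[ ... ]` brackets also differ from the line being replaced, which used `esp_group[...]`. The `children` section continues outside the hunk.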
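Review bot: The `Set-VpnConnectionIPsecConfiguration` line appears to cross the IKE and IPsec parameters: by the cmdlet's documented semantics `-EncryptionMethod`, `-IntegrityCheckMethod` and `-DHGroup` describe the IKE (main mode) SA while `-CipherTransformConstants`, `-AuthenticationTransformConstants` and `-PfsGroup` describe the child (ESP) SA, yet the template feeds `ike_encryption.encryption` to both transform constants (the authentication one expects an integrity transform) and `esp_encryption.*` to the IKE methods. If that reading is right the arguments should read `-EncryptionMethod {{ ike_encryption.encryption }} -IntegrityCheckMethod {{ ike_encryption.hash }} -CipherTransformConstants {{ esp_encryption.encryption }} -AuthenticationTransformConstants {{ esp_encryption.hash }}`, with `-PfsGroup` taken from the ESP group when one is configured rather than hard-coded to `None`. `{{ vpn_name }}` and `{{ remote }}` are interpolated into double-quoted PowerShell strings without escaping, so a value containing `"` or `$` breaks the generated script; rendering them in single quotes, or validating them on the Python side, would be more robust. The profile also assumes the algorithm names are already spelled as the cmdlet's enum values; that mapping is not visible here.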