diff options
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r-- | data/templates/ipsec/charon.j2 (renamed from data/templates/ipsec/charon.tmpl) | 11 | ||||
-rw-r--r-- | data/templates/ipsec/charon/dhcp.conf.j2 (renamed from data/templates/ipsec/charon/dhcp.conf.tmpl) | 0 | ||||
-rw-r--r-- | data/templates/ipsec/charon/eap-radius.conf.j2 (renamed from data/templates/ipsec/charon/eap-radius.conf.tmpl) | 14 | ||||
-rw-r--r-- | data/templates/ipsec/interfaces_use.conf.j2 (renamed from data/templates/ipsec/interfaces_use.conf.tmpl) | 4 | ||||
-rw-r--r-- | data/templates/ipsec/ios_profile.j2 (renamed from data/templates/ipsec/ios_profile.tmpl) | 0 | ||||
-rw-r--r-- | data/templates/ipsec/ipsec.conf.j2 | 19 | ||||
-rw-r--r-- | data/templates/ipsec/ipsec.conf.tmpl | 18 | ||||
-rw-r--r-- | data/templates/ipsec/ipsec.secrets.j2 (renamed from data/templates/ipsec/ipsec.secrets.tmpl) | 4 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl.conf.j2 | 131 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 131 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/l2tp.j2 (renamed from data/templates/ipsec/swanctl/l2tp.tmpl) | 8 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 (renamed from data/templates/ipsec/swanctl/peer.tmpl) | 152 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/profile.j2 (renamed from data/templates/ipsec/swanctl/profile.tmpl) | 24 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 (renamed from data/templates/ipsec/swanctl/remote_access.tmpl) | 37 | ||||
-rw-r--r-- | data/templates/ipsec/windows_profile.j2 (renamed from data/templates/ipsec/windows_profile.tmpl) | 0 |
15 files changed, 277 insertions, 276 deletions
diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.j2 index 2eac24eaa..388559af8 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.j2 @@ -1,6 +1,5 @@ # Options for the charon IKE daemon. charon { - # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. # accept_unencrypted_mainmode_messages = no @@ -23,13 +22,13 @@ charon { # Cisco FlexVPN {% if options is vyos_defined %} cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }} -{% if options.virtual_ip is vyos_defined %} +{% if options.virtual_ip is vyos_defined %} install_virtual_ip = yes -{% endif %} -{% if options.interface is vyos_defined %} +{% endif %} +{% if options.interface is vyos_defined %} install_virtual_ip_on = {{ options.interface }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.j2 index aaa5613fb..aaa5613fb 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.j2 diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.j2 index b58022521..8495011fe 100644 --- a/data/templates/ipsec/charon/eap-radius.conf.tmpl +++ b/data/templates/ipsec/charon/eap-radius.conf.j2 @@ -94,19 +94,19 @@ eap-radius { # Section to specify multiple RADIUS servers. servers { -{% if remote_access.radius.server is vyos_defined %} -{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} +{% if remote_access.radius.server is vyos_defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} {{ server | replace('.', '-') }} { address = {{ server }} secret = {{ server_options.key }} auth_port = {{ server_options.port }} -{% if server_options.disable_accounting is not vyos_defined %} - acct_port = {{ server_options.port | int +1 }} -{% endif %} +{% if server_options.disable_accounting is not vyos_defined %} + acct_port = {{ server_options.port | int + 1 }} +{% endif %} sockets = 20 } -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} } # Section to configure multiple XAuth authentication rounds via RADIUS. diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.j2 index 55c3ce4f3..c1bf8270d 100644 --- a/data/templates/ipsec/interfaces_use.conf.tmpl +++ b/data/templates/ipsec/interfaces_use.conf.j2 @@ -1,5 +1,5 @@ -{% if interface is vyos_defined %} +{% if interface is vyos_defined %} charon { interfaces_use = {{ ', '.join(interface) }} } -{% endif %}
\ No newline at end of file +{% endif %}
\ No newline at end of file diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.j2 index c8e17729a..c8e17729a 100644 --- a/data/templates/ipsec/ios_profile.tmpl +++ b/data/templates/ipsec/ios_profile.j2 diff --git a/data/templates/ipsec/ipsec.conf.j2 b/data/templates/ipsec/ipsec.conf.j2 new file mode 100644 index 000000000..f63995b38 --- /dev/null +++ b/data/templates/ipsec/ipsec.conf.j2 @@ -0,0 +1,19 @@ +# Created by VyOS - manual changes will be overwritten + +config setup +{% set charondebug = '' %} +{% if log.subsystem is vyos_defined %} +{% set subsystem = log.subsystem %} +{% if 'any' in log.subsystem %} +{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', + 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc', + 'imc', 'imv', 'pts'] %} +{% endif %} +{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} +{% endif %} + charondebug = "{{ charondebug }}" + uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} + +{% if include_ipsec_conf is vyos_defined %} +include {{ include_ipsec_conf }} +{% endif %} diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl deleted file mode 100644 index 0f7131dff..000000000 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ /dev/null @@ -1,18 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -config setup -{% set charondebug = '' %} -{% if log.subsystem is vyos_defined %} -{% set subsystem = log.subsystem %} -{% if 'any' in log.subsystem %} -{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', - 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %} -{% endif %} -{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} -{% endif %} - charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} - -{% if include_ipsec_conf is vyos_defined %} -include {{ include_ipsec_conf }} -{% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.j2 index 865c1ab17..a87ac9bc7 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.j2 @@ -1,5 +1,5 @@ # Created by VyOS - manual changes will be overwritten -{% if include_ipsec_secrets is vyos_defined %} +{% if include_ipsec_secrets is vyos_defined %} include {{ include_ipsec_secrets }} -{% endif %} +{% endif %} diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2 new file mode 100644 index 000000000..bf6b8259c --- /dev/null +++ b/data/templates/ipsec/swanctl.conf.j2 @@ -0,0 +1,131 @@ +### Autogenerated by vpn_ipsec.py ### +{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %} +{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %} +{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %} +{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %} + +connections { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if remote_access.connection is vyos_defined %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} +{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if l2tp %} +{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} +{% endif %} +} + +pools { +{% if remote_access.pool is vyos_defined %} +{% for pool, pool_config in remote_access.pool.items() %} + {{ pool }} { +{% if pool_config.prefix is vyos_defined %} + addrs = {{ pool_config.prefix }} +{% endif %} +{% if pool_config.name_server is vyos_defined %} + dns = {{ pool_config.name_server | join(',') }} +{% endif %} +{% if pool_config.exclude is vyos_defined %} + split_exclude = {{ pool_config.exclude | join(',') }} +{% endif %} + } +{% endfor %} +{% endif %} +} + +secrets { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} +{% for interface in profile_conf.bind.tunnel %} + ike-dmvpn-{{ interface }} { + secret = {{ profile_conf.authentication.pre_shared_secret }} + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} +{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} + ike_{{ peer_name }} { +{% if peer_conf.local_address is vyos_defined %} + id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} +{% endif %} + id-remote = {{ peer }} +{% if peer_conf.authentication.id is vyos_defined %} + id-localid = {{ peer_conf.authentication.id }} +{% endif %} +{% if peer_conf.authentication.remote_id is vyos_defined %} + id-remoteid = {{ peer_conf.authentication.remote_id }} +{% endif %} + secret = "{{ peer_conf.authentication.pre_shared_secret }}" + } +{% elif peer_conf.authentication.mode is vyos_defined('x509') %} + private_{{ peer_name }} { + file = {{ peer_conf.authentication.x509.certificate }}.pem +{% if peer_conf.authentication.x509.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.x509.passphrase }}" +{% endif %} + } +{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} + rsa_{{ peer_name }}_local { + file = {{ peer_conf.authentication.rsa.local_key }}.pem +{% if peer_conf.authentication.rsa.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.rsa.passphrase }}" +{% endif %} + } +{% endif %} +{% endfor %} +{% endif %} +{% if remote_access.connection is vyos_defined %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} +{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} + ike_{{ ra }} { +{% if ra_conf.authentication.id is vyos_defined %} + id = "{{ ra_conf.authentication.id }}" +{% elif ra_conf.local_address is vyos_defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} + eap-{{ ra }}-{{ user }} { + secret = "{{ user_conf.password }}" + id-{{ ra }}-{{ user }} = "{{ user }}" + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if l2tp %} +{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} + ike_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + secret = "{{ l2tp.authentication.pre_shared_secret }}" + } +{% elif l2tp.authentication.mode is vyos_defined('x509') %} + private_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + file = {{ l2tp.authentication.x509.certificate }}.pem +{% if l2tp.authentication.x509.passphrase is vyos_defined %} + secret = "{{ l2tp.authentication.x509.passphrase }}" +{% endif %} + } +{% endif %} +{% endif %} +} + diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl deleted file mode 100644 index 6ba93dd1f..000000000 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ /dev/null @@ -1,131 +0,0 @@ -### Autogenerated by vpn_ipsec.py ### -{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %} -{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} -{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} -{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} - -connections { -{% if profile is vyos_defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} -{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if site_to_site.peer is vyos_defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} -{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if remote_access.connection is vyos_defined %} -{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} -{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if l2tp %} -{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} -{% endif %} -} - -pools { -{% if remote_access.pool is vyos_defined %} -{% for pool, pool_config in remote_access.pool.items() %} - {{ pool }} { -{% if pool_config.prefix is vyos_defined %} - addrs = {{ pool_config.prefix }} -{% endif %} -{% if pool_config.name_server is vyos_defined %} - dns = {{ pool_config.name_server | join(',') }} -{% endif %} -{% if pool_config.exclude is vyos_defined %} - split_exclude = {{ pool_config.exclude | join(',') }} -{% endif %} - } -{% endfor %} -{% endif %} -} - -secrets { -{% if profile is vyos_defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} -{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} -{% for interface in profile_conf.bind.tunnel %} - ike-dmvpn-{{ interface }} { - secret = {{ profile_conf.authentication.pre_shared_secret }} - } -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -{% if site_to_site.peer is vyos_defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} -{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} -{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} - ike_{{ peer_name }} { -{% if peer_conf.local_address is vyos_defined %} - id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} -{% endif %} - id-remote = {{ peer }} -{% if peer_conf.authentication.id is vyos_defined %} - id-localid = {{ peer_conf.authentication.id }} -{% endif %} -{% if peer_conf.authentication.remote_id is vyos_defined %} - id-remoteid = {{ peer_conf.authentication.remote_id }} -{% endif %} - secret = "{{ peer_conf.authentication.pre_shared_secret }}" - } -{% elif peer_conf.authentication.mode is vyos_defined('x509') %} - private_{{ peer_name }} { - file = {{ peer_conf.authentication.x509.certificate }}.pem -{% if peer_conf.authentication.x509.passphrase is vyos_defined %} - secret = "{{ peer_conf.authentication.x509.passphrase }}" -{% endif %} - } -{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} - rsa_{{ peer_name }}_local { - file = {{ peer_conf.authentication.rsa.local_key }}.pem -{% if peer_conf.authentication.rsa.passphrase is vyos_defined %} - secret = "{{ peer_conf.authentication.rsa.passphrase }}" -{% endif %} - } -{% endif %} -{% endfor %} -{% endif %} -{% if remote_access.connection is vyos_defined %} -{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} -{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} - ike_{{ ra }} { -{% if ra_conf.authentication.id is vyos_defined %} - id = "{{ ra_conf.authentication.id }}" -{% elif ra_conf.local_address is vyos_defined %} - id = "{{ ra_conf.local_address }}" -{% endif %} - secret = "{{ ra_conf.authentication.pre_shared_secret }}" - } -{% endif %} -{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} -{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} - eap-{{ ra }}-{{ user }} { - secret = "{{ user_conf.password }}" - id-{{ ra }}-{{ user }} = "{{ user }}" - } -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -{% if l2tp %} -{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} - ike_l2tp_remote_access { - id = "{{ l2tp_outside_address }}" - secret = "{{ l2tp.authentication.pre_shared_secret }}" - } -{% elif l2tp.authentication.mode is vyos_defined('x509') %} - private_l2tp_remote_access { - id = "{{ l2tp_outside_address }}" - file = {{ l2tp.authentication.x509.certificate }}.pem -{% if l2tp.authentication.x509.passphrase is vyos_defined %} - secret = "{{ l2tp.authentication.x509.passphrase }}" -{% endif %} - } -{% endif %} -{% endif %} -} - diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.j2 index c0e81e0aa..7e63865cc 100644 --- a/data/templates/ipsec/swanctl/l2tp.tmpl +++ b/data/templates/ipsec/swanctl/l2tp.j2 @@ -1,6 +1,6 @@ {% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} -{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} -{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} l2tp_remote_access { proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} local_addrs = {{ l2tp_outside_address }} @@ -10,9 +10,9 @@ reauth_time = 0 local { auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if l2tp.authentication.mode == 'x509' %} +{% if l2tp.authentication.mode == 'x509' %} certs = {{ l2tp.authentication.x509.certificate }}.pem -{% endif %} +{% endif %} } remote { auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.j2 index b21dce9f0..90d2c774f 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -1,78 +1,78 @@ {% macro conn(peer, peer_conf, ike_group, esp_group) %} -{% set name = peer.replace("@", "") | dot_colon_to_dash %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[peer_conf.ike_group] %} +{% set name = peer.replace("@", "") | dot_colon_to_dash %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} -{% if peer_conf.virtual_address is vyos_defined %} +{% if peer_conf.virtual_address is vyos_defined %} vips = {{ peer_conf.virtual_address | join(', ') }} -{% endif %} +{% endif %} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} -{% if peer_conf.authentication.mode is vyos_defined('x509') %} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} send_cert = always -{% endif %} -{% if ike.dead_peer_detection is vyos_defined %} +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} dpd_timeout = {{ ike.dead_peer_detection.timeout }} dpd_delay = {{ ike.dead_peer_detection.interval }} -{% endif %} -{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} +{% endif %} +{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} aggressive = yes -{% endif %} +{% endif %} rekey_time = {{ ike.lifetime }}s mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }} -{% if peer[0:1] == '@' %} +{% if peer[0:1] == '@' %} keyingtries = 0 reauth_time = 0 -{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} keyingtries = 0 -{% elif peer_conf.connection_type is vyos_defined('respond') %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} keyingtries = 1 -{% endif %} -{% if peer_conf.force_encapsulation is vyos_defined('enable') %} +{% endif %} +{% if peer_conf.force_encapsulation is vyos_defined('enable') %} encap = yes -{% endif %} +{% endif %} local { -{% if peer_conf.authentication.id is vyos_defined %} +{% if peer_conf.authentication.id is vyos_defined %} id = "{{ peer_conf.authentication.id }}" -{% endif %} +{% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if peer_conf.authentication.mode == 'x509' %} +{% if peer_conf.authentication.mode == 'x509' %} certs = {{ peer_conf.authentication.x509.certificate }}.pem -{% elif peer_conf.authentication.mode == 'rsa' %} +{% elif peer_conf.authentication.mode == 'rsa' %} pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem -{% endif %} +{% endif %} } remote { -{% if peer_conf.authentication.remote_id is vyos_defined %} +{% if peer_conf.authentication.remote_id is vyos_defined %} id = "{{ peer_conf.authentication.remote_id }}" -{% else %} +{% else %} id = "{{ peer }}" -{% endif %} +{% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if peer_conf.authentication.mode == 'rsa' %} +{% if peer_conf.authentication.mode == 'rsa' %} pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem -{% endif %} +{% endif %} } children { -{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} +{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} {% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if vti_esp.life_bytes is vyos_defined %} +{% if vti_esp.life_bytes is vyos_defined %} life_bytes = {{ vti_esp.life_bytes }} -{% endif %} -{% if vti_esp.life_packets is vyos_defined %} +{% endif %} +{% if vti_esp.life_packets is vyos_defined %} life_packets = {{ vti_esp.life_packets }} -{% endif %} +{% endif %} life_time = {{ vti_esp.lifetime }}s local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" - {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} - {# Thus we simply shift the key by one to also support a vti0 interface #} -{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %} +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} if_id_in = {{ if_id }} if_id_out = {{ if_id }} ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }} @@ -87,80 +87,80 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is vyos_defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} } -{% elif peer_conf.tunnel is vyos_defined %} +{% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} -{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} -{% set tunnel_esp = esp_group[tunnel_esp_name] %} -{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} -{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} -{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} -{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} -{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} +{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} +{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if tunnel_esp.life_bytes is vyos_defined %} +{% if tunnel_esp.life_bytes is vyos_defined %} life_bytes = {{ tunnel_esp.life_bytes }} -{% endif %} -{% if tunnel_esp.life_packets is vyos_defined %} +{% endif %} +{% if tunnel_esp.life_packets is vyos_defined %} life_packets = {{ tunnel_esp.life_packets }} -{% endif %} +{% endif %} life_time = {{ tunnel_esp.lifetime }}s -{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} -{% if tunnel_conf.local.prefix is vyos_defined %} -{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} +{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} +{% if tunnel_conf.local.prefix is vyos_defined %} +{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} -{% endif %} -{% if tunnel_conf.remote.prefix is vyos_defined %} -{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} +{% endif %} +{% if tunnel_conf.remote.prefix is vyos_defined %} +{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} -{% endif %} -{% if tunnel_conf.priority is vyos_defined %} +{% endif %} +{% if tunnel_conf.priority is vyos_defined %} priority = {{ tunnel_conf.priority }} -{% endif %} -{% elif tunnel_esp.mode == 'transport' %} +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} local_ts = {{ peer_conf.local_address }}{{ local_suffix }} remote_ts = {{ peer }}{{ remote_suffix }} -{% endif %} +{% endif %} ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }} mode = {{ tunnel_esp.mode }} -{% if peer[0:1] == '@' %} +{% if peer[0:1] == '@' %} start_action = none -{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} start_action = start -{% elif peer_conf.connection_type is vyos_defined('respond') %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} start_action = trap -{% elif peer_conf.connection_type is vyos_defined('none') %} +{% elif peer_conf.connection_type is vyos_defined('none') %} start_action = none -{% endif %} -{% if ike.dead_peer_detection is vyos_defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} -{% endif %} +{% endif %} close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} -{% if peer_conf.vti.bind is vyos_defined %} +{% if peer_conf.vti.bind is vyos_defined %} +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" - {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} - {# Thus we simply shift the key by one to also support a vti0 interface #} -{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %} if_id_in = {{ if_id }} if_id_out = {{ if_id }} -{% endif %} +{% endif %} } -{% if tunnel_conf.passthrough is vyos_defined %} - peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough { +{% if tunnel_conf.passthrough is vyos_defined %} + peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough { local_ts = {{ tunnel_conf.passthrough | join(",") }} remote_ts = {{ tunnel_conf.passthrough | join(",") }} start_action = trap mode = pass } -{% endif %} +{% endif %} {% endfor %} -{% endif %} +{% endif %} } } {% endmacro %} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.j2 index 0f1c2fda2..d4f417378 100644 --- a/data/templates/ipsec/swanctl/profile.tmpl +++ b/data/templates/ipsec/swanctl/profile.j2 @@ -1,39 +1,39 @@ {% macro conn(name, profile_conf, ike_group, esp_group) %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[profile_conf.ike_group] %} -{% set esp = esp_group[profile_conf.esp_group] %} -{% if profile_conf.bind.tunnel is vyos_defined %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[profile_conf.ike_group] %} +{% set esp = esp_group[profile_conf.esp_group] %} +{% if profile_conf.bind.tunnel is vyos_defined %} {% for interface in profile_conf.bind.tunnel %} dmvpn-{{ name }}-{{ interface }} { proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} local { auth = psk } remote { auth = psk } -{% endif %} +{% endif %} children { dmvpn { - esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} + esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} rekey_time = {{ esp.lifetime }}s rand_time = 540s local_ts = dynamic[gre] remote_ts = dynamic[gre] mode = {{ esp.mode }} -{% if ike.dead_peer_detection.action is vyos_defined %} +{% if ike.dead_peer_detection.action is vyos_defined %} dpd_action = {{ ike.dead_peer_detection.action }} -{% endif %} -{% if esp.compression is vyos_defined('enable') %} +{% endif %} +{% if esp.compression is vyos_defined('enable') %} ipcomp = yes -{% endif %} +{% endif %} } } } {% endfor %} -{% endif %} +{% endif %} {% endmacro %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.j2 index 059984139..d2760ec1f 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -1,7 +1,7 @@ {% macro conn(name, rw_conf, ike_group, esp_group) %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[rw_conf.ike_group] %} -{% set esp = esp_group[rw_conf.esp_group] %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[rw_conf.ike_group] %} +{% set esp = esp_group[rw_conf.esp_group] %} ra-{{ name }} { remote_addrs = %any local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }} @@ -10,28 +10,29 @@ send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if rw_conf.unique is vyos_defined %} +{% if rw_conf.unique is vyos_defined %} unique = {{ rw_conf.unique }} -{% endif %} -{% if rw_conf.pool is vyos_defined %} +{% endif %} +{% if rw_conf.pool is vyos_defined %} pools = {{ rw_conf.pool | join(',') }} -{% endif %} +{% endif %} local { -{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} - id = '{{ rw_conf.authentication.id }}' -{% endif %} -{% if rw_conf.authentication.server_mode == 'x509' %} +{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} +{# please use " quotes - else Apple iOS goes crazy #} + id = "{{ rw_conf.authentication.id }}" +{% endif %} +{% if rw_conf.authentication.server_mode == 'x509' %} auth = pubkey certs = {{ rw_conf.authentication.x509.certificate }}.pem -{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} +{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} auth = psk -{% endif %} +{% endif %} } remote { auth = {{ rw_conf.authentication.client_mode }} -{% if rw_conf.authentication.client_mode.startswith("eap") %} +{% if rw_conf.authentication.client_mode.startswith("eap") %} eap_id = %any -{% endif %} +{% endif %} } children { ikev2-vpn { @@ -40,9 +41,9 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} -{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} -{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} -{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} +{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} } } diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.j2 index 8c26944be..8c26944be 100644 --- a/data/templates/ipsec/windows_profile.tmpl +++ b/data/templates/ipsec/windows_profile.j2 |