summaryrefslogtreecommitdiff
path: root/data/templates/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/ipsec')
-rw-r--r--data/templates/ipsec/charon.j2 (renamed from data/templates/ipsec/charon.tmpl)11
-rw-r--r--data/templates/ipsec/charon/dhcp.conf.j2 (renamed from data/templates/ipsec/charon/dhcp.conf.tmpl)0
-rw-r--r--data/templates/ipsec/charon/eap-radius.conf.j2 (renamed from data/templates/ipsec/charon/eap-radius.conf.tmpl)14
-rw-r--r--data/templates/ipsec/interfaces_use.conf.j2 (renamed from data/templates/ipsec/interfaces_use.conf.tmpl)4
-rw-r--r--data/templates/ipsec/ios_profile.j2 (renamed from data/templates/ipsec/ios_profile.tmpl)0
-rw-r--r--data/templates/ipsec/ipsec.conf.j219
-rw-r--r--data/templates/ipsec/ipsec.conf.tmpl18
-rw-r--r--data/templates/ipsec/ipsec.secrets.j2 (renamed from data/templates/ipsec/ipsec.secrets.tmpl)4
-rw-r--r--data/templates/ipsec/swanctl.conf.j2131
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl131
-rw-r--r--data/templates/ipsec/swanctl/l2tp.j2 (renamed from data/templates/ipsec/swanctl/l2tp.tmpl)8
-rw-r--r--data/templates/ipsec/swanctl/peer.j2 (renamed from data/templates/ipsec/swanctl/peer.tmpl)152
-rw-r--r--data/templates/ipsec/swanctl/profile.j2 (renamed from data/templates/ipsec/swanctl/profile.tmpl)24
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j2 (renamed from data/templates/ipsec/swanctl/remote_access.tmpl)37
-rw-r--r--data/templates/ipsec/windows_profile.j2 (renamed from data/templates/ipsec/windows_profile.tmpl)0
15 files changed, 277 insertions, 276 deletions
diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.j2
index 2eac24eaa..388559af8 100644
--- a/data/templates/ipsec/charon.tmpl
+++ b/data/templates/ipsec/charon.j2
@@ -1,6 +1,5 @@
# Options for the charon IKE daemon.
charon {
-
# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
# accept_unencrypted_mainmode_messages = no
@@ -23,13 +22,13 @@ charon {
# Cisco FlexVPN
{% if options is vyos_defined %}
cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }}
-{% if options.virtual_ip is vyos_defined %}
+{% if options.virtual_ip is vyos_defined %}
install_virtual_ip = yes
-{% endif %}
-{% if options.interface is vyos_defined %}
+{% endif %}
+{% if options.interface is vyos_defined %}
install_virtual_ip_on = {{ options.interface }}
-{% endif %}
-{% endif %}
+{% endif %}
+{% endif %}
# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no
diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.j2
index aaa5613fb..aaa5613fb 100644
--- a/data/templates/ipsec/charon/dhcp.conf.tmpl
+++ b/data/templates/ipsec/charon/dhcp.conf.j2
diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.j2
index b58022521..8495011fe 100644
--- a/data/templates/ipsec/charon/eap-radius.conf.tmpl
+++ b/data/templates/ipsec/charon/eap-radius.conf.j2
@@ -94,19 +94,19 @@ eap-radius {
# Section to specify multiple RADIUS servers.
servers {
-{% if remote_access.radius.server is vyos_defined %}
-{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %}
+{% if remote_access.radius.server is vyos_defined %}
+{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %}
{{ server | replace('.', '-') }} {
address = {{ server }}
secret = {{ server_options.key }}
auth_port = {{ server_options.port }}
-{% if server_options.disable_accounting is not vyos_defined %}
- acct_port = {{ server_options.port | int +1 }}
-{% endif %}
+{% if server_options.disable_accounting is not vyos_defined %}
+ acct_port = {{ server_options.port | int + 1 }}
+{% endif %}
sockets = 20
}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
# Section to configure multiple XAuth authentication rounds via RADIUS.
diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.j2
index 55c3ce4f3..c1bf8270d 100644
--- a/data/templates/ipsec/interfaces_use.conf.tmpl
+++ b/data/templates/ipsec/interfaces_use.conf.j2
@@ -1,5 +1,5 @@
-{% if interface is vyos_defined %}
+{% if interface is vyos_defined %}
charon {
interfaces_use = {{ ', '.join(interface) }}
}
-{% endif %} \ No newline at end of file
+{% endif %} \ No newline at end of file
diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.j2
index c8e17729a..c8e17729a 100644
--- a/data/templates/ipsec/ios_profile.tmpl
+++ b/data/templates/ipsec/ios_profile.j2
diff --git a/data/templates/ipsec/ipsec.conf.j2 b/data/templates/ipsec/ipsec.conf.j2
new file mode 100644
index 000000000..f63995b38
--- /dev/null
+++ b/data/templates/ipsec/ipsec.conf.j2
@@ -0,0 +1,19 @@
+# Created by VyOS - manual changes will be overwritten
+
+config setup
+{% set charondebug = '' %}
+{% if log.subsystem is vyos_defined %}
+{% set subsystem = log.subsystem %}
+{% if 'any' in log.subsystem %}
+{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl',
+ 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc',
+ 'imc', 'imv', 'pts'] %}
+{% endif %}
+{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %}
+{% endif %}
+ charondebug = "{{ charondebug }}"
+ uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }}
+
+{% if include_ipsec_conf is vyos_defined %}
+include {{ include_ipsec_conf }}
+{% endif %}
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
deleted file mode 100644
index 0f7131dff..000000000
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ /dev/null
@@ -1,18 +0,0 @@
-# Created by VyOS - manual changes will be overwritten
-
-config setup
-{% set charondebug = '' %}
-{% if log.subsystem is vyos_defined %}
-{% set subsystem = log.subsystem %}
-{% if 'any' in log.subsystem %}
-{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
- 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %}
-{% endif %}
-{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %}
-{% endif %}
- charondebug = "{{ charondebug }}"
- uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }}
-
-{% if include_ipsec_conf is vyos_defined %}
-include {{ include_ipsec_conf }}
-{% endif %}
diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.j2
index 865c1ab17..a87ac9bc7 100644
--- a/data/templates/ipsec/ipsec.secrets.tmpl
+++ b/data/templates/ipsec/ipsec.secrets.j2
@@ -1,5 +1,5 @@
# Created by VyOS - manual changes will be overwritten
-{% if include_ipsec_secrets is vyos_defined %}
+{% if include_ipsec_secrets is vyos_defined %}
include {{ include_ipsec_secrets }}
-{% endif %}
+{% endif %}
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
new file mode 100644
index 000000000..bf6b8259c
--- /dev/null
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -0,0 +1,131 @@
+### Autogenerated by vpn_ipsec.py ###
+{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %}
+{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %}
+{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %}
+{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %}
+
+connections {
+{% if profile is vyos_defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
+{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if site_to_site.peer is vyos_defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
+{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if remote_access.connection is vyos_defined %}
+{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %}
+{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
+{% if l2tp %}
+{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
+{% endif %}
+}
+
+pools {
+{% if remote_access.pool is vyos_defined %}
+{% for pool, pool_config in remote_access.pool.items() %}
+ {{ pool }} {
+{% if pool_config.prefix is vyos_defined %}
+ addrs = {{ pool_config.prefix }}
+{% endif %}
+{% if pool_config.name_server is vyos_defined %}
+ dns = {{ pool_config.name_server | join(',') }}
+{% endif %}
+{% if pool_config.exclude is vyos_defined %}
+ split_exclude = {{ pool_config.exclude | join(',') }}
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
+}
+
+secrets {
+{% if profile is vyos_defined %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
+{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
+{% for interface in profile_conf.bind.tunnel %}
+ ike-dmvpn-{{ interface }} {
+ secret = {{ profile_conf.authentication.pre_shared_secret }}
+ }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if site_to_site.peer is vyos_defined %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
+{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
+{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
+ ike_{{ peer_name }} {
+{% if peer_conf.local_address is vyos_defined %}
+ id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+{% endif %}
+ id-remote = {{ peer }}
+{% if peer_conf.authentication.id is vyos_defined %}
+ id-localid = {{ peer_conf.authentication.id }}
+{% endif %}
+{% if peer_conf.authentication.remote_id is vyos_defined %}
+ id-remoteid = {{ peer_conf.authentication.remote_id }}
+{% endif %}
+ secret = "{{ peer_conf.authentication.pre_shared_secret }}"
+ }
+{% elif peer_conf.authentication.mode is vyos_defined('x509') %}
+ private_{{ peer_name }} {
+ file = {{ peer_conf.authentication.x509.certificate }}.pem
+{% if peer_conf.authentication.x509.passphrase is vyos_defined %}
+ secret = "{{ peer_conf.authentication.x509.passphrase }}"
+{% endif %}
+ }
+{% elif peer_conf.authentication.mode is vyos_defined('rsa') %}
+ rsa_{{ peer_name }}_local {
+ file = {{ peer_conf.authentication.rsa.local_key }}.pem
+{% if peer_conf.authentication.rsa.passphrase is vyos_defined %}
+ secret = "{{ peer_conf.authentication.rsa.passphrase }}"
+{% endif %}
+ }
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if remote_access.connection is vyos_defined %}
+{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
+{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
+ ike_{{ ra }} {
+{% if ra_conf.authentication.id is vyos_defined %}
+ id = "{{ ra_conf.authentication.id }}"
+{% elif ra_conf.local_address is vyos_defined %}
+ id = "{{ ra_conf.local_address }}"
+{% endif %}
+ secret = "{{ ra_conf.authentication.pre_shared_secret }}"
+ }
+{% endif %}
+{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %}
+{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %}
+ eap-{{ ra }}-{{ user }} {
+ secret = "{{ user_conf.password }}"
+ id-{{ ra }}-{{ user }} = "{{ user }}"
+ }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if l2tp %}
+{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %}
+ ike_l2tp_remote_access {
+ id = "{{ l2tp_outside_address }}"
+ secret = "{{ l2tp.authentication.pre_shared_secret }}"
+ }
+{% elif l2tp.authentication.mode is vyos_defined('x509') %}
+ private_l2tp_remote_access {
+ id = "{{ l2tp_outside_address }}"
+ file = {{ l2tp.authentication.x509.certificate }}.pem
+{% if l2tp.authentication.x509.passphrase is vyos_defined %}
+ secret = "{{ l2tp.authentication.x509.passphrase }}"
+{% endif %}
+ }
+{% endif %}
+{% endif %}
+}
+
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
deleted file mode 100644
index 6ba93dd1f..000000000
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ /dev/null
@@ -1,131 +0,0 @@
-### Autogenerated by vpn_ipsec.py ###
-{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %}
-{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
-{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
-{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}
-
-connections {
-{% if profile is vyos_defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
-{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
-{% endfor %}
-{% endif %}
-{% if site_to_site.peer is vyos_defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
-{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
-{% endfor %}
-{% endif %}
-{% if remote_access.connection is vyos_defined %}
-{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %}
-{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
-{% endfor %}
-{% endif %}
-{% if l2tp %}
-{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
-{% endif %}
-}
-
-pools {
-{% if remote_access.pool is vyos_defined %}
-{% for pool, pool_config in remote_access.pool.items() %}
- {{ pool }} {
-{% if pool_config.prefix is vyos_defined %}
- addrs = {{ pool_config.prefix }}
-{% endif %}
-{% if pool_config.name_server is vyos_defined %}
- dns = {{ pool_config.name_server | join(',') }}
-{% endif %}
-{% if pool_config.exclude is vyos_defined %}
- split_exclude = {{ pool_config.exclude | join(',') }}
-{% endif %}
- }
-{% endfor %}
-{% endif %}
-}
-
-secrets {
-{% if profile is vyos_defined %}
-{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
-{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
-{% for interface in profile_conf.bind.tunnel %}
- ike-dmvpn-{{ interface }} {
- secret = {{ profile_conf.authentication.pre_shared_secret }}
- }
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if site_to_site.peer is vyos_defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
-{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
-{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
- ike_{{ peer_name }} {
-{% if peer_conf.local_address is vyos_defined %}
- id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{% endif %}
- id-remote = {{ peer }}
-{% if peer_conf.authentication.id is vyos_defined %}
- id-localid = {{ peer_conf.authentication.id }}
-{% endif %}
-{% if peer_conf.authentication.remote_id is vyos_defined %}
- id-remoteid = {{ peer_conf.authentication.remote_id }}
-{% endif %}
- secret = "{{ peer_conf.authentication.pre_shared_secret }}"
- }
-{% elif peer_conf.authentication.mode is vyos_defined('x509') %}
- private_{{ peer_name }} {
- file = {{ peer_conf.authentication.x509.certificate }}.pem
-{% if peer_conf.authentication.x509.passphrase is vyos_defined %}
- secret = "{{ peer_conf.authentication.x509.passphrase }}"
-{% endif %}
- }
-{% elif peer_conf.authentication.mode is vyos_defined('rsa') %}
- rsa_{{ peer_name }}_local {
- file = {{ peer_conf.authentication.rsa.local_key }}.pem
-{% if peer_conf.authentication.rsa.passphrase is vyos_defined %}
- secret = "{{ peer_conf.authentication.rsa.passphrase }}"
-{% endif %}
- }
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if remote_access.connection is vyos_defined %}
-{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
-{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
- ike_{{ ra }} {
-{% if ra_conf.authentication.id is vyos_defined %}
- id = "{{ ra_conf.authentication.id }}"
-{% elif ra_conf.local_address is vyos_defined %}
- id = "{{ ra_conf.local_address }}"
-{% endif %}
- secret = "{{ ra_conf.authentication.pre_shared_secret }}"
- }
-{% endif %}
-{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %}
-{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %}
- eap-{{ ra }}-{{ user }} {
- secret = "{{ user_conf.password }}"
- id-{{ ra }}-{{ user }} = "{{ user }}"
- }
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if l2tp %}
-{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %}
- ike_l2tp_remote_access {
- id = "{{ l2tp_outside_address }}"
- secret = "{{ l2tp.authentication.pre_shared_secret }}"
- }
-{% elif l2tp.authentication.mode is vyos_defined('x509') %}
- private_l2tp_remote_access {
- id = "{{ l2tp_outside_address }}"
- file = {{ l2tp.authentication.x509.certificate }}.pem
-{% if l2tp.authentication.x509.passphrase is vyos_defined %}
- secret = "{{ l2tp.authentication.x509.passphrase }}"
-{% endif %}
- }
-{% endif %}
-{% endif %}
-}
-
diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.j2
index c0e81e0aa..7e63865cc 100644
--- a/data/templates/ipsec/swanctl/l2tp.tmpl
+++ b/data/templates/ipsec/swanctl/l2tp.j2
@@ -1,6 +1,6 @@
{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %}
-{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %}
-{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %}
+{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %}
+{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %}
l2tp_remote_access {
proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }}
local_addrs = {{ l2tp_outside_address }}
@@ -10,9 +10,9 @@
reauth_time = 0
local {
auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
-{% if l2tp.authentication.mode == 'x509' %}
+{% if l2tp.authentication.mode == 'x509' %}
certs = {{ l2tp.authentication.x509.certificate }}.pem
-{% endif %}
+{% endif %}
}
remote {
auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.j2
index b21dce9f0..90d2c774f 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -1,78 +1,78 @@
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
-{% set name = peer.replace("@", "") | dot_colon_to_dash %}
-{# peer needs to reference the global IKE configuration for certain values #}
-{% set ike = ike_group[peer_conf.ike_group] %}
+{% set name = peer.replace("@", "") | dot_colon_to_dash %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
-{% if peer_conf.virtual_address is vyos_defined %}
+{% if peer_conf.virtual_address is vyos_defined %}
vips = {{ peer_conf.virtual_address | join(', ') }}
-{% endif %}
+{% endif %}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
-{% if peer_conf.authentication.mode is vyos_defined('x509') %}
+{% if peer_conf.authentication.mode is vyos_defined('x509') %}
send_cert = always
-{% endif %}
-{% if ike.dead_peer_detection is vyos_defined %}
+{% endif %}
+{% if ike.dead_peer_detection is vyos_defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
-{% endif %}
-{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %}
+{% endif %}
+{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %}
aggressive = yes
-{% endif %}
+{% endif %}
rekey_time = {{ ike.lifetime }}s
mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
-{% if peer[0:1] == '@' %}
+{% if peer[0:1] == '@' %}
keyingtries = 0
reauth_time = 0
-{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
+{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
keyingtries = 0
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('respond') %}
keyingtries = 1
-{% endif %}
-{% if peer_conf.force_encapsulation is vyos_defined('enable') %}
+{% endif %}
+{% if peer_conf.force_encapsulation is vyos_defined('enable') %}
encap = yes
-{% endif %}
+{% endif %}
local {
-{% if peer_conf.authentication.id is vyos_defined %}
+{% if peer_conf.authentication.id is vyos_defined %}
id = "{{ peer_conf.authentication.id }}"
-{% endif %}
+{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
-{% if peer_conf.authentication.mode == 'x509' %}
+{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
-{% elif peer_conf.authentication.mode == 'rsa' %}
+{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem
-{% endif %}
+{% endif %}
}
remote {
-{% if peer_conf.authentication.remote_id is vyos_defined %}
+{% if peer_conf.authentication.remote_id is vyos_defined %}
id = "{{ peer_conf.authentication.remote_id }}"
-{% else %}
+{% else %}
id = "{{ peer }}"
-{% endif %}
+{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
-{% if peer_conf.authentication.mode == 'rsa' %}
+{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem
-{% endif %}
+{% endif %}
}
children {
-{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %}
+{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
-{% if vti_esp.life_bytes is vyos_defined %}
+{% if vti_esp.life_bytes is vyos_defined %}
life_bytes = {{ vti_esp.life_bytes }}
-{% endif %}
-{% if vti_esp.life_packets is vyos_defined %}
+{% endif %}
+{% if vti_esp.life_packets is vyos_defined %}
life_packets = {{ vti_esp.life_packets }}
-{% endif %}
+{% endif %}
life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
- {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
- {# Thus we simply shift the key by one to also support a vti0 interface #}
-{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+{# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }}
@@ -87,80 +87,80 @@
start_action = none
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
}
-{% elif peer_conf.tunnel is vyos_defined %}
+{% elif peer_conf.tunnel is vyos_defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
-{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %}
-{% set tunnel_esp = esp_group[tunnel_esp_name] %}
-{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %}
-{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %}
-{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
-{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
-{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
+{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %}
+{% set tunnel_esp = esp_group[tunnel_esp_name] %}
+{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %}
+{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %}
+{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
+{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
+{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
-{% if tunnel_esp.life_bytes is vyos_defined %}
+{% if tunnel_esp.life_bytes is vyos_defined %}
life_bytes = {{ tunnel_esp.life_bytes }}
-{% endif %}
-{% if tunnel_esp.life_packets is vyos_defined %}
+{% endif %}
+{% if tunnel_esp.life_packets is vyos_defined %}
life_packets = {{ tunnel_esp.life_packets }}
-{% endif %}
+{% endif %}
life_time = {{ tunnel_esp.lifetime }}s
-{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
-{% if tunnel_conf.local.prefix is vyos_defined %}
-{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
+{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
+{% if tunnel_conf.local.prefix is vyos_defined %}
+{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
-{% endif %}
-{% if tunnel_conf.remote.prefix is vyos_defined %}
-{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
+{% endif %}
+{% if tunnel_conf.remote.prefix is vyos_defined %}
+{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
-{% endif %}
-{% if tunnel_conf.priority is vyos_defined %}
+{% endif %}
+{% if tunnel_conf.priority is vyos_defined %}
priority = {{ tunnel_conf.priority }}
-{% endif %}
-{% elif tunnel_esp.mode == 'transport' %}
+{% endif %}
+{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
-{% endif %}
+{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }}
mode = {{ tunnel_esp.mode }}
-{% if peer[0:1] == '@' %}
+{% if peer[0:1] == '@' %}
start_action = none
-{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
+{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
start_action = start
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('respond') %}
start_action = trap
-{% elif peer_conf.connection_type is vyos_defined('none') %}
+{% elif peer_conf.connection_type is vyos_defined('none') %}
start_action = none
-{% endif %}
-{% if ike.dead_peer_detection is vyos_defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
+{% endif %}
+{% if ike.dead_peer_detection is vyos_defined %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
-{% endif %}
+{% endif %}
close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
-{% if peer_conf.vti.bind is vyos_defined %}
+{% if peer_conf.vti.bind is vyos_defined %}
+{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+{# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
- {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
- {# Thus we simply shift the key by one to also support a vti0 interface #}
-{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
-{% endif %}
+{% endif %}
}
-{% if tunnel_conf.passthrough is vyos_defined %}
- peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
+{% if tunnel_conf.passthrough is vyos_defined %}
+ peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
-{% endif %}
+{% endif %}
{% endfor %}
-{% endif %}
+{% endif %}
}
}
{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.j2
index 0f1c2fda2..d4f417378 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.j2
@@ -1,39 +1,39 @@
{% macro conn(name, profile_conf, ike_group, esp_group) %}
-{# peer needs to reference the global IKE configuration for certain values #}
-{% set ike = ike_group[profile_conf.ike_group] %}
-{% set esp = esp_group[profile_conf.esp_group] %}
-{% if profile_conf.bind.tunnel is vyos_defined %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[profile_conf.ike_group] %}
+{% set esp = esp_group[profile_conf.esp_group] %}
+{% if profile_conf.bind.tunnel is vyos_defined %}
{% for interface in profile_conf.bind.tunnel %}
dmvpn-{{ name }}-{{ interface }} {
proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
-{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
+{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
local {
auth = psk
}
remote {
auth = psk
}
-{% endif %}
+{% endif %}
children {
dmvpn {
- esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
mode = {{ esp.mode }}
-{% if ike.dead_peer_detection.action is vyos_defined %}
+{% if ike.dead_peer_detection.action is vyos_defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
-{% endif %}
-{% if esp.compression is vyos_defined('enable') %}
+{% endif %}
+{% if esp.compression is vyos_defined('enable') %}
ipcomp = yes
-{% endif %}
+{% endif %}
}
}
}
{% endfor %}
-{% endif %}
+{% endif %}
{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.j2
index 059984139..d2760ec1f 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -1,7 +1,7 @@
{% macro conn(name, rw_conf, ike_group, esp_group) %}
-{# peer needs to reference the global IKE configuration for certain values #}
-{% set ike = ike_group[rw_conf.ike_group] %}
-{% set esp = esp_group[rw_conf.esp_group] %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
ra-{{ name }} {
remote_addrs = %any
local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }}
@@ -10,28 +10,29 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
-{% if rw_conf.unique is vyos_defined %}
+{% if rw_conf.unique is vyos_defined %}
unique = {{ rw_conf.unique }}
-{% endif %}
-{% if rw_conf.pool is vyos_defined %}
+{% endif %}
+{% if rw_conf.pool is vyos_defined %}
pools = {{ rw_conf.pool | join(',') }}
-{% endif %}
+{% endif %}
local {
-{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
- id = '{{ rw_conf.authentication.id }}'
-{% endif %}
-{% if rw_conf.authentication.server_mode == 'x509' %}
+{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
+{# please use " quotes - else Apple iOS goes crazy #}
+ id = "{{ rw_conf.authentication.id }}"
+{% endif %}
+{% if rw_conf.authentication.server_mode == 'x509' %}
auth = pubkey
certs = {{ rw_conf.authentication.x509.certificate }}.pem
-{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
auth = psk
-{% endif %}
+{% endif %}
}
remote {
auth = {{ rw_conf.authentication.client_mode }}
-{% if rw_conf.authentication.client_mode.startswith("eap") %}
+{% if rw_conf.authentication.client_mode.startswith("eap") %}
eap_id = %any
-{% endif %}
+{% endif %}
}
children {
ikev2-vpn {
@@ -40,9 +41,9 @@
rand_time = 540s
dpd_action = clear
inactivity = {{ rw_conf.timeout }}
-{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
-{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
-{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
+{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
}
}
diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.j2
index 8c26944be..8c26944be 100644
--- a/data/templates/ipsec/windows_profile.tmpl
+++ b/data/templates/ipsec/windows_profile.j2