5 files changed, 41 insertions, 10 deletions

diff --git a/data/templates/ipsec/charon_systemd.conf.j2 b/data/templates/ipsec/charon_systemd.conf.j2
new file mode 100644
index 000000000..368aa1ae3
--- /dev/null
+++ b/data/templates/ipsec/charon_systemd.conf.j2
@@ -0,0 +1,18 @@
+# Generated by ${vyos_conf_scripts_dir}/vpn_ipsec.py
+
+charon-systemd {
+
+    # Section to configure native systemd journal logger, very similar to the
+    # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5).
+    journal {
+
+        # Loglevel for a specific subsystem.
+        # <subsystem> = <default>
+
+{% if log.level is vyos_defined %}
+        # Default loglevel.
+        default = {{ log.level }}
+{% endif %}
+    }
+
+}
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
index 966fad433..6993f82bf 100644
--- a/data/templates/ipsec/ios_profile.j2
+++ b/data/templates/ipsec/ios_profile.j2
@@ -55,11 +55,9 @@
                 <!-- The server is authenticated using a certificate -->
                 <key>AuthenticationMethod</key>
                 <string>Certificate</string>
-{% if authentication.client_mode.startswith("eap") %}
                 <!-- The client uses EAP to authenticate -->
                 <key>ExtendedAuthEnabled</key>
                 <integer>1</integer>
-{% endif %}
                 <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
                      IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
                 <key>IKESecurityAssociationParameters</key>
@@ -80,9 +78,9 @@
                     <string>{{ esp_encryption.encryption }}</string>
                     <key>IntegrityAlgorithm</key>
                     <string>{{ esp_encryption.hash }}</string>
-{% if esp_encryption.pfs is vyos_defined %}
+{% if ike_encryption.dh_group is vyos_defined %}
                     <key>DiffieHellmanGroup</key>
-                    <integer>{{ esp_encryption.pfs }}</integer>
+                    <integer>{{ ike_encryption.dh_group }}</integer>
 {% endif %}
                 </dict>
                 <!-- Controls whether the client offers Perfect Forward Secrecy (PFS). This should be set to match the server. -->
diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2
index 698a9135e..64e7ea860 100644
--- a/data/templates/ipsec/swanctl.conf.j2
+++ b/data/templates/ipsec/swanctl.conf.j2
@@ -87,7 +87,11 @@ secrets {
         id-{{ gen_uuid }} = "{{ id }}"
 {%             endfor %}
 {%         endif %}
+{%         if psk_config.secret_type is vyos_defined('base64') %}
+        secret = 0s{{ psk_config.secret }}
+{%         elif psk_config.secret_type is vyos_defined('plaintext') %}
         secret = "{{ psk_config.secret }}"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 3a9af2c94..cf0865c88 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -68,8 +68,19 @@
                 rekey_packets = 0
                 rekey_time = 0s
 {%     endif %}
-                local_ts = 0.0.0.0/0,::/0
-                remote_ts = 0.0.0.0/0,::/0
+{#     set default traffic-selectors #}
+{%     set local_ts = '0.0.0.0/0,::/0' %}
+{%     set remote_ts = '0.0.0.0/0,::/0' %}
+{%     if peer_conf.vti.traffic_selector is vyos_defined %}
+{%         if peer_conf.vti.traffic_selector.local is vyos_defined and peer_conf.vti.traffic_selector.local.prefix is vyos_defined %}
+{%             set local_ts = peer_conf.vti.traffic_selector.local.prefix | join(',') %}
+{%         endif %}
+{%         if peer_conf.vti.traffic_selector.remote is vyos_defined and peer_conf.vti.traffic_selector.remote.prefix is vyos_defined %}
+{%             set remote_ts = peer_conf.vti.traffic_selector.remote.prefix | join(',') %}
+{%         endif %}
+{%     endif %}
+                local_ts = {{ local_ts }}
+                remote_ts = {{ remote_ts }}
                 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
 {#              The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {#              Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/data/templates/ipsec/swanctl/profile.j2 b/data/templates/ipsec/swanctl/profile.j2
index 8519a84f8..6a04b038a 100644
--- a/data/templates/ipsec/swanctl/profile.j2
+++ b/data/templates/ipsec/swanctl/profile.j2
@@ -22,16 +22,16 @@
         }
 {%         endif %}
         children {
-            dmvpn {
+            dmvpn-{{ name }}-{{ interface }}-child {
                 esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
                 rekey_time = {{ esp.lifetime }}s
                 rand_time = 540s
                 local_ts = dynamic[gre]
                 remote_ts = dynamic[gre]
                 mode = {{ esp.mode }}
-{%         if ike.dead_peer_detection.action is vyos_defined %}
-                dpd_action = {{ ike.dead_peer_detection.action }}
-{%         endif %}
+                dpd_action = clear
+                close_action = none
+                start_action = none
 {%         if esp.compression is vyos_defined('enable') %}
                 ipcomp = yes
 {%         endif %}