summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl18
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl37
2 files changed, 55 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index cafe52e78..15c035688 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -1,6 +1,7 @@
### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
+{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}
connections {
{% if profile is defined %}
@@ -13,6 +14,11 @@ connections {
{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
+{% if remote_access is defined and remote_access is not none %}
+{% for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %}
+{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
+{% endfor %}
+{% endif %}
}
secrets {
@@ -60,5 +66,17 @@ secrets {
{% endif %}
{% endfor %}
{% endif %}
+{% if remote_access is defined %}
+{% for ra, ra_conf in remote_access.items() if remote_access is defined %}
+{% if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
+{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
+ eap-{{ ra }}-{{ user }} {
+ secret = "{{ user_conf.password }}"
+ id-{{ ra }}-{{ user }} = "{{ user }}"
+ }
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
new file mode 100644
index 000000000..89f6e343e
--- /dev/null
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -0,0 +1,37 @@
+{% macro conn(name, rw_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
+ ra-{{ name }} {
+ remote_addrs = %any
+ local_addrs = %any
+ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ send_certreq = no
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+ local {
+ auth = pubkey
+{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+ id = "{{ rw_conf.authentication.id }}"
+{% endif %}
+{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+ certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% endif %}
+ }
+ remote {
+ auth = eap-mschapv2
+ id = %any
+ eap_id = %any
+ }
+ children {
+ ikev2-vpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ local_ts = 0.0.0.0/0
+ dpd_action = clear
+ }
+ }
+ }
+{% endmacro %}