diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/frr/bgpd.frr.tmpl | 3 | ||||
-rw-r--r-- | data/templates/ipsec/charon/dhcp.conf.tmpl | 10 | ||||
-rw-r--r-- | data/templates/ipsec/charon/eap-radius.conf.tmpl | 115 | ||||
-rw-r--r-- | data/templates/ipsec/ios_profile.tmpl | 20 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 2 | ||||
-rw-r--r-- | data/templates/ipsec/windows_profile.tmpl | 4 | ||||
-rw-r--r-- | data/templates/router-advert/radvd.conf.tmpl | 80 |
7 files changed, 178 insertions, 56 deletions
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl
index c21e7f234..aa297876b 100644
--- a/data/templates/frr/bgpd.frr.tmpl
+++ b/data/templates/frr/bgpd.frr.tmpl
@@ -65,6 +65,9 @@
 {% if config.shutdown is defined %}
 neighbor {{ neighbor }} shutdown
 {% endif %}
+{% if config.solo is defined %}
+ neighbor {{ neighbor }} solo
+{% endif %}
 {% if config.strict_capability_match is defined %}
 neighbor {{ neighbor }} strict-capability-match
 {% endif %}
diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl
index 96dfd7633..92774b275 100644
--- a/data/templates/ipsec/charon/dhcp.conf.tmpl
+++ b/data/templates/ipsec/charon/dhcp.conf.tmpl
@@ -1,11 +1,11 @@
 dhcp {
 load = yes
-{% if options is defined and options.remote_access is defined and options.remote_access.dhcp is defined %}
-{% if options.remote_access.dhcp.interface is defined %}
- interface = {{ options.remote_access.dhcp.interface }}
+{% if remote_access is defined and remote_access.dhcp is defined %}
+{% if remote_access.dhcp.interface is defined %}
+ interface = {{ remote_access.dhcp.interface }}
 {% endif %}
-{% if options.remote_access.dhcp.server is defined %}
- server = {{ options.remote_access.dhcp.server }}
+{% if remote_access.dhcp.server is defined %}
+ server = {{ remote_access.dhcp.server }}
 {% endif %}
 {% endif %}
diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl
new file mode 100644
index 000000000..5ec35c988
--- /dev/null
+++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl
@@ -0,0 +1,115 @@
+eap-radius {
+ # Send RADIUS accounting information to RADIUS servers.
+ # accounting = no
+
+ # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+ # updates.
+ # accounting_close_on_timeout = yes
+
+ # Interval in seconds for interim RADIUS accounting updates, if not
+ # specified by the RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
+ # If enabled, accounting is disabled unless an IKE_SA has at least one
+ # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
+ # accounting_requires_vip = no
+
+ # If enabled, adds the Class attributes received in Access-Accept message to
+ # the RADIUS accounting messages.
+ # accounting_send_class = no
+
+ # Use class attributes in Access-Accept messages as group membership
+ # information.
+ # class_group = no
+
+ # Closes all IKE_SAs if communication with the RADIUS server times out. If
+ # it is not set only the current IKE_SA is closed.
+ # close_all_on_timeout = no
+
+ # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+ # eap_start = no
+
+ # Use filter_id attribute as group membership information.
+ # filter_id = no
+
+ # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ # EAP method.
+ # id_prefix =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # NAS-Identifier to include in RADIUS messages.
+ nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }}
+
+ # Port of RADIUS server (authentication).
+ # port = 1812
+
+ # Base to use for calculating exponential back off.
+ # retransmit_base = 1.4
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 2.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 4
+
+ # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ # permissions of the config file accordingly.
+ # secret =
+
+ # IP/Hostname of RADIUS server.
+ # server =
+
+ # Number of sockets (ports) to use, increase for high load.
+ # sockets = 1
+
+ # Whether to include the UDP port in the Called- and Calling-Station-Id
+ # RADIUS attributes.
+ # station_id_with_port = yes
+
+ dae {
+ # Enables support for the Dynamic Authorization Extension (RFC 5176).
+ # enable = no
+
+ # Address to listen for DAE messages from the RADIUS server.
+ # listen = 0.0.0.0
+
+ # Port to listen for DAE requests.
+ # port = 3799
+
+ # Shared secret used to verify/sign DAE messages. If set, make sure to
+ # adjust the permissions of the config file accordingly.
+ # secret =
+ }
+
+ forward {
+ # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+ # ike_to_radius =
+
+ # Same as ike_to_radius but from RADIUS to IKEv2.
+ # radius_to_ike =
+ }
+
+ # Section to specify multiple RADIUS servers.
+ servers {
+{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %}
+{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %}
+ {{ server | replace('.', '-') }} {
+ address = {{ server }}
+ secret = {{ server_options.key }}
+ auth_port = {{ server_options.port }}
+{% if server_options.disable_accounting is not defined %}
+ acct_port = {{ server_options.port | int +1 }}
+{% endif %}
+ sockets = 20
+ }
+{% endfor %}
+{% endif %}
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+ }
+}
diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl
index 49e8b0992..af6c79d6e 100644
--- a/data/templates/ipsec/ios_profile.tmpl
+++ b/data/templates/ipsec/ios_profile.tmpl
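Review bot: The `secret = {{ server_options.key }}` line inside the servers loop writes every RADIUS shared secret into the rendered file in clear text, and the template's own comment on `secret` says the file's permissions must be adjusted accordingly; nothing in this hunk shows the writer creating the file with a restricted mode, so that should be confirmed on the Python side and a comment placed above the loop, e.g. `# secrets below are rendered in plaintext; the caller must write this file with mode 0600`. `auth_port = {{ server_options.port }}` and `acct_port = {{ server_options.port | int +1 }}` assume `port` is always supplied and that accounting always listens on auth+1; unless the CLI fills a default, a missing port renders `auth_port =` empty, and a site with a non-adjacent accounting port cannot express it, so consider `auth_port = {{ server_options.port | default('1812') }}` plus an optional explicit accounting port. The section name `{{ server | replace('.', '-') }}` only rewrites dots, which presumably is fine for IPv4 addresses and hostnames, but if an IPv6 literal can be the key the colons would end up in a strongswan.conf section name — worth verifying against the allowed key format.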
@@ -58,35 +58,29 @@ <!-- The client uses EAP to authenticate --> <key>ExtendedAuthEnabled</key> <integer>1</integer> -{% if ike_proposal is defined and ike_proposal is not none %} <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> <key>IKESecurityAssociationParameters</key> -{% for ike, ike_config in ike_proposal.items() %} <dict> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm --> <key>EncryptionAlgorithm</key> - <string>{{ ike_config.encryption | upper }}</string> + <string>{{ ike_encryption.encryption }}</string> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm --> <key>IntegrityAlgorithm</key> - <string>{{ ike_config.hash | upper }}</string> + <string>{{ ike_encryption.hash }}</string> <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup --> <key>DiffieHellmanGroup</key> - <integer>{{ ike_config.dh_group | upper }} + <integer>{{ ike_encryption.dh_group }}</integer> </dict> -{% endfor %} -{% endif %} -{% if esp_proposal is defined and esp_proposal is not none %} <key>ChildSecurityAssociationParameters</key> -{% for esp, esp_config in esp_proposal.items() %} <dict> <key>EncryptionAlgorithm</key> - <string>{{ esp_config.encryption | upper }}</string> + <string>{{ esp_encryption.encryption }}</string> <key>IntegrityAlgorithm</key> - <string>{{ esp_config.hash | upper }}</string> + <string>{{ esp_encryption.hash }}</string> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> </dict> -{% endfor %} -{% endif %} </dict> </dict> <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> 
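Review bot: The new `ChildSecurityAssociationParameters` dictionary sets `DiffieHellmanGroup` from `ike_encryption.dh_group`, so the iOS client will request PFS on the child SA using the IKE group, while the Windows profile added in this same commit hardcodes `-PfsGroup None`; as the hunk's own comment says, only one proposal is sent and it must match the server, so whichever of the two disagrees with the server's ESP proposal will fail to negotiate. The child DH group should come from the ESP group's PFS setting (the `esp_encryption` value visible here only exposes `encryption` and `hash`, so that value may need to be added by the caller), or the key should be omitted when PFS is disabled. Dropping `| upper` from `EncryptionAlgorithm`/`IntegrityAlgorithm` is only correct if the Python side now supplies Apple's exact constant names; a one-line comment above the dict, `<!-- values must already be Apple NEVPNIKEv2 constant names, e.g. AES-256-GCM / SHA2-256 -->`, would make that contract explicit.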
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 8e46e8892..32ead9e60 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -54,7 +54,7 @@
 }
 children {
 {% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
-{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
+{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
 peer_{{ name }}_vti {
 esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
 local_ts = 0.0.0.0/0,::/0
diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.tmpl
new file mode 100644
index 000000000..8c26944be
--- /dev/null
+++ b/data/templates/ipsec/windows_profile.tmpl
@@ -0,0 +1,4 @@
+Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru
+
+Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2"
+Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force
diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl
index 9cc237512..88d066491 100644
--- a/data/templates/router-advert/radvd.conf.tmpl
+++ b/data/templates/router-advert/radvd.conf.tmpl
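Review bot: The new `{% set vti_esp = ... %}` fallback indexes `esp_group[ peer_conf.default_esp_group ]` unconditionally, so a peer with neither `vti.esp_group` nor `default_esp_group` now produces an undefined `vti_esp` and an empty or failing `esp_proposals =` line, where the old code at least passed an explicit `None` to the filter; unless the Python verify step guarantees `default_esp_group` is always set, guard it with `{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else (esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None) %}`. The enclosing `children` block continues past the end of the hunk.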
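Review bot: The `Set-VpnConnectionIPsecConfiguration` line appears to have its IKE and ESP parameters crossed: per the cmdlet's documentation `-EncryptionMethod`, `-IntegrityCheckMethod` and `-DHGroup` describe the IKE SA while `-CipherTransformConstants`, `-AuthenticationTransformConstants` and `-PfsGroup` describe the IPsec (ESP) SA, yet the template feeds `ike_encryption` into the transform constants and `esp_encryption` into EncryptionMethod/IntegrityCheckMethod, and it passes the IKE cipher name as `-AuthenticationTransformConstants`, which takes an integrity/AEAD constant rather than a cipher. A mapping consistent with the documented meaning would be `-EncryptionMethod {{ ike_encryption.encryption }} -IntegrityCheckMethod {{ ike_encryption.hash }} -DHGroup "Group{{ ike_encryption.dh_group }}" -CipherTransformConstants {{ esp_encryption.encryption }} -AuthenticationTransformConstants {{ esp_encryption.hash }}`, with the VyOS names still translated to the Windows constants (e.g. `SHA256128`, `GCMAES256`) on the Python side. The hardcoded `-PfsGroup None` disables PFS on the child SA regardless of the server's ESP group, whereas the iOS profile in this commit requests a DH group for the child SA; the two client profiles should derive this from the same setting. `{{ vpn_name }}` and `{{ remote }}` are interpolated into double-quoted PowerShell strings without escaping, so a value containing `"` or `$` would break or alter the script — low risk because both are operator-supplied, but a comment noting the assumption is warranted.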
@@ -1,58 +1,64 @@
 ### Autogenerated by service_router-advert.py ###
 {% if interface is defined and interface is not none %}
-{% for iface in interface %}
+{% for iface, iface_config in interface.items() %}
 interface {{ iface }} {
 IgnoreIfMissing on;
-{% if interface[iface].default_preference is defined and interface[iface].default_preference is not none %}
- AdvDefaultPreference {{ interface[iface].default_preference }};
+{% if iface_config.default_preference is defined and iface_config.default_preference is not none %}
+ AdvDefaultPreference {{ iface_config.default_preference }};
 {% endif %}
-{% if interface[iface].managed_flag is defined and interface[iface].managed_flag is not none %}
- AdvManagedFlag {{ 'on' if interface[iface].managed_flag is defined else 'off' }};
+{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %}
+ AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }};
 {% endif %}
-{% if interface[iface].interval.max is defined and interface[iface].interval.max is not none %}
- MaxRtrAdvInterval {{ interface[iface].interval.max }};
+{% if iface_config.interval.max is defined and iface_config.interval.max is not none %}
+ MaxRtrAdvInterval {{ iface_config.interval.max }};
 {% endif %}
-{% if interface[iface].interval.min is defined and interface[iface].interval.min is not none %}
- MinRtrAdvInterval {{ interface[iface].interval.min }};
+{% if iface_config.interval.min is defined and iface_config.interval.min is not none %}
+ MinRtrAdvInterval {{ iface_config.interval.min }};
 {% endif %}
-{% if interface[iface].reachable_time is defined and interface[iface].reachable_time is not none %}
- AdvReachableTime {{ interface[iface].reachable_time }};
+{% if iface_config.reachable_time is defined and iface_config.reachable_time is not none %}
+ AdvReachableTime {{ iface_config.reachable_time }};
 {% endif %}
- AdvIntervalOpt {{ 'off' if interface[iface].no_send_advert is defined else 'on' }};
- AdvSendAdvert {{ 'off' if interface[iface].no_send_advert is defined else 'on' }};
-{% if interface[iface].default_lifetime is defined %}
- AdvDefaultLifetime {{ interface[iface].default_lifetime }};
-{% endif %}
-{% if interface[iface].link_mtu is defined %}
- AdvLinkMTU {{ interface[iface].link_mtu }};
-{% endif %}
- AdvOtherConfigFlag {{ 'on' if interface[iface].other_config_flag is defined else 'off' }};
- AdvRetransTimer {{ interface[iface].retrans_timer }};
- AdvCurHopLimit {{ interface[iface].hop_limit }};
-{% if interface[iface].route is defined %}
-{% for route in interface[iface].route %}
+ AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is defined else 'on' }};
+ AdvSendAdvert {{ 'off' if iface_config.no_send_advert is defined else 'on' }};
+{% if iface_config.default_lifetime is defined %}
+ AdvDefaultLifetime {{ iface_config.default_lifetime }};
+{% endif %}
+{% if iface_config.link_mtu is defined %}
+ AdvLinkMTU {{ iface_config.link_mtu }};
+{% endif %}
+ AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is defined else 'off' }};
+ AdvRetransTimer {{ iface_config.retrans_timer }};
+ AdvCurHopLimit {{ iface_config.hop_limit }};
+{% if iface_config.route is defined %}
+{% for route, route_options in iface_config.route.items() %}
 route {{ route }} {
-{% if interface[iface].route[route].valid_lifetime is defined %}
- AdvRouteLifetime {{ interface[iface].route[route].valid_lifetime }};
+{% if route_options.valid_lifetime is defined %}
+ AdvRouteLifetime {{ route_options.valid_lifetime }};
 {% endif %}
-{% if interface[iface].route[route].route_preference is defined %}
- AdvRoutePreference {{ interface[iface].route[route].route_preference }};
+{% if route_options.route_preference is defined %}
+ AdvRoutePreference {{ route_options.route_preference }};
 {% endif %}
- RemoveRoute {{ 'off' if interface[iface].route[route].no_remove_route is defined else 'on' }};
+ RemoveRoute {{ 'off' if route_options.no_remove_route is defined else 'on' }};
 };
 {% endfor %}
 {% endif %}
-{% for prefix in interface[iface].prefix %}
+{% if iface_config.prefix is defined and iface_config.prefix is not none %}
+{% for prefix, prefix_options in iface_config.prefix.items() %}
 prefix {{ prefix }} {
- AdvAutonomous {{ 'off' if interface[iface].prefix[prefix].no_autonomous_flag is defined else 'on' }};
- AdvValidLifetime {{ interface[iface].prefix[prefix].valid_lifetime }};
- AdvOnLink {{ 'off' if interface[iface].prefix[prefix].no_on_link_flag is defined else 'on' }};
- AdvPreferredLifetime {{ interface[iface].prefix[prefix].preferred_lifetime }};
+ AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is defined else 'on' }};
+ AdvValidLifetime {{ prefix_options.valid_lifetime }};
+ AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is defined else 'on' }};
+ AdvPreferredLifetime {{ prefix_options.preferred_lifetime }};
+ };
+{% endfor %}
+{% endif %}
+{% if iface_config.name_server is defined %}
+ RDNSS {{ iface_config.name_server | join(" ") }} {
 };
-{% endfor %}
-{% if interface[iface].name_server is defined %}
- RDNSS {{ interface[iface].name_server | join(" ") }} {
+{% endif %}
+{% if iface_config.dnssl is defined %}
+ DNSSL {{ iface_config.dnssl | join(" ") }} {
 };
 {% endif %}
 };
 |
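Review bot: `AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }};` sits inside an `{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %}` guard, so the `else 'off'` branch can never be taken and the line always renders `on`; either simplify it to `AdvManagedFlag on;` (radvd's default when the option is omitted is off, I believe — confirm) or drop the guard so `off` is written explicitly. The `iface_config.interval.max is defined` and `.min is defined` tests dereference `interval` before checking that it exists, so an interface with no `interval` node would raise a template error instead of falling back to radvd's defaults unless the Python side always populates it; `iface_config.interval is defined and iface_config.interval.max is defined` is the safer form. The new `RDNSS` and `DNSSL` blocks are emitted with empty bodies and therefore rely on radvd's default lifetimes, which is reasonable but worth a one-line comment such as `{# no explicit lifetime: radvd derives it from MaxRtrAdvInterval #}`.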