summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/frr/bgpd.frr.tmpl3
-rw-r--r--data/templates/ipsec/charon/dhcp.conf.tmpl10
-rw-r--r--data/templates/ipsec/charon/eap-radius.conf.tmpl115
-rw-r--r--data/templates/ipsec/ios_profile.tmpl20
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl2
-rw-r--r--data/templates/ipsec/windows_profile.tmpl4
-rw-r--r--data/templates/router-advert/radvd.conf.tmpl80
7 files changed, 178 insertions, 56 deletions
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl
index c21e7f234..aa297876b 100644
--- a/data/templates/frr/bgpd.frr.tmpl
+++ b/data/templates/frr/bgpd.frr.tmpl
@@ -65,6 +65,9 @@
{% if config.shutdown is defined %}
neighbor {{ neighbor }} shutdown
{% endif %}
+{% if config.solo is defined %}
+ neighbor {{ neighbor }} solo
+{% endif %}
{% if config.strict_capability_match is defined %}
neighbor {{ neighbor }} strict-capability-match
{% endif %}
diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl
index 96dfd7633..92774b275 100644
--- a/data/templates/ipsec/charon/dhcp.conf.tmpl
+++ b/data/templates/ipsec/charon/dhcp.conf.tmpl
@@ -1,11 +1,11 @@
dhcp {
load = yes
-{% if options is defined and options.remote_access is defined and options.remote_access.dhcp is defined %}
-{% if options.remote_access.dhcp.interface is defined %}
- interface = {{ options.remote_access.dhcp.interface }}
+{% if remote_access is defined and remote_access.dhcp is defined %}
+{% if remote_access.dhcp.interface is defined %}
+ interface = {{ remote_access.dhcp.interface }}
{% endif %}
-{% if options.remote_access.dhcp.server is defined %}
- server = {{ options.remote_access.dhcp.server }}
+{% if remote_access.dhcp.server is defined %}
+ server = {{ remote_access.dhcp.server }}
{% endif %}
{% endif %}
diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl
new file mode 100644
index 000000000..5ec35c988
--- /dev/null
+++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl
@@ -0,0 +1,115 @@
+eap-radius {
+ # Send RADIUS accounting information to RADIUS servers.
+ # accounting = no
+
+ # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+ # updates.
+ # accounting_close_on_timeout = yes
+
+ # Interval in seconds for interim RADIUS accounting updates, if not
+ # specified by the RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
+ # If enabled, accounting is disabled unless an IKE_SA has at least one
+ # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
+ # accounting_requires_vip = no
+
+ # If enabled, adds the Class attributes received in Access-Accept message to
+ # the RADIUS accounting messages.
+ # accounting_send_class = no
+
+ # Use class attributes in Access-Accept messages as group membership
+ # information.
+ # class_group = no
+
+ # Closes all IKE_SAs if communication with the RADIUS server times out. If
+ # it is not set only the current IKE_SA is closed.
+ # close_all_on_timeout = no
+
+ # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+ # eap_start = no
+
+ # Use filter_id attribute as group membership information.
+ # filter_id = no
+
+ # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ # EAP method.
+ # id_prefix =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # NAS-Identifier to include in RADIUS messages.
+ nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }}
+
+ # Port of RADIUS server (authentication).
+ # port = 1812
+
+ # Base to use for calculating exponential back off.
+ # retransmit_base = 1.4
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 2.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 4
+
+ # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ # permissions of the config file accordingly.
+ # secret =
+
+ # IP/Hostname of RADIUS server.
+ # server =
+
+ # Number of sockets (ports) to use, increase for high load.
+ # sockets = 1
+
+ # Whether to include the UDP port in the Called- and Calling-Station-Id
+ # RADIUS attributes.
+ # station_id_with_port = yes
+
+ dae {
+ # Enables support for the Dynamic Authorization Extension (RFC 5176).
+ # enable = no
+
+ # Address to listen for DAE messages from the RADIUS server.
+ # listen = 0.0.0.0
+
+ # Port to listen for DAE requests.
+ # port = 3799
+
+ # Shared secret used to verify/sign DAE messages. If set, make sure to
+ # adjust the permissions of the config file accordingly.
+ # secret =
+ }
+
+ forward {
+ # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+ # ike_to_radius =
+
+ # Same as ike_to_radius but from RADIUS to IKEv2.
+ # radius_to_ike =
+ }
+
+ # Section to specify multiple RADIUS servers.
+ servers {
+{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %}
+{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %}
+ {{ server | replace('.', '-') }} {
+ address = {{ server }}
+ secret = {{ server_options.key }}
+ auth_port = {{ server_options.port }}
+{% if server_options.disable_accounting is not defined %}
+ acct_port = {{ server_options.port | int +1 }}
+{% endif %}
+ sockets = 20
+ }
+{% endfor %}
+{% endif %}
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+ }
+}
diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl
index 49e8b0992..af6c79d6e 100644
--- a/data/templates/ipsec/ios_profile.tmpl
+++ b/data/templates/ipsec/ios_profile.tmpl
@@ -58,35 +58,29 @@
<!-- The client uses EAP to authenticate -->
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
-{% if ike_proposal is defined and ike_proposal is not none %}
<!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
<key>IKESecurityAssociationParameters</key>
-{% for ike, ike_config in ike_proposal.items() %}
<dict>
<!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm -->
<key>EncryptionAlgorithm</key>
- <string>{{ ike_config.encryption | upper }}</string>
+ <string>{{ ike_encryption.encryption }}</string>
<!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm -->
<key>IntegrityAlgorithm</key>
- <string>{{ ike_config.hash | upper }}</string>
+ <string>{{ ike_encryption.hash }}</string>
<!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup -->
<key>DiffieHellmanGroup</key>
- <integer>{{ ike_config.dh_group | upper }}
+ <integer>{{ ike_encryption.dh_group }}</integer>
</dict>
-{% endfor %}
-{% endif %}
-{% if esp_proposal is defined and esp_proposal is not none %}
<key>ChildSecurityAssociationParameters</key>
-{% for esp, esp_config in esp_proposal.items() %}
<dict>
<key>EncryptionAlgorithm</key>
- <string>{{ esp_config.encryption | upper }}</string>
+ <string>{{ esp_encryption.encryption }}</string>
<key>IntegrityAlgorithm</key>
- <string>{{ esp_config.hash | upper }}</string>
+ <string>{{ esp_encryption.hash }}</string>
+ <key>DiffieHellmanGroup</key>
+ <integer>{{ ike_encryption.dh_group }}</integer>
</dict>
-{% endfor %}
-{% endif %}
</dict>
</dict>
<!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 8e46e8892..32ead9e60 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -54,7 +54,7 @@
}
children {
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
-{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
+{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
local_ts = 0.0.0.0/0,::/0
diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.tmpl
new file mode 100644
index 000000000..8c26944be
--- /dev/null
+++ b/data/templates/ipsec/windows_profile.tmpl
@@ -0,0 +1,4 @@
+Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru
+
+Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2"
+Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force
diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl
index 9cc237512..88d066491 100644
--- a/data/templates/router-advert/radvd.conf.tmpl
+++ b/data/templates/router-advert/radvd.conf.tmpl
@@ -1,58 +1,64 @@
### Autogenerated by service_router-advert.py ###
{% if interface is defined and interface is not none %}
-{% for iface in interface %}
+{% for iface, iface_config in interface.items() %}
interface {{ iface }} {
IgnoreIfMissing on;
-{% if interface[iface].default_preference is defined and interface[iface].default_preference is not none %}
- AdvDefaultPreference {{ interface[iface].default_preference }};
+{% if iface_config.default_preference is defined and iface_config.default_preference is not none %}
+ AdvDefaultPreference {{ iface_config.default_preference }};
{% endif %}
-{% if interface[iface].managed_flag is defined and interface[iface].managed_flag is not none %}
- AdvManagedFlag {{ 'on' if interface[iface].managed_flag is defined else 'off' }};
+{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %}
+ AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }};
{% endif %}
-{% if interface[iface].interval.max is defined and interface[iface].interval.max is not none %}
- MaxRtrAdvInterval {{ interface[iface].interval.max }};
+{% if iface_config.interval.max is defined and iface_config.interval.max is not none %}
+ MaxRtrAdvInterval {{ iface_config.interval.max }};
{% endif %}
-{% if interface[iface].interval.min is defined and interface[iface].interval.min is not none %}
- MinRtrAdvInterval {{ interface[iface].interval.min }};
+{% if iface_config.interval.min is defined and iface_config.interval.min is not none %}
+ MinRtrAdvInterval {{ iface_config.interval.min }};
{% endif %}
-{% if interface[iface].reachable_time is defined and interface[iface].reachable_time is not none %}
- AdvReachableTime {{ interface[iface].reachable_time }};
+{% if iface_config.reachable_time is defined and iface_config.reachable_time is not none %}
+ AdvReachableTime {{ iface_config.reachable_time }};
{% endif %}
- AdvIntervalOpt {{ 'off' if interface[iface].no_send_advert is defined else 'on' }};
- AdvSendAdvert {{ 'off' if interface[iface].no_send_advert is defined else 'on' }};
-{% if interface[iface].default_lifetime is defined %}
- AdvDefaultLifetime {{ interface[iface].default_lifetime }};
-{% endif %}
-{% if interface[iface].link_mtu is defined %}
- AdvLinkMTU {{ interface[iface].link_mtu }};
-{% endif %}
- AdvOtherConfigFlag {{ 'on' if interface[iface].other_config_flag is defined else 'off' }};
- AdvRetransTimer {{ interface[iface].retrans_timer }};
- AdvCurHopLimit {{ interface[iface].hop_limit }};
-{% if interface[iface].route is defined %}
-{% for route in interface[iface].route %}
+ AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is defined else 'on' }};
+ AdvSendAdvert {{ 'off' if iface_config.no_send_advert is defined else 'on' }};
+{% if iface_config.default_lifetime is defined %}
+ AdvDefaultLifetime {{ iface_config.default_lifetime }};
+{% endif %}
+{% if iface_config.link_mtu is defined %}
+ AdvLinkMTU {{ iface_config.link_mtu }};
+{% endif %}
+ AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is defined else 'off' }};
+ AdvRetransTimer {{ iface_config.retrans_timer }};
+ AdvCurHopLimit {{ iface_config.hop_limit }};
+{% if iface_config.route is defined %}
+{% for route, route_options in iface_config.route.items() %}
route {{ route }} {
-{% if interface[iface].route[route].valid_lifetime is defined %}
- AdvRouteLifetime {{ interface[iface].route[route].valid_lifetime }};
+{% if route_options.valid_lifetime is defined %}
+ AdvRouteLifetime {{ route_options.valid_lifetime }};
{% endif %}
-{% if interface[iface].route[route].route_preference is defined %}
- AdvRoutePreference {{ interface[iface].route[route].route_preference }};
+{% if route_options.route_preference is defined %}
+ AdvRoutePreference {{ route_options.route_preference }};
{% endif %}
- RemoveRoute {{ 'off' if interface[iface].route[route].no_remove_route is defined else 'on' }};
+ RemoveRoute {{ 'off' if route_options.no_remove_route is defined else 'on' }};
};
{% endfor %}
{% endif %}
-{% for prefix in interface[iface].prefix %}
+{% if iface_config.prefix is defined and iface_config.prefix is not none %}
+{% for prefix, prefix_options in iface_config.prefix.items() %}
prefix {{ prefix }} {
- AdvAutonomous {{ 'off' if interface[iface].prefix[prefix].no_autonomous_flag is defined else 'on' }};
- AdvValidLifetime {{ interface[iface].prefix[prefix].valid_lifetime }};
- AdvOnLink {{ 'off' if interface[iface].prefix[prefix].no_on_link_flag is defined else 'on' }};
- AdvPreferredLifetime {{ interface[iface].prefix[prefix].preferred_lifetime }};
+ AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is defined else 'on' }};
+ AdvValidLifetime {{ prefix_options.valid_lifetime }};
+ AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is defined else 'on' }};
+ AdvPreferredLifetime {{ prefix_options.preferred_lifetime }};
+ };
+{% endfor %}
+{% endif %}
+{% if iface_config.name_server is defined %}
+ RDNSS {{ iface_config.name_server | join(" ") }} {
};
-{% endfor %}
-{% if interface[iface].name_server is defined %}
- RDNSS {{ interface[iface].name_server | join(" ") }} {
+{% endif %}
+{% if iface_config.dnssl is defined %}
+ DNSSL {{ iface_config.dnssl | join(" ") }} {
};
{% endif %}
};