From 2aec3e61c9130e942cb766aa0e5f4acf900dc921 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sat, 3 Jul 2021 19:08:18 +0200
Subject: ipsec: T2816: provide x509 certificate base auth building blocks

---
 data/templates/ipsec/swanctl/peer.tmpl               |  2 +-
 .../include/ipsec/authentication-id.xml.i            | 11 +++++++++++
 .../include/ipsec/authentication-x509.xml.i          | 11 +++++++++++
 interface-definitions/vpn_ipsec.xml.in               | 20 ++------------------
 4 files changed, 25 insertions(+), 19 deletions(-)
 create mode 100644 interface-definitions/include/ipsec/authentication-id.xml.i
 create mode 100644 interface-definitions/include/ipsec/authentication-x509.xml.i

diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index b35cd4b60..4ace06701 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -31,7 +31,7 @@
         encap = yes
 {%   endif %}
         local {
-{%   if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{%   if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
             id = "{{ peer_conf.authentication.id }}"
 {%   endif %}
             auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i
new file mode 100644
index 000000000..4967782ec
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-id.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-id.xml.i -->
+<leafNode name="id">
+  <properties>
+    <help>ID for peer authentication</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>ID used for peer authentication</description>
+    </valueHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/authentication-x509.xml.i b/interface-definitions/include/ipsec/authentication-x509.xml.i
new file mode 100644
index 000000000..db675c0bf
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-x509.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-x509.xml.i -->
+<node name="x509">
+  <properties>
+    <help>X.509 certificate</help>
+  </properties>
+  <children>
+    #include <include/pki/certificate-key.xml.i>
+    #include <include/pki/ca-certificate.xml.i>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index c301703c3..ff60bb82f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -737,15 +737,8 @@
                       <help>Peer authentication [REQUIRED]</help>
                     </properties>
                     <children>
-                      <leafNode name="id">
-                        <properties>
-                          <help>ID for peer authentication</help>
-                          <valueHelp>
-                            <format>txt</format>
-                            <description>ID used for peer authentication</description>
-                          </valueHelp>
-                        </properties>
-                      </leafNode>
+                      #include <include/ipsec/authentication-id.xml.i>
+                      #include <include/ipsec/authentication-x509.xml.i>
                       <leafNode name="mode">
                         <properties>
                           <help>Authentication mode</help>
@@ -798,15 +791,6 @@
                           <valueless/>
                         </properties>
                       </leafNode>
-                      <node name="x509">
-                        <properties>
-                          <help>X.509 certificate</help>
-                        </properties>
-                        <children>
-                          #include <include/pki/certificate-key.xml.i>
-                          #include <include/pki/ca-certificate.xml.i>
-                        </children>
-                      </node>
                     </children>
                   </node>
                   <leafNode name="connection-type">
-- 
cgit v1.2.3