From 11b5636519b360074eb2877006f2d8d63d9f6610 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Mon, 14 Jun 2021 13:04:04 +0200 Subject: ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI. --- data/templates/ipsec/ipsec.conf.tmpl | 104 ----------------------------------- 1 file changed, 104 deletions(-) (limited to 'data/templates/ipsec/ipsec.conf.tmpl') diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index 18f6c0988..6550ea419 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -1,113 +1,9 @@ # Created by VyOS - manual changes will be overwritten -{% import 'ipsec/ike-esp.tmpl' as ike_esp %} - config setup charondebug = "{{ charondebug }}" uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_index = loop.index %} -{% set peer_ike = ike_group[peer_conf.ike_group] %} -{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %} -conn peer-{{ peer }} -{% if peer_conf.authentication.mode in authby %} - authby = {{ authby[peer_conf.authentication.mode] }} -{% endif %} -{% if peer_conf.authentication.mode == 'x509' %} -{% set cert_file = peer_conf.authentication.x509.cert_file %} - leftcert = {{ cert_file if cert_file.startswith(x509_path) else (x509_path + cert_file) }} - leftsendcert = always - rightca = %same -{% elif peer_conf.authentication.mode == 'rsa' %} - leftsigkey = localhost.pub - rightsigkey = {{ peer_conf.authentication.rsa_key_name }}.pub -{% endif %} - left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} -{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %} - leftid = "{{ peer_conf.authentication.id }}" -{% endif %} - right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }} -{% if peer_conf.authentication.remote_id is defined %} - rightid = "{{ peer_conf.authentication.remote_id }}" -{% elif peer[0:1] == '@' %} - rightid = "{{ peer }}" -{% endif %} - keylife = 3600s - rekeymargin = 540s -{{ ike_esp.conn(peer_ike, ciphers.ike[peer_conf.ike_group], peer_esp, ciphers.esp[peer_conf.default_esp_group] if peer_esp else None) }} -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} -{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %} -conn peer-{{ peer }}-vti - also = peer-{{ peer }} - leftsubnet = 0.0.0.0/0 - leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" - rightsubnet = 0.0.0.0/0 - mark = {{ marks[peer_conf.vti.bind] }} -{{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }} -{% if peer[0:1] == '@' %} - rekey = no - auto = add - keyingtries = %forever -{% else %} -{% if peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} - auto = start - keyingtries = %forever -{% elif peer_conf.connection_type == 'respond' %} - auto = route - keyingtries = 1 -{% endif %} -{% endif %} -{% elif peer_conf.tunnel is defined %} -{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} -{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %} -{% set tunnel_esp = esp_group[tunnel_esp_name] %} -{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %} -conn peer-{{ peer }}-tunnel-{{tunnel_id}} - also = peer-{{ peer }} -{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} -{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} - leftsubnet = {{ tunnel_conf.local.prefix if tunnel_conf.local.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.local.port if "port" in tunnel_conf.local else '%any' }}] -{% endif %} -{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %} - rightsubnet = {{ tunnel_conf.remote.prefix if tunnel_conf.remote.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.remote.port if "port" in tunnel_conf.remote else '%any' }}] -{% endif %} -{% elif tunnel_esp.mode == 'transport' %} - leftsubnet = {{ peer_conf.local_address }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}] - rightsubnet = {{ peer }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}] -{% endif %} -{% if tunnel_conf.esp_group is defined %} -{{ ike_esp.conn(None, None, tunnel_esp, ciphers.esp[tunnel_esp_name]) }} -{% endif %} -{% if peer[0:1] == '@' %} - rekey = no - auto = add - keyingtries = %forever -{% else %} -{% if peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} - auto = start - keyingtries = %forever -{% elif peer_conf.connection_type == 'respond' %} - auto = route - keyingtries = 1 -{% endif %} -{% endif %} -{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough is not none %} -conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough - left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} - right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }} - leftsubnet = {{ tunnel_conf.local.prefix }} - rightsubnet = {{ tunnel_conf.local.prefix }} - type = passthrough - authby = never - auto = route -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} - {% if include_ipsec_conf is defined %} include {{ include_ipsec_conf }} {% endif %} -- cgit v1.2.3