From 11b5636519b360074eb2877006f2d8d63d9f6610 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Mon, 14 Jun 2021 13:04:04 +0200 Subject: ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI. --- data/templates/ipsec/swanctl/peer.tmpl | 136 +++++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 data/templates/ipsec/swanctl/peer.tmpl (limited to 'data/templates/ipsec/swanctl/peer.tmpl') diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl new file mode 100644 index 000000000..0d01cd546 --- /dev/null +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -0,0 +1,136 @@ +{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type, marks) %} + peer_{{ name }} { + proposals = {{ ciphers.ike[peer_conf.ike_group] }} + version = {{ ike['key_exchange'][4:] if "key_exchange" in ike else "0" }} + local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} + remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} +{% if peer_conf.authentication.mode == 'x509' %} + send_cert = always +{% endif %} +{% if "dead_peer_detection" in ike %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} +{% if "key_exchange" in ike and ike.key_exchange == "ikev1" and "mode" in ike and ike.mode == "aggressive" %} + aggressive = yes +{% endif %} + mobike = {{ "yes" if "mobike" not in ike or ike.mobike == "enable" else "no" }} +{% if peer[0:1] == '@' %} + keyingtries = 0 + rekey_time = 0 + reauth_time = 0 +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + keyingtries = 0 +{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %} + keyingtries = 1 +{% endif %} +{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %} + encap = yes +{% endif %} + local { +{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %} + id = "{{ peer_conf.authentication.id }}" +{% endif %} +{% if auth_type %} + auth = {{ auth_type }} +{% endif %} +{% if peer_conf.authentication.mode == 'x509' %} + certs = {{ peer_conf.authentication.x509.cert_file }} +{% elif peer_conf.authentication.mode == 'rsa' %} + pubkeys = localhost.pub +{% endif %} + } + remote { +{% if peer_conf.authentication.remote_id is defined %} + id = "{{ peer_conf.authentication.remote_id }}" +{% elif peer[0:1] == '@' %} + id = "{{ peer }}" +{% endif %} +{% if auth_type %} + auth = {{ auth_type }} +{% endif %} +{% if peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub +{% endif %} + } + children { +{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} +{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %} + peer_{{ name }}_vti { + esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }} + local_ts = 0.0.0.0/0,::/0 + remote_ts = 0.0.0.0/0,::/0 + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" + mark_in = {{ marks[peer_conf.vti.bind] }} + mark_out = {{ marks[peer_conf.vti.bind] }} + ipcomp = {{ 'yes' if "compression" in vti_esp and vti_esp.compression == 'enable' else 'no' }} + mode = {{ vti_esp.mode if "mode" in vti_esp else "tunnel" }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + start_action = start +{% elif peer_conf.connection_type == 'respond' %} + start_action = trap +{% endif %} +{% if "dead_peer_detection" in ike %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} + } +{% endif %} +{% if peer_conf.tunnel is defined %} +{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} +{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %} +{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} +{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} + peer_{{ name }}_tunnel_{{ tunnel_id }} { + esp_proposals = {{ ciphers.esp[tunnel_esp_name] }} +{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} +{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} +{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} +{% endif %} +{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %} +{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} + remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} + local_ts = {{ peer_conf.local_address }}{{ local_suffix }} + remote_ts = {{ peer }}{{ remote_suffix }} +{% endif %} + ipcomp = {{ 'yes' if "compression" in tunnel_esp and tunnel_esp.compression == 'enable' else 'no' }} + mode = {{ tunnel_esp.mode if "mode" in tunnel_esp else "tunnel" }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + start_action = start +{% elif peer_conf.connection_type == 'respond' %} + start_action = trap +{% endif %} +{% if "dead_peer_detection" in ike %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} +{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" + mark_in = {{ marks[peer_conf.vti.bind] }} + mark_out = {{ marks[peer_conf.vti.bind] }} +{% endif %} + } +{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %} + peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough { + local_ts = {{ tunnel_conf.passthrough | join(",") }} + remote_ts = {{ tunnel_conf.passthrough | join(",") }} + start_action = trap + mode = pass + } +{% endif %} +{% endfor %} +{% endif %} + } + } +{% endmacro %} -- cgit v1.2.3