From ca12e0bc07ea31d1a6515c0352ae732cfc3674be Mon Sep 17 00:00:00 2001 From: Lucas Christian Date: Mon, 29 Jul 2024 23:22:05 -0700 Subject: T6617: T6618: vpn ipsec remote-access: fix profile generators (cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95) --- data/templates/ipsec/ios_profile.j2 | 9 ++++++++- data/templates/ipsec/windows_profile.j2 | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index 935acbf8e..966fad433 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -55,9 +55,11 @@ AuthenticationMethod Certificate +{% if authentication.client_mode.startswith("eap") %} ExtendedAuthEnabled 1 +{% endif %} IKESecurityAssociationParameters @@ -78,9 +80,14 @@ {{ esp_encryption.encryption }} IntegrityAlgorithm {{ esp_encryption.hash }} +{% if esp_encryption.pfs is vyos_defined %} DiffieHellmanGroup - {{ ike_encryption.dh_group }} + {{ esp_encryption.pfs }} +{% endif %} + + EnablePFS + {{ '1' if esp_encryption.pfs is vyos_defined else '0' }} {% if ca_certificates is vyos_defined %} diff --git a/data/templates/ipsec/windows_profile.j2 b/data/templates/ipsec/windows_profile.j2 index 8c26944be..b5042f987 100644 --- a/data/templates/ipsec/windows_profile.j2 +++ b/data/templates/ipsec/windows_profile.j2 
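Review bot: In the second hunk of ios_profile.j2, `esp_encryption.pfs is vyos_defined` only tests presence, so any value that is set renders `EnablePFS 1` and is written verbatim as the child-SA `DiffieHellmanGroup`. That would include a keyword meaning "off" or "same as IKE", if the CLI allows one. Apple's IKEv2 payload expects a numeric group in that key, so the template relies on the profile generator, which is not part of this 'data'-limited view, to have mapped the value already. I would record that contract next to the condition, for example `{# esp_encryption.pfs: numeric DH group already mapped by the generator; unset means PFS disabled #}`. The enclosing plist dict opens above the hunk and its markup is not legible here, so the placement of the new `EnablePFS` key could not be checked.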
@@ -1,4 +1,4 @@ Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2" -Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force +Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup {{ esp_encryption.pfs }} -DHGroup {{ ike_encryption.dh_group }} -PassThru -Force -- cgit v1.2.3
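Review bot: `-PfsGroup {{ esp_encryption.pfs }}` on the added Set-VpnConnectionIPsecConfiguration line is rendered unconditionally, while the iOS template in this same commit guards the same value with `is vyos_defined`, which suggests it can be unset. With no value the line becomes `-PfsGroup -DHGroup …`, the cmdlet fails, and the connection created by Add-VpnConnection on the line above keeps the Windows default IPsec proposals instead of the configured ones. Unless the generator (outside this view) always supplies a value, fall back explicitly with `-PfsGroup {{ esp_encryption.pfs if esp_encryption.pfs is vyos_defined else 'None' }}`. The new `-DHGroup {{ ike_encryption.dh_group }}` also drops the quoted `Group` prefix, so it now depends on the generator handing over a complete, validated enum name such as `Group14`.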