### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}

connections {
{% if profile is defined %}
{%   for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{{     profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{%   for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{%   endfor %}
{%  endif %}
{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %}
{%   for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{% if l2tp %}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}

pools {
{%  if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %}
{%    for pool, pool_config in remote_access.pool.items() %}
    {{ pool }} {
{%      if pool_config.prefix is defined and pool_config.prefix is not none %}
        addrs = {{ pool_config.prefix }}
{%      endif %}
{%      if pool_config.name_server is defined and pool_config.name_server is not none %}
        dns = {{ pool_config.name_server | join(',') }}
{%      endif %}
{%      if pool_config.exclude is defined and pool_config.exclude is not none %}
        split_exclude = {{ pool_config.exclude | join(',') }}
{%      endif %}
    }
{%    endfor %}
{%  endif %}
}

secrets {
{%  if profile is defined %}
{%    for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{%      if profile_conf.authentication.mode == 'pre-shared-secret' %}
{%        for interface in profile_conf.bind.tunnel %}
    ike-dmvpn-{{ interface }} {
        secret = {{ profile_conf.authentication.pre_shared_secret }}
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if site_to_site is defined and site_to_site.peer is defined %}
{%    for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{%      set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
{%      if peer_conf.authentication.mode == 'pre-shared-secret' %}
    ike_{{ peer_name }} {
{%        if peer_conf.local_address is defined %}
        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{%        endif %}
        id-remote = {{ peer }}
{%        if peer_conf.authentication.id is defined %}
        id-localid = {{ peer_conf.authentication.id }}
{%        endif %}
{%        if peer_conf.authentication.remote_id is defined %}
        id-remoteid = {{ peer_conf.authentication.remote_id }}
{%        endif %}
        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
    }
{%      elif peer_conf.authentication.mode == 'x509' %}
    private_{{ peer_name }} {
        file = {{ peer_conf.authentication.x509.certificate }}.pem
{%        if peer_conf.authentication.x509.passphrase is defined %}
        secret = "{{ peer_conf.authentication.x509.passphrase }}"
{%        endif %}
    }
{%      elif peer_conf.authentication.mode == 'rsa' %}
    rsa_{{ peer_name }}_local {
        file = {{ peer_conf.authentication.rsa.local_key }}.pem
{%        if peer_conf.authentication.rsa.passphrase is defined %}
        secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{%        endif %}
    }
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %}
{%    for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %}
{%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
    ike_{{ ra }} {
{%        if ra_conf.authentication.id is defined %}
        id = "{{ ra_conf.authentication.id }}"
{%        elif ra_conf.local_address is defined %}
        id = "{{ ra_conf.local_address }}"
{%        endif %}
        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
    }
{%      endif %}
{%      if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
{%        for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
    eap-{{ ra }}-{{ user }} {
        secret = "{{ user_conf.password }}"
        id-{{ ra }}-{{ user }} = "{{ user }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if l2tp %}
{%    if l2tp.authentication.mode == 'pre-shared-secret' %}
    ike_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        secret = "{{ l2tp.authentication.pre_shared_secret }}"
    }
{%    elif l2tp.authentication.mode == 'x509' %}
    private_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        file = {{ l2tp.authentication.x509.certificate }}.pem
{%      if l2tp.authentication.x509.passphrase is defined %}
        secret = "{{ l2tp.authentication.x509.passphrase }}"
{%      endif %}
    }
{%    endif %}
{%  endif %}
}