1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %}
connections {
{% if profile is vyos_defined %}
{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if site_to_site.peer is vyos_defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if remote_access.connection is vyos_defined %}
{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if l2tp %}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}
pools {
{% if remote_access.pool is vyos_defined %}
{% for pool, pool_config in remote_access.pool.items() %}
{{ pool }} {
{% if pool_config.prefix is vyos_defined %}
addrs = {{ pool_config.prefix }}
{% elif pool_config.range is vyos_defined %}
addrs = {{ pool_config.range.start }}-{{ pool_config.range.stop }}
{% endif %}
{% if pool_config.name_server is vyos_defined %}
dns = {{ pool_config.name_server | join(',') }}
{% endif %}
{% if pool_config.exclude is vyos_defined %}
split_exclude = {{ pool_config.exclude | join(',') }}
{% endif %}
}
{% endfor %}
{% endif %}
}
secrets {
{% if profile is vyos_defined %}
{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %}
{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
secret = {{ profile_conf.authentication.pre_shared_secret }}
}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if site_to_site.peer is vyos_defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %}
{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
{% if peer_conf.authentication.mode is vyos_defined('x509') %}
private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is vyos_defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
{% endif %}
}
{% elif peer_conf.authentication.mode is vyos_defined('rsa') %}
rsa_{{ peer_name }}_local {
file = {{ peer_conf.authentication.rsa.local_key }}.pem
{% if peer_conf.authentication.rsa.passphrase is vyos_defined %}
secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{% endif %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if authentication.psk is vyos_defined %}
{% for psk, psk_config in authentication.psk.items() %}
ike-{{ psk }} {
{% if psk_config.id is vyos_defined %}
# ID's from auth psk <tag> id xxx
{% for id in psk_config.id %}
{% set gen_uuid = '' | generate_uuid4 %}
id-{{ gen_uuid }} = "{{ id }}"
{% endfor %}
{% endif %}
{% if psk_config.secret_type is vyos_defined('base64') %}
secret = 0s{{ psk_config.secret }}
{% elif psk_config.secret_type is vyos_defined('plaintext') %}
secret = "{{ psk_config.secret }}"
{% endif %}
}
{% endfor %}
{% endif %}
{% if remote_access.connection is vyos_defined %}
{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %}
{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %}
ike_{{ ra }} {
{% if ra_conf.authentication.local_id is vyos_defined %}
id = "{{ ra_conf.authentication.local_id }}"
{% elif ra_conf.local_address is vyos_defined %}
id = "{{ ra_conf.local_address }}"
{% endif %}
secret = "{{ ra_conf.authentication.pre_shared_secret }}"
}
{% endif %}
{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %}
{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %}
eap-{{ ra }}-{{ user }} {
secret = "{{ user_conf.password }}"
id-{{ ra }}-{{ user }} = "{{ user }}"
}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if l2tp %}
{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %}
ike_l2tp_remote_access {
id = "{{ l2tp_outside_address }}"
secret = "{{ l2tp.authentication.pre_shared_secret }}"
}
{% elif l2tp.authentication.mode is vyos_defined('x509') %}
private_l2tp_remote_access {
id = "{{ l2tp_outside_address }}"
file = {{ l2tp.authentication.x509.certificate }}.pem
{% if l2tp.authentication.x509.passphrase is vyos_defined %}
secret = "{{ l2tp.authentication.x509.passphrase }}"
{% endif %}
}
{% endif %}
{% endif %}
}
|