1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}
connections {
{% if profile is defined %}
{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if remote_access is defined and remote_access is not none %}
{% for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{% endfor %}
{% endif %}
{% if l2tp %}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}
pools {
{% if remote_access is defined %}
{% for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %}
ra-{{ ra }} {
addrs = {{ ra_conf.pool.prefix }}
dns = {{ ra_conf.pool.name_server | join(",") }}
{% if ra_conf.pool.exclude is defined %}
split_exclude = {{ ra_conf.pool.exclude | join(",") }}
{% endif %}
}
{% endfor %}
{% endif %}
}
secrets {
{% if profile is defined %}
{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
secret = {{ profile_conf.authentication.pre_shared_secret }}
}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{% set peer_name = peer.replace(".", "-").replace("@", "") %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
ike_{{ peer_name }} {
{% if peer_conf.local_address is defined %}
id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{% endif %}
id-remote = {{ peer }}
{% if peer_conf.authentication.id is defined %}
id-localid = {{ peer_conf.authentication.id }}
{% endif %}
{% if peer_conf.authentication.remote_id is defined %}
id-remoteid = {{ peer_conf.authentication.remote_id }}
{% endif %}
secret = "{{ peer_conf.authentication.pre_shared_secret }}"
}
{% elif peer_conf.authentication.mode == 'x509' %}
private_{{ peer_name }} {
file = {{ peer_conf.authentication.x509.certificate }}.pem
{% if peer_conf.authentication.x509.passphrase is defined %}
secret = "{{ peer_conf.authentication.x509.passphrase }}"
{% endif %}
}
{% elif peer_conf.authentication.mode == 'rsa' %}
rsa_{{ peer_name }}_local {
file = {{ peer_conf.authentication.rsa.local_key }}.pem
{% if peer_conf.authentication.rsa.passphrase is defined %}
secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{% endif %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if remote_access is defined %}
{% for ra, ra_conf in remote_access.items() if remote_access is defined %}
{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
ike_{{ ra }} {
{% if ra_conf.authentication.id is defined %}
id = "{{ ra_conf.authentication.id }}"
{% elif ra_conf.local_address is defined %}
id = "{{ ra_conf.local_address }}"
{% endif %}
secret = "{{ ra_conf.authentication.pre_shared_secret }}"
}
{% endif %}
{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
eap-{{ ra }}-{{ user }} {
secret = "{{ user_conf.password }}"
id-{{ ra }}-{{ user }} = "{{ user }}"
}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if l2tp %}
{% if l2tp.authentication.mode == 'pre-shared-secret' %}
ike_l2tp_remote_access {
id = "{{ l2tp_outside_address }}"
secret = "{{ l2tp.authentication.pre_shared_secret }}"
}
{% elif l2tp.authentication.mode == 'x509' %}
private_l2tp_remote_access {
id = "{{ l2tp_outside_address }}"
file = {{ l2tp.authentication.x509.certificate }}.pem
{% if l2tp.authentication.x509.passphrase is defined %}
secret = "{{ l2tp.authentication.x509.passphrase }}"
{% endif %}
}
{% endif %}
{% endif %}
}
|