### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}

connections {
{# Each conn() macro used below is defined in the ipsec/swanctl/*.tmpl files imported at the top of this template (not shown here). #}
{# Profiles (the 'ike-dmvpn-*' secrets below belong to these): only enabled profiles bound to at least one tunnel interface produce a connection. #}
{% if profile is defined %}
{%   for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{{     profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{# Site-to-site peers: disabled peers, and peers listed in dhcp_no_address (supplied by the caller), are skipped. #}
{% if site_to_site is defined and site_to_site.peer is defined %}
{%   for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{%   endfor %}
{%  endif %}
{# Remote-access (road-warrior) connections. NOTE(review): the 'is not none' check presumably covers an empty remote-access node; the pools and secrets sections below do not carry the same guard. #}
{% if remote_access is defined and remote_access is not none %}
{%   for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{# L2TP/IPsec remote access, rendered only when the l2tp context is truthy. #}
{% if l2tp %}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}

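pools {
{# Virtual-IP pools for remote-access connections, one swanctl pool per configured prefix. Entries flagged dhcp_enable are skipped here (presumably served by DHCP elsewhere). #}
{# 'is not none' mirrors the guard in the connections section: an empty remote-access node would otherwise fail on .items(). #}
{%  if remote_access is defined and remote_access is not none %}
{#  The pool node is checked before dhcp_enable so that an entry without a pool is skipped instead of dereferencing an undefined value. #}
{%    for ra, ra_conf in remote_access.items() if ra_conf.pool is defined and ra_conf.pool.dhcp_enable is not defined %}
{%      if ra_conf.pool.prefix is defined %}
{#        NOTE(review): the pool name carries only the address family, so a second IPv4 (or IPv6) prefix would render a second section with the same name — confirm the caller limits prefixes to one per family. #}
{%        for prefix in ra_conf.pool.prefix %}
{%          if prefix | is_ipv4 %}
    ra-{{ ra }}-ipv4 {
        addrs = {{ prefix }}
{%            if ra_conf.pool.name_server_v4 is defined and ra_conf.pool.name_server_v4 is not none %}
        dns = {{ ra_conf.pool.name_server_v4 | join(',') }}
{%            endif %}
{%            if ra_conf.pool.exclude_v4 is defined and ra_conf.pool.exclude_v4 is not none %}
        split_exclude = {{ ra_conf.pool.exclude_v4 | join(',') }}
{%            endif %}
    }
{%          elif prefix | is_ipv6 %}
    ra-{{ ra }}-ipv6 {
        addrs = {{ prefix }}
{%            if ra_conf.pool.name_server_v6 is defined and ra_conf.pool.name_server_v6 is not none %}
        dns = {{ ra_conf.pool.name_server_v6 | join(',') }}
{%            endif %}
{%            if ra_conf.pool.exclude_v6 is defined and ra_conf.pool.exclude_v6 is not none %}
        split_exclude = {{ ra_conf.pool.exclude_v6 | join(',') }}
{%            endif %}
    }
{%          endif %}
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
}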

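secrets {
{# Every value in this section (pre-shared keys, private-key passphrases, EAP passwords) is rendered in cleartext. Nothing in this template restricts access to the rendered file; ownership and mode are the caller's responsibility. #}
{# Secret values are double-quoted so that whitespace or a '#' in a user-supplied value cannot truncate the line or be parsed as a swanctl.conf comment. NOTE(review): a value containing a double quote itself would still need escaping by the caller. #}
{%  if profile is defined %}
{%    for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{%      if profile_conf.authentication.mode == 'pre-shared-secret' %}
{#        One IKE secret per bound tunnel interface. The PSK is quoted like every other secret in this file (it was the only unquoted one). #}
{%        for interface in profile_conf.bind.tunnel %}
    ike-dmvpn-{{ interface }} {
        secret = "{{ profile_conf.authentication.pre_shared_secret }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if site_to_site is defined and site_to_site.peer is defined %}
{#  Same peer filter as the connections section, so no secret is written for a peer that has no connection. #}
{%    for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{#      Section names must be plain identifiers: dots and '@' are stripped from the peer key. #}
{%      set peer_name = peer.replace(".", "-").replace("@", "") %}
{%      if peer_conf.authentication.mode == 'pre-shared-secret' %}
    ike_{{ peer_name }} {
{%        if peer_conf.local_address is defined %}
{#          The trailing '# dhcp:' marker is a swanctl.conf comment; presumably read back by vpn_ipsec.py, so it is kept verbatim. #}
        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{%        endif %}
        id-remote = {{ peer }}
{%        if peer_conf.authentication.id is defined %}
        id-localid = {{ peer_conf.authentication.id }}
{%        endif %}
{%        if peer_conf.authentication.remote_id is defined %}
        id-remoteid = {{ peer_conf.authentication.remote_id }}
{%        endif %}
        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
    }
{%      elif peer_conf.authentication.mode == 'x509' %}
{#      Private key for certificate authentication; 'secret' is the key passphrase, emitted only when configured. #}
    private_{{ peer_name }} {
        file = {{ peer_conf.authentication.x509.certificate }}.pem
{%        if peer_conf.authentication.x509.passphrase is defined %}
        secret = "{{ peer_conf.authentication.x509.passphrase }}"
{%        endif %}
    }
{%      elif peer_conf.authentication.mode == 'rsa' %}
    rsa_{{ peer_name }}_local {
        file = {{ peer_conf.authentication.rsa.local_key }}.pem
{%        if peer_conf.authentication.rsa.passphrase is defined %}
        secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{%        endif %}
    }
{%      endif %}
{%    endfor %}
{%  endif %}
{#  'is not none' and the disable filter mirror the connections section: a disabled remote-access entry renders no connection, so its PSK and EAP secrets are not loaded either. #}
{%  if remote_access is defined and remote_access is not none %}
{%    for ra, ra_conf in remote_access.items() if ra_conf.disable is not defined %}
{%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
    ike_{{ ra }} {
{#        The secret is bound to the configured identity, falling back to the local address when no explicit id is set. #}
{%        if ra_conf.authentication.id is defined %}
        id = "{{ ra_conf.authentication.id }}"
{%        elif ra_conf.local_address is defined %}
        id = "{{ ra_conf.local_address }}"
{%        endif %}
        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
    }
{%      endif %}
{#      EAP-MSCHAPv2 local users: one secret per enabled user, keyed by the user name. #}
{%      if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
{%        for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
    eap-{{ ra }}-{{ user }} {
        secret = "{{ user_conf.password }}"
        id-{{ ra }}-{{ user }} = "{{ user }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if l2tp %}
{%    if l2tp.authentication.mode == 'pre-shared-secret' %}
    ike_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        secret = "{{ l2tp.authentication.pre_shared_secret }}"
    }
{%    elif l2tp.authentication.mode == 'x509' %}
    private_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        file = {{ l2tp.authentication.x509.certificate }}.pem
{%      if l2tp.authentication.x509.passphrase is defined %}
        secret = "{{ l2tp.authentication.x509.passphrase }}"
{%      endif %}
    }
{%    endif %}
{%  endif %}
}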