path: root/data/templates/ipsec/swanctl.conf.tmpl
blob: 68b10836550161ca4ddc46204036b7f9fb1efd18 (plain)
### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %}
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}

{# connections: one swanctl connection entry per enabled profile that is bound to a #}
{# tunnel, per enabled site-to-site peer, per enabled remote-access connection, and #}
{# one L2TP connection when l2tp is set. The entries themselves come from the macros #}
{# imported at the top of this template; only the selection logic lives here. #}
connections {
{% if profile is defined %}
{#   A profile only becomes a connection when it has no 'disable' node and a bind.tunnel list. #}
{%   for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{{     profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{#   Peers named in dhcp_no_address are skipped entirely; presumably these are peers whose #}
{#   DHCP-bound local address is not known yet (the list is supplied by vpn_ipsec.py - confirm). #}
{%   for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{%   endfor %}
{%  endif %}
{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %}
{%   for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{% if l2tp %}
{#   L2TP/IPsec gets a single connection keyed on the outside address plus the default IKE/ESP groups passed in by the caller. #}
{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }}
{% endif %}
}

{# pools: virtual-IP pools handed to remote-access clients. Each configured pool emits #}
{# its prefix as 'addrs'; name_server and exclude are lists and are joined with commas. #}
pools {
{%  if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %}
{%    for pool, pool_config in remote_access.pool.items() %}
    {{ pool }} {
{%      if pool_config.prefix is defined and pool_config.prefix is not none %}
        addrs = {{ pool_config.prefix }}
{%      endif %}
{%      if pool_config.name_server is defined and pool_config.name_server is not none %}
        dns = {{ pool_config.name_server | join(',') }}
{%      endif %}
{%      if pool_config.exclude is defined and pool_config.exclude is not none %}
        split_exclude = {{ pool_config.exclude | join(',') }}
{%      endif %}
    }
{%    endfor %}
{%  endif %}
}

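{# secrets: every value rendered in this section is a credential (pre-shared key, private-key #}
{# passphrase or EAP password) written in cleartext. Ownership and mode of the rendered file #}
{# are decided by vpn_ipsec.py, not by this template. #}
{# NOTE(review): credentials are interpolated without any escaping filter; a double quote or #}
{# backslash inside a quoted value would still need escaping for the swanctl.conf parser. #}
secrets {
{%  if profile is defined %}
{%    for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{%      if profile_conf.authentication.mode == 'pre-shared-secret' %}
{#        One ike-dmvpn-<interface> entry per tunnel interface the profile is bound to. #}
{%        for interface in profile_conf.bind.tunnel %}
    ike-dmvpn-{{ interface }} {
{#        Quoted like the other pre-shared-secret entries below, so that whitespace or a '#' in the key does not cut the value short. #}
        secret = "{{ profile_conf.authentication.pre_shared_secret }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if site_to_site is defined and site_to_site.peer is defined %}
{%    for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{#      Peer identifiers may contain '@', '.' or ':'; they are normalised into a section-name-safe form. #}
{%      set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
{%      if peer_conf.authentication.mode == 'pre-shared-secret' %}
    ike_{{ peer_name }} {
{%        if peer_conf.local_address is defined %}
{#        The trailing '# dhcp:' marker is a comment to swanctl; it looks like vpn_ipsec.py reads it back to find DHCP-bound peers - confirm. #}
        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{%        endif %}
        id-remote = {{ peer }}
{%        if peer_conf.authentication.id is defined %}
        id-localid = {{ peer_conf.authentication.id }}
{%        endif %}
{%        if peer_conf.authentication.remote_id is defined %}
        id-remoteid = {{ peer_conf.authentication.remote_id }}
{%        endif %}
        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
    }
{%      elif peer_conf.authentication.mode == 'x509' %}
{#      x509 and rsa entries only carry a secret when a key passphrase is configured. #}
    private_{{ peer_name }} {
        file = {{ peer_conf.authentication.x509.certificate }}.pem
{%        if peer_conf.authentication.x509.passphrase is defined %}
        secret = "{{ peer_conf.authentication.x509.passphrase }}"
{%        endif %}
    }
{%      elif peer_conf.authentication.mode == 'rsa' %}
    rsa_{{ peer_name }}_local {
        file = {{ peer_conf.authentication.rsa.local_key }}.pem
{%        if peer_conf.authentication.rsa.passphrase is defined %}
        secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{%        endif %}
    }
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %}
{%    for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %}
{%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
    ike_{{ ra }} {
{#        The server identity prefers the explicit authentication id and falls back to the local address. #}
{%        if ra_conf.authentication.id is defined %}
        id = "{{ ra_conf.authentication.id }}"
{%        elif ra_conf.local_address is defined %}
        id = "{{ ra_conf.local_address }}"
{%        endif %}
        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
    }
{%      endif %}
{#      EAP-MSCHAPv2 local users: one eap-<connection>-<user> entry per enabled user, password in cleartext. #}
{%      if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
{%        for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
    eap-{{ ra }}-{{ user }} {
        secret = "{{ user_conf.password }}"
        id-{{ ra }}-{{ user }} = "{{ user }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if l2tp %}
{%    if l2tp.authentication.mode == 'pre-shared-secret' %}
    ike_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        secret = "{{ l2tp.authentication.pre_shared_secret }}"
    }
{%    elif l2tp.authentication.mode == 'x509' %}
    private_l2tp_remote_access {
        id = "{{ l2tp_outside_address }}"
        file = {{ l2tp.authentication.x509.certificate }}.pem
{%      if l2tp.authentication.x509.passphrase is defined %}
        secret = "{{ l2tp.authentication.x509.passphrase }}"
{%      endif %}
    }
{%    endif %}
{%  endif %}
}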