data/templates/ipsec/swanctl.conf.tmpl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

### Autogenerated by vpn_ipsec.py ###
{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %}
{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %}
{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %}

connections {
{% if profile is defined %}
{%   for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{{     profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{%   for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
{%   endfor %}
{%  endif %}
{% if remote_access is defined and remote_access is not none %}
{%   for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %}
{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }}
{%   endfor %}
{% endif %}
}

pools {
{%  if remote_access is defined %}
{%    for ra, ra_conf in remote_access.items() if ra_conf.pool.dhcp_enable is not defined %}
    ra-{{ ra }} {
        addrs = {{ ra_conf.pool.prefix }}
        dns = {{ ra_conf.pool.name_server | join(",") }}
{%      if ra_conf.pool.exclude is defined %}
        split_exclude = {{ ra_conf.pool.exclude | join(",") }}
{%      endif %}
    }
{%    endfor %}
{%  endif %}
}

secrets {
{%  if profile is defined %}
{%    for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{%      if profile_conf.authentication.mode == 'pre-shared-secret' %}
{%        for interface in profile_conf.bind.tunnel %}
    ike-dmvpn-{{ interface }} {
        secret = {{ profile_conf.authentication.pre_shared_secret }}
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if site_to_site is defined and site_to_site.peer is defined %}
{%    for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{%      set peer_name = peer.replace(".", "-").replace("@", "") %}
{%      if peer_conf.authentication.mode == 'pre-shared-secret' %}
    ike_{{ peer_name }} {
{%        if peer_conf.local_address is defined %}
        id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
{%        endif %}
        id-remote = {{ peer }}
{%        if peer_conf.authentication.id is defined %}
        id-localid = {{ peer_conf.authentication.id }}
{%        endif %}
{%        if peer_conf.authentication.remote_id is defined %}
        id-remoteid = {{ peer_conf.authentication.remote_id }}
{%        endif %}
        secret = "{{ peer_conf.authentication.pre_shared_secret }}"
    }
{%      elif peer_conf.authentication.mode == 'x509' %}
    private_{{ peer_name }} {
        file = {{ peer_conf.authentication.x509.certificate }}.pem
{%        if peer_conf.authentication.x509.passphrase is defined %}
        secret = "{{ peer_conf.authentication.x509.passphrase }}"
{%        endif %}
    }
{%      elif peer_conf.authentication.mode == 'rsa' %}
    rsa_{{ peer_name }}_local {
        file = {{ peer_conf.authentication.rsa.local_key }}.pem
{%        if peer_conf.authentication.rsa.passphrase is defined %}
        secret = "{{ peer_conf.authentication.rsa.passphrase }}"
{%        endif %}
    }
{%      endif %}
{%    endfor %}
{%  endif %}
{%  if remote_access is defined %}
{%    for ra, ra_conf in remote_access.items() if remote_access is defined %}
{%      if ra_conf.authentication.server_mode == 'pre-shared-secret' %}
    ike_{{ ra }} {
{%        if ra_conf.authentication.id is defined %}
        id = "{{ ra_conf.authentication.id }}"
{%        elif ra_conf.local_address is defined %}
        id = "{{ ra_conf.local_address }}"
{%        endif %}
        secret = "{{ ra_conf.authentication.pre_shared_secret }}"
    }
{%      endif %}
{%      if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %}
{%        for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %}
    eap-{{ ra }}-{{ user }} {
        secret = "{{ user_conf.password }}"
        id-{{ ra }}-{{ user }} = "{{ user }}"
    }
{%        endfor %}
{%      endif %}
{%    endfor %}
{%  endif %}
}