path: root/data/templates/ipsec/swanctl/l2tp.tmpl
blob: 2df5c2a4d2024f067f86d6cb951d87ef0e24d182 (plain)
{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %}
{# Emits the swanctl connection section "l2tp_remote_access" with one child SA,
   "l2tp_remote_access_esp", for L2TP-over-IPsec remote access.

   Arguments as used below:
     l2tp                  settings object; fields read are ike_group, esp_group,
                           ike_lifetime, lifetime, authentication.mode and
                           authentication.x509.certificate
     l2tp_outside_address  written to local_addrs
     l2tp_ike_default      IKE proposal string used when l2tp.ike_group is not set
     l2tp_esp_default      ESP proposal string used when l2tp.esp_group is not set
     ike_group, esp_group  mappings from group name to group settings

   NOTE(review): every value is interpolated into the generated config without
   quoting or escaping, so this template relies on the caller having validated
   addresses, lifetimes and certificate names - confirm against the caller. #}
{# Resolve the optional named IKE/ESP groups; None selects the default proposals and l2tp-level lifetimes. #}
{%   set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %}
{%   set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %}
    l2tp_remote_access {
{# get_esp_ike_cipher is a filter defined outside this file; its result is joined with ',' so it presumably yields a list of proposal strings - verify. #}
        proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }}
        local_addrs = {{ l2tp_outside_address }}
{# Dead-peer-detection timers are fixed here and not configurable through the macro arguments. #}
        dpd_delay = 15s
        dpd_timeout = 45s
        rekey_time = {{ l2tp_ike.lifetime if l2tp_ike else l2tp.ike_lifetime }}s
{# reauth_time = 0 turns off scheduled IKE reauthentication; the IKE SA is only rekeyed (rekey_time above). #}
        reauth_time = 0
        local {
{# Only 'pre-shared-secret' maps to psk. Every other mode value, not just 'x509', falls through to pubkey. #}
            auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{# The local certificate is referenced by file name (configured name plus ".pem") and only in x509 mode. #}
{%   if l2tp.authentication.mode == 'x509' %}
            certs = {{ l2tp.authentication.x509.certificate }}.pem
{%   endif %}
        }
        remote {
{# NOTE(review): the remote section sets only auth. No id, certs or cacerts constraint is rendered by this
   template, so in pubkey mode the set of accepted peer certificates depends on which CA certificates are
   loaded into swanctl elsewhere - confirm that this is limited to the intended CA. #}
            auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
        }
        children {
            l2tp_remote_access_esp {
{# Transport mode: ESP protects the L2TP traffic between the two endpoints themselves. #}
                mode = transport
                esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }}
                life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s
{# The local selector is limited to port 1701 (L2TP) with the protocol field left empty; the remote selector has no
   port limit. NOTE(review): L2TP runs over UDP - check whether the selector should name the protocol as well. #}
                local_ts = dynamic[/1701]
                remote_ts = dynamic
            }
        }
    }
{% endmacro %}