1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
{% set name = peer.replace("@", "") | dot_colon_to_dash %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
send_cert = always
{% endif %}
{% if ike.dead_peer_detection is defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
{% endif %}
{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
aggressive = yes
{% endif %}
rekey_time = {{ ike.lifetime }}s
mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
reauth_time = 0
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
keyingtries = 1
{% endif %}
{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
encap = yes
{% endif %}
local {
{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem
{% endif %}
}
remote {
{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %}
id = "{{ peer_conf.authentication.remote_id }}"
{% else %}
id = "{{ peer }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem
{% endif %}
}
children {
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if ike.dead_peer_detection is defined %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
}
{% elif peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %}
{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
life_time = {{ tunnel_esp.lifetime }}s
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
{% endif %}
{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{% endif %}
{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if ike.dead_peer_detection is defined %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
{% endif %}
{% endfor %}
{% endif %}
}
}
{% endmacro %}
|