1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %}
peer_{{ name }} {
proposals = {{ ciphers.ike[peer_conf.ike_group] }}
version = {{ ike['key_exchange'][4:] if "key_exchange" in ike else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication.mode == 'x509' %}
send_cert = always
{% endif %}
{% if "dead_peer_detection" in ike %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
{% endif %}
{% if "key_exchange" in ike and ike.key_exchange == "ikev1" and "mode" in ike and ike.mode == "aggressive" %}
aggressive = yes
{% endif %}
mobike = {{ "yes" if "mobike" not in ike or ike.mobike == "enable" else "no" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
rekey_time = 0
reauth_time = 0
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
keyingtries = 1
{% endif %}
{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
encap = yes
{% endif %}
local {
{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
{% if auth_type %}
auth = {{ auth_type }}
{% endif %}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = localhost.pub
{% endif %}
}
remote {
{% if peer_conf.authentication.remote_id is defined %}
id = "{{ peer_conf.authentication.remote_id }}"
{% elif peer[0:1] == '@' %}
id = "{{ peer }}"
{% endif %}
{% if auth_type %}
auth = {{ auth_type }}
{% endif %}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub
{% endif %}
}
children {
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
peer_{{ name }}_vti {
esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }}
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
ipcomp = {{ 'yes' if "compression" in vti_esp and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode if "mode" in vti_esp else "tunnel" }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if "dead_peer_detection" in ike %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
}
{% endif %}
{% if peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '' %}
{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
esp_proposals = {{ ciphers.esp[tunnel_esp_name] }}
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
{% endif %}
{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{% endif %}
{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if "compression" in tunnel_esp and tunnel_esp.compression == 'enable' else 'no' }}
mode = {{ tunnel_esp.mode if "mode" in tunnel_esp else "tunnel" }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if "dead_peer_detection" in ike %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
{% endif %}
{% endfor %}
{% endif %}
}
}
{% endmacro %}
|