1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
{% set name = peer.replace(".", "-").replace("@", "") %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
send_cert = always
{% endif %}
{% if ike.dead_peer_detection is defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
{% endif %}
{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
aggressive = yes
{% endif %}
mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
rekey_time = 0
reauth_time = 0
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
keyingtries = 1
{% endif %}
{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
encap = yes
{% endif %}
local {
{% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = localhost.pub
{% endif %}
}
remote {
{% if peer_conf.authentication.remote_id is defined %}
id = "{{ peer_conf.authentication.remote_id }}"
{% elif peer[0:1] == '@' %}
id = "{{ peer }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub
{% endif %}
}
children {
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
peer_{{ name }}_vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode if vti_esp.mode is defined else "tunnel" }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if ike.dead_peer_detection is defined %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
}
{% elif peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %}
{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
{% endif %}
{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{% endif %}
{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
mode = {{ tunnel_esp.mode if tunnel_esp.mode is defined else "tunnel" }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
{% endif %}
{% if ike.dead_peer_detection is defined %}
{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
{% endif %}
{% endfor %}
{% endif %}
}
}
{% endmacro %}
|