summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl/peer.tmpl
blob: a622cbf74b24765010967c0f1cbf73c5122b534a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
{%   set name = peer.replace("@", "") | dot_colon_to_dash %}
{#   peer needs to reference the global IKE configuration for certain values #}
{%   set ike = ike_group[peer_conf.ike_group] %}
    peer_{{ name }} {
        proposals = {{ ike | get_esp_ike_cipher | join(',') }}
        version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
{%   if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %}
        vips = {{ peer_conf.virtual_address | join(', ') }}
{%   endif %}
        local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
        remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{%   if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
        send_cert = always
{%   endif %}
{%   if ike.dead_peer_detection is defined %}
        dpd_timeout = {{ ike.dead_peer_detection.timeout }}
        dpd_delay = {{ ike.dead_peer_detection.interval }}
{%   endif %}
{%   if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
        aggressive = yes
{%   endif %}
        rekey_time = {{ ike.lifetime }}s
        mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
{%   if peer[0:1] == '@' %}
        keyingtries = 0
        reauth_time = 0
{%   elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
        keyingtries = 0
{%   elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %}
        keyingtries = 1
{%   endif %}
{%   if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %}
        encap = yes
{%   endif %}
        local {
{%   if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %}
            id = "{{ peer_conf.authentication.id }}"
{%   endif %}
            auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{%   if peer_conf.authentication.mode == 'x509' %}
            certs = {{ peer_conf.authentication.x509.certificate }}.pem
{%   elif peer_conf.authentication.mode == 'rsa' %}
            pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem
{%   endif %}
        }
        remote {
{%   if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %}
            id = "{{ peer_conf.authentication.remote_id }}"
{%   else %}
            id = "{{ peer }}"
{%   endif %}
            auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{%   if peer_conf.authentication.mode == 'rsa' %}
            pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem
{%   endif %}
        }
        children {
{%   if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{%     set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
            peer_{{ name }}_vti {
                esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
{%   if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %}
                life_bytes = {{ vti_esp.life_bytes }}
{%   endif %}
{%   if vti_esp.life_packets is defined and vti_esp.life_packets is not none %}
                life_packets = {{ vti_esp.life_packets }}
{%   endif %}
                life_time = {{ vti_esp.lifetime }}s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
                {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
                {# Thus we simply shift the key by one to also support a vti0 interface #}
{%              set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
                if_id_in = {{ if_id }}
                if_id_out = {{ if_id }}
                ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
                mode = {{ vti_esp.mode }}
{%     if peer[0:1] == '@' %}
                start_action = none
{%     elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
                start_action = start
{%     elif peer_conf.connection_type == 'respond' %}
                start_action = trap
{%     elif peer_conf.connection_type == 'none' %}
                start_action = none
{%     endif %}
{%     if ike.dead_peer_detection is defined %}
{%       set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
                dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{%     endif %}
                close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
            }
{%   elif peer_conf.tunnel is defined %}
{%     for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{%       set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
{%       set tunnel_esp = esp_group[tunnel_esp_name] %}
{%       set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %}
{%       set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
{%       set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{%       set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{%       set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
            peer_{{ name }}_tunnel_{{ tunnel_id }} {
                esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
{%       if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %}
                life_bytes = {{ tunnel_esp.life_bytes }}
{%       endif %}
{%       if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %}
                life_packets = {{ tunnel_esp.life_packets }}
{%       endif %}
                life_time = {{ tunnel_esp.lifetime }}s
{%       if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{%         if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{%           set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
                local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
{%         endif %}
{%         if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
{%           set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
                remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{%         endif %}
{%         if tunnel_conf.priority is defined and tunnel_conf.priority is not none %}
                priority = {{ tunnel_conf.priority }}
{%         endif %}
{%       elif tunnel_esp.mode == 'transport' %}
                local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
                remote_ts = {{ peer }}{{ remote_suffix }}
{%       endif %}
                ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
                mode = {{ tunnel_esp.mode }}
{%       if peer[0:1] == '@' %}
                start_action = none
{%       elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
                start_action = start
{%       elif peer_conf.connection_type == 'respond' %}
                start_action = trap
{%       elif peer_conf.connection_type == 'none' %}
                start_action = none
{%       endif %}
{%       if ike.dead_peer_detection is defined %}
{%         set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
                dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{%       endif %}
                close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
{%       if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
                updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
                {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
                {# Thus we simply shift the key by one to also support a vti0 interface #}
{%              set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
                if_id_in = {{ if_id }}
                if_id_out = {{ if_id }}
{%       endif %}
            }
{%       if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
            peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
                local_ts = {{ tunnel_conf.passthrough | join(",") }}
                remote_ts = {{ tunnel_conf.passthrough | join(",") }}
                start_action = trap
                mode = pass
            }
{%       endif %}
{%     endfor %}
{%   endif %}
        }
    }
{% endmacro %}