T6357: create test repository to validate setup

1 files changed, 117 insertions, 0 deletions

diff --git a/data/templates/ipsec/charon/eap-radius.conf.j2 b/data/templates/ipsec/charon/eap-radius.conf.j2
new file mode 100644
index 0000000..3643774
--- /dev/null
+++ b/data/templates/ipsec/charon/eap-radius.conf.j2
@@ -0,0 +1,117 @@
+eap-radius {
+    # Send RADIUS accounting information to RADIUS servers.
+    # accounting = no
+
+    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+    # updates.
+    # accounting_close_on_timeout = yes
+
+    # Interval in seconds for interim RADIUS accounting updates, if not
+    # specified by the RADIUS server in the Access-Accept message.
+    # accounting_interval = 0
+
+    # If enabled, accounting is disabled unless an IKE_SA has at least one
+    # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
+    # accounting_requires_vip = no
+
+    # If enabled, adds the Class attributes received in Access-Accept message to
+    # the RADIUS accounting messages.
+    # accounting_send_class = no
+
+    # Use class attributes in Access-Accept messages as group membership
+    # information.
+    # class_group = no
+
+    # Closes all IKE_SAs if communication with the RADIUS server times out. If
+    # it is not set only the current IKE_SA is closed.
+    # close_all_on_timeout = no
+
+    # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+    # eap_start = no
+
+    # Use filter_id attribute as group membership information.
+    # filter_id = no
+
+    # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+    # EAP method.
+    # id_prefix =
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # NAS-Identifier to include in RADIUS messages.
+    nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }}
+
+    # Port of RADIUS server (authentication).
+    # port = 1812
+
+    # Base to use for calculating exponential back off.
+    # retransmit_base = 1.4
+
+{% if remote_access.radius.timeout is vyos_defined %}
+    # Timeout in seconds before sending first retransmit.
+    retransmit_timeout = {{ remote_access.radius.timeout | float }}
+{% endif %}
+
+    # Number of times to retransmit a packet before giving up.
+    # retransmit_tries = 4
+
+    # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+    # permissions of the config file accordingly.
+    # secret =
+
+    # IP/Hostname of RADIUS server.
+    # server =
+
+    # Number of sockets (ports) to use, increase for high load.
+    # sockets = 1
+
+    # Whether to include the UDP port in the Called- and Calling-Station-Id
+    # RADIUS attributes.
+    # station_id_with_port = yes
+
+    dae {
+        # Enables support for the Dynamic Authorization Extension (RFC 5176).
+        # enable = no
+
+        # Address to listen for DAE messages from the RADIUS server.
+        # listen = 0.0.0.0
+
+        # Port to listen for DAE requests.
+        # port = 3799
+
+        # Shared secret used to verify/sign DAE messages. If set, make sure to
+        # adjust the permissions of the config file accordingly.
+        # secret =
+    }
+
+    forward {
+        # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+        # ike_to_radius =
+
+        # Same as ike_to_radius but from RADIUS to IKEv2.
+        # radius_to_ike =
+    }
+
+    # Section to specify multiple RADIUS servers.
+    servers {
+{% if remote_access.radius.server is vyos_defined %}
+{%     for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %}
+        {{ server | replace('.', '-') }} {
+            address = {{ server }}
+            secret = {{ server_options.key }}
+            auth_port = {{ server_options.port }}
+{%         if server_options.disable_accounting is not vyos_defined %}
+            acct_port = {{ server_options.port | int + 1 }}
+{%         endif %}
+            sockets = 20
+        }
+{%     endfor %}
+{% endif %}
+    }
+
+    # Section to configure multiple XAuth authentication rounds via RADIUS.
+    xauth {
+    }
+}