From 5502042c8908d7b5bd19e1c2b7711edd1052eef2 Mon Sep 17 00:00:00 2001
From: 7u83 <7u83@mail.ru>
Date: Fri, 22 May 2020 10:20:21 +0000
Subject: [PATCH] Racoon templates
---
templates/racoon/ipsec.conf.transport.erb | 9 ++-
templates/racoon/racoon-transport.conf.erb | 81 +++++++++++++++-------
templates/racoon/racoon.conf.footer.erb | 26 +++++++
templates/racoon/racoon.conf.header.erb | 20 +-----
templates/racoon/remote.erb | 34 +++++++++
templates/racoon/sainfo.erb | 17 +++++
6 files changed, 141 insertions(+), 46 deletions(-)
create mode 100644 templates/racoon/racoon.conf.footer.erb
create mode 100644 templates/racoon/remote.erb
create mode 100644 templates/racoon/sainfo.erb
diff --git a/templates/racoon/ipsec.conf.transport.erb b/templates/racoon/ipsec.conf.transport.erb
index 1f64e0b..e518864 100644
--- a/templates/racoon/ipsec.conf.transport.erb
+++ b/templates/racoon/ipsec.conf.transport.erb
@@ -2,9 +2,12 @@
 # Transport
 # Name: <%= @title %>
 #
-
-spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec
+<%-
+ local = @local_ip ? @local_ip : "0.0.0.0/0"
+ remote= @remote_ip ? @remote_ip : "0.0.0.0/0"
+%>
+spdadd <%= local %> <%= @remote_ip %> <%= @proto %> -P out ipsec
 esp/transport//require;
-spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec
+spdadd <%= @remote_ip %> <%= local %> <%= @proto %> -P in ipsec
 esp/transport//require;
diff --git a/templates/racoon/racoon-transport.conf.erb b/templates/racoon/racoon-transport.conf.erb
index ca7d3bc..0558905 100644
--- a/templates/racoon/racoon-transport.conf.erb
+++ b/templates/racoon/racoon-transport.conf.erb
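Review bot: The `remote` fallback computed in the new `<%- ... %>` block is never used — both `spdadd` lines still interpolate `@remote_ip`, so when `@remote_ip` is unset the policy renders with an empty destination (`spdadd 10.0.0.1  tcp -P out ipsec`), which setkey cannot parse, while `local` does receive its `0.0.0.0/0` default. The two lines should read `spdadd <%= local %> <%= remote %> <%= @proto %> -P out ipsec` and `spdadd <%= remote %> <%= local %> <%= @proto %> -P in ipsec`. Because a wildcard on either side combined with `esp/transport//require` makes this a policy for all traffic to or from the peer, an unset address silently widens what must be ESP-protected, which deserves a comment such as `# an unset local/remote address means 'any' (0.0.0.0/0); traffic matching this policy is dropped unless ESP is negotiated`. Minor style: `remote= @remote_ip` wants the same spacing as the `local` line above it.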
@@ -1,32 +1,65 @@
 #
-# remote $title
+# IPSec Transpoty <%= @title %>
 #
-
-remote <%= @remote_ip %> {
- exchange_mode main;
- proposal {
- encryption_algorithm <%= @encryption.join(",") %>;
- hash_algorithm <%= @hash %>;
- dh_group <%= @dh_group %>;
- lifetime time <%= @lifetime %> sec;
- authentication_method pre_shared_key;
- }
- # generate_policy on;
-}
-
- <%- @salifetime = @lifetime ? @lifetime : "3600 " %>
- <%- @saencryption = @encryption ? @encryption : @encryption %>
- <%- @pfs_group = @pfs_group ? @pfs_group : @dh_group %>
- <%- @port = 'any' -%>
-
-
-sainfo address <%= @local_ip %> <%= @proto %> address <%= @remote_ip %> <%= @proto %>
+<%-
+ if @local_ip == "anonymous"
+ local = "anonymous"
+ lport = ""
+ proto = ""
+ else
+ local = "address "+@local_ip
+ if @local_port
+ lport="["+@local_port+"]"
+ else
+ lport=""
+ end
+ proto = " "+@proto
+ end
+
+ @salifetime = @lifetime ? @lifetime : "3600 "
+ @saencryption = @encryption ? @encryption : @encryption
+ @pfs_group = @pfs_group ? @pfs_group : @dh_group
+ @port = 'any' -%>
+
+sainfo <%= local %><%=lport%><%= proto %> address <%= @remote_ip %> <%= @proto %>
 {
- pfs_group <%= @pfs_group %>;
+ <%- if @pfs_group -%>
+ pfs_group <%-= @pfs_group -%>;
+ <%- end -%>
 encryption_algorithm <%= @encryption.join(",") %>;
- <%- @komma="" -%>
- authentication_algorithm <%- @p2hash.each do |hmalgo| -%><%=@komma -%>hmac_<%= hmalgo -%> <%- @komma=',' -%> <%- end -%>;
+ <%- komma="" -%>
+ authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>;
 compression_algorithm deflate;
 lifetime time <%= @lifetime %> sec;
 }
+
+#remote <%= @remote_ip %> {
+# exchange_mode main;
+# proposal {
+# encryption_algorithm <%= @encryption.join(",") %>;
+# hash_algorithm <%= @hash %>;
+# dh_group <%= @dh_group %>;
+# lifetime time <%= @lifetime %> sec;
+# authentication_method pre_shared_key;
+# }
+# # generate_policy on;
+#}
+
+<%if @p1_proposals %>
+remote <%= @remote_ip %> {
+ exchange_mode main;
+ generate_policy on;
+
+ <%- @p1_proposals.each do |p| -%>
+ proposal {
+ encryption_algorithm <%= p['encryption'] %>;
+ hash_algorithm <%= p['hash'] %>;
+ authentication_method pre_shared_key;
+ dh_group <%= p['dh_group'] %>;
+ }
+ <%- end -%>
+}
+<% end %>
+
+
diff --git a/templates/racoon/racoon.conf.footer.erb b/templates/racoon/racoon.conf.footer.erb
new file mode 100644
index 0000000..ef23570
--- /dev/null
+++ b/templates/racoon/racoon.conf.footer.erb
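Review bot: `pfs_group <%-= @pfs_group -%>;` is not valid ERB under the `-` trim mode that Puppet's template wrapper uses — `<%-` is the code tag, so the remaining `= @pfs_group` is handed to Ruby as a statement and the whole template fails to compile instead of emitting the group; the sibling `sainfo.erb` in this commit spells it correctly, so this line should be `pfs_group <%= @pfs_group -%>;`. Two hedged points on the same hunk: `@hash.each` now requires `@hash` to be an array, whereas the retained (commented-out) `remote` block still interpolates it as a scalar via `hash_algorithm <%= @hash %>`, and `"["+@local_port+"]"` raises TypeError if the port arrives from the manifest as an Integer rather than a String — `"[#{@local_port}]"` tolerates both. The header comment also carries a typo: `# IPSec Transport <%= @title %>`.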
@@ -0,0 +1,26 @@
+<%if @default_proposals %>
+remote anonymous {
+ exchange_mode main;
+ generate_policy on;
+
+ <%- @default_proposals.each do |p| -%>
+ proposal {
+ encryption_algorithm <%= p['encryption'] %>;
+ hash_algorithm <%= p['hash'] %>;
+ authentication_method pre_shared_key;
+ dh_group <%= p['dh_group'] %>;
+ }
+ <%- end -%>
+}
+<% end %>
+
+<% if false %>
+#sainfo anonymous{
+# pfs_group 2;
+# encryption_algorithm aes_256;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}
+
+<% end %>
+
diff --git a/templates/racoon/racoon.conf.header.erb b/templates/racoon/racoon.conf.header.erb
index 1b6f400..0b7dec2 100644
--- a/templates/racoon/racoon.conf.header.erb
+++ b/templates/racoon/racoon.conf.header.erb
@@ -6,24 +6,6 @@ log notify;
 path pre_shared_key "<%= @racoon_pskfile %>";
-path certificate "/etc/racoon/certs";
-
-#remote anonymous {
-# exchange_mode main;
-# proposal {
-# encryption_algorithm aes_256;
-# hash_algorithm md5;
-# authentication_method pre_shared_key;
-# dh_group modp1024;
-# }
-# generate_policy on;
-#}
-
-#sainfo anonymous{
-# pfs_group 2;
-# encryption_algorithm aes_256;
-# authentication_algorithm hmac_md5;
-# compression_algorithm deflate;
-#}
+path certificate "<%= @racoon_certs %>";
diff --git a/templates/racoon/remote.erb b/templates/racoon/remote.erb
new file mode 100644
index 0000000..76c472b
--- /dev/null
+++ b/templates/racoon/remote.erb
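Review bot: `remote anonymous { ... generate_policy on; ... authentication_method pre_shared_key; }` makes this host a catch-all responder that installs whatever SPD policy a peer with a valid PSK proposes, and racoon.conf(5) describes generate_policy as a responder-side directive to be paired with `passive on` so racoon never initiates under such a block — the new block has no `passive` line. Add `passive on;` beside `generate_policy on;` (or expose it as a template parameter if initiating from the anonymous block is really wanted), and document the exposure above the block: `# catch-all responder: any address with an entry in the pre_shared_key file can complete phase 1; phase 2 policies are generated from the peer's proposal`. The `<% if false %>` wrapper at the end encloses lines that are already `#`-commented, so it is dead twice over; drop either the wrapper or the block.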
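Review bot: `path certificate "<%= @racoon_certs %>";` has no fallback, unlike the ternary defaults the other templates in this commit use, so an undefined `@racoon_certs` renders `path certificate "";` and racoon is left with an empty certificate directory — silently, as long as no remote uses `rsasig`. Either keep the previous default inline, `path certificate "<%= @racoon_certs ? @racoon_certs : '/etc/racoon/certs' %>";`, or state at the top of the header that the manifest must always set it. The rest of the header file is outside this hunk, so I cannot tell whether a default is established elsewhere.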
@@ -0,0 +1,34 @@
+#
+# Remote definition <%= @title %>
+#
+<%-
+if not @psk
+ auth_method = 'rsasig'
+ myid = 'asn1dn'
+else
+ auth_method = 'pre_shared_key'
+ myid = false
+end
+-%>
+remote <%= @remote_id %> {
+ exchange_mode <%= @exchange_mode %>;
+ generate_policy <%= @generate_policy %>;
+
+ <%- if not @psk -%>
+ certificate_type x509 "<%= @client_cert -%>" "<%= @client_key %>";
+ ca_type x509 "<%= @ca_cert %>";
+ <%- end -%>
+ <%- if myid -%>
+ my_identifier asn1dn;
+ <%- end -%>
+
+ <%- @proposals.each do |p| -%>
+ proposal {
+ encryption_algorithm <%= p['encryption'] %>;
+ hash_algorithm <%= p['hash'] %>;
+ dh_group <%= p['dh_group'] %>;
+ authentication_method <%= auth_method %>;
+ }
+ <%- end -%>
+}
+
diff --git a/templates/racoon/sainfo.erb b/templates/racoon/sainfo.erb
new file mode 100644
index 0000000..b031c68
--- /dev/null
+++ b/templates/racoon/sainfo.erb
@@ -0,0 +1,17 @@
+#
+#
+#
+
+sainfo <%= @saparam %>
+{
+ <%- if @pfs_group -%>
+ pfs_group <%= @pfs_group -%>;
+ <%- end -%>
+ encryption_algorithm <%= @encryption.join(",") -%>;
+ <%- komma="" -%>
+ authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>;
+ compression_algorithm deflate;
+ lifetime time <%= @lifetime %> sec;
+}
+
+
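Review bot: In the `rsasig` branch the template sets `my_identifier asn1dn;` but never pins the peer's identity — there is no `peers_identifier` and no `verify_identifier on;`, and racoon's `verify_identifier` defaults to off, so any certificate chaining to `@ca_cert` is accepted for this `remote <%= @remote_id %>` block regardless of its subject; if that is intended (one CA per peer group) say so in a comment, otherwise add `peers_identifier asn1dn "<%= @peer_dn %>";` and `verify_identifier on;` driven by a new parameter. `generate_policy <%= @generate_policy %>;` and `exchange_mode <%= @exchange_mode %>;` are interpolated unchecked; racoon accepts only `on|off|require|unique` for generate_policy, so a Puppet boolean would render as `true` and break the config, which is worth either validating in the manifest or mapping to `on`/`off` here. `myid` only ever holds `'asn1dn'` or `false` while the output hard-codes `asn1dn`, so either reuse it (`my_identifier <%= myid %>;`) or give it a boolean name.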
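Review bot: `sainfo <%= @saparam %>` pastes the selector verbatim, so the manifest must hand over a fully formed racoon id string, and nothing guards `@encryption.join` or `@hash.each` against a nil or scalar value — unlike the sibling template in this commit, which builds the selector from `@local_ip`/`@remote_ip`/`@proto`. The empty `#` header should state that contract, e.g. `# @saparam: complete sainfo selector as racoon.conf(5) expects it, e.g. 'address 10.0.0.1 any address 10.0.0.2 any' or 'anonymous'; @encryption and @hash must be arrays of algorithm names`.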