Racoon templates

This commit is contained in:
7u83 2020-05-22 10:20:21 +00:00
parent 4f5d03a627
commit 5502042c89
6 changed files with 141 additions and 46 deletions

View File

@ -2,9 +2,12 @@
# Transport # Transport
# Name: <%= @title %> # Name: <%= @title %>
# #
<%-
spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec local = @local_ip ? @local_ip : "0.0.0.0/0"
remote= @remote_ip ? @remote_ip : "0.0.0.0/0"
%>
spdadd <%= local %> <%= @remote_ip %> <%= @proto %> -P out ipsec
esp/transport//require; esp/transport//require;
spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec spdadd <%= @remote_ip %> <%= local %> <%= @proto %> -P in ipsec
esp/transport//require; esp/transport//require;

View File

@ -1,32 +1,65 @@
# #
# remote $title # IPSec Transpoty <%= @title %>
# #
<%-
if @local_ip == "anonymous"
local = "anonymous"
lport = ""
proto = ""
else
local = "address "+@local_ip
if @local_port
lport="["+@local_port+"]"
else
lport=""
end
proto = " "+@proto
end
remote <%= @remote_ip %> { @salifetime = @lifetime ? @lifetime : "3600 "
exchange_mode main; @saencryption = @encryption ? @encryption : @encryption
proposal { @pfs_group = @pfs_group ? @pfs_group : @dh_group
encryption_algorithm <%= @encryption.join(",") %>; @port = 'any' -%>
hash_algorithm <%= @hash %>;
dh_group <%= @dh_group %>;
lifetime time <%= @lifetime %> sec;
authentication_method pre_shared_key;
}
# generate_policy on;
}
<%- @salifetime = @lifetime ? @lifetime : "3600 " %> sainfo <%= local %><%=lport%><%= proto %> address <%= @remote_ip %> <%= @proto %>
<%- @saencryption = @encryption ? @encryption : @encryption %>
<%- @pfs_group = @pfs_group ? @pfs_group : @dh_group %>
<%- @port = 'any' -%>
sainfo address <%= @local_ip %> <%= @proto %> address <%= @remote_ip %> <%= @proto %>
{ {
pfs_group <%= @pfs_group %>; <%- if @pfs_group -%>
pfs_group <%-= @pfs_group -%>;
<%- end -%>
encryption_algorithm <%= @encryption.join(",") %>; encryption_algorithm <%= @encryption.join(",") %>;
<%- @komma="" -%> <%- komma="" -%>
authentication_algorithm <%- @p2hash.each do |hmalgo| -%><%=@komma -%>hmac_<%= hmalgo -%> <%- @komma=',' -%> <%- end -%>; authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>;
compression_algorithm deflate; compression_algorithm deflate;
lifetime time <%= @lifetime %> sec; lifetime time <%= @lifetime %> sec;
} }
#remote <%= @remote_ip %> {
# exchange_mode main;
# proposal {
# encryption_algorithm <%= @encryption.join(",") %>;
# hash_algorithm <%= @hash %>;
# dh_group <%= @dh_group %>;
# lifetime time <%= @lifetime %> sec;
# authentication_method pre_shared_key;
# }
# # generate_policy on;
#}
<%if @p1_proposals %>
remote <%= @remote_ip %> {
exchange_mode main;
generate_policy on;
<%- @p1_proposals.each do |p| -%>
proposal {
encryption_algorithm <%= p['encryption'] %>;
hash_algorithm <%= p['hash'] %>;
authentication_method pre_shared_key;
dh_group <%= p['dh_group'] %>;
}
<%- end -%>
}
<% end %>

View File

@ -0,0 +1,26 @@
<%if @default_proposals %>
remote anonymous {
exchange_mode main;
generate_policy on;
<%- @default_proposals.each do |p| -%>
proposal {
encryption_algorithm <%= p['encryption'] %>;
hash_algorithm <%= p['hash'] %>;
authentication_method pre_shared_key;
dh_group <%= p['dh_group'] %>;
}
<%- end -%>
}
<% end %>
<% if false %>
#sainfo anonymous{
# pfs_group 2;
# encryption_algorithm aes_256;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}
<% end %>

View File

@ -6,24 +6,6 @@
log notify; log notify;
path pre_shared_key "<%= @racoon_pskfile %>"; path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs"; path certificate "<%= @racoon_certs %>";
#remote anonymous {
# exchange_mode main;
# proposal {
# encryption_algorithm aes_256;
# hash_algorithm md5;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy on;
#}
#sainfo anonymous{
# pfs_group 2;
# encryption_algorithm aes_256;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}

View File

@ -0,0 +1,34 @@
#
# Remote definition <%= @title %>
#
<%-
if not @psk
auth_method = 'rsasig'
myid = 'asn1dn'
else
auth_method = 'pre_shared_key'
myid = false
end
-%>
remote <%= @remote_id %> {
exchange_mode <%= @exchange_mode %>;
generate_policy <%= @generate_policy %>;
<%- if not @psk -%>
certificate_type x509 "<%= @client_cert -%>" "<%= @client_key %>";
ca_type x509 "<%= @ca_cert %>";
<%- end -%>
<%- if myid -%>
my_identifier asn1dn;
<%- end -%>
<%- @proposals.each do |p| -%>
proposal {
encryption_algorithm <%= p['encryption'] %>;
hash_algorithm <%= p['hash'] %>;
dh_group <%= p['dh_group'] %>;
authentication_method <%= auth_method %>;
}
<%- end -%>
}

View File

@ -0,0 +1,17 @@
#
#
#
sainfo <%= @saparam %>
{
<%- if @pfs_group -%>
pfs_group <%= @pfs_group -%>;
<%- end -%>
encryption_algorithm <%= @encryption.join(",") -%>;
<%- komma="" -%>
authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>;
compression_algorithm deflate;
lifetime time <%= @lifetime %> sec;
}