Racoon templates

templates/racoon/ipsec.conf.transport.erb

@@ -2,9 +2,12 @@
 # Transport
 # Name: <%= @title %>
 #
-
+<%-
-spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec 
+  local = @local_ip ? @local_ip : "0.0.0.0/0"
+  remote= @remote_ip ? @remote_ip : "0.0.0.0/0" 
+%>
+spdadd <%= local %> <%= @remote_ip %> <%= @proto %> -P out ipsec 
 	esp/transport//require;
-spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec 
+spdadd <%= @remote_ip %> <%= local %> <%= @proto %> -P in ipsec 
 	esp/transport//require;
 

templates/racoon/racoon-transport.conf.erb

@@ -1,32 +1,65 @@
 #
-# remote $title
+# IPSec Transpoty <%= @title %>
 # 
+<%- 
+  if @local_ip == "anonymous"
+    local = "anonymous"
+    lport = ""
+    proto = ""
+  else
+    local = "address "+@local_ip
+    if @local_port
+      lport="["+@local_port+"]"
+    else
+      lport=""
+    end
+    proto = " "+@proto
+  end
   
-remote <%= @remote_ip %> {
+  @salifetime = @lifetime ? @lifetime : "3600 " 
-        exchange_mode main;
+	 @saencryption = @encryption ? @encryption : @encryption 
-        proposal {
+	 @pfs_group = @pfs_group ? @pfs_group : @dh_group 
-		encryption_algorithm <%= @encryption.join(",") %>;
+	 @port = 'any' -%>
-		hash_algorithm <%= @hash %>;
-		dh_group <%= @dh_group %>;
-		lifetime time <%= @lifetime %> sec;
-                authentication_method pre_shared_key;
-        }
-  # generate_policy on;
-}
          
-	<%- @salifetime = @lifetime ? @lifetime : "3600 " %>
+sainfo <%= local %><%=lport%><%= proto %> address <%= @remote_ip %> <%= @proto %>
-	<%- @saencryption = @encryption ? @encryption : @encryption %>
-	<%- @pfs_group = @pfs_group ? @pfs_group : @dh_group %>
-	<%- @port = 'any' -%>
-
-
-sainfo address <%= @local_ip %> <%= @proto %> address <%= @remote_ip %> <%= @proto %>
 {
-	pfs_group <%= @pfs_group %>;
+        <%- if @pfs_group  -%>
+        pfs_group <%-= @pfs_group -%>; 
+        <%- end -%>  
 	encryption_algorithm <%= @encryption.join(",") %>;
-	<%- @komma="" -%>
+	<%- komma="" -%>
-	authentication_algorithm <%- @p2hash.each do |hmalgo| -%><%=@komma -%>hmac_<%= hmalgo -%> <%- @komma=',' -%> <%- end -%>; 
+	authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>; 
 	compression_algorithm deflate;
 	lifetime time <%= @lifetime %> sec;
 }
 
+
+#remote <%= @remote_ip %> {
+#        exchange_mode main;
+#        proposal {
+#		encryption_algorithm <%= @encryption.join(",") %>;
+#		hash_algorithm <%= @hash %>;
+#		dh_group <%= @dh_group %>;
+#		lifetime time <%= @lifetime %> sec;
+#                authentication_method pre_shared_key;
+#        }
+#  # generate_policy on;
+#}
+
+<%if @p1_proposals %>
+remote <%= @remote_ip %> {
+        exchange_mode main;
+        generate_policy on;
+
+        <%- @p1_proposals.each do |p| -%>
+	proposal {
+                encryption_algorithm <%= p['encryption'] %>;
+                hash_algorithm <%= p['hash'] %>;
+                authentication_method pre_shared_key;
+                dh_group <%= p['dh_group'] %>;
+        }
+        <%- end -%>
+}
+<% end %>
+
+	

templates/racoon/racoon.conf.footer.erb

@@ -0,0 +1,26 @@
+<%if @default_proposals %>
+remote anonymous {
+        exchange_mode main;
+        generate_policy on;
+
+        <%- @default_proposals.each do |p| -%>
+	proposal {
+                encryption_algorithm <%= p['encryption'] %>;
+                hash_algorithm <%= p['hash'] %>;
+                authentication_method pre_shared_key;
+                dh_group <%= p['dh_group'] %>;
+        }
+        <%- end -%>
+}
+<% end %>
+
+<% if false %>
+#sainfo anonymous{
+#        pfs_group 2;
+#        encryption_algorithm aes_256;
+#        authentication_algorithm hmac_md5;
+#        compression_algorithm deflate;
+#}
+
+<% end %>
+

templates/racoon/racoon.conf.header.erb

@@ -6,24 +6,6 @@
 log notify;
 path pre_shared_key "<%= @racoon_pskfile %>";
 
-path certificate "/etc/racoon/certs";
+path certificate "<%= @racoon_certs %>";
-
-#remote anonymous {
-#        exchange_mode main;
-#        proposal {
-#                encryption_algorithm aes_256;
-#                hash_algorithm md5;
-#                authentication_method pre_shared_key;
-#                dh_group modp1024;
-#        }
-#        generate_policy on;
-#}
-
-#sainfo anonymous{
-#        pfs_group 2;
-#        encryption_algorithm aes_256;
-#        authentication_algorithm hmac_md5;
-#        compression_algorithm deflate;
-#}
 
 

templates/racoon/remote.erb

@@ -0,0 +1,34 @@
+#
+# Remote definition <%= @title %>
+#
+<%- 
+if not @psk
+        auth_method = 'rsasig'
+        myid = 'asn1dn'
+else
+        auth_method = 'pre_shared_key'
+        myid = false
+end
+-%>
+remote <%= @remote_id %> {
+        exchange_mode <%= @exchange_mode %>;
+        generate_policy <%= @generate_policy %>;
+
+        <%- if not @psk -%>
+        certificate_type x509 "<%= @client_cert -%>" "<%= @client_key %>";
+        ca_type x509 "<%= @ca_cert %>";
+        <%- end -%>
+        <%- if myid -%>
+        my_identifier asn1dn;
+        <%- end -%>
+        
+        <%- @proposals.each do |p| -%>
+	proposal {
+                encryption_algorithm <%= p['encryption'] %>;
+                hash_algorithm <%= p['hash'] %>;
+                dh_group <%= p['dh_group'] %>;
+                authentication_method <%= auth_method %>;
+        }
+        <%- end -%>
+}
+

templates/racoon/sainfo.erb

@@ -0,0 +1,17 @@
+#
+#  
+#
+
+sainfo <%= @saparam %>
+{
+        <%- if @pfs_group  -%>
+        pfs_group <%= @pfs_group -%>; 
+        <%- end -%>
+        encryption_algorithm <%= @encryption.join(",") -%>;
+	<%- komma="" -%>
+	authentication_algorithm <%- @hash.each do |hmalgo| -%><%=komma -%>hmac_<%= hmalgo -%> <%- komma=',' -%> <%- end -%>; 
+	compression_algorithm deflate;
+	lifetime time <%= @lifetime %> sec;
+}
+
+