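# Generate StrongSwan config
#
# This file is a template: the {{ ... }} / {% ... %} placeholders are
# rendered before the script runs on the router, while the $(...) and $var
# substitutions are evaluated by the shell at run time (the heredoc delimiter
# is deliberately unquoted for that reason).
#
# ipsec.conf requires every parameter line to start with whitespace — an
# unindented line is parsed as the start of a new section — so the heredoc
# below keeps parameters indented under their config/ca/conn headers.

# Resolve router-specific values up front so a failed uci lookup aborts the
# script instead of silently writing an empty left= / rightdns= into the
# config. Outputs: error text on stderr; exits 1 on failure.
wan_ipaddr=$(uci get network.wan.ipaddr) \
  || { printf '%s\n' "uci get network.wan.ipaddr failed" >&2; exit 1; }
lan_ipaddr=$(uci get network.lan.ipaddr) \
  || { printf '%s\n' "uci get network.lan.ipaddr failed" >&2; exit 1; }
# Subnet pushed to roadwarriors; strips the last octet, so this assumes a
# /24 LAN exactly as the previous `cut -d . -f 1-3` did — TODO derive from
# network.lan.netmask if other prefix lengths are needed.
lan_subnet="${lan_ipaddr%.*}.0/24"

cat > /etc/ipsec.conf << EOF
config setup
  strictcrlpolicy=yes
  uniqueids=yes

ca {{ session.authority.hostname }}
  auto=add
  cacert=/etc/certidude/authority/{{ session.authority.hostname }}/ca_cert.pem

conn default-{{ session.authority.hostname }}
  ike=aes256-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
  esp=aes128gcm16-aes128gmac-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
  left=$wan_ipaddr # Bind to this IP address
  leftid={{ session.service.routers | first }}
  leftupdown=/etc/certidude/authority/{{ session.authority.hostname }}/updown
  leftcert=/etc/certidude/authority/{{ session.authority.hostname }}/host_cert.pem
  leftsubnet=$lan_subnet # Subnets pushed to roadwarriors
  leftca="{{ session.authority.certificate.distinguished_name }}"
  rightca="{{ session.authority.certificate.distinguished_name }}"
  rightsourceip=172.21.0.0/24 # Roadwarrior virtual IP pool
  dpddelay=0
  dpdaction=clear
  fragmentation=yes
  reauth=no
  rekey=no
  leftsendcert=always

conn s2c-rw
  auto=add
  also=default-{{ session.authority.hostname }}
  rightdns=$lan_ipaddr # IP of DNS server advertised to roadwarriors

conn s2c-client1
  auto=ignore
  also=default-{{ session.authority.hostname }}
  rightid="CN=*, OU=IP Camera, O=*, DC=*, DC=*, DC=*"
  rightsourceip=172.21.0.1

EOF

# The peer identity wildcard above is only as strong as the CA pin: rightca
# (inherited via also=) restricts matches to certificates issued by our own
# authority, so the DN pattern narrows which of those certs get this conn.

# ipsec.secrets names the private key file; keep it root-only like any
# strongSwan secrets file. The rendered line reads e.g. ": RSA /path/host_key.pem".
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} /etc/certidude/authority/{{ session.authority.hostname }}/host_key.pem" > /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets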