From: Tobias Brunner Date: Thu, 17 Apr 2014 16:59:42 +0000 (+0200) Subject: swanctl: Convert swanctl.conf to an options file and generate config X-Git-Tag: 5.2.0dr3~8^2~9 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=5fdba04312988f31977232684386e47c3880dcfc;p=thirdparty%2Fstrongswan.git swanctl: Convert swanctl.conf to an options file and generate config --- diff --git a/src/swanctl/.gitignore b/src/swanctl/.gitignore index 1db645ba78..a37446ed5f 100644 --- a/src/swanctl/.gitignore +++ b/src/swanctl/.gitignore @@ -1 +1,2 @@ swanctl +swanctl.conf diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 4f0c1c2e67..3ed47fe844 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -29,7 +29,15 @@ AM_CPPFLAGS = \ -DSWANCTLDIR=\""${swanctldir}\"" \ -DPLUGINS=\""${s_plugins}\"" -EXTRA_DIST = swanctl.conf +BUILT_SOURCES = swanctl.conf +EXTRA_DIST = swanctl.opt swanctl.conf + +.opt.conf: + $(AM_V_GEN) \ + $(PYTHON) $(top_srcdir)/conf/format-options.py -f conf $< > $(srcdir)/$@ + +maintainer-clean-local: + cd $(srcdir) && rm -f swanctl.conf install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)" diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf deleted file mode 100644 index f43d1d49b9..0000000000 --- a/src/swanctl/swanctl.conf +++ /dev/null 
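Review bot: The `.opt.conf` recipe redirects straight into `$(srcdir)/$@`, so if `format-options.py` fails (or `$(PYTHON)` expands to nothing) the shell has already created an empty or truncated swanctl.conf that is newer than swanctl.opt; the next `make` treats it as up to date and `install-data-local: swanctl.conf` installs that file. Writing to a temporary name and renaming only on success avoids this: `$(PYTHON) $(top_srcdir)/conf/format-options.py -f conf $< > $(srcdir)/$@.tmp && mv -f $(srcdir)/$@.tmp $(srcdir)/$@`. Whether configure guarantees that `PYTHON` is set is not visible in this diff; if it is optional, a configure-time check would make a missing interpreter an explicit failure rather than a silently empty config.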
@@ -1,125 +0,0 @@
-connections {
-
-# # an IKE configuration named conn1
-# conn1 {
-# # IKE version to use
-# version = 2
-# # list of acceptable local addresses/subnets
-# local_addrs = 0.0.0.0
-# # peer address, additional addresses/subnets as responder
-# remote_addrs = 192.168.5.1
-# # local UPD port for IKE
-# local_port = 500
-# # remote UDP port for IKE
-# remote_port = 500
-# # Proposals for IKE, "default" is the default proposal
-# proposals = aes128gcm16-prfsha256-modp2048, default
-# # virtual IPs to request, such as 0.0.0.0 or ::
-# vips =
-# # IKEv1 aggressive mode
-# aggressive = no
-# # use of pull/push in IKEv1 mode config
-# pull = yes
-# # enforce UDP encapsulation by faking NAT-D payloads
-# encap = no
-# # enable IKEv2 MOBIKE
-# mobike = yes
-# # interval of liveness checks
-# dpd_delay = 10s
-# # timeout for DPD checks (IKEV1 only)
-# dpd_timeout = 30s
-# # use IKEv1 UDP packet fragmentation
-# fragmentation = force
-# # send certificate requests
-# send_certreq = yes
-# # send certificate payloads
-# send_cert = ifasked
-# # number of retransmission sequences to do before givin up
-# keyingtries = 0
-# # uniquness policy, never|no|keep|replace|
-# unique = no
-# # time to schedule IKE reauthentication
-# reauth_time = 3h
-# # time to schedule IKE rekeying
-# rekey_time = 2h
-# # hard IKE_SA lifetime if rekey/reauth does not complete
-# over_time = 10m
-# # range of random time to subtract from rekey/rauth times
-# rand_time = 10m
-#
-# # local authentication, first round
-# local {
-# # additional certificates to load
-# certs = a.pem, xy.der
-# # authentication to perform locally
-# auth = pubkey
-# # IKE identity for local
-# id = win@strongswan.org
-# # Client EAP-Identity to use
-# eap_id = moon
-# # Server side EAP identity to use, EAP-TTLS etc.
-# aaa_identity = srv
-# # IKEv1 XAuth username
-# xauth_id = moon
-# }
-# # remote authentication, first round
-# remote {
-# # IKE identity for peer
-# id = %any
-# # list of acceptable peer certificates
-# certs = client.pem
-# # list of acceptable CA certificates
-# cacert = ca.der
-# # revocation policy, strict|ifuri
-# revocation = ifuri
-# # authentication to expect from remote
-# auth = pubkey
-# }
-# children {
-# # First CHILD_SA configuration
-# child1 {
-# # AH proposals to offer
-# ah_proposals = default
-# # ESP proposals to offer
-# esp_proposals = aes128gcm16-modp2048, default
-# # local subnets to tunnel
-# local_ts = 192.168.3.0/24
-# # remote subnets to tunnel
-# remote_ts = 192.168.1.0/24
-# # updown script to invoke
-# updown = path-to-script
-# # hostaccess variable to pass to updown
-# hostaccess = yes
-# # IPsec mode, tunnel|transport|pass|drop
-# mode = tunnel
-# # action to perform on DPD timeout
-# dpd_action = restart
-# # enable IPComp
-# ipcomp = no
-# # inactivity timeout before closing CHILD_SA
-# inactivity = 2m
-# # fixed reqid to use for this CHILD_SA
-# reqid = 5
-# # Netfilter mark for input traffic
-# mark_in = 1
-# # Netfilter mark for output traffic
-# mark_out = 5/0xffffffff
-# # Traffic Flow Confidentiality padding
-# tfc_padding = 1500
-# }
-# }
-# }
-
-}
-
-secrets {
-# eap-tester {
-# id = tester
-# secret = test
-# }
-# ike-moon {
-# id-local = sun.strongswan.org
-# id-remote = mon.strongswan.org
-# secret = 0x12345678901234
-# }
-}
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
new file mode 100644
index 0000000000..1e3adb2a64
--- /dev/null
+++ b/src/swanctl/swanctl.opt
@@ -0,0 +1,188 @@
+connections.conn1 { # }
+ An IKE configuration named conn1
+
+connections.conn1.version = 2
+ IKE version to use
+
+connections.conn1.local_addrs = 0.0.0.0
+ List of acceptable local addresses/subnets
+
+connections.conn1.remote_addrs = 192.168.5.1
+ Peer address, additional addresses/subnets as responder
+
+connections.conn1.local_port = 500
+ Local UPD port for IKE
+
+connections.conn1.remote_port = 500
+ Remote UDP port for IKE
+
+connections.conn1.proposals = aes128gcm16-prfsha256-modp2048, default
+ Proposals for IKE, "default" is the default proposal
+
+connections.conn1.vips =
+ Virtual IPs to request, such as 0.0.0.0 or ::
+
+connections.conn1.aggressive = no
+ IKEv1 aggressive mode
+
+connections.conn1.pull = yes
+ Use of pull/push in IKEv1 mode config
+
+connections.conn1.encap = no
+ Enforce UDP encapsulation by faking NAT-D payloads
+
+connections.conn1.mobike = yes
+ Enable IKEv2 MOBIKE
+
+connections.conn1.dpd_delay = 10s
+ Interval of liveness checks
+
+connections.conn1.dpd_timeout = 30s
+ Timeout for DPD checks (IKEV1 only)
+
+connections.conn1.fragmentation = force
+ Use IKEv1 UDP packet fragmentation
+
+connections.conn1.send_certreq = yes
+ Send certificate requests
+
+connections.conn1.send_cert = ifasked
+ Send certificate payloads
+
+connections.conn1.keyingtries = 0
+ Number of retransmission sequences to do before givin up
+
+connections.conn1.unique = no
+ Uniquness policy, never|no|keep|replace|
+
+connections.conn1.reauth_time = 3h
+ Time to schedule IKE reauthentication
+
+connections.conn1.rekey_time = 2h
+ Time to schedule IKE rekeying
+
+connections.conn1.over_time = 10m
+ Hard IKE_SA lifetime if rekey/reauth does not complete
+
+connections.conn1.rand_time = 10m
+ Range of random time to subtract from rekey/rauth times
+
+connections.conn1.pools = pool1
+ Hand out addresses and attributes from pool1 as responder
+
+connections.conn1.vips = 0.0.0.0
+ Request a virtual IP as initiator
+
+connections.conn1.local {}
+ Local authentication, first round
+
+connections.conn1.local.certs = a.pem, xy.der
+ Additional certificates to load
+
+connections.conn1.local.auth = pubkey
+ Authentication to perform locally
+
+connections.conn1.local.id = win@strongswan.org
+ IKE identity for local
+
+connections.conn1.local.eap_id = moon
+ Client EAP-Identity to use
+
+connections.conn1.local.aaa_identity = srv
+ Server side EAP identity to use, EAP-TTLS etc.
+
+connections.conn1.local.xauth_id = moon
+ IKEv1 XAuth username
+
+connections.conn1.remote {}
+ Remote authentication, first round
+
+connections.conn1.remote.id = %any
+ IKE identity for peer
+
+connections.conn1.remote.certs = client.pem
+ List of acceptable peer certificates
+
+connections.conn1.remote.cacert = ca.der
+ List of acceptable CA certificates
+
+connections.conn1.remote.revocation = ifuri
+ Revocation policy, strict|ifuri
+
+connections.conn1.remote.auth = pubkey
+ Authentication to expect from remote
+
+connections.conn1.children.child1 {}
+ First CHILD_SA configuration
+
+connections.conn1.children.child1.ah_proposals = default
+ AH proposals to offer
+
+connections.conn1.children.child1.esp_proposals = aes128gcm16-modp2048, default
+ ESP proposals to offer
+
+connections.conn1.children.child1.local_ts = 192.168.3.0/24
+ Local subnets to tunnel
+
+connections.conn1.children.child1.remote_ts = 192.168.1.0/24
+ Remote subnets to tunnel
+
+connections.conn1.children.child1.updown = path-to-script
+ Updown script to invoke
+
+connections.conn1.children.child1.hostaccess = yes
+ Hostaccess variable to pass to updown
+
+connections.conn1.children.child1.mode = tunnel
+ IPsec mode, tunnel|transport|pass|drop
+
+connections.conn1.children.child1.dpd_action = restart
+ Action to perform on DPD timeout
+
+connections.conn1.children.child1.ipcomp = no
+ Enable IPComp
+
+connections.conn1.children.child1.inactivity = 2m
+ Inactivity timeout before closing CHILD_SA
+
+connections.conn1.children.child1.reqid = 5
+ Fixed reqid to use for this CHILD_SA
+
+connections.conn1.children.child1.mark_in = 1
+ Netfilter mark for input traffic
+
+connections.conn1.children.child1.mark_out = 5/0xffffffff
+ Netfilter mark for output traffic
+
+connections.conn1.children.child1.tfc_padding = 1500
+ Traffic Flow Confidentiality padding
+
+secrets.eap1 { # }
+ EAP secret section
+
+secrets.eap1.secret = testpassword
+ Password for EAP secret
+
+secrets.eap1.id = tester
+ User EAP secret belongs to
+
+secrets.ike-moon { # }
+ IKE secret for moon
+
+secrets.ike-moon.secret = 0x12345678
+ IKE shared secret for moon
+
+secrets.ike-moon.id-local = sun.strongswan.org
+ First identity secret belongs to
+
+secrets.ike-moon.id-remote = moon.strongswan.org
+ Second identity secret belongs to
+
+pools.poolx { # }
+ Section defining an address pool
+
+pools.poolx.addrs = 10.1.2.0/24
+ Define addresses for this pool
+
+pools.poolx.dns = 10.1.1.1, 10.1.2.1
+ Define DNS server addresses associated to pool
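Review bot: `connections.conn1.vips` is declared twice in the new file, first as `connections.conn1.vips =` (empty) and later as `connections.conn1.vips = 0.0.0.0`, so the generated swanctl.conf will carry the option twice with conflicting defaults; the first entry should be dropped. Likewise `connections.conn1.pools = pool1` refers to a pool the sample never defines, while the example pool section is `pools.poolx`; renaming one side (`pools.pool1 { # }`) keeps the generated sample coherent. The typos carried over from the old file (`Local UPD port`, `givin up`, `Uniquness`, `rauth times`, and the dangling `|` in `never|no|keep|replace|`) are worth fixing during the conversion. The secrets examples now carry literal values (`testpassword`, `0x12345678`); whether format-options.py emits them commented out, as the removed swanctl.conf did, is not visible in this diff and should be confirmed so an installed default config never contains live-looking secrets.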