mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-09 05:23:16 +02:00
acc3fe4c95
Fix an issue where strongswan clients required a separate "conn" section by modifying the client strongswan config to send the client name as leftid.
43 lines
1.4 KiB
Django/Jinja
43 lines
1.4 KiB
Django/Jinja
config setup
|
|
uniqueids=replace # if the same user connects twice, replace the old connection with the new one
|
|
charondebug="ike {{ strongswan_log_level }}, knl {{ strongswan_log_level }}, cfg {{ strongswan_log_level }}, net {{ strongswan_log_level }}, esp {{ strongswan_log_level }}, dmn {{ strongswan_log_level }}, mgr {{ strongswan_log_level }}"
|
|
|
|
conn %default
|
|
fragmentation=yes
|
|
rekey=no
|
|
dpdaction=clear
|
|
keyexchange=ikev2
|
|
compress=yes
|
|
dpddelay=35s
|
|
|
|
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
|
ike={{ ciphers.compat.ike }}
|
|
esp={{ ciphers.compat.esp }}
|
|
{% else %}
|
|
ike={{ ciphers.defaults.ike }}
|
|
esp={{ ciphers.defaults.esp }}
|
|
{% endif %}
|
|
|
|
left=%any
|
|
leftauth=pubkey
|
|
leftid={{ IP_subject_alt_name }}
|
|
leftcert={{ IP_subject_alt_name }}.crt
|
|
leftsendcert=always
|
|
leftsubnet=0.0.0.0/0,::/0
|
|
|
|
right=%any
|
|
rightauth=pubkey
|
|
{% if local_dns is defined and local_dns == "Y" %}
|
|
rightdns={{ local_service_ip }}
|
|
{% else %}
|
|
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
|
|
{% endif %}
|
|
|
|
{% for user in users %}
|
|
|
|
conn AlgoUser-{{ user }}
|
|
rightid={{ user }}
|
|
rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
|
|
auto=add
|
|
|
|
{% endfor %}
|