swanctl: Convert swanctl.conf to an options file and generate config
authorTobias Brunner <tobias@strongswan.org>
Thu, 17 Apr 2014 16:59:42 +0000 (18:59 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 7 May 2014 13:48:16 +0000 (15:48 +0200)
src/swanctl/.gitignore
src/swanctl/Makefile.am
src/swanctl/swanctl.conf [deleted file]
src/swanctl/swanctl.opt [new file with mode: 0644]

index 1db645b..a37446e 100644 (file)
@@ -1 +1,2 @@
 swanctl
+swanctl.conf
index 4f0c1c2..3ed47fe 100644 (file)
@@ -29,7 +29,15 @@ AM_CPPFLAGS = \
        -DSWANCTLDIR=\""${swanctldir}\"" \
        -DPLUGINS=\""${s_plugins}\""
 
-EXTRA_DIST = swanctl.conf
+BUILT_SOURCES = swanctl.conf
+EXTRA_DIST = swanctl.opt swanctl.conf
+
+.opt.conf:
+       $(AM_V_GEN) \
+       $(PYTHON) $(top_srcdir)/conf/format-options.py -f conf $< > $(srcdir)/$@
+
+maintainer-clean-local:
+       cd $(srcdir) && rm -f swanctl.conf
 
 install-data-local: swanctl.conf
        test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)"
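Review bot: The `.opt.conf` recipe redirects the generator's output straight into `$(srcdir)/$@`, so if format-options.py fails the shell has already truncated swanctl.conf, and that empty file, now newer than swanctl.opt, is treated as up to date on the next run and picked up by install-data-local. Writing to a temporary name and renaming only on success avoids this: `$(PYTHON) $(top_srcdir)/conf/format-options.py -f conf $< > $(srcdir)/$@.tmp && mv -f $(srcdir)/$@.tmp $(srcdir)/$@`. Note also that make honours `.opt.conf:` as a suffix rule only when both suffixes are listed in .SUFFIXES, which Automake fills from the SUFFIXES variable; no `SUFFIXES = .opt .conf` line is visible in this hunk, so unless it exists elsewhere in the file the rule would be read as a literal target named `.opt.conf`. The install-data-local rule that consumes swanctl.conf starts on the last lines of the hunk and continues outside it.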
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
deleted file mode 100644 (file)
index f43d1d4..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-connections {
-
-#      # an IKE configuration named conn1
-#      conn1 {
-#              # IKE version to use
-#              version = 2
-#              # list of acceptable local addresses/subnets
-#              local_addrs = 0.0.0.0
-#              # peer address, additional addresses/subnets as responder
-#              remote_addrs = 192.168.5.1
-#              # local UPD port for IKE
-#              local_port = 500
-#              # remote UDP port for IKE
-#              remote_port = 500
-#              # Proposals for IKE, "default" is the default proposal
-#              proposals = aes128gcm16-prfsha256-modp2048, default
-#              # virtual IPs to request, such as 0.0.0.0 or ::
-#              vips =
-#              # IKEv1 aggressive mode
-#              aggressive = no
-#              # use of pull/push in IKEv1 mode config
-#              pull = yes
-#              # enforce UDP encapsulation by faking NAT-D payloads
-#              encap = no
-#              # enable IKEv2 MOBIKE
-#              mobike = yes
-#              # interval of liveness checks
-#              dpd_delay = 10s
-#              # timeout for DPD checks (IKEV1 only)
-#              dpd_timeout = 30s
-#              # use IKEv1 UDP packet fragmentation
-#              fragmentation = force
-#              # send certificate requests
-#              send_certreq = yes
-#              # send certificate payloads
-#              send_cert = ifasked
-#              # number of retransmission sequences to do before givin up
-#              keyingtries = 0
-#              # uniquness policy, never|no|keep|replace|
-#              unique = no
-#              # time to schedule IKE reauthentication
-#              reauth_time = 3h
-#              # time to schedule IKE rekeying
-#              rekey_time = 2h
-#              # hard IKE_SA lifetime if rekey/reauth does not complete
-#              over_time = 10m
-#              # range of random time to subtract from rekey/rauth times
-#              rand_time = 10m
-#
-#              # local authentication, first round
-#              local {
-#                      # additional certificates to load
-#                      certs = a.pem, xy.der
-#                      # authentication to perform locally
-#                      auth = pubkey
-#                      # IKE identity for local
-#                      id = win@strongswan.org
-#                      # Client EAP-Identity to use
-#                      eap_id = moon
-#                      # Server side EAP identity to use, EAP-TTLS etc.
-#                      aaa_identity = srv
-#                      # IKEv1 XAuth username
-#                      xauth_id = moon
-#              }
-#              # remote authentication, first round
-#              remote {
-#                      # IKE identity for peer
-#                      id = %any
-#                      # list of acceptable peer certificates
-#                      certs = client.pem
-#                      # list of acceptable CA certificates
-#                      cacert = ca.der
-#                      # revocation policy, strict|ifuri
-#                      revocation = ifuri
-#                      # authentication to expect from remote
-#                      auth = pubkey
-#              }
-#              children {
-#                      # First CHILD_SA configuration
-#                      child1 {
-#                              # AH proposals to offer
-#                              ah_proposals = default
-#                              # ESP proposals to offer
-#                              esp_proposals = aes128gcm16-modp2048, default
-#                              # local subnets to tunnel
-#                              local_ts = 192.168.3.0/24
-#                              # remote subnets to tunnel
-#                              remote_ts = 192.168.1.0/24
-#                              # updown script to invoke
-#                              updown = path-to-script
-#                              # hostaccess variable to pass to updown
-#                              hostaccess = yes
-#                              # IPsec mode, tunnel|transport|pass|drop
-#                              mode = tunnel
-#                              # action to perform on DPD timeout
-#                              dpd_action = restart
-#                              # enable IPComp
-#                              ipcomp = no
-#                              # inactivity timeout before closing CHILD_SA
-#                              inactivity = 2m
-#                              # fixed reqid to use for this CHILD_SA
-#                              reqid = 5
-#                              # Netfilter mark for input traffic
-#                              mark_in = 1
-#                              # Netfilter mark for output traffic
-#                              mark_out = 5/0xffffffff
-#                              # Traffic Flow Confidentiality padding
-#                              tfc_padding = 1500
-#                      }
-#              }
-#      }
-
-}
-
-secrets {
-#      eap-tester {
-#              id = tester
-#              secret = test
-#      }
-#      ike-moon {
-#              id-local = sun.strongswan.org
-#              id-remote = mon.strongswan.org
-#              secret = 0x12345678901234
-#      }
-}
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
new file mode 100644 (file)
index 0000000..1e3adb2
--- /dev/null
@@ -0,0 +1,188 @@
+connections.conn1 { # }
+       An IKE configuration named conn1
+
+connections.conn1.version = 2
+       IKE version to use
+
+connections.conn1.local_addrs = 0.0.0.0
+       List of acceptable local addresses/subnets
+
+connections.conn1.remote_addrs = 192.168.5.1
+       Peer address, additional addresses/subnets as responder
+
+connections.conn1.local_port = 500
+       Local UPD port for IKE
+
+connections.conn1.remote_port = 500
+       Remote UDP port for IKE
+
+connections.conn1.proposals = aes128gcm16-prfsha256-modp2048, default
+       Proposals for IKE, "default" is the default proposal
+
+connections.conn1.vips =
+       Virtual IPs to request, such as 0.0.0.0 or ::
+
+connections.conn1.aggressive = no
+       IKEv1 aggressive mode
+
+connections.conn1.pull = yes
+       Use of pull/push in IKEv1 mode config
+
+connections.conn1.encap = no
+       Enforce UDP encapsulation by faking NAT-D payloads
+
+connections.conn1.mobike = yes
+       Enable IKEv2 MOBIKE
+
+connections.conn1.dpd_delay = 10s
+       Interval of liveness checks
+
+connections.conn1.dpd_timeout = 30s
+       Timeout for DPD checks (IKEV1 only)
+
+connections.conn1.fragmentation = force
+       Use IKEv1 UDP packet fragmentation
+
+connections.conn1.send_certreq = yes
+       Send certificate requests
+
+connections.conn1.send_cert = ifasked
+       Send certificate payloads
+
+connections.conn1.keyingtries = 0
+       Number of retransmission sequences to do before givin up
+
+connections.conn1.unique = no
+       Uniquness policy, never|no|keep|replace|
+
+connections.conn1.reauth_time = 3h
+       Time to schedule IKE reauthentication
+
+connections.conn1.rekey_time = 2h
+       Time to schedule IKE rekeying
+
+connections.conn1.over_time = 10m
+       Hard IKE_SA lifetime if rekey/reauth does not complete
+
+connections.conn1.rand_time = 10m
+       Range of random time to subtract from rekey/rauth times
+
+connections.conn1.pools = pool1
+       Hand out addresses and attributes from pool1 as responder
+
+connections.conn1.vips = 0.0.0.0
+       Request a virtual IP as initiator
+
+connections.conn1.local {}
+       Local authentication, first round
+
+connections.conn1.local.certs = a.pem, xy.der
+       Additional certificates to load
+
+connections.conn1.local.auth = pubkey
+       Authentication to perform locally
+
+connections.conn1.local.id = win@strongswan.org
+       IKE identity for local
+
+connections.conn1.local.eap_id = moon
+       Client EAP-Identity to use
+
+connections.conn1.local.aaa_identity = srv
+       Server side EAP identity to use, EAP-TTLS etc.
+
+connections.conn1.local.xauth_id = moon
+       IKEv1 XAuth username
+
+connections.conn1.remote {}
+       Remote authentication, first round
+
+connections.conn1.remote.id = %any
+       IKE identity for peer
+
+connections.conn1.remote.certs = client.pem
+       List of acceptable peer certificates
+
+connections.conn1.remote.cacert = ca.der
+       List of acceptable CA certificates
+
+connections.conn1.remote.revocation = ifuri
+       Revocation policy, strict|ifuri
+
+connections.conn1.remote.auth = pubkey
+       Authentication to expect from remote
+
+connections.conn1.children.child1 {}
+       First CHILD_SA configuration
+
+connections.conn1.children.child1.ah_proposals = default
+       AH proposals to offer
+
+connections.conn1.children.child1.esp_proposals = aes128gcm16-modp2048, default
+       ESP proposals to offer
+
+connections.conn1.children.child1.local_ts = 192.168.3.0/24
+       Local subnets to tunnel
+
+connections.conn1.children.child1.remote_ts = 192.168.1.0/24
+       Remote subnets to tunnel
+
+connections.conn1.children.child1.updown = path-to-script
+       Updown script to invoke
+
+connections.conn1.children.child1.hostaccess = yes
+       Hostaccess variable to pass to updown
+
+connections.conn1.children.child1.mode = tunnel
+       IPsec mode, tunnel|transport|pass|drop
+
+connections.conn1.children.child1.dpd_action = restart
+       Action to perform on DPD timeout
+
+connections.conn1.children.child1.ipcomp = no
+       Enable IPComp
+
+connections.conn1.children.child1.inactivity = 2m
+       Inactivity timeout before closing CHILD_SA
+
+connections.conn1.children.child1.reqid = 5
+       Fixed reqid to use for this CHILD_SA
+
+connections.conn1.children.child1.mark_in = 1
+       Netfilter mark for input traffic
+
+connections.conn1.children.child1.mark_out = 5/0xffffffff
+       Netfilter mark for output traffic
+
+connections.conn1.children.child1.tfc_padding = 1500
+       Traffic Flow Confidentiality padding
+
+secrets.eap1 { # }
+       EAP secret section
+
+secrets.eap1.secret = testpassword
+       Password for EAP secret
+
+secrets.eap1.id = tester
+       User EAP secret belongs to
+
+secrets.ike-moon { # }
+       IKE secret for moon
+
+secrets.ike-moon.secret = 0x12345678
+       IKE shared secret for moon
+
+secrets.ike-moon.id-local = sun.strongswan.org
+       First identity secret belongs to
+
+secrets.ike-moon.id-remote = moon.strongswan.org
+       Second identity secret belongs to
+
+pools.poolx { # }
+       Section defining an address pool
+
+pools.poolx.addrs = 10.1.2.0/24
+       Define addresses for this pool
+
+pools.poolx.dns = 10.1.1.1, 10.1.2.1
+       Define DNS server addresses associated to pool
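Review bot: `connections.conn1.vips` is defined twice in the new file, once with an empty value near the top of the conn1 section and again as `connections.conn1.vips = 0.0.0.0` right after the `pools` entry, so the generated swanctl.conf would presumably carry two entries for the same key. The earlier empty entry and its "Virtual IPs to request" text should be dropped, keeping only `connections.conn1.vips = 0.0.0.0` with the "Request a virtual IP as initiator" description. A few typos carried over from the deleted swanctl.conf are worth fixing while the text is being moved: `Local UPD port for IKE`, `before givin up`, `Uniquness policy` and `rekey/rauth times`.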