| author | Mark Fenwick <Mark.Fenwick@Oracle.COM> |
| Mon, 11 Jul 2016 12:54:44 -0700 | |
| changeset 6378 | 9d70f1e25eba |
| parent 5405 | 66fd59fecd68 |
| permissions | -rw-r--r-- |
|
6378
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
1 |
{#
|
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
2 |
# |
|
6378
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
3 |
# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. |
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
4 |
# |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
5 |
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
6 |
# not use this file except in compliance with the License. You may obtain |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
7 |
# a copy of the License at |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
8 |
# |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
9 |
# http://www.apache.org/licenses/LICENSE-2.0 |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
10 |
# |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
11 |
# Unless required by applicable law or agreed to in writing, software |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
12 |
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
13 |
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
14 |
# License for the specific language governing permissions and limitations |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
15 |
# under the License. |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
16 |
# |
|
6378
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
17 |
#} |
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
18 |
# IKE Configuration for vpn-service "{{vpnservice.id}}"
|
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
19 |
# Configuration for vpn-service "{{vpnservice.id}}"
|
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
20 |
{% for ipsec_site_connection in vpnservice.ipsec_site_connections if ipsec_site_connection.admin_state_up
|
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
21 |
%} |
|
6378
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
22 |
{% set aalg=ipsec_site_connection.ipsecpolicy.auth_algorithm %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
23 |
{% set ealg=ipsec_site_connection.ipsecpolicy.encryption_algorithm %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
24 |
{% set tun_name=ipsec_site_connection['tunnel_id'] %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
25 |
{% if ipsec_site_connection.ipsecpolicy.transform_protocol == "esp" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
26 |
{% set atok="encr_auth_algs" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
27 |
{% else %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
28 |
{% set atok="auth_algs" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
29 |
{% endif %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
30 |
{% if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
31 |
{% set etok="" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
32 |
{% set ealg="" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
33 |
{% else %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
34 |
{% set etok="encr_algs" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
35 |
{% endif %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
36 |
{% set laddr=vpnservice.subnet.cidr %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
37 |
{% set raddr=ipsec_site_connection['peer_cidrs']|join(' ') %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
38 |
{# We can support Combined modes algorithms by configuring the authentication
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
39 |
# and encryption algorithms as the same value. |
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
40 |
#} |
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
41 |
{% if aalg == ealg %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
42 |
{% set atok="" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
43 |
{% set aalg="" %}
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
44 |
{% endif %}
|
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
45 |
|
|
6378
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
46 |
{ tunnel {{tun_name}} negotiate tunnel laddr {{laddr}} raddr {{raddr}} } ipsec
|
|
9d70f1e25eba
23594244 IKEv2 mode of VPNaaS needs to deal with ikeuser privileges
Mark Fenwick <Mark.Fenwick@Oracle.COM>
parents:
5405
diff
changeset
|
47 |
{ {{atok}} {{aalg}} {{etok}} {{ealg}} sa shared }
|
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
48 |
|
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
49 |
{% endfor %}
|
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
diff
changeset
|
50 |