# strongswan templates/ipsec.conf - {{ ansible_managed }}
#
# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime={{ strongswan_conf_phase1_lifetime }}
    keylife={{ strongswan_conf_phase2_lifetime }}
    lifetime={{ strongswan_conf_phase2_lifetime }}
    rekeymargin=3m
    keyingtries={{ strongswan_conf_keyingtries }}
    keyexchange={{ strongswan_conf_key_exchange }}
    mobike=no
    ike={{ strongswan_conf_ike_cipher }}
    esp={{ strongswan_conf_esp_cipher }}
    authby={{ strongswan_conf_auth_type }}
    auto={{ strongswan_conf_auto }}
    reauth={{ strongswan_conf_reauth }}
    type=tunnel
    dpdaction={{ strongswan_conf_dpdaction }}
    closeaction={{ strongswan_conf_closeaction }}

{% for conn in strongswan_conf_connections %}
conn {{ conn.name }}
{% if conn.vti is defined %}
    leftupdown="/etc/ipsec.d/ipsec-vti.sh {{ conn.name }} {{ conn.vti.remote }} {{ conn.vti.local }}"
{% endif %}
    left={{ conn.left }}
    leftid={{ conn.leftid }}
    leftsubnet={{ conn.left_subnets }}
    leftauth={{ strongswan_conf_auth_type }}
    right={{ conn.right }}
    rightsubnet={{ conn.right_subnets }}
    rightauth={{ strongswan_conf_auth_type }}
{% if conn.vti is defined %}
    mark=%unique
{% endif %}
{% endfor %}