adding swanctl draft config. not yet used but wanna eventually switch to it

debian/wit-network-config.install

@@ -12,3 +12,4 @@ files/qemu-ifup etc/libvirt/hooks
 files/firewall etc/init.d
 files/frr.conf.wit etc/frr
 files/ipsec.conf.wit etc
+swanctl-wit.conf.wit etc/swanctl/conf.d

debian/wit-network-config.postinst

@@ -25,6 +25,7 @@ case "$1" in
         UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
         FRRCONFIG="/etc/frr/frr.conf.wit"
         IPSECCONFIG="/etc/ipsec.conf.wit"
+        SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf"
 
 
      ## START gather all the info from the box and generate the variabels
@@ -303,13 +304,16 @@ case "$1" in
 
 
       # set ipsec config
-        sed -i \
+        for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG
+	  do
+            sed -i \
                 -e "s/FQHOSTNAME/${HOSTNAME}/" \
                 -e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
                 -e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
                 -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
                 -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
-                $IPSECCONFIG
+                $IPSECCONFIGFILE
+        done
 
         echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets
 

files/swanctl-wit.conf.wit

@@ -0,0 +1,55 @@
+connections {
+    loopback4 {
+        version = 1
+        local_addrs = LOOPBACKv4
+        remote_addrs = %any4
+        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+
+        local {
+            auth = pubkey
+            certs = FQHOSTNAME.crt
+            id = "C=US, O=Wit, CN=FQHOSTNAME"
+        }
+        remote {
+            auth = pubkey
+            id = "C=US, O=Wit, CN=*"
+        }
+
+        children {
+            loopback4 {
+                remote_ts = IPSEC_IPV4_SUBNETS
+                local_ts = LOOPBACKv4
+                mode = transport
+                start_action = trap
+                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+            }
+        }
+    }
+
+    loopback6 {
+        version = 1
+        local_addrs = LOOPBACKv6
+        remote_addrs = %any6
+        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+
+        local {
+            auth = pubkey
+            certs = FQHOSTNAME.crt
+            id = "C=US, O=Wit, CN=FQHOSTNAME"
+        }
+        remote {
+            auth = pubkey
+            id = "C=US, O=Wit, CN=*"
+        }
+
+        children {
+            loopback6 {
+                remote_ts = IPSEC_IPV6_SUBNETS
+                local_ts = LOOPBACKv6
+                mode = transport
+                start_action = trap
+                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+            }
+        }
+    }
+}