From 3f2238a09011326c53c72205a9cd1cdfe5f9c2c1 Mon Sep 17 00:00:00 2001
From: toby
Date: Sun, 28 Oct 2018 20:45:20 +0100
Subject: [PATCH] adding swanctl draft config. not yet used but wanna eventually switch to it
---
debian/wit-network-config.install | 1 +
debian/wit-network-config.postinst | 8 +++--
files/swanctl-wit.conf.wit | 55 ++++++++++++++++++++++++++++++
3 files changed, 62 insertions(+), 2 deletions(-)
create mode 100644 files/swanctl-wit.conf.wit
diff --git a/debian/wit-network-config.install b/debian/wit-network-config.install
index eef5dd4..affa772 100644
--- a/debian/wit-network-config.install
+++ b/debian/wit-network-config.install
@@ -12,3 +12,4 @@ files/qemu-ifup etc/libvirt/hooks
 files/firewall etc/init.d
 files/frr.conf.wit etc/frr
 files/ipsec.conf.wit etc
+swanctl-wit.conf.wit etc/swanctl/conf.d
diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index 5c38dd1..482c934 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -25,6 +25,7 @@ case "$1" in
 UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
 FRRCONFIG="/etc/frr/frr.conf.wit"
 IPSECCONFIG="/etc/ipsec.conf.wit"
+ SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf"
 ## START gather all the info from the box and generate the variabels
@@ -303,13 +304,16 @@ case "$1" in
 # set ipsec config
- sed -i \
+ for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG
+ do
+ sed -i \
 -e "s/FQHOSTNAME/${HOSTNAME}/" \
 -e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
 -e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
 -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
 -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
- $IPSECCONFIG
+ $IPSECCONFIGFILE
+ done
 echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets
diff --git a/files/swanctl-wit.conf.wit b/files/swanctl-wit.conf.wit
new file mode 100644
index 0000000..21c8032
--- /dev/null
+++ b/files/swanctl-wit.conf.wit
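Review bot: The added entry `swanctl-wit.conf.wit etc/swanctl/conf.d` drops the `files/` prefix that every other line of this install file carries, while the diffstat and `create mode` in this same patch place the new template at `files/swanctl-wit.conf.wit`, so dh_install will be asked for a path that does not exist and the package build should fail on it. The line should read `files/swanctl-wit.conf.wit etc/swanctl/conf.d`. The destination also keeps the `.wit` suffix, so with the usual `include conf.d/*.conf` in swanctl.conf the draft stays inert until something renames it — consistent with the commit message, but the postinst hunk below expects a different final name, so the intended rename step is worth documenting here.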
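Review bot: `SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf"` does not match what the install file in this same commit drops into `etc/swanctl/conf.d`, which is `swanctl-wit.conf.wit` (with the `.wit` suffix, as `IPSECCONFIG` already uses), so the new loop's `sed -i` on that path fails with a missing-file error at configure time, and if the script runs under `set -e` (not visible in this hunk) that aborts the postinst. Either set `SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf.wit"` or fix the install destination, and whatever later turns `ipsec.conf.wit` into `ipsec.conf` needs an equivalent step for this file before the draft can take effect. Separately, the loop now applies the pre-existing `s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/` substitution to a second file; if those variables hold CIDR prefixes containing `/` the expression breaks (note the explicit `\/32` and `\/128` escaping on the LOOPBACK lines), so a different delimiter such as `s|IPSEC_IPV4_SUBNETS|$IPSEC_IPV4_SUBNETS|` would be safer. The enclosing `case "$1" in` block begins and ends outside this hunk.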
@@ -0,0 +1,55 @@
+connections {
+ loopback4 {
+ version = 1
+ local_addrs = LOOPBACKv4
+ remote_addrs = %any4
+ proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+
+ local {
+ auth = pubkey
+ certs = FQHOSTNAME.crt
+ id = "C=US, O=Wit, CN=FQHOSTNAME"
+ }
+ remote {
+ auth = pubkey
+ id = "C=US, O=Wit, CN=*"
+ }
+
+ children {
+ loopback4 {
+ remote_ts = IPSEC_IPV4_SUBNETS
+ local_ts = LOOPBACKv4
+ mode = transport
+ start_action = trap
+ esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ }
+ }
+ }
+
+ loopback6 {
+ version = 1
+ local_addrs = LOOPBACKv6
+ remote_addrs = %any6
+ proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+
+ local {
+ auth = pubkey
+ certs = FQHOSTNAME.crt
+ id = "C=US, O=Wit, CN=FQHOSTNAME"
+ }
+ remote {
+ auth = pubkey
+ id = "C=US, O=Wit, CN=*"
+ }
+
+ children {
+ loopback6 {
+ remote_ts = IPSEC_IPV6_SUBNETS
+ local_ts = LOOPBACKv6
+ mode = transport
+ start_action = trap
+ esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ }
+ }
+ }
+}
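Review bot: Both connections authenticate any peer whose certificate DN matches `id = "C=US, O=Wit, CN=*"` under `auth = pubkey` but set no `cacerts` in the `remote` blocks, so the wildcard identity is only as strong as whatever CA set happens to be loaded into swanctl's trust store; adding `cacerts = <ca>.crt` to each `remote` block pins the issuer explicitly (the CA file name is not visible here, so confirm it). The `aes128-sha1-modp2048` fallback in every `proposals` and `esp_proposals` line lets a peer negotiate SHA-1 integrity/PRF, and if, as the `%any4`/`%any6` plus wildcard-CN setup suggests, every peer is a box running this same package that supports the first entry, the fallback only adds a downgrade path — `proposals = aes256-sha512-modp4096` alone is the safer draft. `version = 1` selects IKEv1 for a brand-new config, presumably for parity with the existing ipsec.conf; that deserves a comment such as `# IKEv1 kept for parity with ipsec.conf.wit; switch to version = 2 once all peers run swanctl`, and `mode = transport` paired with a subnet in `remote_ts` likewise merits a one-line note on why transport rather than tunnel mode is intended.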