# Configuration for {{vpnservice.name}}
config setup
    nat_traversal=yes
    listen={{vpnservice.external_ip}}
conn %default
    ikelifetime=480m
    keylife=60m
    keyingtries=%forever
{% for ipsec_site_connection in vpnservice.ipsec_site_connections if ipsec_site_connection.admin_state_up
%}conn {{ipsec_site_connection.id}}
    # NOTE: a default route is required for %defaultroute to work...
    left={{vpnservice.external_ip}}
    leftid={{vpnservice.external_ip}}
    auto={{ipsec_site_connection.initiator}}
    # NOTE:REQUIRED
    # [subnet]
    leftsubnet={{vpnservice.subnet.cidr}}
    # leftsubnet=networkA/netmaskA, networkB/netmaskB (IKEv2 only)
    leftnexthop=%defaultroute
    ######################
    # ipsec_site_connections
    ######################
    # [peer_address]
    right={{ipsec_site_connection.peer_address}}
    # [peer_id]
    rightid={{ipsec_site_connection.peer_id}}
    # [peer_cidrs]
    rightsubnets={ {{ipsec_site_connection['peer_cidrs']|join(' ')}} }
    # rightsubnet=networkA/netmaskA, networkB/netmaskB (IKEv2 only)
    rightnexthop=%defaultroute
    # [mtu]
    # Note It looks like not supported in the strongswan driver
    # ignore it now
    # [dpd_action]
    dpdaction={{ipsec_site_connection.dpd_action}}
    # [dpd_interval]
    dpddelay={{ipsec_site_connection.dpd_interval}}
    # [dpd_timeout]
    dpdtimeout={{ipsec_site_connection.dpd_timeout}}
    # [auth_mode]
    authby=secret
    ######################
    # IKEPolicy params
    ######################
    #ike version
    ikev2={{ipsec_site_connection.ikepolicy.ike_version}}
    # [encryption_algorithm]-[auth_algorithm]-[pfs]
    ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}};{{ipsec_site_connection.ikepolicy.pfs}}
    # [lifetime_value]
    ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
    # NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds,  hours,  days...)
    ##########################
    # IPsecPolicys params
    ##########################
    # [transform_protocol]
    auth={{ipsec_site_connection.ipsecpolicy.transform_protocol}}
    # [encryption_algorithm]-[auth_algorithm]-[pfs]
    phase2alg={{ipsec_site_connection.ipsecpolicy.encryption_algorithm}}-{{ipsec_site_connection.ipsecpolicy.auth_algorithm}};{{ipsec_site_connection.ipsecpolicy.pfs}}
    # [encapsulation_mode]
    type={{ipsec_site_connection.ipsecpolicy.encapsulation_mode}}
    # [lifetime_value]
    lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
    # lifebytes=100000 if lifetime_units=kilobytes (IKEv2 only)
{% endfor %}