#jinja2: lstrip_blocks: "True", trim_blocks: "True"
{#
  Purpose: renders the Junos "set" configuration that both head-ends (Atlanta
  first, then Dallas) need for ONE remote site.  Every value is read from the
  `data` mapping via the literal "<PLACEHOLDER>" keys listed in the "#" legend
  that follows; the legend itself is rendered into the output as config comments.

  Conditionals used in this file:
    data['<EF_TYPE>'] == 'Cluster'  -> additionally emits the ISP2 tunnel (st0
                                       unit <TUN2_ST>, a second IKE gateway/VPN
                                       and a second BGP neighbor) on both
                                       head-ends.
    data['<DHCP>'] == 'No'          -> static IKE gateway with peer address
                                       <WAN1_IP>.
    data['<DHCP>'] == 'Yes'         -> dynamic IKE gateway keyed on hostname
                                       <IKEHOST>.
  NOTE(review): '<EF_TYPE>', '<DHCP>' and '<IKEHOST>' are consumed here but are
  not in the legend below.  Any '<DHCP>' value other than exactly 'Yes'/'No'
  emits an ISP1 gateway that has neither an ike-policy nor a peer address.

  Whitespace: the first line asks the renderer for lstrip_blocks/trim_blocks
  (Ansible's template module honours that header; a plain jinja2 Environment
  does not).  Nearly every tag here is written with a leading '-', which also
  strips the newline BEFORE the tag; together with trim_blocks this can glue
  the preceding "set" line onto the next one -- TODO render once with the real
  renderer and check the output line by line.

  Handling: the rendered output carries the IKE pre-shared key in clear text
  (pre-shared-key ascii-text), so the rendered file and the `data` source must
  be treated as secrets.  Values are inserted verbatim into CLI commands with no
  validation; the caller should validate each value (address/prefix, integer
  unit numbers, hostname, ASN) before rendering so a malformed value cannot
  produce extra or broken "set" lines.
#}
###########################################################################################################
# {{data['<PRESHARED_KEY>']}} - Preshared key for sub ( if new ) (SUB!psk1234)
# {{data['<SUB>']}} - Subsidiary (DII)
# {{data['<SITE>']}} - Location (RCA)
# {{data['<SITE_SUPERNET>']}} - Site subnet (10.65.0.0/21)
#
# {{data['<TUN1_ST>']}} - Tunnel 1 st0 interface number (4096)
# {{data['<ATL_TUN1_PEER>']}} - IP address of remote peer (st0.0) (10.255.0.1)
# {{data['<DAL_TUN1_PEER>']}} - IP address of remote peer (st0.10) (10.254.0.1)
#
#
# {{data['<WAN1_IP>']}} - IP address for ISP1 at the site (4.1.2.3)
# {{data['<ATL_TUN1_IP>']}} - IP address for the ATLANTA side for the head-end st0 interface for ISP1 (10.255.0.0)
# {{data['<DAL_TUN1_IP>']}} - IP address for the DALLAS side for the head-end st0 internface for ISP1 (10.254.0.0)
#
# {{data['<BGP_ASN>']}} - Remote site BGP ASN number (65123)
#
{%- if data['<EF_TYPE>'] == 'Cluster' %}
# {{data['<TUN2_ST>']}} - Tunnel 2 st0 interface number (4097)
# {{data['<WAN2_IP>']}} - IP address for ISP2 at the site (12.13.14.15)
# {{data['<ATL_TUN2_IP>']}} - Ip address of remote peer (st0.1) (10.255.0.3)
# {{data['<DAL_TUN2_IP>']}} - Ip address of remote peer (st0.11) (10.254.0.3)
# {{data['<ATL_TUN2_PEER>']}} - IP address for the ATLANTA side for the head-end st0 interface for ISP2 (10.255.0.2)
# {{data['<DAL_TUN2_PEER>']}} - IP address for the DALLAS side for the head-end st0 interface for ISP2 (10.254.0.2)
{%- endif %}
#
#
###########################################################################################################
### ATLANTA HEAD-END CONFIGURATION
### IKE-POLICY-{{data['<SUB>']}}-DYC19 should only be configured once per subsidiary
{# Per-subsidiary objects (IKE policy and BGP group).  The template re-emits
   them for every site rendered for the same SUB; that only repeats existing
   statements as long as the PSK supplied for a later site equals the one
   already on the box -- a different value would overwrite the subsidiary-wide
   key. #}
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 mode main
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 proposals IKE-DYC19
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 pre-shared-key ascii-text {{data['<PRESHARED_KEY>']}}
### BGP POLICY NEEDS TO BE CONFIGURED ONCE PER SUB TO SUPPORT NEW EXPORT/IMPORT POLICY ###
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 passive
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 mtu-discovery
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 import BGP-SPOKE_TO_HUB-IMPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 family inet unicast
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 family inet6 unicast
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 export BGP-HUB-EXPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 export BGP-HUB_TO_SPOKE-EXPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 graceful-restart
### THIS IS PER-SITE ADDITIONAL CONFIGURATION
{# The site supernet becomes an address-book entry in zone VPN and is rolled
   into the subsidiary-wide address-set NET_<SUB>. #}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN address-book address NET-{{data['<SUB>']}}-{{data['<SITE>']}} {{data['<SITE_SUPERNET>']}}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN address-book address-set NET_{{data['<SUB>']}} address NET-{{data['<SUB>']}}-{{data['<SITE>']}}
### CREATE ST0 INTERFACES FOR REMOTE SITE
{# Head-end end of each /31 tunnel.  NOTE(review): the address assigned to the
   local st0 unit is '<ATL_TUN1_PEER>', while '<ATL_TUN1_IP>' is used further
   down as the vpn-monitor destination and BGP neighbor; that is the opposite
   of how the legend at the top describes the two keys -- confirm which /31 end
   belongs to which device before trusting the legend. #}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} family inet mtu 1414
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} family inet address {{data['<ATL_TUN1_PEER>']}}/31
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} family inet mtu 1414
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} family inet address {{data['<ATL_TUN2_PEER>']}}/31
{%- endif %}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN interfaces st0.{{data['<TUN1_ST>']}}
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN interfaces st0.{{data['<TUN2_ST>']}}
{%- endif %}
{# ISP1 IKE gateway, static (DHCP == 'No') or dynamic (DHCP == 'Yes').
   NOTE(review): "version v2-only" is emitted only in the DHCP == 'No' branch
   here, whereas the Dallas section sets it for every site; a DHCP == 'Yes'
   site therefore gets no explicit IKE version on Atlanta.  Confirm whether
   IKE-POLICY-DYNAMIC is meant to cover that. #}
### IKE IPSEC POLICY FOR ISP1
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike-policy IKE-POLICY-{{data['<SUB>']}}-DYC19
{%- endif %}
{%- if data['<DHCP>'] == 'Yes' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike-policy IKE-POLICY-DYNAMIC
{%- endif %}
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 address {{data['<WAN1_IP>']}}
{%- endif %}
{%- if data['<DHCP>'] == 'Yes' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 dynamic hostname {{data['<IKEHOST>']}}
{%- endif %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 external-interface reth0.890
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 version v2-only
{%- endif %}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 bind-interface st0.{{data['<TUN1_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor optimized
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor source-interface st0.{{data['<TUN1_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor destination-ip {{data['<ATL_TUN1_IP>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike ipsec-policy IPSEC-POLICY-DYC19
{%- endif %}
{%- if data['<DHCP>'] == 'Yes' %}
{# NOTE(review): the ipsec-policy name on the next line is truncated
   ("IPSEC-POLICY-" with no suffix), so a DHCP == 'Yes' site renders an
   incomplete command.  The DHCP == 'No' branch and both Dallas VPNs use
   IPSEC-POLICY-DYC19; fill in the intended name before this branch is used. #}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike ipsec-policy IPSEC-POLICY-
{%- endif %}
{# ISP2 (cluster sites only): always a static gateway with an explicit peer
   address and IKEv2 -- there is no DHCP/dynamic variant for ISP2. #}
### IKE IPSEC POLICY FOR ISP2
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike-policy IKE-POLICY-{{data['<SUB>']}}-DYC19
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 address {{data['<WAN2_IP>']}}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 external-interface reth0.890
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 version v2-only
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 bind-interface st0.{{data['<TUN2_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor optimized
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor source-interface st0.{{data['<TUN2_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor destination-ip {{data['<ATL_TUN2_IP>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike ipsec-policy IPSEC-POLICY-DYC19
{%- endif %}
{# BGP: one neighbor per tunnel, keyed on the same address used as the
   vpn-monitor destination above, all under the subsidiary's passive group. #}
### BGP CONFIGURATION FOR THE SITE
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<ATL_TUN1_IP>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}-ISP1
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<ATL_TUN1_IP>']}} peer-as {{data['<BGP_ASN>']}}
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<ATL_TUN2_IP>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}-ISP2
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<ATL_TUN2_IP>']}} peer-as {{data['<BGP_ASN>']}}
{%- endif %}
{# Dallas mirrors the Atlanta section with these differences: external
   interface xe-0/0/7.0, dynamic sites reference IKEv2-POLICY-DYNAMIC (Atlanta:
   IKE-POLICY-DYNAMIC), "version v2-only" and ipsec-policy IPSEC-POLICY-DYC19
   are emitted regardless of DHCP, and the ISP2 block's closing endif is the
   only one in the file written without the leading '-', so its whitespace
   handling differs from the others. #}
#######################################################################################################
### DALLAS HEAD-END CONFIGURATION
### IKE-POLICY-{{data['<SUB>']}}-DYC19 should only be configured once per subsidiary
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 mode main
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 proposals IKE-DYC19
set groups GRP_{{data['<SUB>']}} security ike policy IKE-POLICY-{{data['<SUB>']}}-DYC19 pre-shared-key ascii-text {{data['<PRESHARED_KEY>']}}
### BGP POLICY NEEDS TO BE CONFIGURED ONCE PER SUB TO SUPPORT NEW EXPORT/IMPORT POLICY ###
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 passive
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 mtu-discovery
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 import BGP-SPOKE_TO_HUB-IMPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 family inet unicast
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 family inet6 unicast
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 export BGP-HUB-EXPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 export BGP-HUB_TO_SPOKE-EXPORT
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 graceful-restart
### THIS IS PER-SITE ADDITIONAL CONFIGURATION
{# Dallas end of each /31 tunnel; same PEER/IP key naming caveat as the Atlanta
   section. #}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} family inet mtu 1414
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN1_ST>']}} family inet address {{data['<DAL_TUN1_PEER>']}}/31
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} family inet mtu 1414
set groups GRP_{{data['<SUB>']}} interfaces st0 unit {{data['<TUN2_ST>']}} family inet address {{data['<DAL_TUN2_PEER>']}}/31
{%- endif %}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN interfaces st0.{{data['<TUN1_ST>']}}
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} security zones security-zone VPN interfaces st0.{{data['<TUN2_ST>']}}
{%- endif %}
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike-policy IKE-POLICY-{{data['<SUB>']}}-DYC19
{%- endif %}
{%- if data['<DHCP>'] == 'Yes' %}
{# NOTE(review): this dynamic policy name differs from the Atlanta branch
   (IKEv2-POLICY-DYNAMIC here vs IKE-POLICY-DYNAMIC there); confirm that each
   name exists on its respective head-end. #}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike-policy IKEv2-POLICY-DYNAMIC
{%- endif %}
{%- if data['<DHCP>'] == 'No' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 address {{data['<WAN1_IP>']}}
{%- endif %}
{%- if data['<DHCP>'] == 'Yes' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 dynamic hostname {{data['<IKEHOST>']}}
{%- endif %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 external-interface xe-0/0/7.0
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 version v2-only
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 bind-interface st0.{{data['<TUN1_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor optimized
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor source-interface st0.{{data['<TUN1_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 vpn-monitor destination-ip {{data['<DAL_TUN1_IP>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP1 ike ipsec-policy IPSEC-POLICY-DYC19
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike-policy IKE-POLICY-{{data['<SUB>']}}-DYC19
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 address {{data['<WAN2_IP>']}}
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 external-interface xe-0/0/7.0
set groups GRP_{{data['<SUB>']}} security ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 version v2-only
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 bind-interface st0.{{data['<TUN2_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor optimized
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor source-interface st0.{{data['<TUN2_ST>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 vpn-monitor destination-ip {{data['<DAL_TUN2_IP>']}}
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike gateway IKE-GW-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2
set groups GRP_{{data['<SUB>']}} security ipsec vpn VPN-{{data['<SUB>']}}-{{data['<SITE>']}}-ISP2 ike ipsec-policy IPSEC-POLICY-DYC19
{% endif %}
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<DAL_TUN1_IP>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}-ISP1
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<DAL_TUN1_IP>']}} peer-as {{data['<BGP_ASN>']}}
{%- if data['<EF_TYPE>'] == 'Cluster' %}
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<DAL_TUN2_IP>']}} description {{data['<SUB>']}}-{{data['<SITE>']}}-ISP2
set groups GRP_{{data['<SUB>']}} protocols bgp group BGP-VPN-{{data['<SUB>']}}-DYC19 neighbor {{data['<DAL_TUN2_IP>']}} peer-as {{data['<BGP_ASN>']}}
{%- endif %}