From 1649b27766fed5f685a4f9705a11abefb6f809ca Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Tue, 7 Mar 2023 07:35:12 +0100
Subject: [PATCH] Roaming host configuration
---
 .../ipsec.d/roaming-host-domain.conf.template | 4 ++++
 libreswan/etc/ipsec.d/roaming-host.conf | 21 +++++++++++++++++++
 libreswan/etc/ipsec.d/roaming.conf | 9 +++-----
 3 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 libreswan/etc/ipsec.d/roaming-host-domain.conf.template
 create mode 100644 libreswan/etc/ipsec.d/roaming-host.conf
diff --git a/libreswan/etc/ipsec.d/roaming-host-domain.conf.template b/libreswan/etc/ipsec.d/roaming-host-domain.conf.template
new file mode 100644
index 0000000..1880dff
--- /dev/null
+++ b/libreswan/etc/ipsec.d/roaming-host-domain.conf.template
@@ -0,0 +1,4 @@
+conn roaming-host-domain
+ leftsubnet=fdfd:dead:beef::/48
+ modecfgdomains="in.example.org f.e.e.b.d.a.e.d.d.f.d.f.ip6.arpa"
+ #modecfgdomains="."
diff --git a/libreswan/etc/ipsec.d/roaming-host.conf b/libreswan/etc/ipsec.d/roaming-host.conf
new file mode 100644
index 0000000..57631be
--- /dev/null
+++ b/libreswan/etc/ipsec.d/roaming-host.conf
@@ -0,0 +1,21 @@
+conn roaming-host-ipv6
+ also=roaming-host-common
+ hostaddrfamily=ipv6
+
+conn roaming-host-ipv4
+ also=roaming-host-common
+ hostaddrfamily=ipv4
+ # Required so that client is considered IPv6:
+ rightsubnet=::/0
+ ipsec-interface=yes
+ leftupdown="/usr/libexec/ipsec/_updown.host4client6"
+
+conn roaming-host-common
+ also=roaming-host-domain
+ # Authorisation
+ authby=rsa-sha2
+ leftid=%fromcert
+ rightid=%fromcert
+ # Networking
+ clientaddrfamily=ipv6
+ right=%any
diff --git a/libreswan/etc/ipsec.d/roaming.conf b/libreswan/etc/ipsec.d/roaming.conf
index b18969c..6bf61fd 100644
--- a/libreswan/etc/ipsec.d/roaming.conf
+++ b/libreswan/etc/ipsec.d/roaming.conf
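Review bot: The template does not say which of its lines are site-specific placeholders, so a copy taken as-is would hand the placeholder-looking ULA prefix fdfd:dead:beef::/48 and the in.example.org search domain to every roaming client. I would open the file with a comment such as `# Copy to roaming-host-domain.conf (pulled in by also=roaming-host-domain in roaming-host.conf) and replace the prefix and domains with the site's own values`, and put above the modecfgdomains line `# the ip6.arpa zone is the nibble-reversed leftsubnet prefix; keep both in sync` since the two values currently agree only by hand. The commented-out `#modecfgdomains="."` alternative should also state when it is meant to replace the explicit list, as a bare "." pushes every client lookup through the tunnel resolver.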
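Review bot: roaming-host-common sets `leftid=%fromcert` but, unlike roaming-common in roaming.conf which carries `leftcert=ipa-client`, no `leftcert=` appears anywhere in this file, so unless it is supplied by a conf not shown here the host has no certificate to derive its identity from. The responder side is `right=%any` with `rightid=%fromcert` and no `rightca=`, which leaves the set of issuing CAs accepted for arriving clients to libreswan's defaults rather than stating it in the conn; adding `rightca=` (or at least a comment under `# Authorisation` naming where the trust anchor is pinned) would make the authorisation boundary reviewable. Minor: roaming-host-ipv6 omits `ipsec-interface=yes` while its counterpart roaming-ipv6 in roaming.conf sets it, and `rightsubnet=::/0` here versus `leftsubnet=::0/0` there spell the same prefix two ways; if the omission is deliberate a one-line comment would save the next reader the comparison.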
@@ -1,15 +1,13 @@
 # Generic roaming configurations
 conn roaming-ipv6
- hostaddrfamily=ipv6
 also=roaming-common
-
+ hostaddrfamily=ipv6
 ipsec-interface=yes
 
 conn roaming-ipv4
- hostaddrfamily=ipv4
 also=roaming-common
-
- # Required so that client is considered IPv6
+ hostaddrfamily=ipv4
+ # Required so that client is considered IPv6:
 leftsubnet=::0/0
 ipsec-interface=yes
 leftupdown="/usr/libexec/ipsec/_updown.host4client6"
@@ -20,7 +18,6 @@ conn roaming-common
 leftid=%fromcert
 rightid=%fromcert
 leftcert=ipa-client
- # Networking
 left=%defaultroute
 clientaddrfamily=ipv6
 
--
2.30.2