
Support certificate filtering during IPSEC authentication#40

Merged
dmitryperets merged 2 commits into release/7.4 from feature/ike_peertype on Jan 31, 2025

Conversation

@dmitryperets (Member)

By default, when certificate-based IPSEC authentication is implemented, we accept any valid and trusted certificate.
Users may want to restrict the list of accepted certificates.

The most common example is to restrict the list of trusted CAs, because the full list of CAs trusted by the FortiGate normally contains the default Fortinet CA, might contain public Internet CAs, and so on. For the SD-WAN overlay network, the user might want to restrict the list only to the CA actually used to issue the SD-WAN node certificates (it could be a built-in FortiManager CA or an external corporate CA). Optionally, the user may want to add other constraints too.

FOS supports certificate filtering using the config user peer object that is then referred to under the IPSEC configuration. At the moment, we do not plan to generate that object, because it would require passing the actual names of the CA certificates the user would like to trust, as well as any other FOS-supported parameters, to the Jinja Orchestrator. Instead, we add the capability to reference this object from the generated IPSEC configuration, assuming that the object itself has been created by the user elsewhere (for example, using the FortiManager GUI or using an additional CLI Template added by the user).

This way, we leave it to the user to define any type of constraints and any list of trusted CAs they may desire. We will simply reference the object in the IPSEC configuration, as follows:

config vpn ipsec phase1-interface
  edit "{{ ol_tun_name }}"
    set authmethod signature
    set peertype peer
    set peer "TheCA"
    ...

Configuration

To enable this functionality (on all Hubs and Spokes, including the Hub-to-Hub tunnels), the following two global options must be configured:

# Enable certificate-based IPSEC authentication (enabled by default)
{% set cert_auth = true %}

# Enable certificate filtering (new feature, disabled by default)
{% set cert_auth_filter = true %}

Naming Convention

By default, we expect a config user peer object called "TheCA".
Its content can be anything supported by FOS.

The name can be customized, using the following global optional parameters:

# On the Spokes (configured on the Spoke-to-Hub tunnels)
{% set edge_cert_filter = "MyOwnCA" %}

# On the Hubs (configured on the Spoke-facing Dial-Up tunnels)
{% set hub_cert_filter = "MyOwnCA" %}

# On the Hubs (configured on the Hub-to-Hub tunnels, both within and between regions)
{% set hub_cert_filter_hub2hub = "MyOwnCA" %}

Example

Here is an example of a config user peer object limiting the list of trusted CAs.
This configuration is NOT generated by the Jinja Orchestrator; it is prepared by the user elsewhere.

config user peer
    edit "TheCA"
        set ca "CustomerA_CA3"
    next
end
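The following is an added example, not code from this PR or the Jinja Orchestrator project. It models the documented globals (cert_auth, cert_auth_filter, edge_cert_filter, hub_cert_filter, hub_cert_filter_hub2hub, default object name "TheCA") in plain Python and adds a pre-deployment check that every referenced user peer object is actually defined in the user-supplied FortiOS CLI, since the Orchestrator itself assumes the object exists. The PSK path taken when cert_auth is false is not modelled (assumption: it emits none of these lines).

```python
"""Added example: resolve the peer-filter object per tunnel role and verify
that the referenced 'config user peer' object exists in user-supplied CLI."""
import re

DEFAULT_PEER_OBJECT = "TheCA"  # default object name documented in the PR

# Tunnel role -> optional global that overrides the object name (from the PR)
ROLE_OVERRIDE = {
    "spoke": "edge_cert_filter",          # Spoke-to-Hub tunnels
    "hub": "hub_cert_filter",             # Spoke-facing Dial-Up tunnels on Hubs
    "hub2hub": "hub_cert_filter_hub2hub", # Hub-to-Hub tunnels
}

def peer_object_name(role, globals_):
    """Name of the user peer object for this role; falls back to TheCA."""
    return globals_.get(ROLE_OVERRIDE[role]) or DEFAULT_PEER_OBJECT

def phase1_auth_lines(role, globals_):
    """Authentication lines emitted under 'config vpn ipsec phase1-interface'."""
    if not globals_.get("cert_auth", True):   # cert_auth is enabled by default
        return []                             # assumption: PSK path not modelled
    lines = ["set authmethod signature"]
    if globals_.get("cert_auth_filter", False):  # filtering is disabled by default
        lines += ["set peertype peer", f'set peer "{peer_object_name(role, globals_)}"']
    return lines

# Match each 'config user peer ... end' block and the 'edit "<name>"' entries in it
_USER_PEER_BLOCK = re.compile(r"^\s*config user peer\s*\n(.*?)^\s*end\s*$", re.S | re.M)
_EDIT_NAME = re.compile(r'^\s*edit\s+"([^"]+)"', re.M)

def defined_user_peers(cli_text):
    """Set of user peer object names defined in a FortiOS CLI snippet."""
    names = set()
    for body in _USER_PEER_BLOCK.findall(cli_text):
        names.update(_EDIT_NAME.findall(body))
    return names

def missing_peer_objects(globals_, cli_text, roles=("spoke", "hub", "hub2hub")):
    """Referenced peer objects that the user's CLI never defines (empty if filtering is off)."""
    if not (globals_.get("cert_auth", True) and globals_.get("cert_auth_filter", False)):
        return set()
    return {peer_object_name(r, globals_) for r in roles} - defined_user_peers(cli_text)

# Constructed sample: the user-prepared object from the PR description
SAMPLE_USER_PEER_CLI = """config user peer
    edit "TheCA"
        set ca "CustomerA_CA3"
    next
end
"""

if __name__ == "__main__":
    g = {"cert_auth_filter": True, "hub_cert_filter_hub2hub": "MyOwnCA"}
    print("\n".join(phase1_auth_lines("hub2hub", g)))
    print("undefined peer objects:", missing_peer_objects(g, SAMPLE_USER_PEER_CLI))
```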

@dmitryperets dmitryperets self-assigned this Jan 29, 2025
@dmitryperets dmitryperets added the enhancement New feature or request label Jan 29, 2025
@dmitryperets dmitryperets merged commit 473a537 into release/7.4 Jan 31, 2025
@dmitryperets dmitryperets deleted the feature/ike_peertype branch January 31, 2025 09:47