
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB    = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $dbKey       = 'ipsec';
    my $systemMode  = $configDB->get("SystemMode")->value;
    my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';

    if ( $systemMode ne 'servergateway' ) {
        $OUT .= "# System not in Server Gateway mode\n";
    }

    elsif ( $ipsecStatus ne 'enabled' ) {
        $OUT .= "# Ipsec not enabled\n";
    }

    else {
        my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
            or die("cant connect to ipsec database");

        # This should get all the connections in an array

        my @connections = $ipsecDB->keys;

        $OUT .= "# ipsec.secrets\n\n";

        my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );

        foreach my $ipsecprop (@connections) {

            if ( $ipsecprop ne 'L2TPD-PSK' ) {

                # first we verify if IPSec is enabled for the connection

                my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
                    || "disabled";

                if ( $ipsecstatus eq "enabled" ) {

                    my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';

                    # Hmm..... if left is not set it defaults to %defaultroute which we don't want here

                    my $left     = $ipsecDB->get_prop( $ipsecprop, 'left' )     || $ExternalIP;
                    my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
                    my $iptype   = $ipsecDB->get_prop( $ipsecprop, 'iptype' )   || '';
                    my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
                    my $passwd   = $ipsecDB->get_prop( $ipsecprop, 'passwd' )   || '';

                    # Double quote is not allowed in configuration
                    if ( $passwd =~ /"/ ) {
                        die("Ipsec Error - PSK value cannot contain double quotes (\")");
                    }

                    $OUT .= "# $ipsecprop is enabled\n";

                    if ( $security eq 'certs' ) {
                        $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
                    }

                    elsif ( $security eq 'secret' ) {

                        # If dynamic it must be %any here
                        # If not it can be ExternalIP if left not set

                        # IF we have IDs then use them in preference to %any

                        my $leftid  = $ipsecDB->get_prop( $ipsecprop, 'leftid' )  || '';
                        my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';

                        if ( $iptype eq 'stattodyn' ) {
                            if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
                                $OUT .= "$left %any \: PSK \"$passwd\"";
                            }
                            else {
                                $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                            }
                        }

                        elsif ( $iptype eq 'dyntostat' ) {
                            if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
                                $OUT .= "%any $right\: PSK \"$passwd\"";
                            }
                            else {
                                $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                            }
                        }

                        elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
                            $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                        }

                        else {
                            $OUT .= "$left $right \: PSK \"$passwd\"";
                        }
                    }

                    elsif ( $security eq "rsasig" ) {
                        $OUT .= "# Connection to $ipsecprop is RSA\n";
                        $OUT .= "# Our RSA key is in separate file\n";
                    }

                    else {
                        $OUT .= "# $ipsecprop is disabled\n";
                        $OUT .= "\n";
                    }
                    $OUT .= "\n";
                }    # if
            }    #unless
        }    #foreach
    }    #else
}

