
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB    = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $dbKey       = 'ipsec';
    my $systemMode  = $configDB->get("SystemMode")->value;
    my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';

    if ( $systemMode ne 'servergateway' ) {
        $OUT .= "# System not in Server Gateway mode\n";
    }

    elsif ( $ipsecStatus ne 'enabled' ) {
        $OUT .= "# Ipsec not enabled\n";
    }

    else {
        my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
          or die("cant connect to ipsec database");

        # This should get all the connections in an array

        my @connections = $ipsecDB->keys;

        $OUT .= "# ipsec.secrets\n\n";
        
        my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
        
        foreach my $ipsecprop (@connections) {

            # first we verify if IPSec is enabled for the connection

            my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
              || "disabled";

            if ( $ipsecstatus eq "enabled" ) {

                my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';

                # Hmm..... if left is not set it defaults to %defaultroute which we don't want here

                my $left     = $ipsecDB->get_prop( $ipsecprop, 'left' )     || $ExternalIP;
                my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
                my $iptype   = $ipsecDB->get_prop( $ipsecprop, 'iptype' )   || '';
                my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
                my $passwd   = $ipsecDB->get_prop( $ipsecprop, 'passwd' )   || '';

                # Double quote is not allowed in configuration
                if ( $passwd =~ /"/ ) {
                    die("Ipsec Error - PSK value cannot contain double quotes (\")");
                }

                $OUT .= "# $ipsecprop is enabled\n";

                if ( $security eq 'certs' ) {
                    $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
                }

                elsif ( $security eq 'secret' ) {

                    # If dynamic it must be %any here
                    # If not it can be ExternalIP if left not set

                    # IF we have IDs then use them in preference to %any

                    my $leftid  = $ipsecDB->get_prop( $ipsecprop, 'leftid' )  || '';
                    my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';

                    if ( $iptype eq 'stattodyn' ) {
                        if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
                            $OUT .= "$left %any \: PSK \"$passwd\"";
                        }
                        else {
                            $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                        }
                    }

                    elsif ( $iptype eq 'dyntostat' ) {
                        if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
                            $OUT .= "%any $right\: PSK \"$passwd\"";
                        }
                        else {
                            $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                        }
                    }

                    elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
                        $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
                    }

                    else {
                        $OUT .= "$left $right \: PSK \"$passwd\"";
                    }
                }

                elsif ( $security eq "rsasig" ) {
                    $OUT .= "# Connection to $ipsecprop is RSA\n";
                    $OUT .= "# Our RSA key is in separate file\n";
                }

                else {
                    $OUT .= "# $ipsecprop is disabled\n";
                    $OUT .= "\n";
                }
                $OUT .= "\n";
            }
        }
    }
}
