authorGuilhem Moulin <guilhem@fripost.org>2013-11-03 22:25:16 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:38 +0200
commitad9c840c40d923e0fd1b04a57274cc2ec2e381ec (patch)
treeae1f9fbdb938451e8c24151dd4d5723a6bf3fa82 /roles/common/templates/etc
parent8f6d93f2c1af4084366cc2d6e835535608fc1e4e (diff)
Prefer matching on policy rather than marks.
Also, use ESP tunnel mode instead of transport mode.
Diffstat (limited to 'roles/common/templates/etc')
-rw-r--r--roles/common/templates/etc/ipsec.conf.j21
1 files changed, 0 insertions, 1 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index ceed16a..5ac2dd1 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -10,31 +10,30 @@ config setup
# Add connections here.
conn %default
keyexchange = ikev2
ikelifetime = 1h
keylife = 15m
rekeymargin = 3m
keyingtries = 1
esp = aes128gcm16-ecp256!
ike = aes128gcm16-aesxcbc-ecp256!
# TODO: test DynDNS
mobike = no
leftauth = pubkey
left = %defaultroute
leftcert = {{ inventory_hostname }}.pem
leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
leftfirewall = yes
rightauth = pubkey
rightca = %same
- type = transport
auto = start
{% for host in groups.all|sort %}
{% if host != inventory_hostname %}
conn {{ host }}
right = {{ hostvars[host]['inventory_hostname'] }}
rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
{% endif -%}
{%- endfor %}
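Review bot: Dropping `type = transport` from `conn %default` switches to tunnel mode only by way of strongSwan's implicit default, so the behaviour the commit message describes is no longer visible anywhere in the file; an explicit `type = tunnel` line in its place would state the intent and survive a change in the parser's default. In tunnel mode without `leftsubnet`/`rightsubnet`, the traffic selectors appear to fall back to the two host addresses (left from `%defaultroute`, right from `hostvars[host]`), which means the policy covers host-to-host traffic only and not any network behind either peer — worth a comment above `conn %default` so a later reader does not expect subnet coverage, e.g. `# Tunnel mode with host-only selectors (no leftsubnet/rightsubnet): protects peer-to-peer traffic only.` This rendering has also lost a few blank lines relative to the `@@ -10,31 +10,30 @@` counts, so take the line positions as approximate.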