Configure IPSec.

2 files changed, 45 insertions, 0 deletions

diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+    # crlcheckinterval = 600
+    strictcrlpolicy    = no
+    # cachecrls        = yes
+    plutostart         = no
+
+# Add connections here.
+
+conn %default
+    keyexchange  = ikev2
+    ikelifetime  = 1h
+    keylife      = 15m
+    rekeymargin  = 3m
+    keyingtries  = 1
+    esp          = aes128gcm16-ecp256!
+    ike          = aes128gcm16-aesxcbc-ecp256!
+    # TODO: test DynDNS
+    mobike       = no
+    leftauth     = pubkey
+    left         = %defaultroute
+    leftcert     = {{ inventory_hostname }}.pem
+    leftid       = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+    leftca       = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+    leftfirewall = yes
+    rightauth    = pubkey
+    rightca      = %same
+    type         = transport
+    auto         = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+    right   = {{ hostvars[host]['inventory_hostname'] }}
+    rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key