authorGuilhem Moulin <guilhem@fripost.org>2013-10-30 21:49:34 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:31 +0200
commit42ec51e418142f68a97d96663a43ae617c971ad5 (patch)
treea329b6705d0c55d33b952c07a032e45fb3919c4c /roles/common/templates
parent035ea3c7dbe80c92c59635f710076c586c7394c8 (diff)
Configure IPSec.
Diffstat (limited to 'roles/common/templates')
-rw-r--r--roles/common/templates/etc/ipsec.conf.j240
-rw-r--r--roles/common/templates/etc/ipsec.secrets.j25
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+ # crlcheckinterval = 600
+ strictcrlpolicy = no
+ # cachecrls = yes
+ plutostart = no
+
+# Add connections here.
+
+conn %default
+ keyexchange = ikev2
+ ikelifetime = 1h
+ keylife = 15m
+ rekeymargin = 3m
+ keyingtries = 1
+ esp = aes128gcm16-ecp256!
+ ike = aes128gcm16-aesxcbc-ecp256!
+ # TODO: test DynDNS
+ mobike = no
+ leftauth = pubkey
+ left = %defaultroute
+ leftcert = {{ inventory_hostname }}.pem
+ leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+ leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+ leftfirewall = yes
+ rightauth = pubkey
+ rightca = %same
+ type = transport
+ auto = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+ right = {{ hostvars[host]['inventory_hostname'] }}
+ rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
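Review bot: Certificate revocation is effectively not enforced by the `config setup` block: `strictcrlpolicy = no` is set while `crlcheckinterval` and `cachecrls` stay commented out, so a peer whose certificate the internal CA later revokes keeps authenticating until the certificate expires. If the CA publishes a CRL, uncomment `crlcheckinterval = 600` and `cachecrls = yes` and set `strictcrlpolicy = yes`; if it does not yet, record that above the line, e.g. `# no CRL is published for the internal CA yet, so revocation is not enforced`. Separately, `auto = start` combined with `keyingtries = 1` gives a peer that is unreachable at boot a single negotiation attempt, and as far as I can tell from this template nothing installs a policy until the SA is up, so traffic to that peer would then leave the host unprotected; `auto = route` installs the policy first and negotiates on demand, which is the safer choice for a transport-mode mesh. As a point of style, `right = {{ hostvars[host]['inventory_hostname'] }}` in the loop body is equivalent to `right = {{ host }}`, since `host` already iterates inventory hostnames.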
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key
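Review bot: The comment above the `: ECDSA` line says which algorithm is used but not where the key file lives or how it relates to `leftcert` in ipsec.conf, which a reader of this template cannot see. Suggested comment in place of the existing one: `# Private key matching leftcert ({{ inventory_hostname }}.pem) in ipsec.conf; a relative name is looked up under strongSwan's private-key directory (/etc/ipsec.d/private/ by default)`. The tasks that render this template and deploy the key are outside this diff; both ipsec.secrets and the key file should be installed root-owned with mode 0600, so it is worth checking that the template task sets that explicitly.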