author | Guilhem Moulin <guilhem@fripost.org> | 2013-10-30 21:49:34 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:31 +0200 |
commit | 42ec51e418142f68a97d96663a43ae617c971ad5 (patch) | |
tree | a329b6705d0c55d33b952c07a032e45fb3919c4c /roles/common/templates | |
parent | 035ea3c7dbe80c92c59635f710076c586c7394c8 (diff) |
Configure IPSec.
Diffstat (limited to 'roles/common/templates')
-rw-r--r-- | roles/common/templates/etc/ipsec.conf.j2 | 40 | ||||
-rw-r--r-- | roles/common/templates/etc/ipsec.secrets.j2 | 5 |
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+ # crlcheckinterval = 600
+ strictcrlpolicy = no
+ # cachecrls = yes
+ plutostart = no
+
+# Add connections here.
+
+conn %default
+ keyexchange = ikev2
+ ikelifetime = 1h
+ keylife = 15m
+ rekeymargin = 3m
+ keyingtries = 1
+ esp = aes128gcm16-ecp256!
+ ike = aes128gcm16-aesxcbc-ecp256!
+ # TODO: test DynDNS
+ mobike = no
+ leftauth = pubkey
+ left = %defaultroute
+ leftcert = {{ inventory_hostname }}.pem
+ leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+ leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+ leftfirewall = yes
+ rightauth = pubkey
+ rightca = %same
+ type = transport
+ auto = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+ right = {{ hostvars[host]['inventory_hostname'] }}
+ rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key |
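Review bot: With `strictcrlpolicy = no` and `crlcheckinterval` left commented out in the `config setup` section, a peer whose certificate the internal CA has since revoked is still accepted, so `rightca = %same` plus the per-host `rightid` is the only thing keeping an evicted host out of the mesh. Either document that revocation is deliberately not enforced, e.g. `# No CRL distribution point yet: revoked peer certs are NOT rejected (strictcrlpolicy)`, or enable `crlcheckinterval = 600` together with `strictcrlpolicy = yes` once the CA publishes a CRL. Separately, `keyingtries = 1` combined with `auto = start` appears to give each connection a single negotiation attempt when the daemon starts, so a peer that is unreachable at that moment is presumably never retried; `keyingtries = %forever`, or a dpdaction/closeaction policy, is worth considering if the mesh should recover on its own. The TODO on `mobike = no` should also say what the DynDNS test is expected to show, since a reader cannot tell whether the option is off by design or pending.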
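Review bot: The `: ECDSA {{ inventory_hostname }}.key` entry names the private key by a bare file name, which strongSwan looks up relative to /etc/ipsec.d/private/; a one-line comment such as `# relative path: resolved under /etc/ipsec.d/private/` would spare the next reader a trip to ipsec.secrets(5). The rendered file's mode is set by the template task, which is outside this diff; since the file points at the node's private key it should presumably be rendered 0600 and root-owned, which is worth confirming in the role's tasks.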