1 files changed, 43 insertions, 0 deletions

diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..4d6aa68
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+    charondebug = "dmn 0, lib 0, cfg 0, ike 0, enc 0, net 0"
+
+conn %default
+    keyexchange    = ikev2
+    keyingtries    = %forever
+    ike            = aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
+    esp            = aes128gcm16-ecp256,aes256gcm16-ecp384!
+{% if 'NATed' not in group_names %}
+    mobike         = no
+{% endif %}
+{% if 'DynDNS' in group_names %}
+    leftallowany   = yes
+{% endif %}
+    leftauth       = pubkey
+    left           = %defaultroute
+    leftsubnet     = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
+    leftcert       = {{ inventory_hostname_short }}.pem
+    leftfirewall   = yes
+    lefthostaccess = yes
+    rightauth      = pubkey
+    auto           = route
+    dpdaction      = hold
+    inactivity     = 30m
+    modeconfig     = push
+
+{% for host in groups.all | difference([inventory_hostname]) | sort %}
+
+conn {{ hostvars[host].inventory_hostname_short }}
+    right         = {{ hostvars[host].inventory_hostname }}
+{% if 'DynDNS' in hostvars[host].group_names %}
+    rightallowany = yes
+{% endif %}
+    rightcert     = {{ hostvars[host].inventory_hostname_short }}.pem
+    rightsubnet   = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32
+{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
+    mobike        = yes
+{% endif %}
+
+{%- endfor %}