From bc41db5237d188c339d25d96a20465e488ea5475 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 8 Sep 2024 02:32:24 +0200
Subject: Firewall: Harden IPsec configuration by pining the reqids.

---
 roles/common/templates/etc/ipsec.conf.j2 | 1 +
 1 file changed, 1 insertion(+)

(limited to 'roles/common/templates/etc/ipsec.conf.j2')

diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index e7505b4..eaa9a08 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -37,6 +37,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
 {% endif %}
 rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
 rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32
+ reqid = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }}
 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
 mobike = yes
 {% endif %}
--
cgit v1.2.3
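Review bot: The added `reqid` line derives the value from the last dot- or colon-separated component of the peer's `ipsec` address, so two peers whose addresses differ only in an earlier component (e.g. a constructed `10.0.1.7` and `10.0.2.7`) would render the same reqid, and strongSwan requires reqids to be unique per connection, so the two conns would share SA/policy state and the pinning would work against the hardening it is meant to provide. A peer whose address ends in `.0` also yields `reqid = 0`, which I believe charon treats as "allocate dynamically" rather than a pinned value, silently undoing the change for that host. Nothing in the hunk guards against either case; since the template cannot see the other peers, the check belongs in the role (an `assert` that the derived last components are unique across the `ipsec` dict and nonzero), and the line itself deserves a template comment such as `{# reqid = last address component: must be unique per peer and never 0 (0 = auto-allocate) #}`. The `conn` stanza this line belongs to starts before the hunk, and the `.replace(":",".")` suggests the `ipsec` values are not always plain IPv4 — worth confirming what the last component is for the non-IPv4 form.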