From a4d0e4a7f8cd829de8346fb6edd9866cc855134f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 25 Jun 2014 05:22:58 +0200
Subject: Don't require a PKI for IPSec.

Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
---
 roles/common/templates/etc/ipsec.conf.j2 | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)
(limited to 'roles/common/templates')

diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index 5ac2dd1..1dbcdbd 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -2,10 +2,7 @@
 # Do NOT edit this file directly!
 config setup
- # crlcheckinterval = 600
- strictcrlpolicy = no
- # cachecrls = yes
- plutostart = no
+ plutostart = no
 # Add connections here.
@@ -22,18 +19,12 @@ conn %default
 leftauth = pubkey
 left = %defaultroute
 leftcert = {{ inventory_hostname }}.pem
- leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
- leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
 leftfirewall = yes
 rightauth = pubkey
- rightca = %same
 auto = start
-
-{% for host in groups.all|sort %}
-{% if host != inventory_hostname %}
+{% for host in groups.all | difference([inventory_hostname]) | sort %}
 conn {{ host }}
- right = {{ hostvars[host]['inventory_hostname'] }}
- rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
-{% endif -%}
+ right = {{ hostvars[host]['inventory_hostname'] }}
+ rightcert = {{ hostvars[host]['inventory_hostname'] }}.pem
 {%- endfor %}
--
cgit v1.2.3
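Review bot: Dropping `leftca`, `rightca` and `rightid` in the second hunk means a peer is now authenticated solely by the certificate pinned through `rightcert`, and with `strictcrlpolicy` gone from the first hunk there is no revocation path left: a retired or compromised host's `.pem` stays trusted on every peer until the playbook overwrites it. That trade-off, together with the deploy-order constraint the commit message describes, belongs in the template itself since its header already tells readers not to edit it by hand, e.g. `# Peer certs are pinned per host (no CA, no CRL): run the playbook on a new or re-keyed host first, then on all peers.` placed above the `{% for %}` loop. With `leftid` removed the IKE identity presumably falls back to the subject DN of `leftcert` (strongSwan behaviour, to be confirmed), so the task that generates the certificates must keep those DNs unique per host; that task is not visible here. In the first hunk `plutostart = no` is removed and re-added with no visible difference, which suggests a whitespace-only change worth confirming is intentional.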