# {{ ansible_managed }}
# Do NOT edit this file directly!
# strongSwan ipsec.conf rendered per inventory host: one shared %default block,
# then one host-to-host conn for every other host in the inventory (loop at the end).
config setup
# Every charon subsystem at level 0 (lowest verbosity); raise ike/cfg/net
# temporarily when troubleshooting negotiation failures.
charondebug = "dmn 0, lib 0, cfg 0, ike 0, enc 0, net 0"
# Settings inherited by every peer conn generated below.
conn %default
keyexchange = ikev2
# Retry IKE_SA establishment indefinitely rather than giving up.
keyingtries = %forever
# The trailing "!" makes the proposal strict: only this AES-256-GCM(16) /
# SHA-384 PRF / P-384 suite is offered and accepted for the IKE_SA.
ike = aes256gcm16-prfsha384-ecp384!
# Same cipher for ESP; the ecp384 group requests a DH exchange on CHILD_SA
# rekeying (PFS). Also strict because of the "!".
esp = aes256gcm16-ecp384!
# MOBIKE is disabled unless this host is in the NATed group; it is switched back
# on per peer further down when the peer (but not this host) is NATed.
{% if 'NATed' not in group_names %}
mobike = no
{% endif %}
# Hosts in the DynDNS group may change address, so the local endpoint is
# allowed to match any address.
{% if 'DynDNS' in group_names %}
leftallowany = yes
{% endif %}
# Both sides authenticate with raw public keys stored as <short hostname>.pem;
# the local identity sent to peers is the inventory FQDN.
leftauth = pubkey
left = %defaultroute
# Only this host's own IPsec address is tunnelled (/32), looked up in the
# ipsec dict by short hostname.
leftsubnet = {{ ipsec[inventory_hostname_short] | ansible.utils.ipv4 }}/32
leftid = {{ inventory_hostname }}
leftsigkey = {{ inventory_hostname_short }}.pem
# No updown-script firewall rules are inserted; the host firewall is expected
# to permit IKE/ESP and the tunnelled /32 traffic on its own.
leftfirewall = no
# NOTE(review): lefthostaccess only affects the rules the default updown script
# inserts when leftfirewall=yes; with leftfirewall=no this is presumably inert -- confirm.
lefthostaccess = yes
rightauth = pubkey
# Install trap policies at load time so matching traffic brings the tunnel up
# without an explicit "up".
auto = route
# When DPD declares the peer dead, keep the policies installed and renegotiate
# when traffic appears again.
dpdaction = hold
# Close a CHILD_SA after 30 minutes without traffic; the trap policy
# re-establishes it on demand.
inactivity = 30m
# NOTE(review): in strongSwan modeconfig is documented as relevant to IKEv1 only;
# with keyexchange=ikev2 this line is expected to be a no-op -- confirm before relying on it.
modeconfig = push
# One conn per other inventory host, in sorted order. rightid is not set, so it
# falls back to right (the peer FQDN) -- NOTE(review): confirm this equals the
# leftid the peer sends, otherwise pubkey authentication of that peer fails.
# reqid is taken from the last dotted component of the peer's ipsec address
# (the last IPv4 octet). NOTE(review): two peers sharing a last octet would get
# the same reqid, and the ansible.utils.ipv4 filter on the subnet lines suggests
# only IPv4 values are expected despite the ":" replacement -- confirm.
{% for host in groups.all | difference([inventory_hostname]) | sort %}
conn {{ hostvars[host].inventory_hostname_short }}
right = {{ hostvars[host].inventory_hostname }}
{% if 'DynDNS' in hostvars[host].group_names %}
rightallowany = yes
{% endif %}
rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32
reqid = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }}
{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
mobike = yes
{% endif %}
{%- endfor %}