path: root/roles/common/templates/etc/ipsec.conf.j2
blob: 938f6b84ec3d9a8bfbd08aecef6b2842bf5dbc6a (plain)
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# strongSwan ipsec.conf rendered by Ansible: a mesh of host-to-host IKEv2
# tunnels, one conn per other inventory host, each side authenticated with
# its own public key file (no pre-shared secrets appear in this template).

config setup
    # Every charon log subsystem is pinned to level 0 (basic messages only).
    # NOTE(review): at this level failed peer authentications and proposal
    # mismatches leave very little trace for incident response; consider
    # raising "ike" and "cfg" to 1 on hosts where IKE events must be auditable.
    charondebug = "dmn 0, lib 0, cfg 0, ike 0, enc 0, net 0"

conn %default
    keyexchange    = ikev2
    # Keep retrying the negotiation indefinitely rather than giving up.
    keyingtries    = %forever
    # The trailing "!" makes both proposal lists strict: only these AEAD
    # (AES-GCM) + ECP-group combinations are offered or accepted, so a peer
    # cannot negotiate down to a weaker cipher, PRF or DH group.
    ike            = aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
    esp            = aes128gcm16-ecp256,aes256gcm16-ecp384!
{% if 'NATed' not in group_names %}
    # Hosts with a stable address turn MOBIKE off; it is re-enabled per
    # peer further down for connections towards NATed hosts.
    mobike         = no
{% endif %}
{% if 'DynDNS' in group_names %}
    # Dynamic-address hosts: accept the peer even when the address its name
    # currently resolves to differs from the packet source.  Peer identity
    # still rests on the pubkey authentication configured below.
    leftallowany   = yes
{% endif %}
    # Public-key authentication on both ends; leftid is the FQDN and
    # leftsigkey the key file named after the short hostname
    # (presumably resolved relative to strongSwan's key/cert directory — confirm).
    leftauth       = pubkey
    left           = %defaultroute
    # Host-to-host tunnels: only this host's own address (/32) is protected.
    # assumes `ipsec` is an inventory mapping of short hostname -> address — TODO confirm
    leftsubnet     = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
    leftid         = {{ inventory_hostname }}
    leftsigkey     = {{ inventory_hostname_short }}.pem
    # Let the updown script manage the firewall rules for the tunnel and
    # keep the local host itself reachable through them.
    leftfirewall   = yes
    lefthostaccess = yes
    rightauth      = pubkey
    # Install trap policies at startup: traffic matching a policy triggers
    # the tunnel and is not sent in the clear while no SA is up.
    auto           = route
    # On dead-peer detection keep the trap policy installed so the tunnel is
    # re-negotiated by the next matching packet; idle SAs expire after 30m.
    dpdaction      = hold
    inactivity     = 30m
    # NOTE(review): strongSwan documents modeconfig as relevant to IKEv1
    # only (IKEv2 always uses pull mode); with keyexchange=ikev2 this line
    # is most likely a no-op — confirm whether it can be dropped.
    modeconfig     = push

# One conn per other inventory host, sorted so the rendered file is stable.
{% for host in groups.all | difference([inventory_hostname]) | sort %}

conn {{ hostvars[host].inventory_hostname_short }}
    right         = {{ hostvars[host].inventory_hostname }}
{% if 'DynDNS' in hostvars[host].group_names %}
    # Mirror of leftallowany for peers whose address is dynamic.
    rightallowany = yes
{% endif %}
    # The peer's public key file; presumably provisioned on every host
    # alongside this template — verify in the role's file tasks.
    rightsigkey   = {{ hostvars[host].inventory_hostname_short }}.pem
    rightsubnet   = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32
{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
    # This host is static but the peer sits behind NAT: MOBIKE lets the
    # peer's address change without tearing down the established SA.
    mobike        = yes
{% endif %}

{%- endfor %}