client configuration templates #43

2025-04-22 00:57:08 +02:00 · 2016-10-16 15:27:05 +03:00 · 2016-10-16 15:27:05 +03:00 · 062426e0ec
commit 062426e0ec
parent fcf29534ba
5 changed files with 58 additions and 8 deletions
--- a/config.cfg
+++ b/config.cfg
@ -55,5 +55,15 @@ strongswan_enabled_plugins:
  - stroke
  - x509

+ipsec_config:
+  dpdaction: 'clear'
+  dpddelay: '35s'
+  rekey: 'no'
+  keyexchange: 'ikev2'
+  ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
+  esp: 'aes128gcm16-sha2_256-ecp256!'
+  compress: 'yes'
+  fragmentation: 'yes'
+
 # IP address for the proxy and the local dns resolver
 local_service_ip: 172.16.0.1
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -174,6 +174,16 @@
    - "{{ PayloadContent.results }}"
  no_log: True

+- name: Build the client ipsec config file
+  template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
+  with_items:
+    - "{{ users }}"
+
+- name: Build the client ipsec secret file
+  template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
+  with_items:
+    - "{{ users }}"
+
 - name: Fetch users P12
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
  with_items: "{{ users }}"
@ -182,6 +192,22 @@
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
  with_items: "{{ users }}"

+- name: Fetch users certificates
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users keys
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users ipsec configs
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users ipsec secrets
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
+  with_items: "{{ users }}"
+
 - name: Restrict permissions
  file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
  with_items:
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@ -0,0 +1,17 @@
+conn ikev2-{{ IP_subject_alt_name }}
+{% for key, value in ipsec_config.iteritems() %}
+    {{ key }}={{ value }}
+{% endfor %}
+
+    right={{ IP_subject_alt_name }}
+    rightid={{ IP_subject_alt_name }}
+    rightsubnet=0.0.0.0/0
+    rightauth=pubkey
+
+    leftsourceip=%config
+    leftauth=pubkey
+    leftcert={{ IP_subject_alt_name }}_{{ item }}.crt
+    leftfirewall=yes
+    left=%defaultroute
+
+    auto=add
--- a/roles/vpn/templates/client_ipsec.secrets.j2
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@ -0,0 +1,2 @@
+{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
+
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@ -3,14 +3,9 @@ config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

 conn %default
-    dpdaction=clear
-    dpddelay=35s
-    rekey=no
-    keyexchange=ikev2
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp=aes128gcm16-sha2_256-ecp256!
-    compress=yes
-    fragmentation=yes
+{% for key, value in ipsec_config.iteritems() %}
+    {{ key }}={{ value }}
+{% endfor %}

    left=%any
    leftauth=pubkey
				`@ -0,0 +1,2 @@`
				`{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key`