From 062426e0ecffab6bcabe3f8bfaab1f8382408b15 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 16 Oct 2016 15:27:05 +0300
Subject: [PATCH] client configuration templates #43
---
 config.cfg | 10 ++++++++
 roles/vpn/tasks/main.yml | 26 +++++++++++++++++++++
 roles/vpn/templates/client_ipsec.conf.j2 | 17 ++++++++++++++
 roles/vpn/templates/client_ipsec.secrets.j2 | 2 ++
 roles/vpn/templates/ipsec.conf.j2 | 11 +++------
 5 files changed, 58 insertions(+), 8 deletions(-)
 create mode 100644 roles/vpn/templates/client_ipsec.conf.j2
 create mode 100644 roles/vpn/templates/client_ipsec.secrets.j2
diff --git a/config.cfg b/config.cfg
index 4704920..e1052ad 100644
--- a/config.cfg
+++ b/config.cfg
@@ -55,5 +55,15 @@ strongswan_enabled_plugins:
 - stroke
 - x509
+ipsec_config:
+ dpdaction: 'clear'
+ dpddelay: '35s'
+ rekey: 'no'
+ keyexchange: 'ikev2'
+ ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
+ esp: 'aes128gcm16-sha2_256-ecp256!'
+ compress: 'yes'
+ fragmentation: 'yes'
+
 # IP address for the proxy and the local dns resolver
 local_service_ip: 172.16.0.1
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1009911..b152c7a 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -174,6 +174,16 @@
 - "{{ PayloadContent.results }}"
 no_log: True
+- name: Build the client ipsec config file
+ template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
+ with_items:
+ - "{{ users }}"
+
+- name: Build the client ipsec secret file
+ template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
+ with_items:
+ - "{{ users }}"
+
 - name: Fetch users P12
 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
 with_items: "{{ users }}"
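Review bot: The quotes around `'yes'` and `'no'` in the new `ipsec_config` block are load-bearing and deserve a comment, because an unquoted `compress: yes` would be read as a YAML boolean and rendered into ipsec.conf as `compress=True`, which strongSwan does not accept. I would add above the block `# Rendered verbatim into ipsec.conf; keep yes/no quoted so YAML does not turn them into booleans.` The `ike`/`esp` proposals end in `!`, which makes them strict rather than preferred; a one-line comment saying so is worth having now that the block is user-editable.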
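Review bot: The two new template tasks pass `with_items:` a one-element list wrapping `"{{ users }}"`, while the neighbouring fetch tasks pass `with_items: "{{ users }}"` directly; Ansible flattens the nested list so the result is the same, but the inconsistency reads as if a different variable shape were intended. I would write `with_items: "{{ users }}"` in both new tasks. Rendering `ipsec_{{ item }}.conf` and `.secrets` under `pki/private` with `mode=0600` is the right choice given that the `.secrets` file names the user's private key; the task list continues outside this hunk.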
@@ -182,6 +192,22 @@
 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
 with_items: "{{ users }}"
+- name: Fetch users certificates
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users keys
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users ipsec configs
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users ipsec secrets
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
+ with_items: "{{ users }}"
+
 - name: Restrict permissions
 file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
 with_items:
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
new file mode 100644
index 0000000..3b01ff1
--- /dev/null
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -0,0 +1,17 @@
+conn ikev2-{{ IP_subject_alt_name }}
+{% for key, value in ipsec_config.iteritems() %}
+ {{ key }}={{ value }}
+{% endfor %}
+
+ right={{ IP_subject_alt_name }}
+ rightid={{ IP_subject_alt_name }}
+ rightsubnet=0.0.0.0/0
+ rightauth=pubkey
+
+ leftsourceip=%config
+ leftauth=pubkey
+ leftcert={{ IP_subject_alt_name }}_{{ item }}.crt
+ leftfirewall=yes
+ left=%defaultroute
+
+ auto=add
diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2
new file mode 100644
index 0000000..ec4a30f
--- /dev/null
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
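Review bot: The new `Fetch users keys` and `Fetch users ipsec secrets` tasks copy each user's private key and the `.secrets` file that names it into `configs/` on the control machine, but nothing sets the mode of the fetched copies; as far as I know `fetch` writes with the controller's umask rather than carrying over the remote `0600`, so the keys can end up group- or world-readable locally. I would follow these fetches with a `file` task over `configs/{{ IP_subject_alt_name }}_{{ item }}.key` and the `_ipsec.secrets` files setting `mode=0600`, or at least document that `configs/` must be protected by the operator. The surrounding task list continues outside this hunk.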
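Review bot: `ipsec_config.iteritems()` in the `{% for %}` on the second line is a Python 2-only dict method, so the template fails to render when Ansible runs under a Python 3 interpreter; `{% for key, value in ipsec_config.items() %}` works on both. The same call appears in the `ipsec.conf.j2` hunk further down. Separately, the client `conn` pins the peer only by `rightid` and carries no `rightca`; as I understand strongSwan's chain validation, a server certificate bearing that ID issued by any CA the client trusts would then be accepted, so consider adding a `rightca` line naming the VPN CA, or a comment stating that the client is expected to trust only that CA.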
@@ -0,0 +1,2 @@
+{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
+
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index b1dde99..fa29458 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -3,14 +3,9 @@ config setup
 charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
 conn %default
- dpdaction=clear
- dpddelay=35s
- rekey=no
- keyexchange=ikev2
- ike=aes128gcm16-sha2_256-prfsha256-ecp256!
- esp=aes128gcm16-sha2_256-ecp256!
- compress=yes
- fragmentation=yes
+{% for key, value in ipsec_config.iteritems() %}
+ {{ key }}={{ value }}
+{% endfor %}
 left=%any
 leftauth=pubkey
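Review bot: The `.key` file name on the first line is relative, and strongSwan resolves a relative name in ipsec.secrets under `/etc/ipsec.d/private/`, just as the matching `leftcert` in the client conn resolves under `/etc/ipsec.d/certs/`; nothing in the rendered output tells the user where the fetched `.key` and `.crt` must be placed. I would add a leading comment line to the template, `# install {{ IP_subject_alt_name }}_{{ item }}.key in /etc/ipsec.d/private/ and the matching .crt in /etc/ipsec.d/certs/`, so the instruction travels with the file. The second added line is an empty trailing line and can be dropped.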