client configuration templates #43

2025-06-06 15:13:56 +02:00 · 2016-10-16 15:27:05 +03:00 · 2016-10-16 15:27:05 +03:00 · 062426e0ec
commit 062426e0ec
parent fcf29534ba
5 changed files with 58 additions and 8 deletions
--- a/config.cfg
+++ b/config.cfg
@ -55,5 +55,15 @@ strongswan_enabled_plugins:
  - stroke
  - x509
 ipsec_config:
  dpdaction: 'clear'
  dpddelay: '35s'
  rekey: 'no'
  keyexchange: 'ikev2'
  ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
  esp: 'aes128gcm16-sha2_256-ecp256!'
  compress: 'yes'
  fragmentation: 'yes'
 # IP address for the proxy and the local dns resolver
 local_service_ip: 172.16.0.1
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -174,6 +174,16 @@
    - "{{ PayloadContent.results }}"
  no_log: True
 - name: Build the client ipsec config file
  template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
  with_items:
    - "{{ users }}"
 - name: Build the client ipsec secret file
  template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
  with_items:
    - "{{ users }}"
 - name: Fetch users P12
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
  with_items: "{{ users }}"
@ -182,6 +192,22 @@
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
  with_items: "{{ users }}"
 - name: Fetch users certificates
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
  with_items: "{{ users }}"
 - name: Fetch users keys
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
  with_items: "{{ users }}"
 - name: Fetch users ipsec configs
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
  with_items: "{{ users }}"
 - name: Fetch users ipsec secrets
  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
  with_items: "{{ users }}"
 - name: Restrict permissions
  file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
  with_items:
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@ -0,0 +1,17 @@
 conn ikev2-{{ IP_subject_alt_name }}
 {% for key, value in ipsec_config.iteritems() %}
    {{ key }}={{ value }}
 {% endfor %}
    right={{ IP_subject_alt_name }}
    rightid={{ IP_subject_alt_name }}
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=pubkey
    leftcert={{ IP_subject_alt_name }}_{{ item }}.crt
    leftfirewall=yes
    left=%defaultroute
    auto=add
--- a/roles/vpn/templates/client_ipsec.secrets.j2
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@ -0,0 +1,2 @@
 {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@ -3,14 +3,9 @@ config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
 conn %default
-    dpdaction=clear
+{% for key, value in ipsec_config.iteritems() %}
-    dpddelay=35s
+    {{ key }}={{ value }}
-    rekey=no
+{% endfor %}
    keyexchange=ikev2
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    compress=yes
    fragmentation=yes
    left=%any
    leftauth=pubkey
		`@ -0,0 +1,2 @@`
							`{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key`