From 63e67cb3a651472542f5ab9b8025677aaddc34ec Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Tue, 12 Jul 2016 21:05:06 +0300
Subject: [PATCH] export p12 added
---
 config.cfg | 2 +-
 templates/ipsec.conf.j2 | 3 +--
 vpn.yml | 6 +++---
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/config.cfg b/config.cfg
index 56363cf..21a05f0 100644
--- a/config.cfg
+++ b/config.cfg
@@ -13,7 +13,7 @@ easyrsa_cert_expire: 3650
 easyrsa_reinit_existent: True
 # Domain or ip
-server_name: "win7.mycompany.local"
+server_name: ivlis.me
 server_ip: "{{ ansible_ssh_host }}"
 users:
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 6306192..4c5135d 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -8,7 +8,6 @@ conn %default
 rekey=no
 keyexchange=ikev2
 ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
- esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
 compress=yes
 fragmentation=yes
@@ -21,7 +20,7 @@ conn %default
 leftsubnet=0.0.0.0/0,::/0
 right=%any
- #rightauth=pubkey
+ rightauth=pubkey
 rightsourceip=10.0.0.0/24
 rightdns=8.8.8.8,8.8.4.4
diff --git a/vpn.yml b/vpn.yml
index 44ed16e..8269c51 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -78,7 +78,7 @@
 - name: Build the server pair
 shell: |
- ./easyrsa --subject-alt-name=DNS:{{ server_name }} build-server-full {{ server_name }} nopass
+ ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass
 touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
 args:
 chdir: '{{ easyrsa_dir }}/easyrsa3/'
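Review bot: The new `server_name: ivlis.me` drops the quotes that the replaced value and the neighbouring `server_ip` keep, so the block now mixes quoted and plain scalars for the same kind of value; keep it quoted, `server_name: "ivlis.me"`, so a later edit to a value that looks like a number, date or boolean cannot be retyped by the YAML loader. The value also appears to be a personal domain committed as the shared default of this config file; the usual approach is a neutral placeholder in the checked-in default with the real name set per deployment.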
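Review bot: `rightauth=pubkey` now accepts any client certificate that chains to a CA the daemon trusts, and nothing in the hunk restricts the issuer; if the rest of the template does not already set `rightca=`, add a line pinning it to the easyrsa CA so certificates from any other CA present in the trust store are rejected. The `conn %default` block this line belongs to starts outside the hunk. In the first hunk of this file the explicit `esp=` proposal is removed, which leaves the ESP algorithm selection at the daemon's built-in default; if that is intended it deserves a comment on the `ike=` line, otherwise an explicit proposal should stay.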
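Review bot: The added `IP:{{ server_ip }}` SAN assumes `server_ip` is an IP literal, but config.cfg (first hunk of this patch) sets it to `{{ ansible_ssh_host }}`, which is frequently a hostname; an `IP:` entry with a hostname value makes the `build-server-full` line fail or, depending on the openssl version, produce a certificate with an unusable SAN. Either append `,IP:{{ server_ip }}` only when `server_ip | ipaddr` is truthy, or state in config.cfg that `server_ip` must be a bare address. The task is fully visible in the hunk, but the enclosing play starts outside it.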
@@ -88,7 +88,7 @@
 - name: Build the client's pair
 shell: |
- ./easyrsa --subject-alt-name=DNS:{{ server_name }} build-client-full {{ item }} nopass
+ ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass
 touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
 args:
 chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -97,7 +97,7 @@
 - name: Build the client's p12
 shell: |
- ./easyrsa export-p12 {{ item }} nopass
+ openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:vpn
 touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
 args:
 chdir: '{{ easyrsa_dir }}/easyrsa3/'
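Review bot: The client certificate built on the changed line receives the server's `DNS:{{ server_name }},IP:{{ server_ip }}` as its subjectAltName, so every client certificate carries the server's identity instead of the client's; a SAN on a client certificate, if one is wanted at all, should name the client, and giving all clients the server's name can make identity-based matching on the server side ambiguous. Drop the option, `./easyrsa build-client-full {{ item }} nopass`, or use `--subject-alt-name=DNS:{{ item }}` if a SAN is required. The `IP:{{ server_ip }}` entry also assumes an IP literal, as noted on the server-pair hunk.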
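Review bot: The new `openssl pkcs12` line protects the exported bundle, which contains the client's private key, with the fixed passphrase `-passout pass:vpn`; it is the same for every deployment and sits both in the playbook and in the process argument list, so the `.p12` is effectively unencrypted. Take the passphrase from a variable and keep it out of argv, e.g. set it under the task's `environment:` and pass `-passout env:P12_PASSWORD` (variable name is a suggestion); if an unprotected bundle is genuinely intended, say so in a comment rather than relying on a well-known value. Separately, `-out /{{ easyrsa_dir }}/...` has a leading `/` that none of the other four paths on the line carry, so it is only correct when `easyrsa_dir` is absolute, and the `easyrsa3//pki` double slashes should read `easyrsa3/pki` to match the `touch` line below.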