SAN fixed

config.cfg

@@ -8,13 +8,13 @@ easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_curve: secp384r1
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
-easyrsa_key_size: 2048
 
 # if True re-init all existing certificates. Boolean
-easyrsa_reinit_existent: True
+easyrsa_reinit_existent: False
 
 # Domain or ip
 server_name: "{{ ansible_ssh_host }}"
+server_ip: "{{ ansible_ssh_host }}"
 
 users:
   - mr.smith

templates/easy-rsa.vars.j2

@@ -94,7 +94,7 @@ set_var EASYRSA_DN "cn_only"
 # generation take much longer. Values up to 4096 should be accepted by most
 # software. Only used when the crypto alg is rsa (see below.)
 
-set_var EASYRSA_KEY_SIZE   {{ easyrsa_key_size }}
+# set_var EASYRSA_KEY_SIZE    2048
 
 # The default crypto mode is rsa; ec can enable elliptic curve support.
 # Note that not all software supports ECC, so use care when enabling it.
@@ -177,7 +177,7 @@ set_var EASYRSA_CERT_EXPIRE    {{ easyrsa_cert_expire }}
 # specific and you cannot just use a standard config file, so this is an
 # advanced feature.
 
-#set_var EASYRSA_SSL_CONF   "$EASYRSA/openssl-1.0.cnf"
+set_var EASYRSA_SSL_CONF   "$EASYRSA/openssl-1.0.cnf"
 
 # Default CN:
 # This is best left alone. Interactively you will set this manually, and BATCH

templates/ipsec.conf.j2

@@ -1,52 +1,52 @@
-#config setup
-	#uniqueids = never # allow multiple connections per user
-
-#conn %default
-    #dpdaction=clear
-    #dpddelay=35s
-    #dpdtimeout=300s
-    #rekey=no
-	#keyexchange=ikev2
-    #ike=aes256-sha1-modp1024!
-    #esp=aes256-sha1!
-	#compress=yes
-	#fragmentation=yes
-	
-    #left=%any
-    #leftauth=pubkey
-    #leftid={{ server_name }}
-    #leftcert={{ server_name }}.crt
-    #leftsendcert=always
-    #leftsubnet=0.0.0.0/0,::/0
-
-    #right=%any
-    ##rightauth=pubkey
-    #rightsourceip=10.0.0.0/24
-    #rightdns=8.8.8.8,8.8.4.4
-
-#conn ikev2-pubkey
-    #auto=add
-
-    
-    
 config setup
+	uniqueids = never # allow multiple connections per user
 
 conn %default
-        ikelifetime=60m
-        keylife=20m
-        rekeymargin=3m
-        keyingtries=1
+    dpdaction=clear
+    dpddelay=35s
+    dpdtimeout=300s
+    rekey=no
+	keyexchange=ikev2
+    ike=aes256-sha1-modp1024!
+    esp=aes256-sha1!
+	compress=yes
+	fragmentation=yes
+	
+    left=%any
+    leftauth=pubkey
+    leftid={{ server_name }}
+    leftcert={{ server_name }}.crt
+    leftsendcert=always
+    leftsubnet=0.0.0.0/0,::/0
 
-conn common
-        left=%any         # Ip of the host
-        leftcert={{ server_name }}.crt # the cert we just created and copied
-        leftid={{ server_name }}  # the Alt name in the Cert we just created
-        leftsubnet=172.16.31.0/24      # The internal subnet the remote user wants to access
-        right=%any
-        rightid=%any # Connections can come from anywhere
-        rightsourceip=192.168.1.0/24   # Use this pool of IPs to assign to these inbound connections
-        auto=add
+    right=%any
+    #rightauth=pubkey
+    rightsourceip=10.0.0.0/24
+    rightdns=8.8.8.8,8.8.4.4
 
-conn ikev2
-        keyexchange=ikev2 
-        also=common
+conn ikev2-pubkey
+    auto=add
+
+    
+    
+#config setup
+
+#conn %default
+        #ikelifetime=60m
+        #keylife=20m
+        #rekeymargin=3m
+        #keyingtries=1
+
+#conn common
+        #left=%any         # Ip of the host
+        #leftcert={{ server_name }}.crt # the cert we just created and copied
+        #leftid={{ server_name }}  # the Alt name in the Cert we just created
+        #leftsubnet=172.16.31.0/24      # The internal subnet the remote user wants to access
+        #right=%any
+        #rightid=%any # Connections can come from anywhere
+        #rightsourceip=192.168.1.0/24   # Use this pool of IPs to assign to these inbound connections
+        #auto=add
+
+#conn ikev2
+        #keyexchange=ikev2 
+        #also=common

vpn.yml

@@ -11,42 +11,42 @@
   - name: Wait for port 22 to become available
     local_action: "wait_for port=22 host={{ inventory_hostname }}"
 
-  #- name: Updating apt-get
-    #raw: apt-get update -qq
+  - name: Updating apt-get
+    raw: apt-get update -qq
     
-  #- name: Install python2.7 for Ansible
-    #raw: apt-get install -qq -y python2.7
+  - name: Install python2.7 for Ansible
+    raw: apt-get install -qq -y python2.7
 
-  #- name: Install StrongSwan
-    #apt: name=strongswan state=latest update_cache=yes
+  - name: Install StrongSwan
+    apt: name=strongswan state=latest update_cache=yes
 
-  #- name: Enable strongswan
-    #service: name=strongswan enabled=yes
+  - name: Enable strongswan
+    service: name=strongswan enabled=yes
 
-  #- name: Enable packet forwarding for IPv4
-    #sysctl: name=net.ipv4.ip_forward value=1
+  - name: Enable packet forwarding for IPv4
+    sysctl: name=net.ipv4.ip_forward value=1
 
-  #- name: Do not accept ICMP redirects (prevent MITM attacks)
-    #sysctl: name=net.ipv4.conf.all.accept_redirects value=0
+  - name: Do not accept ICMP redirects (prevent MITM attacks)
+    sysctl: name=net.ipv4.conf.all.accept_redirects value=0
 
-  #- name: Do not send ICMP redirects (we are not a router)
-    #sysctl: name=net.ipv4.conf.all.send_redirects value=0
+  - name: Do not send ICMP redirects (we are not a router)
+    sysctl: name=net.ipv4.conf.all.send_redirects value=0
 
-  #- name: Configure iptables so IPSec traffic can traverse the tunnel
-    #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+  - name: Configure iptables so IPSec traffic can traverse the tunnel
+    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
 
-  #- name: Setup the ipsec.conf file from our template
-    #template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
-    #notify:
-    #- restart strongswan    
+  - name: Setup the ipsec.conf file from our template
+    template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
+    notify:
+    - restart strongswan    
 
-  #- name: Setup the ipsec.secrets file with users and passwords
-    #template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
-    #notify:
-    #- restart strongswan    
+  - name: Setup the ipsec.secrets file with users and passwords
+    template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
+    notify:
+    - restart strongswan    
  
-  #- name: Install git
-    #apt: name=git state=latest      
+  - name: Install git
+    apt: name=git state=latest      
     
   - name: Fetch easy-rsa-ipsec repo
     git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
@@ -78,7 +78,7 @@
     
   - name: Build the server pair
     shell: |
-      ./easyrsa build-server-full {{ server_name }} nopass
+      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -88,7 +88,7 @@
 
   - name: Build the client's pair
     shell: |
-      ./easyrsa build-client-full {{ item }} nopass
+      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass
       touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'