From 993e388abbea7a74ce4643a0e9a937a44bcf9b1f Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Tue, 12 Jul 2016 10:00:46 +0300
Subject: [PATCH] SAN fixed
---
config.cfg | 4 +-
templates/easy-rsa.vars.j2 | 4 +-
templates/ipsec.conf.j2 | 94 +++++++++++++++++++-------------------
vpn.yml | 56 +++++++++++------------
4 files changed, 79 insertions(+), 79 deletions(-)
diff --git a/config.cfg b/config.cfg
index 7f9449a..7f359d7 100644
--- a/config.cfg
+++ b/config.cfg
@@ -8,13 +8,13 @@ easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_curve: secp384r1 easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 -easyrsa_key_size: 2048 # if True re-init all existing certificates. Boolean -easyrsa_reinit_existent: True +easyrsa_reinit_existent: False # Domain or ip server_name: "{{ ansible_ssh_host }}" +server_ip: "{{ ansible_ssh_host }}" users: - mr.smith
diff --git a/templates/easy-rsa.vars.j2 b/templates/easy-rsa.vars.j2
index 681859a..33663ff 100644
--- a/templates/easy-rsa.vars.j2
+++ b/templates/easy-rsa.vars.j2
@@ -94,7 +94,7 @@ set_var EASYRSA_DN "cn_only" # generation take much longer. Values up to 4096 should be accepted by most # software. Only used when the crypto alg is rsa (see below.) -set_var EASYRSA_KEY_SIZE {{ easyrsa_key_size }} +# set_var EASYRSA_KEY_SIZE 2048 # The default crypto mode is rsa; ec can enable elliptic curve support. # Note that not all software supports ECC, so use care when enabling it.
@@ -177,7 +177,7 @@ set_var EASYRSA_CERT_EXPIRE {{ easyrsa_cert_expire }} # specific and you cannot just use a standard config file, so this is an # advanced feature. -#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" +set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" # Default CN: # This is best left alone. Interactively you will set this manually, and BATCH
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 14b8007..736b193 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
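Review bot: `server_ip` is given the same default as `server_name` (`{{ ansible_ssh_host }}`), which is only right when the inventory host is an address literal; when `ansible_ssh_host` is a hostname, the `IP:{{ server_ip }}` SAN built in vpn.yml receives a non-address value, and when it is an address the `DNS:` entry gets an address too. A comment stating the contract would help here, e.g. `# server_ip must be the public address literal clients connect to (used for the IP: SAN); set server_name to the DNS name when one exists`. Minor: Ansible's loader accepts `False`, but the canonical YAML spelling is `false`.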
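Review bot: Uncommenting `set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"` pins PKI generation to one config file inside the easy-rsa-ipsec checkout, and the file's own context lines call this version-specific and advanced, so the reason belongs next to it. Presumably it is needed so the `--subject-alt-name` option added in vpn.yml is honoured — worth confirming and recording, e.g. `# explicit config needed so subjectAltName from --subject-alt-name is emitted (see vpn.yml); path is relative to the easy-rsa checkout`. The earlier hunk in this file drops the `easyrsa_key_size` override in favour of a commented default; since config.cfg sets `easyrsa_curve`, that appears intended for ec keys, but it silently reverts to easy-rsa's built-in size if the algorithm is ever switched back to rsa.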
@@ -1,52 +1,52 @@ -#config setup - #uniqueids = never # allow multiple connections per user - -#conn %default - #dpdaction=clear - #dpddelay=35s - #dpdtimeout=300s - #rekey=no - #keyexchange=ikev2 - #ike=aes256-sha1-modp1024! - #esp=aes256-sha1! - #compress=yes - #fragmentation=yes - - #left=%any - #leftauth=pubkey - #leftid={{ server_name }} - #leftcert={{ server_name }}.crt - #leftsendcert=always - #leftsubnet=0.0.0.0/0,::/0 - - #right=%any - ##rightauth=pubkey - #rightsourceip=10.0.0.0/24 - #rightdns=8.8.8.8,8.8.4.4 - -#conn ikev2-pubkey - #auto=add - - - config setup + uniqueids = never # allow multiple connections per user conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 + dpdaction=clear + dpddelay=35s + dpdtimeout=300s + rekey=no + keyexchange=ikev2 + ike=aes256-sha1-modp1024! + esp=aes256-sha1! + compress=yes + fragmentation=yes + + left=%any + leftauth=pubkey + leftid={{ server_name }} + leftcert={{ server_name }}.crt + leftsendcert=always + leftsubnet=0.0.0.0/0,::/0 -conn common - left=%any # Ip of the host - leftcert={{ server_name }}.crt # the cert we just created and copied - leftid={{ server_name }} # the Alt name in the Cert we just created - leftsubnet=172.16.31.0/24 # The internal subnet the remote user wants to access - right=%any - rightid=%any # Connections can come from anywhere - rightsourceip=192.168.1.0/24 # Use this pool of IPs to assign to these inbound connections - auto=add + right=%any + #rightauth=pubkey + rightsourceip=10.0.0.0/24 + rightdns=8.8.8.8,8.8.4.4 -conn ikev2 - keyexchange=ikev2 - also=common +conn ikev2-pubkey + auto=add + + + +#config setup + +#conn %default + #ikelifetime=60m + #keylife=20m + #rekeymargin=3m + #keyingtries=1 + +#conn common + #left=%any # Ip of the host + #leftcert={{ server_name }}.crt # the cert we just created and copied + #leftid={{ server_name }} # the Alt name in the Cert we just created + #leftsubnet=172.16.31.0/24 # The internal subnet the remote user wants to access 
+ #right=%any + #rightid=%any # Connections can come from anywhere + #rightsourceip=192.168.1.0/24 # Use this pool of IPs to assign to these inbound connections + #auto=add + +#conn ikev2 + #keyexchange=ikev2 + #also=common
diff --git a/vpn.yml b/vpn.yml
index ab4cdd3..4d90a14 100644
--- a/vpn.yml
+++ b/vpn.yml 
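Review bot: The now-active strict proposal `ike=aes256-sha1-modp1024!` pins IKE to a 1024-bit MODP group with SHA-1 integrity, which is below current guidance for a certificate-authenticated gateway; prefer at least `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256!` (or an ECP group) and verify the intended client platforms support it. `rightauth=pubkey` is left commented out, so the peer authentication method is inherited from strongSwan's default rather than stated; make it explicit so the certificate-only intent is visible. `leftsubnet=0.0.0.0/0,::/0` offers IPv6 through the tunnel while the playbook only masquerades 10.0.0.0/24 over IPv4, so IPv6 client traffic is likely blackholed or, depending on the client, bypasses the tunnel — either drop `::/0` or add IPv6 forwarding and NAT. The previous configuration is kept as a commented block at the bottom; version control already preserves it, so deleting it keeps the template readable.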
@@ -11,42 +11,42 @@ - name: Wait for port 22 to become available local_action: "wait_for port=22 host={{ inventory_hostname }}" - #- name: Updating apt-get - #raw: apt-get update -qq + - name: Updating apt-get + raw: apt-get update -qq - #- name: Install python2.7 for Ansible - #raw: apt-get install -qq -y python2.7 + - name: Install python2.7 for Ansible + raw: apt-get install -qq -y python2.7 - #- name: Install StrongSwan - #apt: name=strongswan state=latest update_cache=yes + - name: Install StrongSwan + apt: name=strongswan state=latest update_cache=yes - #- name: Enable strongswan - #service: name=strongswan enabled=yes + - name: Enable strongswan + service: name=strongswan enabled=yes - #- name: Enable packet forwarding for IPv4 - #sysctl: name=net.ipv4.ip_forward value=1 + - name: Enable packet forwarding for IPv4 + sysctl: name=net.ipv4.ip_forward value=1 - #- name: Do not accept ICMP redirects (prevent MITM attacks) - #sysctl: name=net.ipv4.conf.all.accept_redirects value=0 + - name: Do not accept ICMP redirects (prevent MITM attacks) + sysctl: name=net.ipv4.conf.all.accept_redirects value=0 - #- name: Do not send ICMP redirects (we are not a router) - #sysctl: name=net.ipv4.conf.all.send_redirects value=0 + - name: Do not send ICMP redirects (we are not a router) + sysctl: name=net.ipv4.conf.all.send_redirects value=0 - #- name: Configure iptables so IPSec traffic can traverse the tunnel - #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE + - name: Configure iptables so IPSec traffic can traverse the tunnel + iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE - #- name: Setup the ipsec.conf file from our template - #template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644 - #notify: - #- restart strongswan + - name: Setup the ipsec.conf file from our template + template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644 + notify: + - restart strongswan - #- name: 
Setup the ipsec.secrets file with users and passwords - #template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600 - #notify: - #- restart strongswan + - name: Setup the ipsec.secrets file with users and passwords + template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600 + notify: + - restart strongswan - #- name: Install git - #apt: name=git state=latest + - name: Install git + apt: name=git state=latest - name: Fetch easy-rsa-ipsec repo git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
@@ -78,7 +78,7 @@ - name: Build the server pair shell: | - ./easyrsa build-server-full {{ server_name }} nopass + ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -88,7 +88,7 @@ - name: Build the client's pair shell: | - ./easyrsa build-client-full {{ item }} nopass + ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/'
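Review bot: The `iptables` MASQUERADE rule for 10.0.0.0/24 only changes the running ruleset, and the Ansible `iptables` module does not persist it, so after a reboot clients still authenticate but have no forwarding path; add a persistence step (a saved rules file or an iptables-persistent/netfilter-persistent task) alongside it. The rule also has no `out_interface`, so it masquerades VPN traffic on every interface; restricting it to the uplink keeps the NAT scope explicit. `apt: name=strongswan state=latest` and `apt: name=git state=latest` turn every run into an upgrade rather than an idempotent install; `state=present` is the usual choice unless upgrading on each run is intended. Style: `mode=644` and `mode=600` work in `key=value` form, but the leading-zero spelling `0644`/`0600` avoids the decimal/octal trap if these tasks are later converted to block YAML. The play's task list continues outside the hunk.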
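Review bot: `--subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }}` emits a dNSName and an iPAddress entry unconditionally, but config.cfg defaults both variables to `{{ ansible_ssh_host }}`, so with an address literal the certificate carries `DNS:<address>` (a malformed dNSName some clients reject) and with a hostname the `IP:` entry is not an address and the easyrsa/openssl run will fail or emit a bad SAN. Build the SAN conditionally — emit only `IP:{{ server_ip }}` when `server_name == server_ip`, otherwise `DNS:{{ server_name }},IP:{{ server_ip }}`. The values are interpolated unquoted into a shell line; they come from the inventory, so this is acceptable as long as the inventory is trusted, but `{{ server_name | quote }}` costs nothing.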
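Review bot: Every client certificate is now issued with the gateway's own `DNS:{{ server_name }},IP:{{ server_ip }}` SAN, so a client cert signed by the same CA carries the server's identity and could be presented as the gateway to other clients unless peers also enforce the serverAuth EKU or pin `rightid` to the server's DN — a real loss of identity separation, and the commit gives no reason for it. A client cert needs no server SAN; use `./easyrsa build-client-full {{ item }} nopass`, or, if the client platform genuinely requires a SAN, give it the client's own identity (`--subject-alt-name=DNS:{{ item }}`) and say why in a task comment. The loop that supplies `{{ item }}` is outside the hunk.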