diff --git a/config.cfg b/config.cfg
index 8fe2582..e6c6b9a 100644
--- a/config.cfg
+++ b/config.cfg
@@ -54,5 +54,15 @@ strongswan_enabled_plugins:
- stroke
- x509
+ipsec_config:
+ dpdaction: 'clear'
+ dpddelay: '35s'
+ rekey: 'no'
+ keyexchange: 'ikev2'
+ ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
+ esp: 'aes128gcm16-sha2_256-ecp256!'
+ compress: 'yes'
+ fragmentation: 'yes'
+
# IP address for the proxy and the local dns resolver
local_service_ip: 172.16.0.1
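Review bot: The new `ipsec_config` mapping carries no comment explaining where its values end up, even though they are emitted verbatim as `key=value` lines into `conn %default` of `ipsec.conf.j2` and into every per-user `client_ipsec.conf.j2`. A reader editing this block cannot tell that a value must be valid strongSwan ipsec.conf syntax or that the quotes are deliberate (`'yes'`/`'no'` would otherwise be parsed as YAML booleans and render as `True`/`False`). I would add above `ipsec_config:` the comment `# Rendered verbatim as key=value into conn %default (server) and into each client config; keep values quoted so 'yes'/'no' stay strings and use strongSwan ipsec.conf syntax`. Key order is whatever the dict iteration yields, which is fine for strongSwan but worth stating in the same comment.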
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index fc3af8b..e1d8b9d 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -84,3 +84,29 @@
- restart apache2
- meta: flush_handlers
+
+- name: Set facts for mobileconfigs
+ set_fact:
+ proxy_enabled: true
+
+- name: Register p12 PayloadContent
+ shell: >
+ cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+ register: PayloadContent
+ with_items: "{{ users }}"
+
+- name: Register CA PayloadContent
+ shell: >
+ cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+ register: PayloadContentCA
+
+- name: Build the mobileconfigs
+ template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}_proxy.mobileconfig mode=0600
+ with_together:
+ - "{{ users }}"
+ - "{{ PayloadContent.results }}"
+ no_log: True
+
+- name: Fetch users mobileconfig
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}_proxy.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}_proxy.mobileconfig flat=yes
+ with_items: "{{ users }}"
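Review bot: "Register p12 PayloadContent" registers the base64 of each user's `.p12` bundle (private key material) without `no_log`, so the loop result for every user is printed in verbose runs and ends up in any callback/log output, while the "Build the mobileconfigs" task that consumes the same data does set `no_log: True`. Add `no_log: true` to the shell task as well. The `cat ... | base64` shell pipeline could also be replaced by the `slurp` module, which returns the file content already base64-encoded under `content` and avoids the shell, though that changes the registered variable layout and is optional. The double slash in `easyrsa3//pki/private` is harmless but matches the other paths only by accident.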
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1009911..fbe4b94 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -167,6 +167,10 @@
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
+- name: Set facts for mobileconfigs
+ set_fact:
+ proxy_enabled: false
+
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
@@ -174,6 +178,16 @@
- "{{ PayloadContent.results }}"
no_log: True
+- name: Build the client ipsec config file
+ template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
+ with_items:
+ - "{{ users }}"
+
+- name: Build the client ipsec secret file
+ template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
+ with_items:
+ - "{{ users }}"
+
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
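Review bot: The two new template tasks write `with_items:` as a nested list (`- "{{ users }}"`) while the adjacent "Fetch users P12" task and every other loop in this file use the scalar form `with_items: "{{ users }}"`; both work because `with_items` flattens one level, but the inconsistency invites a wrong loop variable the next time someone copies the task. I would use `with_items: "{{ users }}"` in both "Build the client ipsec config file" and "Build the client ipsec secret file". The `mode=0600` on the rendered conf and secrets files is correct given they reference private key material.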
@@ -182,6 +196,22 @@
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
with_items: "{{ users }}"
+- name: Fetch users certificates
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users keys
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users ipsec configs
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
+ with_items: "{{ users }}"
+
+- name: Fetch users ipsec secrets
+ fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
+ with_items: "{{ users }}"
+
- name: Restrict permissions
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
with_items:
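Review bot: "Fetch users keys" and "Fetch users ipsec secrets" copy each user's raw ECDSA private key and its secrets file into `configs/` on the control machine, and `fetch` has no mode parameter, so as far as I can tell the files are created with the controller's default umask rather than the `0600` the same material carries on the server. A follow-up task delegated to the controller should tighten the fetched `.key` (and `_ipsec.secrets`) files, as below. The "Restrict permissions" task at the end of the hunk only covers directories on the server and starts a list that continues outside the hunk.
```yaml
- name: Restrict permissions on fetched user keys
  file: path="configs/{{ IP_subject_alt_name }}_{{ item }}.key" mode=0600
  delegate_to: localhost
  with_items: "{{ users }}"
```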
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
new file mode 100644
index 0000000..3b01ff1
--- /dev/null
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -0,0 +1,17 @@
+conn ikev2-{{ IP_subject_alt_name }}
+{% for key, value in ipsec_config.iteritems() %}
+ {{ key }}={{ value }}
+{% endfor %}
+
+ right={{ IP_subject_alt_name }}
+ rightid={{ IP_subject_alt_name }}
+ rightsubnet=0.0.0.0/0
+ rightauth=pubkey
+
+ leftsourceip=%config
+ leftauth=pubkey
+ leftcert={{ IP_subject_alt_name }}_{{ item }}.crt
+ leftfirewall=yes
+ left=%defaultroute
+
+ auto=add
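Review bot: `ipsec_config.iteritems()` on the second line is a Python 2 dict method; under Jinja2 on Python 3 the template fails to render because `dict` has no `iteritems`, so use `{% for key, value in ipsec_config.items() %}` here and in the matching loop added to `conn %default` in `ipsec.conf.j2`. Separately, `leftcert=` and the secrets file reference the certificate and key by bare filename, which strongSwan conventionally resolves under `/etc/ipsec.d/certs` and `/etc/ipsec.d/private`, yet nothing tells the user where to place the files fetched into `configs/`. A header comment such as `# Client-side ipsec.conf: copy <ip>_<user>.crt to /etc/ipsec.d/certs and <ip>_<user>.key to /etc/ipsec.d/private before use` would save the first support question.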
diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2
new file mode 100644
index 0000000..ec4a30f
--- /dev/null
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@@ -0,0 +1,2 @@
+{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
+
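Review bot: The `ECDSA` entry names the key file with no passphrase, so the fetched `.key` is expected to sit unencrypted on the client; that is a deliberate trade-off but should be stated in a leading comment, e.g. `# <server ip> : ECDSA <keyfile>  -- key is stored unencrypted; protect the file with 0600`. The selector is the server's IP rather than a client identity; to my knowledge charon ignores selectors on private-key entries and matches the key to the certificate, so it is harmless but reads as if it identified the server. The trailing empty line adds nothing to the rendered file.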
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index b1dde99..fa29458 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -3,14 +3,9 @@ config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
- dpdaction=clear
- dpddelay=35s
- rekey=no
- keyexchange=ikev2
- ike=aes128gcm16-sha2_256-prfsha256-ecp256!
- esp=aes128gcm16-sha2_256-ecp256!
- compress=yes
- fragmentation=yes
+{% for key, value in ipsec_config.iteritems() %}
+ {{ key }}={{ value }}
+{% endfor %}
left=%any
leftauth=pubkey
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index 3fc3668..5714839 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -76,12 +76,24 @@
Proxies
HTTPEnable
+{% if proxy_enabled is defined and proxy_enabled == true %}
+ 1
+ HTTPPort
+ 8118
+ HTTPProxy
+ {{ local_service_ip }}
+ {% else %}
0
+{% endif %}
HTTPSEnable
0
UserDefinedName
+{% if proxy_enabled is defined and proxy_enabled == true %}
+ {{ IP_subject_alt_name }} IKEv2 with proxy
+ {% else %}
{{ IP_subject_alt_name }} IKEv2
+{% endif %}
VPNType
IKEv2
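Review bot: The guard `proxy_enabled is defined and proxy_enabled == true` is repeated four times across this hunk and the next (HTTPEnable, UserDefinedName, PayloadDisplayName, PayloadIdentifier), so any change to how the flag is set must be made in four places. Evaluate it once at the top of the template, `{% set with_proxy = proxy_enabled is defined and proxy_enabled == true %}`, and use `{% if with_proxy %}` at each site; that keeps the exact comparison the roles rely on via `set_fact`. The proxy port `8118` is a literal here; if the proxy role's listen port is defined as a variable, it should be referenced instead so the two cannot drift.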
@@ -129,9 +141,17 @@
PayloadDisplayName
+{% if proxy_enabled is defined and proxy_enabled == true %}
+ {{ IP_subject_alt_name }} IKEv2 with proxy
+ {% else %}
{{ IP_subject_alt_name }} IKEv2
+{% endif %}
PayloadIdentifier
+{% if proxy_enabled is defined and proxy_enabled == true %}
+ donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA
+ {% else %}
donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
+{% endif %}
PayloadRemovalDisallowed
PayloadType