SAN fixed

2025-04-19 15:47:11 +02:00 · 2016-07-12 10:10:50 +03:00 · 2016-07-12 10:10:50 +03:00 · e4e9ddd6ad
commit e4e9ddd6ad
parent 993e388abb
2 changed files with 19 additions and 18 deletions
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@ -7,8 +7,9 @@ conn %default
    dpdtimeout=300s
    rekey=no
 	keyexchange=ikev2
-    ike=aes256-sha1-modp1024!
-    esp=aes256-sha1!
+    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
+
+    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
 	compress=yes
 	fragmentation=yes
 	
--- a/vpn.yml
+++ b/vpn.yml
@ -11,29 +11,29 @@
  - name: Wait for port 22 to become available
    local_action: "wait_for port=22 host={{ inventory_hostname }}"

-  - name: Updating apt-get
-    raw: apt-get update -qq
+  #- name: Updating apt-get
+    #raw: apt-get update -qq
    
-  - name: Install python2.7 for Ansible
-    raw: apt-get install -qq -y python2.7
+  #- name: Install python2.7 for Ansible
+    #raw: apt-get install -qq -y python2.7

-  - name: Install StrongSwan
-    apt: name=strongswan state=latest update_cache=yes
+  #- name: Install StrongSwan
+    #apt: name=strongswan state=latest update_cache=yes

-  - name: Enable strongswan
-    service: name=strongswan enabled=yes
+  #- name: Enable strongswan
+    #service: name=strongswan enabled=yes

-  - name: Enable packet forwarding for IPv4
-    sysctl: name=net.ipv4.ip_forward value=1
+  #- name: Enable packet forwarding for IPv4
+    #sysctl: name=net.ipv4.ip_forward value=1

-  - name: Do not accept ICMP redirects (prevent MITM attacks)
-    sysctl: name=net.ipv4.conf.all.accept_redirects value=0
+  #- name: Do not accept ICMP redirects (prevent MITM attacks)
+    #sysctl: name=net.ipv4.conf.all.accept_redirects value=0

-  - name: Do not send ICMP redirects (we are not a router)
-    sysctl: name=net.ipv4.conf.all.send_redirects value=0
+  #- name: Do not send ICMP redirects (we are not a router)
+    #sysctl: name=net.ipv4.conf.all.send_redirects value=0

-  - name: Configure iptables so IPSec traffic can traverse the tunnel
-    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+  #- name: Configure iptables so IPSec traffic can traverse the tunnel
+    #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE

  - name: Setup the ipsec.conf file from our template
    template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644