From e4e9ddd6ad0529ec18977563e12ac735f74c3d49 Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Tue, 12 Jul 2016 10:10:50 +0300
Subject: [PATCH] SAN fixed
---
templates/ipsec.conf.j2 | 5 +++--
vpn.yml | 32 ++++++++++++++++----------------
2 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 736b193..6306192 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -7,8 +7,9 @@ conn %default
 dpdtimeout=300s
 rekey=no
 keyexchange=ikev2
- ike=aes256-sha1-modp1024!
- esp=aes256-sha1!
+ ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
+
+ esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
 compress=yes
 fragmentation=yes
diff --git a/vpn.yml b/vpn.yml
index 4d90a14..45851c6 100644
--- a/vpn.yml
+++ b/vpn.yml
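Review bot: The new `ike=`/`esp=` lines still admit 3DES, SHA-1 and the 1024-bit MODP group (`3des-sha1-modp1024`, `aes128-sha1-modp1024`, a trailing `modp1024` in every group list) as well as ESP suites with no DH group at all (`aes128-aes256-sha1-sha256`, `aes128-sha1`, `3des-sha1`), so a peer that offers only those negotiates an ~80-bit-security key exchange or a child SA without PFS; the trailing `!` makes the list strict but cannot exclude entries that are on it. This reads like a broad client-compatibility list; unless a specific legacy client is known to require the weak entries, trim them to something like `ike=aes256gcm16-aes128gcm16-sha256-modp2048-modp4096,aes256-aes128-sha256-modp2048-modp4096!` and `esp=aes256gcm16-aes128gcm16-modp2048-modp4096,aes256-aes128-sha256-modp2048-modp4096!`, and record the reason for whatever breadth remains with a comment such as `# wide proposal list for road-warrior clients; do not re-add 3DES/SHA-1/modp1024`. The commit subject `SAN fixed` does not describe this hunk, which makes the cipher-suite widening easy to miss in history. The enclosing `conn %default` section starts before the hunk.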
@@ -11,29 +11,29 @@
 - name: Wait for port 22 to become available
 local_action: "wait_for port=22 host={{ inventory_hostname }}"
- - name: Updating apt-get
- raw: apt-get update -qq
+ #- name: Updating apt-get
+ #raw: apt-get update -qq
- - name: Install python2.7 for Ansible
- raw: apt-get install -qq -y python2.7
+ #- name: Install python2.7 for Ansible
+ #raw: apt-get install -qq -y python2.7
- - name: Install StrongSwan
- apt: name=strongswan state=latest update_cache=yes
+ #- name: Install StrongSwan
+ #apt: name=strongswan state=latest update_cache=yes
- - name: Enable strongswan
- service: name=strongswan enabled=yes
+ #- name: Enable strongswan
+ #service: name=strongswan enabled=yes
- - name: Enable packet forwarding for IPv4
- sysctl: name=net.ipv4.ip_forward value=1
+ #- name: Enable packet forwarding for IPv4
+ #sysctl: name=net.ipv4.ip_forward value=1
- - name: Do not accept ICMP redirects (prevent MITM attacks)
- sysctl: name=net.ipv4.conf.all.accept_redirects value=0
+ #- name: Do not accept ICMP redirects (prevent MITM attacks)
+ #sysctl: name=net.ipv4.conf.all.accept_redirects value=0
- - name: Do not send ICMP redirects (we are not a router)
- sysctl: name=net.ipv4.conf.all.send_redirects value=0
+ #- name: Do not send ICMP redirects (we are not a router)
+ #sysctl: name=net.ipv4.conf.all.send_redirects value=0
- - name: Configure iptables so IPSec traffic can traverse the tunnel
- iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+ #- name: Configure iptables so IPSec traffic can traverse the tunnel
+ #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
 - name: Setup the ipsec.conf file from our template
 template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
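Review bot: Commenting out the install, enable, `ip_forward`, `accept_redirects=0`, `send_redirects=0` and MASQUERADE tasks means a host provisioned from scratch by this playbook only gets `/etc/ipsec.conf` written: strongSwan is never installed or enabled, forwarding and NAT are never set up, and the ICMP-redirect hardening that the removed task itself labels as MITM prevention is silently dropped with no note saying why. If the intent was to skip already-completed bootstrap work on repeat runs, the `apt`, `service`, `sysctl` and `iptables` modules are idempotent and cheap to re-run, and the two `raw` steps are the only ones worth gating, e.g. by restoring the tasks and adding `tags: [bootstrap]` to each so they can be skipped with `--skip-tags bootstrap` rather than disabled in source. If some of these really are meant to go away for good, delete them and state the reason in the commit instead of leaving commented-out tasks that the subject `SAN fixed` does not mention. The surrounding `tasks:` list begins before the hunk.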