Install Strongswan and configure IPSEC.
The role has been developed and tested on Debian/Ubuntu 18.0.4
These are the role variables and default values
ipsec_config_setup:
uniqueids: 'yes'
charonstart: 'yes'
charondebug: ''
ipsec_conn_default: {}
ipsec_conn_groups: {}
ipsec_secrets: []
Configures general configuration parameters. A list of available options can be found on StrongSwan config setup section documentation
Defaults for connections. This will populate the default conn (%default)
All conn groups inherit the parameters defined in a conn %default
Example:
strongswan_conn_default:
type: "tunnel"
keyexchange: "ikev1"
ikelifetime: "3h"
lifetime: "1h"
left: "%any"
Refer to the conn section for a list of all the parameters
In Strongswan ipsec.conf
configuration, conn defines a connection. The full list of available parameters can be found on StrongSwan Conn section documentation
ipsec_conn_groups
specifies the connections to be added to the ipsec.conf
.
Each key represents the name of a connection. The subelemets that the connection has is any valid conn parameter for a connection.
Example:
ipsec_conn_groups:
group1:
right: "10.10.10.9"
rightsubnet: "192.168.10.0/24"
ike: "aes256-sha1-modp1024"
esp: "aes256-sha1-modp1024"
auto: "start"
group2:
authby: "secret"
keyexchange: "ikev1"
left: "%defaultroute"
leftid: "3.7.150.3"
leftsubnet: "142.40.37.8/32"
right: "11.2.1.0"
rightsubnet: "192.168.1.10/32"
auto: "route"
ike: "aes256-sha1-modp1024"
esp: "aes256-sha1-modp1024"
Defines a list of secrets to be added to the ipsec secret file ipsec.secrets
Full documentation for the secrets file can be found here
ipsec_secrets
should be a list that contains the following attributes:
- left: Any valid ID selector. (optional)
- right: Any valid ID selector
- type: Optional (defaults to PSK) - any valid secret type
- credentials: Required - Connection's credentials, e.g the preshared password
Example:
ipsec_secrets:
- right: "11.2.1.0"
left: "3.7.150.3"
type: "PSK"
credentials: "presharedpassword"
None.
- hosts: ipsec_peer
roles:
- role: onaio.ipsec
Apache V2
Ona Engineering.