export p12 added

8 years ago · 63e67cb3a6
parent ec90d2acc7
commit 63e67cb3a6
3 changed files with 5 additions and 6 deletions
--- a/config.cfg
+++ b/config.cfg
@ -13,7 +13,7 @@ easyrsa_cert_expire: 3650
 easyrsa_reinit_existent: True

 # Domain or ip
-server_name: "win7.mycompany.local"
+server_name: ivlis.me
 server_ip: "{{ ansible_ssh_host }}"

 users:
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@ -8,7 +8,6 @@ conn %default
    rekey=no
 	keyexchange=ikev2
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
-
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
 	compress=yes
 	fragmentation=yes
@ -21,7 +20,7 @@ conn %default
    leftsubnet=0.0.0.0/0,::/0

    right=%any
-    #rightauth=pubkey
+    rightauth=pubkey
    rightsourceip=10.0.0.0/24
    rightdns=8.8.8.8,8.8.4.4

--- a/vpn.yml
+++ b/vpn.yml
@ -78,7 +78,7 @@
    
  - name: Build the server pair
    shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }} build-server-full {{ server_name }} nopass
+      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass
      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -88,7 +88,7 @@

  - name: Build the client's pair
    shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }} build-client-full {{ item }} nopass
+      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -97,7 +97,7 @@

  - name: Build the client's p12 
    shell: |
-      ./easyrsa export-p12 {{ item }} nopass
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:vpn
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'