diff --git a/config.cfg b/config.cfg
index 21a05f0..1ff0dcd 100644
--- a/config.cfg
+++ b/config.cfg
@@ -13,7 +13,7 @@ easyrsa_cert_expire: 3650
 easyrsa_reinit_existent: True
 
 # Domain or ip
-server_name: ivlis.me
+server_name: www.ivlis.me
 server_ip: "{{ ansible_ssh_host }}"
 
 users:
diff --git a/deploy.yml b/deploy.yml
index e190fbb..988e0da 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -1,4 +1,5 @@
 ---
 
-#- include: cloud.yml
+- include: cloud.yml
+- include: common.yml
 - include: vpn.yml
\ No newline at end of file
diff --git a/templates/easy-rsa.vars.j2 b/templates/easy-rsa.vars.j2
index 33663ff..6ab31c9 100644
--- a/templates/easy-rsa.vars.j2
+++ b/templates/easy-rsa.vars.j2
@@ -102,7 +102,7 @@ set_var EASYRSA_DN "cn_only"
 #  * rsa
 #  * ec
 
-set_var EASYRSA_ALGO       ec
+set_var EASYRSA_ALGO       rsa
 
 # Define the named curve, used in ec mode only:
 
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 4c5135d..a053330 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -1,52 +1,24 @@
 config setup
-	uniqueids = never # allow multiple connections per user
+    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
 
 conn %default
+    keyexchange=ikev2
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+    esp=aes128gcm16-sha2_256-ecp256!
     dpdaction=clear
-    dpddelay=35s
-    dpdtimeout=300s
-    rekey=no
-	keyexchange=ikev2
-    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
-    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
-	compress=yes
-	fragmentation=yes
-	
+    dpddelay=300s
+    authby=pubkey
     left=%any
-    leftauth=pubkey
     leftid={{ server_name }}
+    leftsubnet=0.0.0.0/0
     leftcert={{ server_name }}.crt
     leftsendcert=always
-    leftsubnet=0.0.0.0/0,::/0
-
     right=%any
-    rightauth=pubkey
     rightsourceip=10.0.0.0/24
-    rightdns=8.8.8.8,8.8.4.4
+    rightdns=8.8.8.8
+    rightsendcert=never
 
-conn ikev2-pubkey
+conn IPSec-IKEv2
+    keyexchange=ikev2
     auto=add
 
-    
-    
-#config setup
-
-#conn %default
-        #ikelifetime=60m
-        #keylife=20m
-        #rekeymargin=3m
-        #keyingtries=1
-
-#conn common
-        #left=%any         # Ip of the host
-        #leftcert={{ server_name }}.crt # the cert we just created and copied
-        #leftid={{ server_name }}  # the Alt name in the Cert we just created
-        #leftsubnet=172.16.31.0/24      # The internal subnet the remote user wants to access
-        #right=%any
-        #rightid=%any # Connections can come from anywhere
-        #rightsourceip=192.168.1.0/24   # Use this pool of IPs to assign to these inbound connections
-        #auto=add
-
-#conn ikev2
-        #keyexchange=ikev2 
-        #also=common
diff --git a/templates/ipsec.secrets.j2 b/templates/ipsec.secrets.j2
index 647ba0f..3ddf94b 100644
--- a/templates/ipsec.secrets.j2
+++ b/templates/ipsec.secrets.j2
@@ -1 +1,2 @@
-: ECDSA {{ server_name }}.key
+: RSA {{ server_name }}.key
+
diff --git a/vpn.yml b/vpn.yml
index 8269c51..358cea9 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Install StrongSwan
+- name: VPN Configuration
   hosts: vpn-host
   gather_facts: false
   remote_user: root
@@ -8,48 +8,39 @@
     - config.cfg    
   
   tasks:
-  - name: Wait for port 22 to become available
-    local_action: "wait_for port=22 host={{ inventory_hostname }}"
+  - name: Install StrongSwan
+    apt: name=strongswan state=latest update_cache=yes
 
-  #- name: Updating apt-get
-    #raw: apt-get update -qq
+  - name: Enforcing ipsec with apparmor
+    shell: aa-enforce "{{ item }}"
+    with_items:
+      - /usr/lib/ipsec/charon
+      - /usr/lib/ipsec/lookip
+      - /usr/lib/ipsec/stroke
+    notify:
+    - restart apparmor
     
-  #- name: Install python2.7 for Ansible
-    #raw: apt-get install -qq -y python2.7
-
-  #- name: Install StrongSwan
-    #apt: name=strongswan state=latest update_cache=yes
-
-  #- name: Enable strongswan
-    #service: name=strongswan enabled=yes
-
-  #- name: Enable packet forwarding for IPv4
-    #sysctl: name=net.ipv4.ip_forward value=1
+  - name: Enable services
+    service: name={{ item }} enabled=yes
+    with_items:
+      - apparmor
+      - strongswan
 
-  #- name: Do not accept ICMP redirects (prevent MITM attacks)
-    #sysctl: name=net.ipv4.conf.all.accept_redirects value=0
-
-  #- name: Do not send ICMP redirects (we are not a router)
-    #sysctl: name=net.ipv4.conf.all.send_redirects value=0
-
-  #- name: Configure iptables so IPSec traffic can traverse the tunnel
-    #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+  - name: Configure iptables so IPSec traffic can traverse the tunnel
+    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
 
   - name: Setup the ipsec.conf file from our template
     template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
     notify:
     - restart strongswan    
 
-  - name: Setup the ipsec.secrets file with users and passwords
+  - name: Setup the ipsec.secrets file
     template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
     notify:
     - restart strongswan    
- 
-  - name: Install git
-    apt: name=git state=latest      
     
-  #- name: Fetch easy-rsa-ipsec repo
-    #git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
+  - name: Fetch easy-rsa-ipsec repo
+    git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
 
   - name: Setup the vars file from our template
     template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
@@ -78,7 +69,7 @@
     
   - name: Build the server pair
     shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass
+      ./easyrsa build-server-full {{ server_name }} nopass
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -88,7 +79,7 @@
 
   - name: Build the client's pair
     shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass
+      ./easyrsa build-client-full {{ item }} nopass
       touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -104,27 +95,27 @@
       creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
     with_items: "{{ users }}"
   
-  - name: Make the CA cert to the strongswan directory
+  - name: Copy the CA cert to the strongswan directory
     copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
     notify:
     - restart strongswan
 
-  - name: Make the server cert to the strongswan directory
+  - name: Copy the server cert to the strongswan directory
     copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
     notify:
     - restart strongswan      
     
-  - name: Make the server key to the strongswan directory
+  - name: Copy the server key to the strongswan directory
     copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
     notify:
     - restart strongswan    
-   
-  - name: restart strongswan
-    service: name=strongswan state=restarted
     
   handlers:
     - name: restart strongswan
       service: name=strongswan state=restarted
+
+    - name: restart apparmor
+      service: name=apparmor state=restarted