diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
new file mode 100644
index 0000000..3eef6ce
--- /dev/null
+++ b/templates/ipsec.conf.j2
@@ -0,0 +1,18 @@
+config setup
+ uniqueids = never # allow multiple connections per user
+
+conn %default
+ keyexchange=ikev2
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+ esp=aes128gcm16-sha2_256-ecp256!
+ compress=yes
+ fragmentation=yes
+
+conn psk
+ authby=psk
+ left=%any
+ leftsubnet=0.0.0.0/0
+ right=%any
+ rightdns=8.8.8.8,8.8.4.4
+ rightsourceip=10.0.0.0/24
+ auto=add
\ No newline at end of file
diff --git a/templates/ipsec.secrets.j2 b/templates/ipsec.secrets.j2
new file mode 100644
index 0000000..9ecb639
--- /dev/null
+++ b/templates/ipsec.secrets.j2
@@ -0,0 +1 @@
+dan : PSK "{{ ipsec_psk.stdout }}"
diff --git a/vpn.yml b/vpn.yml
index 97880f9..01a8746 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -14,5 +14,15 @@
 - name: Do not accept ICMP redirects (prevent MITM attacks)
 sysctl: name=net.ipv4.conf.all.send_redirects value=0
 
- - name: Configure IPTables to route traffic appropriately
- iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 out_interface=eth0 jump=MASQUERADE
\ No newline at end of file
+ - name: Needed so that IPSEC traffic can traverse the tunnel
+ iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 out_interface=eth0 jump=MASQUERADE
+
+ - name: Setup the ipsec.conf file from our template
+ template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
+
+ - name: Generate a random IPsec pre-shared key (16 bytes)
+ shell: openssl rand -base64 16
+ register: ipsec_psk
+
+ - name: Setup the ipsec.secrets file with users and passwords
+ template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
\ No newline at end of file
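Review bot: `rightsourceip=10.0.0.0/24` and `rightdns=8.8.8.8,8.8.4.4` are hard-coded in a `.j2` template that otherwise contains no template expressions, and the same 10.0.0.0/24 is repeated verbatim in the iptables MASQUERADE task in vpn.yml, so the client pool and the NAT rule can drift apart without any error. Exposing them as playbook variables, e.g. `rightsourceip={{ ipsec_client_subnet }}` and `rightdns={{ ipsec_dns | join(',') }}`, and feeding the same variable to the iptables task keeps the two in step. With `authby=psk`, `left=%any` and `right=%any` the single shared secret is the only thing gating a conn that pushes `leftsubnet=0.0.0.0/0`, and `uniqueids = never` lets that secret be used by several sessions at once; a short comment stating that one PSK shared by all clients is the intended model would save the next reader from assuming per-user authentication. `compress=yes` turns on IPComp, which adds a negotiation variable that, as far as I can tell, nothing in this change depends on — if it is not deliberately wanted, dropping it simplifies the proposal.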
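Review bot: The secret is bound to the literal identity selector `dan`, but neither `conn psk` in ipsec.conf.j2 nor the playbook sets or documents an IKE identity, so a client presenting any other ID (typically its IP address when none is configured) would not match this entry; presumably every client is expected to be configured with `leftid=dan`, which should be stated in a comment, or the selector should come from a variable or loop so that the task name's "users and passwords" is actually per user. The value is interpolated inside double quotes with no escaping; that is fine for `openssl rand -base64` output, but if the variable is ever sourced elsewhere a `"` in it would break the file, so a comment such as `# value must not contain a double quote (base64 output is safe)` makes the assumption explicit.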
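Review bot: `shell: openssl rand -base64 16` is unconditional and its registered output is written straight into /etc/ipsec.secrets, so every run of the play generates a fresh PSK and rewrites the file, silently invalidating whatever key was previously handed to clients, and the value is never printed or stored anywhere an operator can retrieve it. Generate it only when /etc/ipsec.secrets does not yet exist (a `stat` check with `when: not ipsec_secrets.stat.exists`, or generate on the control host into a vaulted variable), and prefer `command:` over `shell:` since no shell features are used. Neither `template` task notifies a handler, so a running daemon keeps its old configuration and secrets — add `notify: reload ipsec` with a handler that runs `ipsec reload` and `ipsec rereadsecrets`, or restarts the service. The renamed task "Needed so that IPSEC traffic can traverse the tunnel" no longer describes what the rule does (it masquerades 10.0.0.0/24 egress via eth0), and both `eth0` and `10.0.0.0/24` are duplicated against templates/ipsec.conf.j2, so a shared variable would keep them consistent.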