configure a user

2024-11-10 01:11:07 +00:00 · 2016-05-15 12:12:17 -04:00 · 2016-05-15 12:12:17 -04:00 · c4f39262af
commit c4f39262af
parent e10b1b669f
3 changed files with 31 additions and 2 deletions
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@ -0,0 +1,18 @@
+config setup
+	uniqueids = never # allow multiple connections per user
+
+conn %default
+	keyexchange=ikev2
+	ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+	esp=aes128gcm16-sha2_256-ecp256!
+	compress=yes
+	fragmentation=yes
+
+conn psk	
+	authby=psk
+	left=%any
+	leftsubnet=0.0.0.0/0
+	right=%any
+	rightdns=8.8.8.8,8.8.4.4
+	rightsourceip=10.0.0.0/24
+	auto=add
--- a/templates/ipsec.secrets.j2
+++ b/templates/ipsec.secrets.j2
@ -0,0 +1 @@
+dan : PSK "{{ ipsec_psk.stdout }}"
--- a/vpn.yml
+++ b/vpn.yml
@ -14,5 +14,15 @@
  - name: Do not accept ICMP redirects (prevent MITM attacks)
    sysctl: name=net.ipv4.conf.all.send_redirects value=0

-  - name: Configure IPTables to route traffic appropriately
+  - name: Needed so that IPSEC traffic can traverse the tunnel
    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 out_interface=eth0 jump=MASQUERADE
+
+  - name: Setup the ipsec.conf file from our template
+    template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
+
+  - name: Generate a random IPsec pre-shared key (16 bytes)
+    shell: openssl rand -base64 16
+    register: ipsec_psk
+
+  - name: Setup the ipsec.secrets file with users and passwords
+    template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600