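---
# Provision a strongSwan IPsec gateway on the "vpn" host group:
# install the package, harden the relevant kernel knobs, masquerade the
# client subnet out of the egress interface and render ipsec.conf /
# ipsec.secrets from the templates next to this playbook.
#
# Every task writes under /etc or changes kernel state, so the play must
# run as root (connect as root or add become).
- name: Install StrongSwan and its dependencies
  hosts: vpn
  vars:
    # Client address pool. The NAT rule below masquerades only this range;
    # it must agree with the pool handed out in ipsec.conf.j2.
    vpn_client_subnet: "10.0.0.0/24"
    # Interface client traffic leaves through. Override per host when the
    # image does not name it eth0 (e.g. ens3/ens5 on many cloud images).
    vpn_egress_interface: eth0

  tasks:
    - name: Install StrongSwan
      # state=latest also upgrades on every later run; switch to
      # state=present if a purely idempotent run is preferred.
      apt:
        name: strongswan
        state: latest
        update_cache: true

    - name: Enable packet forwarding for IPv4
      # Needed so decrypted client packets can be routed out again.
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true

    - name: Do not accept ICMP redirects (prevent MITM attacks)
      # With forwarding enabled the kernel ANDs conf.all with the
      # per-interface value (see ip-sysctl.txt), so conf.all=0 is enough
      # for IPv4. IPv6 (net.ipv6.conf.all.accept_redirects) is not touched
      # here and keeps the kernel default.
      sysctl:
        name: net.ipv4.conf.all.accept_redirects
        value: "0"
        sysctl_set: true

    - name: Do not send ICMP redirects (we are not a router)
      # send_redirects is ORed between conf.all and the per-interface
      # value (default 1), so setting conf.all alone leaves it enabled on
      # eth0. Set the existing egress interface and the template for
      # interfaces created later as well.
      sysctl:
        name: "net.ipv4.conf.{{ item }}.send_redirects"
        value: "0"
        sysctl_set: true
      with_items:
        - all
        - default
        - "{{ vpn_egress_interface }}"

    - name: Configure iptables so IPSec traffic can traverse the tunnel
      # Masquerade client traffic leaving via the egress interface. With
      # ip_forward on and no FORWARD-chain filtering, any packet sourced
      # from vpn_client_subnet is forwarded, not only traffic that arrived
      # inside the tunnel (`-m policy --dir in --pol ipsec`). Rules added
      # by this module are not persisted across reboots.
      iptables:
        table: nat
        chain: POSTROUTING
        source: "{{ vpn_client_subnet }}"
        out_interface: "{{ vpn_egress_interface }}"
        jump: MASQUERADE

    - name: Setup the ipsec.conf file from our template
      # World-readable is fine: no secrets live in ipsec.conf.
      template:
        src: ipsec.conf.j2
        dest: /etc/ipsec.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart strongswan

    - name: Generate a random IPsec pre-shared key (16 bytes)
      # 16 random bytes (128 bits of entropy), base64-encoded for the
      # secrets file. no_log keeps the key out of Ansible output and logs;
      # changed_when: false because nothing on the host changes here.
      # NOTE: a fresh key is produced on every run, so every run rewrites
      # ipsec.secrets and invalidates the PSK already handed to clients —
      # persist the key (e.g. only generate when the file is absent) if
      # the playbook is meant to be re-run.
      command: openssl rand -base64 16
      register: ipsec_psk
      no_log: true
      changed_when: false

    - name: Setup the ipsec.secrets file with users and passwords
      # Holds the PSK, so root-only (0600).
      template:
        src: ipsec.secrets.j2
        dest: /etc/ipsec.secrets
        owner: root
        group: root
        mode: "0600"
      notify: restart strongswan

  handlers:
    # Without this the freshly rendered config and secrets are not read by
    # the already-running daemon until the next restart.
    - name: restart strongswan
      service:
        name: strongswan
        state: restarted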