Tested on:
- Ubuntu 18.04 and 20.04
- CentOS 7 and 8
- Debian 9 and 10
This role uses a swanctl.conf-style syntax (referencing sections, since 5.7.0).
strongswan_swanctl_settings
: [required]: Set all settings for swanctl.conf
strongswan_swanctl_config_dir
: [optional, default:/etc/strongswan/swanctl
]: Directory which contains StrongSwan swanctl.confstrongswan_swanctl_config_file
: [optional, default:{{ strongswan_swanctl_config_dir }}/swanctl.conf
]: The name of StrongSwan swanctl configuration filestrongswan_letsencrypt_enable
: [optional, default:true
]: Prepare StrongSwan server certificate with Let'sEncryptstrongswan_firewalld_enable
: [optional, defaulttrue
]: Set all needed firewall rules for StrongSwan serverstrongswan_client
: [optional, defaultfalse
]: Install and configure StrongSwan on clientsstrongswan_download_cert
: [optional, defaultfalse
]: Download StrongSwan certificate from server host. Should be used withstrongswan_letsencrypt_enable
=true
strongswan_upload_cert
: [optional, defaultfalse
]: Upload StrongSwan certificate to clients. Should be used withstrongswan_letsencrypt_enable
=true
- geerlingguy.certbot
# Enable variable below only for first certificate generating
certbot_create_if_missing: yes
certbot_certs:
- email: [email protected]
domains:
- "{{ inventory_hostname }}"
certbot_create_standalone_stop_services: []
# Set StrongSwan swanctl configuration
# https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
strongswan_swanctl_settings:
connections:
ikev2-eap:
version: 2
rekey_time: 0s
fragmentation: yes
proposals: aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
encap: yes
pools: primary-pool-ipv4
dpd_delay: 30s
local-1:
certs: cert.pem
id: myid
remote-1:
auth: eap-dynamic
eap_id: "%any"
children:
ikev2-eap:
local_ts: 0.0.0.0/0,::/0
rekey_time: 0s
dpd_action: clear
esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
pools:
primary-pool-ipv4:
addrs: 192.168.252.0/24
secrets:
eap-user:
id: user
secret: Ar3e73tTnp02
strongswan_swanctl_settings:
connections:
home:
encap: yes
vips: 0.0.0.0
remote_addrs: moon.strongswan.org
version: 2
children:
home:
remote_ts: 0.0.0.0/0,::/0
start_action: none
local:
auth: eap-aka
eap_id: carol
remote:
auth: pubkey
id: moon.strongswan.org
secrets:
eap-carol:
id: carol
secret: Ar3etTnp
- hosts: server
vars:
strongswan_letsencrypt_enable: false
roles:
- serverbee.strongswan
- hosts: server
vars:
strongswan_letsencrypt_enable: true
certbot_certs:
- email: [email protected]
domains:
- vpn.example.com
roles:
- serverbee.strongswan
- hosts:
- server
roles:
- serverbee.strongswan
vars:
strongswan_client: true
strongswan_download_cert: true
- hosts:
- clients
roles:
- serverbee.strongswan
vars:
strongswan_upload_cert: true
- Remove some dependencies roles to achieve more flexibility.
BSD 2-clause "Simplified" license
Vitaly Yakovenko
hybridadmin