Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/torian/ansible-role-strongswan

Ansible role for StrongSwan
https://github.com/torian/ansible-role-strongswan

ansible-role strongswan

Last synced: 2 months ago
JSON representation

Ansible role for StrongSwan

Host: GitHub
URL: https://github.com/torian/ansible-role-strongswan
Owner: torian
License: apache-2.0
Created: 2017-05-24T01:44:22.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2021-12-15T05:52:47.000Z (about 3 years ago)
Last Synced: 2023-03-22T15:02:53.330Z (almost 2 years ago)
Topics: ansible-role, strongswan
Size: 13.7 KB
Stars: 12
Watchers: 1
Forks: 25
Open Issues: 13
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE

Awesome Lists containing this project

README

# Ansible role for StrongSwan

[![Build Status](https://travis-ci.org/torian/ansible-role-strongswan.svg)](https://travis-ci.org/torian/ansible-role-strongswan)

An Ansible Role that installs and configures StrongSwan on Red Hat/CentOS or Debian/Ubuntu.

## Tested On

* EL / Centos (7 / 6)
* Ubuntu (Xenial / Trusty / Precise)

## Role Variables

Defaults defined in `defaults/main.yml`:

```
strongswan_config_file: {{strongswan_prefix}}/ipsec.conf
strongswan_secrets_file: {{strongswan_prefix}}/ipsec.secrets
```

The var `strongswan_prefix` is defined based on `ansible_os_family`.

The `ipsec.conf` file is configured through the following vars (and their default values):

```
strongswan_config_setup:
uniqueids: yes
charonstart: yes
charondebug: ''

strongswan_conn_default: {}

strongswan_conns: {}
```

Secrets are specified using `strongswan_secrets`. It is a list where each
element might contain the following attributes:
```
left: Optional - Any valid ID selector
right: Optional - Any valid ID selector
type: Optional (defaults to PSK) - any valid secret type
credential: Required - Connection's credentials
```

## Usage

The vars used for the `config setup` and `conn %default` sections are a hash that accept
any valid configuration option for strongswan. An example:

```
strongswan_conn_default:
type: tunnel
ikelifetime: 1h
lifetime: 30m
left: 1.2.3.4
```

Connections are configured with `strongswan_conns` hash:

```
strongswan_conns:
conn1:
right: 2.3.4.5
rightsubnet: 2.3.4.0/24
ike: aes256-sha1-modp1024
esp: aes256-sha1-modp1024
auto: start

conn2:
right: 3.4.5.6
rightsubnet: 3.4.5.0/24
auto: route
```

Setting up secrets can be done in the following way:

```
strongswan_secrets:
- left: 1.2.3.4
right: 2.3.4.5
type: PSK
credentials: '"super wooper passw0rd"'

- right: 3.4.5.6
type: RSA
credentials: cert.pem
```

The double quotes inside the simple ones is meant to escape any special chars.

`RSA` private keys (or any secret type that requires a key file) might be specified
through `strongswan_private_keys` (TODO):

```
strongswan_private_keys:
- filename: cert.pem
key: |
--- begin your key ---
--- end your key ---
- filename: more_secure.pem
key: "{{var_from_a_vault}}"
```

## License

See [License](LICENSE)

## Author Information

This role was created in 2017 by Emiliano Castagnari.