Add ipsec role

2017-06-08 17:33:06 +02:00 · 2017-06-08 17:33:06 +02:00 · 674ad35e28
parent 8d6e9e16aa
commit 674ad35e28
2 changed files with 52 additions and 0 deletions
--- a/ipsec/tasks/main.yml
+++ b/ipsec/tasks/main.yml
@ -0,0 +1,42 @@
+---
+- name: Create /etc/ipsec dir
+  file:
+    path: /etc/ipsec
+    state: directory
+    mode: "0750"
+    owner: root
+    group: wheel
+  tags:
+  - ipsec
+
+- name: Enable and start isakmpd service
+  service:
+    name: isakmpd
+    arguments: '-K'
+    state: started
+    enabled: yes
+  tags:
+  - ipsec
+
+- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
+  template:
+    src: ipsec.conf.j2
+    dest: "/etc/ipsec/{{ ipsec_name }}.conf"
+    mode: "0640"
+    owner: root
+    group: wheel
+  register: ipsec_conf
+  tags:
+  - ipsec
+
+- name: "Check {{ ipsec_name }} config"
+  command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
+  changed_when: false
+  tags:
+  - ipsec
+
+#- name: "Reload ipsec {{ ipsec_name }}"
+#  command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
+#  when: ipsec_conf.changed
+#  tags:
+#  - ipsec
--- a/ipsec/templates/ipsec.conf.j2
+++ b/ipsec/templates/ipsec.conf.j2
@ -0,0 +1,10 @@
+local_ip="{{ ipsec_local_ip }}"
+local_network="{{ ipsec_local_network }}"
+
+remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}"
+remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}"
+
+ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \
+main auth hmac-sha2-512 enc 3des group modp4096 \
+quick auth hmac-sha2-512 enc 3des group modp4096 \
+psk "{{ ipsec_psk }}"