jsecchiero.strongswan
Ansible strongSwan Role
This Ansible role helps set up strongSwan on Arch Linux, RHEL/CentOS, and Debian/Ubuntu.
Requirements
Currently, this role works only on Arch Linux, and the strongSwan package has to be installed from the AUR. It also assumes that UFW manages the firewall and that UFW is configured to allow GRE tunnels. These limitations need to be fixed before the role can be published or added to Ansible Galaxy.
strongSwan 5.0.0 or later may also be required, but this has not been verified yet.
Role Variables
strongswan_packages:
  - strongswan
This is the list of packages that will be installed. Right now, it is specific to Arch Linux.
strongswan_conn_default:
  auto: add
  type: tunnel
  authby: psk
  keyexchange: ike
  ikelifetime: 3h
  lifetime: 60m
  margintime: 15m
  keyingtries: 3
  dpdaction: restart
  dpddelay: 30
These are the default settings for the %default connection. They mostly reflect strongSwan's own defaults (around version 5.0.0).
strongswan_conn: []
# - name: connection_name
#   conn:
#     # connection options, for example:
#     ike: aes256gcm16-modp2048!
#     esp: aes256gcm16-modp2048!
#   left:
#     address: local_address
#   right:
#     address: remote_address
#   secret: abcde...z
This is where you specify the connection settings for strongSwan.
Example Playbook
- hosts: ipsec_server
  roles:
    - { role: jonathanio.strongswan, tags: ['ipsec'] }
  vars:
    strongswan_hosts:
      - name: example
        conn:
          auto: route
          type: tunnel
          authby: psk
          keyexchange: ikev2
          lifetime: 3h
          ike: aes256gcm16-modp2048!
          esp: aes256gcm16-modp2048!
          ikelifetime: 24h
        left:
          address: 0.0.0.0/0
          subnet: 192.168.100.0/24
          protoport: 47
          id: my
          updown: /usr/lib/ipsec/_updown_nat
        right:
          address: 87.65.43.21
          subnet: 192.168.101.0/24
          protoport: 47
          id: your
          updown: /usr/lib/ipsec/_updown_nat
        secret: something_needs_to_go_here
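To make the variable layout above concrete, here is an added example (not this role's own template) that renders the documented %default settings and one connection entry into ipsec.conf text and the matching ipsec.secrets line. The mapping of `left`/`right` sub-keys to `left*`/`right*` options and the fallback from `id` to `address` are assumptions about how such a role would template its config.

```python
# Added example (not the role's own template): render strongswan_conn_default
# and one strongswan_conn entry into ipsec.conf text plus an ipsec.secrets line.
# The key-to-option mapping below is an assumption about how such a role templates.
# %default settings as documented on this page.
STRONGSWAN_CONN_DEFAULT = {
    "auto": "add", "type": "tunnel", "authby": "psk", "keyexchange": "ike",
    "ikelifetime": "3h", "lifetime": "60m", "margintime": "15m",
    "keyingtries": 3, "dpdaction": "restart", "dpddelay": 30,
}
# left/right sub-keys -> suffix appended to "left"/"right" in ipsec.conf (assumed).
SIDE_KEYS = {"address": "", "subnet": "subnet", "protoport": "protoport",
             "id": "id", "updown": "updown"}

def render_default():
    """ipsec.conf 'conn %default' section built from the documented defaults."""
    lines = ["conn %default"]
    lines += [f"    {k}={v}" for k, v in STRONGSWAN_CONN_DEFAULT.items()]
    return "\n".join(lines) + "\n"

def render_conn(entry):
    """Return (conn_text, secrets_line); secrets_line is None unless authby is psk."""
    conn = entry.get("conn", {})  # explicit options override %default
    lines = [f"conn {entry['name']}"]
    for side in ("left", "right"):
        for key, suffix in SIDE_KEYS.items():
            if key in entry.get(side, {}):
                lines.append(f"    {side}{suffix}={entry[side][key]}")
    lines += [f"    {k}={v}" for k, v in conn.items()]
    secrets_line = None
    if conn.get("authby", STRONGSWAN_CONN_DEFAULT["authby"]) == "psk" and entry.get("secret"):
        # identity falls back to the address when no id is configured (assumed)
        lid = entry["left"].get("id", entry["left"]["address"])
        rid = entry["right"].get("id", entry["right"]["address"])
        # destined for ipsec.secrets, which must stay root-only (mode 0600)
        secrets_line = f'{lid} {rid} : PSK "{entry["secret"]}"'
    return "\n".join(lines) + "\n", secrets_line

# Constructed input: the "example" connection from the playbook on this page.
EXAMPLE = {
    "name": "example",
    "conn": {"auto": "route", "type": "tunnel", "authby": "psk", "keyexchange": "ikev2",
             "lifetime": "3h", "ikelifetime": "24h",
             "ike": "aes256gcm16-modp2048!", "esp": "aes256gcm16-modp2048!"},
    "left": {"address": "0.0.0.0/0", "subnet": "192.168.100.0/24", "protoport": 47,
             "id": "my", "updown": "/usr/lib/ipsec/_updown_nat"},
    "right": {"address": "87.65.43.21", "subnet": "192.168.101.0/24", "protoport": 47,
              "id": "your", "updown": "/usr/lib/ipsec/_updown_nat"},
    "secret": "something_needs_to_go_here",
}
```

Running `render_default()` followed by `render_conn(EXAMPLE)` gives the two ipsec.conf sections and the PSK line that a deployment of this variable layout would produce.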
License
GPLv2
Author Information
Jonathan Wright.
ansible-galaxy install jsecchiero.strongswan