serverbee.strongswan

strongSwan role

CI

Tested on:

  • Ubuntu 18.04 and 20.04
  • CentOS 7 and 8
  • Debian 9 and 10

This role uses swanctl.conf-style syntax (reference section, available since strongSwan 5.7.0).

Variables

General
  • strongswan_swanctl_settings: [required]: every setting written to swanctl.conf
strongSwan (server|client) settings:
  • strongswan_swanctl_config_dir: [optional, default: /etc/strongswan/swanctl]: directory that holds the strongSwan swanctl.conf
  • strongswan_swanctl_config_file: [optional, default: {{ strongswan_swanctl_config_dir }}/swanctl.conf]: name of the strongSwan swanctl configuration file
  • strongswan_letsencrypt_enable: [optional, default: true]: prepare the strongSwan server certificate using Let's Encrypt
  • strongswan_firewalld_enable: [optional, default: true]: set up the firewall rules the strongSwan server needs
  • strongswan_client: [optional, default: false]: install and configure strongSwan on a client
  • strongswan_download_cert: [optional, default: false]: download the strongSwan certificate from the server host. Should be used together with strongswan_letsencrypt_enable = true
  • strongswan_upload_cert: [optional, default: false]: upload the strongSwan certificate to the client. Should be used together with strongswan_letsencrypt_enable = true

Dependencies

  • geerlingguy.certbot

Variables

Host variables for the strongSwan server:

# Enable the following variable only when generating the first certificate
certbot_create_if_missing: yes

certbot_certs:
  - email: [email protected]
    domains:
      - "{{ inventory_hostname }}"

certbot_create_standalone_stop_services: []
# strongSwan swanctl settings
# https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
strongswan_swanctl_settings:
  connections:
    ikev2-eap:
      version: 2
      rekey_time: 0s
      fragmentation: yes
      proposals: aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
      encap: yes
      pools: primary-pool-ipv4
      dpd_delay: 30s
      local-1:
        certs: cert.pem
        id: myid
      remote-1:
        auth: eap-dynamic
        eap_id: "%any"
      children:
        ikev2-eap:
          local_ts: 0.0.0.0/0,::/0
          rekey_time: 0s
          dpd_action: clear
          # YAML mapping syntax (":"), not swanctl's "=": the role renders it into swanctl.conf
          esp_proposals: aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
  pools:
    primary-pool-ipv4:
      addrs: 192.168.252.0/24
  secrets:
    eap-user:
      id: user
      secret: Ar3e73tTnp02

Host variables for carol.strongswan.org:

strongswan_swanctl_settings:
  connections:
    home:
      encap: yes
      vips: 0.0.0.0
      remote_addrs: moon.strongswan.org
      version: 2
      children:
        home:
          remote_ts: 0.0.0.0/0,::/0
          start_action: none
      local:
        auth: eap-aka
        eap_id: carol
      remote:
        auth: pubkey
        id: moon.strongswan.org
  secrets:
    eap-carol:
      id: carol
      secret: Ar3etTnp
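To see what the nested strongswan_swanctl_settings dict becomes on disk, here is an added example (not the role's own template, whose exact output is not shown on this page) that renders such a dict into swanctl.conf syntax: nested mappings become `name { ... }` sections and scalars become `key = value` lines. The sample input mirrors the carol.strongswan.org host variables above, constructed inline as a Python dict.

```python
"""Render an Ansible-style strongswan_swanctl_settings dict into swanctl.conf text."""
from typing import Any, Dict

# Constructed sample, mirroring the carol.strongswan.org host vars in this README.
CAROL_SETTINGS: Dict[str, Any] = {
    "connections": {
        "home": {
            "encap": True,  # YAML "yes" parses to a Python bool
            "vips": "0.0.0.0",
            "remote_addrs": "moon.strongswan.org",
            "version": 2,
            "children": {
                "home": {"remote_ts": "0.0.0.0/0,::/0", "start_action": "none"},
            },
            "local": {"auth": "eap-aka", "eap_id": "carol"},
            "remote": {"auth": "pubkey", "id": "moon.strongswan.org"},
        }
    },
    "secrets": {"eap-carol": {"id": "carol", "secret": "Ar3etTnp"}},
}


def _fmt(value: Any) -> str:
    """YAML booleans become swanctl's yes/no; everything else is written verbatim."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def render_swanctl(settings: Dict[str, Any], indent: int = 0) -> str:
    """Emit nested dicts as 'name { ... }' sections and scalars as 'key = value'."""
    pad = "    " * indent
    lines = []
    for key, value in settings.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key} {{")
            if value:  # skip the blank line an empty section would produce
                lines.append(render_swanctl(value, indent + 1))
            lines.append(f"{pad}}}")
        else:
            lines.append(f"{pad}{key} = {_fmt(value)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_swanctl(CAROL_SETTINGS))
```

The rendered text is what you would expect under strongswan_swanctl_config_file; after writing it, `swanctl --load-all` applies it and reports any keys strongSwan rejects.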

Example playbooks

strongSwan server playbook with PKI certificates:

- hosts: server
  vars:
    strongswan_letsencrypt_enable: false
  roles:
    - serverbee.strongswan

strongSwan server playbook with Let's Encrypt certificates:

- hosts: server
  vars:
    strongswan_letsencrypt_enable: true
    certbot_certs:
      - email: [email protected]
        domains:
          - vpn.example.com
  roles:
    - serverbee.strongswan

strongSwan client playbook:

- hosts:
    - server
  roles:
    - serverbee.strongswan
  vars:
    strongswan_client: true
    strongswan_download_cert: true

- hosts:
    - clients
  roles:
    - serverbee.strongswan
  vars:
    strongswan_upload_cert: true

To do

  1. Drop some of the dependency roles for greater flexibility.

License

BSD 2-clause "Simplified" License

Author information

Vitaly Yakovenko
hybridadmin

About the project

Role to configure a strongSwan IPsec VPN server.

Installation
ansible-galaxy install serverbee.strongswan