# Packages installed on the IPsec gateway: the strongSwan daemon with its
# standard plugin set and PKI tool, diagnostics (tcpdump, iperf, conntrack),
# and iptables-persistent for persisting the firewall ruleset.
# NOTE(review): the key is misspelled ("requirements"); it is kept as-is
# because tasks presumably reference it by this exact name — rename them
# together if it is ever corrected.
strongswan_requeriments:
  - strongswan
  - libstrongswan-standard-plugins
  - strongswan-pki
  - tcpdump
  - iperf
  - conntrack
  - iptables-persistent

# Certificate material rendered from inline variables (content/dest/mode
# items). Both destinations hold public material — the gateway certificate
# and the CA certificate — so o=r is acceptable here; no private key is
# deployed through this list.
certificates:
  - content: '{{ cert_ipsec }}'
    dest: '/etc/ipsec.d/certs/cert.pem'
    mode: 'u=rw,g=r,o=r'
  - content: '{{ ca }}'
    dest: '/etc/ipsec.d/cacerts/ca.pem'
    mode: 'u=rw,g=r,o=r'

# strongSwan configuration files copied from the role's files.
# ipsec.secrets and the EAP-RADIUS plugin config are owner-read-only
# (u=r,g=,o=) because they carry credentials (ipsec.secrets by definition;
# vn-eap-radius.conf presumably the RADIUS shared secret) — keep that mode
# when editing. The remaining files are world-readable.
config_ipsec_files:
  - src: 'ipsec.conf'
    dest: '/etc/ipsec.conf'
    mode: 'u=rw,g=r,o=r'
  - src: 'vn-attr.conf'
    dest: '/etc/strongswan.d/charon/vn-attr.conf'
    mode: 'u=rw,g=r,o=r'
  - src: 'vn-eap-radius.conf'
    dest: '/etc/strongswan.d/charon/vn-eap-radius.conf'
    mode: 'u=r,g=,o='
  - src: 'ipsec.secrets'
    dest: '/etc/ipsec.secrets'
    mode: 'u=r,g=,o='

# Firewall ruleset in iptables-save/restore format (presumably what
# iptables-persistent loads). Literal block scalar (|): every line is kept
# verbatim and the trailing newline after the final COMMIT is preserved.
# Do not put YAML comments inside the block — they would become part of the
# ruleset text.
#
# mangle: clamp TCP MSS for SYNs entering/leaving an IPsec policy
# (--set-mss 1360 is the author's value; confirm it matches the tunnel MTU).
#
# filter: default policy is ACCEPT on INPUT, FORWARD and OUTPUT. The first
# FORWARD rule accepts NEW,RELATED,ESTABLISHED, and INVALID conntrack states
# are only LOGGED — there is no DROP and the LOG rule has no rate limit.
# NOTE(review): confirm this is intended; as written forwarding is
# unrestricted by this ruleset and a burst of INVALID packets can flood the
# log.
mangle_block: |
  *mangle
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
  -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
  COMMIT
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
  COMMIT

# Remaining files: the charon vn.conf drop-in and a logrotate policy for the
# charon log. No mode is given, so whichever module consumes this list
# applies its default permissions. src values are quoted for consistency
# with the other file lists (the parsed value is unchanged).
config_and_logrotate:
  - src: 'vn.conf'
    dest: '/etc/strongswan.d/vn.conf'
  - src: 'charon'
    dest: '/etc/logrotate.d/charon'