An Ansible Role that manages network encryption between inventory hosts based on IPsec / strongSwan.

nl2go/ansible-role-network-encryption
Ansible Role: Network Encryption

An Ansible Role that manages network encryption between inventory hosts based on IPsec / strongSwan.

Requirements

| Name | Type | Version | Location |
| --- | --- | --- | --- |
| ansible-filter | Python package | 1.0.0 | Control node |

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

```yaml
network_encryption_charon_port: 500
```

UDP port charon listens on locally for IKE. If set to 0, a random port is allocated (see strongswan.conf).

```yaml
network_encryption_port_nat_t: 4500
```

UDP port used locally for NAT traversal (NAT-T). If set to 0, a random port is allocated. It must differ from charon.port; otherwise a random port is allocated (see strongswan.conf).

```yaml
network_encryption_configs:
  - name: default
    psk: secret
```

Configuration sets are defined with the network_encryption_configs variable. The name of a set is mandatory and identifies it; the pre-shared key is set with psk. Every host attached to a set authenticates with the same psk, so use a long random value and keep it out of plain-text variable files (for example with ansible-vault) rather than the placeholder shown above.

```yaml
network_encryption_host_configs:
  - name: default
```

Hosts are attached to a configuration set with the network_encryption_host_configs variable. Configuration sets are referenced by name.

```yaml
network_encryption_host_configs:
  - name: default
    state: absent
```

A host is detached from a configuration set with state: absent.

```yaml
network_encryption_configs:
  - name: default
    interface: eth0
    psk: secret
```

The network interface used for the tunnels is set with the interface variable. If omitted, it defaults to ansible_default_ipv4.interface.

```yaml
network_encryption_configs:
  - name: default
    psk: secret
    params:
      lifetime: 8h
```

General connection parameters such as lifetime may be set in the params section (see ipsec.conf for the full parameter description).

```yaml
network_encryption_default_config_params:
  ike: aes256gcm16-prfsha384-modp4096,aes256gcm16-prfsha384-ecp384!
  esp: aes256gcm16-modp4096,aes256gcm16-ecp384!
  keyingtries: 0
  ikelifetime: 1h
  lifetime: 8h
  dpddelay: 30
  dpdtimeout: 120
  dpdaction: clear
  authby: secret
  keyexchange: ikev2
  type: tunnel
```

The params within network_encryption_configs extend or override the default connection parameters listed above. The trailing `!` on ike and esp makes the proposal lists strict, so only the listed AES-GCM suites with their DH groups are accepted. Note that dpdaction: clear closes the SA when a peer stops answering dead-peer detection instead of restarting it; check that this is the failure behaviour you want (and override it per set if not) before relying on the defaults.
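The following is an added worked example, not code from the role or its documentation, that ties the variables above together: one configuration set on a dedicated interface with a vaulted PSK and a per-set parameter override, an inventory group that joins the set, one host that is explicitly detached, and the playbook that applies it. The set name "backend", the interface eth1, the host and group names, and the vault_network_encryption_backend_psk variable are assumptions for illustration; the PSK value is a placeholder to be replaced with the output of openssl rand -base64 48.

```yaml
# group_vars/all.yml (constructed example; the variable keys are the role's,
# the set name, interface and vault variable name are assumptions)
network_encryption_configs:
  - name: backend
    interface: eth1                      # backend-only NIC; omit to fall back to ansible_default_ipv4.interface
    psk: "{{ vault_network_encryption_backend_psk }}"   # resolved from the vaulted file below
    params:
      lifetime: 4h                       # overrides the 8h default for this set only
      dpdaction: restart                 # re-establish the SA instead of clearing it when a peer goes quiet
---
# group_vars/all/vault.yml (encrypt with: ansible-vault encrypt group_vars/all/vault.yml)
# Placeholder value: generate the real key with: openssl rand -base64 48
vault_network_encryption_backend_psk: "REPLACE-WITH-OUTPUT-OF-openssl-rand-base64-48"
---
# group_vars/backend.yml (every host in the "backend" inventory group joins the set)
network_encryption_host_configs:
  - name: backend
---
# host_vars/db-old.yml (host being decommissioned; host_vars override group_vars,
# so this host is detached from the set on the next run)
network_encryption_host_configs:
  - name: backend
    state: absent
---
# site.yml
- hosts: backend
  roles:
    - nl2go.network_encryption
```

Run it with `ansible-playbook site.yml --ask-vault-pass` (or a vault password file). To confirm the result on a host, `ipsec statusall` should list the peer connections as ESTABLISHED, and `tcpdump -ni eth1 esp` should show only ESP packets between the attached hosts on that interface; anything still visible in cleartext there has not been covered by a configuration set.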

```yaml
network_encryption_config_dir: "/etc/ipsec.d/{{ role_name }}"
```

Defines a dedicated IPsec configuration directory so the role's files are isolated from other ipsec.d content.

Tags

Tags can be used to limit the role execution to a particular part of the role. The following tags are available:

  • network_encryption: Covers the full role lifecycle.
  • network_encryption_install, install: Installs required packages
  • network_encryption_config, config: Configures required packages

Dependencies

None.

Example Playbook

```yaml
- hosts: all
  roles:
    - nl2go.network_encryption
```

Development

Use docker-molecule following its instructions to run Molecule, or install Molecule locally (not recommended, as version conflicts may appear).

Run the tests with:

```shell
molecule test --all
```

Maintainers

License

See the LICENSE.md file for details.

Author Information

This role was created in 2019 by Newsletter2Go GmbH.
