Premier commit

roles/vpn-stg-r/files/ipsec.conf

@@ -0,0 +1,22 @@
+config setup
+        charondebug="all"
+        uniqueids=yes
+        strictcrlpolicy=no
+conn %default
+conn tunnel #
+        left=192.168.0.51
+        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        right=192.168.0.52
+        rightsubnet=172.16.128.0/24
+        ike=aes256-sha2_256-modp1024!
+        esp=aes256-sha2_256!
+        keyingtries=0
+        ikelifetime=1h
+        lifetime=8h
+        dpddelay=30
+        dpdtimeout=120
+        dpdaction=restart
+        authby=secret
+        auto=start
+        keyexchange=ikev2
+        type=tunnel

roles/vpn-stg-r/files/ipsec.secrets

@@ -0,0 +1,8 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+include /var/lib/strongswan/ipsec.secrets.inc
+192.168.0.51 192.168.0.52 : PSK 'root'

roles/vpn-stg-r/files/sysctl.conf

@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#

roles/vpn-stg-r/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+  - name: restart ipsec
+    service: name=ipsec state=restarted
+

roles/vpn-stg-r/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+#Installation ipsec strongswan côté droit pour le fichier de secret partagé
+  - name: install strongswan, fichier secret partagé
+    apt: name=strongswan state=present
+
+  - name: install tcpdump
+    apt: name=tcpdump state=present update_cache=yes
+
+  - name: activation du routage
+    copy: src=sysctl.conf dest=/etc/sysctl.conf
+
+  - name: Copie fichier ipsec.conf
+    copy: src=ipsec.conf dest=/etc/ipsec.conf
+    notify: restart ipsec
+
+  - name: Copie fichier ipsec.secrets
+    copy: src=ipsec.secrets dest=/etc/ipsec.secrets
+    notify: restart ipsec
+
+  - name: Message d'information
+    debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"