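#cloud-config
# Cloud-init template for a strongSwan IKEv2 site-to-site ("net-net") tunnel
# authenticated with a pre-shared key. The ${...} placeholders are filled in by
# whatever renders this file (e.g. Terraform templatefile()) before boot.
#
# SECURITY NOTE (review): the PSK travels inside instance user-data. On many
# clouds user-data can be read by any local process through the metadata
# service and by anyone who may describe the instance via console/API, and
# cloud-init keeps a copy under /var/lib/cloud/. Treat the rendered document as
# a secret: restrict who can read user-data, rotate the PSK if the instance is
# ever shared, and prefer fetching the key from a secrets manager at boot where
# the platform supports it.
package_update: true
packages:
  - strongswan
  # NOTE(review): iptables is installed but no rules are written below; confirm
  # whether forwarding/NAT rules for the tunnel subnets are expected here.
  - iptables
  - net-tools
  - procps  # provides sysctl

write_files:
  # Persist IP forwarding through a sysctl.d drop-in. The sed in runcmd only
  # rewrites an *existing* net.ipv4.ip_forward line in /etc/sysctl.conf; if the
  # key is absent there (common on minimal images) the original setup would not
  # survive a reboot. This file does.
  - path: /etc/sysctl.d/99-ipsec-forwarding.conf
    permissions: '0644'
    content: |
      net.ipv4.ip_forward = 1

  - path: /etc/ipsec.conf
    permissions: '0644'
    content: |
      config setup
        # Level 2 on every subsystem is bring-up verbosity; drop it to 1 (or
        # the default) once the tunnel is stable so the journal is not flooded.
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

      conn net-net
        auto=start
        keyexchange=ikev2
        authby=psk
        left=${local_ip}
        leftid=${leftid}
        leftsubnet=${local_subnet}
        right=${remote_ip}
        rightid=${rightid}
        rightsubnet=${remote_subnet}
        # Crypto proposals: AES-256, HMAC-SHA2-256 and a 2048-bit MODP group.
        # The previous aes256-sha1-modp1024 pair is below current guidance
        # (RFC 8247 marks 1024-bit MODP as SHOULD NOT and is phasing out
        # HMAC-SHA1). The trailing '!' makes these the only acceptable
        # proposals, so the peer MUST be configured with the same suite. A DH
        # group on the esp line gives CHILD_SA rekeys perfect forward secrecy.
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        # Dead-peer detection: probe every 30s, restart the tunnel after 120s
        # of silence.
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s

  - path: /etc/ipsec.secrets
    permissions: '0600'
    content: |
      # The PSK is a double-quoted string: a '"' or backslash inside ${psk}
      # would break this line. Generate the key as hex or base64 (>= 32 random
      # bytes) or use strongSwan's unquoted 0x<hex> / 0s<base64> forms.
      ${leftid} ${rightid} : PSK "${psk}"

runcmd:
  # Enable forwarding immediately. Persistence comes from the sysctl.d drop-in
  # above; the sed additionally flips an explicit ip_forward=0 in
  # /etc/sysctl.conf, which is applied after sysctl.d and would otherwise win.
  - sysctl -w net.ipv4.ip_forward=1
  - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  - sysctl --system
  - ipsec start
  # `ipsec start` returns before charon listens on its control socket, so an
  # immediate `ipsec up` can fail with "connecting to ... charon.ctl failed".
  # Wait (bounded to ~30s) for the daemon before initiating; auto=start also
  # brings the tunnel up on its own once charon is running.
  - for i in $(seq 1 30); do ipsec status >/dev/null 2>&1 && break; sleep 1; done
  - ipsec up net-net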