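#cloud-config
# strongSwan site-to-site IKEv2/PSK tunnel ("net-net").
# Tokens of the form ${name} are substituted by the tool that renders this
# template (local_ip, leftid, local_subnet, remote_ip, rightid, remote_subnet,
# psk) before cloud-init ever sees the file.
package_update: true
packages:
  - strongswan
  - iptables
  - net-tools
  - procps  # Needed for sysctl

write_files:
  # Connection definition. Proposal strings end in "!" so charon only offers
  # exactly these suites. NOTE(review): sha1 and modp1024 (DH group 2) are
  # legacy choices; move both peers to a stronger suite (e.g. sha256 with
  # modp2048 or an ECP group) when the remote side can be changed in lockstep.
  # charondebug level 2 on every subsystem is very chatty; lower it once the
  # tunnel is stable so syslog does not fill with negotiation detail.
  - path: /etc/ipsec.conf
    permissions: '0644'
    content: |
      config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

      conn net-net
        auto=start
        keyexchange=ikev2
        authby=psk
        left=${local_ip}
        leftid=${leftid}
        leftsubnet=${local_subnet}
        right=${remote_ip}
        rightid=${rightid}
        rightsubnet=${remote_subnet}
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s

  # Pre-shared key. 0600 keeps it root-only on disk, but the rendered
  # user-data itself is retained by cloud-init and is often readable from the
  # instance metadata service, so treat this document as sensitive. A psk
  # value containing a double quote would break the line; the renderer must
  # reject or escape such keys.
  - path: /etc/ipsec.secrets
    permissions: '0600'
    content: |
      ${leftid} ${rightid} : PSK "${psk}"

  # Persist IP forwarding across reboots. The sed in runcmd below only
  # rewrites an existing net.ipv4.ip_forward line in /etc/sysctl.conf and is a
  # no-op when that file has no such line (common on current distributions),
  # so this drop-in guarantees the setting survives a reboot either way.
  - path: /etc/sysctl.d/99-ipsec-forward.conf
    permissions: '0644'
    content: |
      net.ipv4.ip_forward = 1

runcmd:
  # Enable IP forwarding immediately for this boot.
  - sysctl -w net.ipv4.ip_forward=1
  # Keep /etc/sysctl.conf consistent if it already pins ip_forward (it is read
  # last by `sysctl --system` and would otherwise override the drop-in).
  # GNU sed: `c\` followed by text on the same line replaces the matched line.
  - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  # --system loads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf
  # (plain -p reads only the latter).
  - sysctl --system
  # Set up iptables rules
  # (left disabled as found; the two ACCEPT entries in nat/POSTROUTING must stay
  # ahead of MASQUERADE so tunnel traffic is not source-NATed, and the FORWARD
  # rules rely on the policy match to admit only IPsec-protected packets.)
  # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
  # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
  # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
  # Accept IPsec traffic
  # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
  # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  # - iptables -A INPUT -p esp -j ACCEPT
  # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
  # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
  # Enable and start strongSwan
  # (left disabled as found; with these commented out the tunnel only comes up
  # if the distribution package starts the service on install.)
  # - systemctl enable strongswan-starter
  # - systemctl start strongswan-starter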