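#cloud-config
# cloud-init user-data for a strongSwan site-to-site (net-net) IPsec gateway.
# The ${...} placeholders (local_ip, leftid, local_subnet, remote_ip, rightid,
# remote_subnet, psk) are substituted by the template engine that renders this
# file before it is handed to the instance.
package_update: true

packages:
  - strongswan
  - iptables
  - net-tools
  - procps  # Needed for sysctl

write_files:
  # Connection definition. World-readable, so it must never carry the PSK.
  # Proposals are strict ('!'): the peer has to offer exactly these algorithms.
  # SHA-1 integrity and the 1024-bit MODP group are below current guidance;
  # move both ends to sha256 with modp2048 or ecp256 once the peer allows it.
  # charondebug level 2 on every subsystem is very chatty; drop to 1 once the
  # tunnel is stable.
  - path: /etc/ipsec.conf
    permissions: '0644'
    content: |
      config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

      conn net-net
        auto=start
        keyexchange=ikev2
        authby=psk
        left=${local_ip}
        leftid=${leftid}
        leftsubnet=${local_subnet}
        right=${remote_ip}
        rightid=${rightid}
        rightsubnet=${remote_subnet}
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s

  # Pre-shared key, root-only. NOTE(review): user-data is normally retrievable
  # from the instance metadata service, so anyone with metadata access also
  # holds this PSK; certificate (pubkey) authentication avoids shipping a
  # secret in this file at all.
  - path: /etc/ipsec.secrets
    permissions: '0600'
    content: |
      ${leftid} ${rightid} : PSK "${psk}"

runcmd:
  # Enable IP forwarding, both now and across reboots.
  - sysctl -w net.ipv4.ip_forward=1
  - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  # sed only rewrites an existing (possibly commented) line; when sysctl.conf
  # has none, append one so the setting is not lost on reboot.
  - grep -q '^net.ipv4.ip_forward\s*=' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  - sysctl -p

  # Set up iptables rules
  # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
  # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
  # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE

  # Accept IPsec traffic
  # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
  # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  # - iptables -A INPUT -p esp -j ACCEPT
  # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
  # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT

  # Enable and start strongSwan
  # NOTE(review): left disabled; presumably the distribution package's own unit
  # starts strongSwan on install — confirm the service is active after first boot.
  # - systemctl enable strongswan-starter
  # - systemctl start strongswan-starter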