extras

8768d99d · nanahira · 7d150277 · 8768d99d · 7d150277 · 8768d99d
Commit 8768d99d authored Mar 26, 2024 by nanahira
10 changed files
--- a/zeeai-ikev2/.gitignore
+++ b/zeeai-ikev2/.gitignore
+/certs
+/data/certs
+/test
--- a/zeeai-ikev2/data/www.test-ikev2.mypaper.ai.zip
+++ b/zeeai-ikev2/data/www.test-ikev2.mypaper.ai.zip
--- a/zeeai-ikev2/docker-compose.yml.j2
+++ b/zeeai-ikev2/docker-compose.yml.j2
@@ -9,10 +9,10 @@ services:
      - NET_ADMIN
      - NET_RAW
    volumes:
-      - ./templates/ikev2.conf:/etc/swanctl/conf.d/ikev2.conf:ro
+      - ./templates/ikev2-express.conf:/etc/swanctl/conf.d/ikev2.conf:ro
-      - ./data/certs/certificate.crt:/etc/swanctl/x509/cert.pem:ro
+      - ./data/certs/{{inventory_hostname}}/certificate.crt:/etc/swanctl/x509/cert.pem:ro
-      - ./data/certs/private.key:/etc/swanctl/private/privkey.pem:ro
+      - ./data/certs/{{inventory_hostname}}/private.key:/etc/swanctl/private/privkey.pem:ro
-      - ./data/certs/ca_bundle.crt:/etc/swanctl/x509ca/ca.pem:ro
+      - ./data/certs/{{inventory_hostname}}/ca_bundle.crt:/etc/swanctl/x509ca/ca.pem:ro
    # command: sleep infinity
    environment:
      FOO: 3

--- a/zeeai-ikev2/extract-certs.sh
+++ b/zeeai-ikev2/extract-certs.sh
+#!/bin/bash
+domain="$1"
+zip="certs/$domain.zip"
+dist="data/certs/$domain"
+7z x -y -o"$dist" "$zip"
--- a/zeeai-ikev2/templates/ikev2-express.conf.j2
+++ b/zeeai-ikev2/templates/ikev2-express.conf.j2
+connections {
+  ikev2-eap-mschapv2 {
+    version = 2
+    unique = never
+    rekey_time = 0s
+    fragmentation = yes
+    dpd_delay = 60s
+    send_cert = always
+    pools = rw_pool
+    proposals = aes256-sha256-prfsha256-modp2048, aes256gcm16-prfsha384-modp1024, default
+    local_addrs = %any
+    local {
+      certs = cert.pem
+      id = {{inventory_hostname}}
+    }
+    remote {
+      auth = eap-mschapv2
+      eap_id = %any
+    }
+    children {
+      ikev2-eap-mschapv2 {
+        local_ts = {{allow_network}}
+        rekey_time = 0s
+        dpd_action = clear
+        esp_proposals = aes256-sha256, aes128-sha1, default
+      }
+    }
+  }
+}
+secrets {
+  private-cert {
+    file = privkey.pem
+  }
+  eap-{{inventory_hostname_short}} {
+    id = {{inventory_hostname_short}}
+    secret = "{{secret}}"
+  }
+}
+pools {
+  rw_pool {
+    addrs = {{network}}
+{% if dns %}
+    dns = {{dns}}
+{% endif %}
+  }
+}
--- a/zeeai-ikev2/templates/ikev2.conf.j2
+++ b/zeeai-ikev2/templates/ikev2.conf.j2
@@ -11,7 +11,7 @@ connections {
    local_addrs = %any
    local {
      certs = cert.pem
-      id = {{ansible_ssh_host}}
+      id = {{inventory_hostname}}
    }
    remote {
      auth = eap-mschapv2

--- a/zeeai-ikev2/templates/ikev2.conf.j2.bak2
+++ b/zeeai-ikev2/templates/ikev2.conf.j2.bak2
@@ -3,7 +3,7 @@ connections {
    version = 2
    unique = never
    pools = rw_pool
-    local_addrs = {{ansible_ssh_host}}
+    local_addrs = {{inventory_hostname}}
    local {
      auth = psk
      id = {{server_id}}

--- a/zeeai-ikev2/data/certs/ca_bundle.crt
+++ b/zeeai-ikev2/data/certs/ca_bundle.crt
--- a/zeeai-ikev2/data/certs/certificate.crt
+++ b/zeeai-ikev2/data/certs/certificate.crt
--- a/zeeai-ikev2/data/certs/private.key
+++ b/zeeai-ikev2/data/certs/private.key