blob: ef5e6cf411ade915905b4d63ffbc94e0956d75df [file] [log] [blame]
---
# strongswan defaults/main.yml
#
# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0
# Default values set here work with Google Cloud VPN
#
# Upstream docs:
# https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationFiles
# https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
# How long the keying channel of a connection (ISAKMP or IKE SA) should last
strongswan_conf_phase1_lifetime: "600m"
# How long a particular instance of a connection should last
strongswan_conf_phase2_lifetime: "180m"
# Which protocol should be used to initialize the connection
# Acceptable values are ike, ikev1, or ikev2
strongswan_conf_key_exchange: "ikev2"
# IKE/ISAKMP SA encryption/authentication algorithms
strongswan_conf_ike_cipher: "aes256gcm16-sha512-modp4096"
# ESP encryption/authentication algorithms
strongswan_conf_esp_cipher: "aes256gcm16-sha512-modp8192"
# How the two security gateways should authenticate each other
# NOTE: only psk is supported
strongswan_conf_auth_type: "psk"
# What operation should be done automatically at IPsec startup
# Acceptable values: add, start, or route
strongswan_conf_auto: "route"
strongswan_conf_keyingtries: "3"
# Actions that are taken when a connection drops
# Acceptable values: clear, hold, restart
strongswan_conf_dpdaction: "clear"
strongswan_conf_closeaction: "clear"
# Whether rekeying of an IKE_SA should also reauthenticate the peer
strongswan_conf_reauth: "no"
# Handle routes in strongSwan or not
# Set no if VPNs are route based
strongswan_conf_install_routes: false
# List of connections to configure
# See README.md for the examples
strongswan_conf_connections: []