---
# strongswan defaults/main.yml
#
# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0

# Ansible role defaults (lowest variable precedence): every value below can be
# overridden per host or group. Default values set here work with Google Cloud
# VPN; check the peer's supported proposals before changing the cipher/DH
# settings, since a mismatch simply fails negotiation.
#
# Upstream docs:
# https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationFiles
# https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

# How long the keying channel of a connection (ISAKMP or IKE SA) should last
# before it is renegotiated (strongSwan's ikelifetime). 600m = 10 hours.
strongswan_conf_phase1_lifetime: "600m"

# How long a particular instance of a connection (an IPsec/CHILD SA) should
# last before rekeying (strongSwan's lifetime). 180m = 3 hours. Keep this
# shorter than the phase 1 lifetime so the data-plane keys rotate more often
# than the IKE keys that protect the rekey itself.
strongswan_conf_phase2_lifetime: "180m"

# Which protocol should be used to initialize the connection
# Acceptable values are ike, ikev1, or ikev2
# Keep ikev2 unless the peer cannot do it: IKEv1 with PSK is the weaker
# choice (notably in aggressive mode, where the PSK-derived hash is exposed to
# offline guessing), and "ike" lets the peer pick either version.
strongswan_conf_key_exchange: "ikev2"

# IKE/ISAKMP SA encryption/authentication algorithms
# aes256gcm16 is an AEAD cipher, so the sha512 token is not a separate
# integrity algorithm here; strongSwan derives the PRF from it (confirm
# against the strongSwan release in use). modp4096 is the DH group for the
# IKE SA key exchange.
strongswan_conf_ike_cipher: "aes256gcm16-sha512-modp4096"

# ESP encryption/authentication algorithms
# The trailing DH group (modp8192) enables PFS: each CHILD SA rekey performs
# a fresh key exchange, so a compromised IKE SA key does not expose past
# traffic keys. The peer must offer the same group or the CHILD SA will not
# come up. With an AEAD cipher the sha512 token adds no separate integrity
# check for ESP (the cipher already authenticates); verify how the installed
# strongSwan version treats it.
strongswan_conf_esp_cipher: "aes256gcm16-sha512-modp8192"

# How the two security gateways should authenticate each other
# NOTE: only psk is supported
# No secret is defined in these defaults; wherever the PSK is supplied (see
# README.md for the connection format), use a long random value and keep it
# in Ansible Vault or another secret store rather than in plain group_vars.
strongswan_conf_auth_type: "psk"

# What operation should be done automatically at IPsec startup
# Acceptable values: add, start, or route
# route installs a trap policy and negotiates the tunnel when matching
# traffic appears; start negotiates immediately; add only loads the
# connection without bringing it up.
strongswan_conf_auto: "route"
# How many attempts to negotiate the connection before giving up
# (strongSwan keyingtries; %forever retries indefinitely). Quoted so the
# value is written out verbatim rather than parsed as a YAML integer.
strongswan_conf_keyingtries: "3"

# Actions that are taken when a connection drops
# Acceptable values: none, clear, hold, restart
# dpdaction applies when Dead Peer Detection declares the peer dead,
# closeaction when the peer closes the SA. clear tears the SA down and leaves
# re-establishment to the trap policy installed by auto=route, so an
# unreachable peer does not cause an immediate restart loop.
strongswan_conf_dpdaction: "clear"
strongswan_conf_closeaction: "clear"

# Whether rekeying of an IKE_SA should also reauthenticate the peer
# "no" refreshes keys in place and keeps the existing IKE_SA; "yes" rebuilds
# the IKE_SA (and its CHILD SAs) from scratch at every ikelifetime, which is
# more disruptive but re-proves the peer's identity periodically. Enable it
# only where policy requires that. Quoted on purpose: an unquoted no would be
# parsed as a YAML boolean instead of the literal string strongSwan expects.
strongswan_conf_reauth: "no"

# Handle routes in strongSwan or not (presumably charon.install_routes in
# strongswan.conf)
# Set to false if VPNs are route based, i.e. traffic is steered by normal
# routing onto a tunnel interface; set to true for policy-based VPNs where
# strongSwan must install routes for the remote subnets itself. This is a
# real YAML boolean, unlike the quoted "no"/"yes" strings above.
strongswan_conf_install_routes: false

# List of connections to configure
# See README.md for the examples
# Empty by default; override it per host or group with at least one entry,
# otherwise the role has no tunnel to configure.
strongswan_conf_connections: []