ansible-playbooks/roles/strongswan/defaults/main.yml

strongswan_user: ipsec
strongswan_group: ipsec

strongswan_cert_name: server.pem

strongswan_proposals:
  - chacha20poly1305-prfsha384-prfsha256-prfaesxcbc-prfaescmac-x448-x25519

strongswan_esp_proposals:
  - chacha20poly1305-x448-x25519

strongswan_pool: 10.250.0.0/16

strongswan_default_config:
  strongswan:
    block_threshold: 10
    dos_protection: yes
    init_limit_half_open: 100
    integrity_test: no
    load_modular: yes
    send_vendor_id: no

  logging:
    filelog: {}
    syslog:
      daemon:
        default: 0
        ike_name: yes
        log_level: yes
        dmn: 1

  connections:
    ikev2-eap-mschapv2:
      version: 2
      local_addrs: "{{ ansible_host }}"
      remote_addrs: "%any"
      send_cert: always
      encap: yes

      proposals: "{{ strongswan_proposals | d('default') }}"
      dpd_delay: 40s
      rekey_time: 8h
      pools: rw-pool-ipv4
      fragmentation: yes

      local:
        certs: "{{ strongswan_cert_name }}"
        id: "{{ host_fqdn }}"

      remote:
        auth: eap-mschapv2
        eap_id: "%any"

      children:
        ikev2-eap-mschapv2:
          local_ts: 0.0.0.0/0
          rekey_time: 2h
          esp_proposals: "{{ strongswan_esp_proposals | d('default') }}"

  pools:
    rw-pool-ipv4:
      addrs: "{{ strongswan_pool }}"

  secrets:


strongswan_exporter_dir: /opt/strongswan_exporter
strongswan_prometheus_port: 9903

strongswan_exporter_default_config:
  vici.address: unix:///var/run/charon.vici
  collector: vici
  web.listen-address: "0.0.0.0:{{ strongswan_prometheus_port }}"
init 2 years ago			`strongswan_user: ipsec`
			`strongswan_group: ipsec`

			`strongswan_cert_name: server.pem`

			`strongswan_proposals:`
			`- chacha20poly1305-prfsha384-prfsha256-prfaesxcbc-prfaescmac-x448-x25519`

			`strongswan_esp_proposals:`
			`- chacha20poly1305-x448-x25519`

			`strongswan_pool: 10.250.0.0/16`

			`strongswan_default_config:`
			`strongswan:`
			`block_threshold: 10`
			`dos_protection: yes`
			`init_limit_half_open: 100`
			`integrity_test: no`
			`load_modular: yes`
			`send_vendor_id: no`

			`logging:`
			`filelog: {}`
			`syslog:`
			`daemon:`
			`default: 0`
			`ike_name: yes`
			`log_level: yes`
			`dmn: 1`

			`connections:`
			`ikev2-eap-mschapv2:`
			`version: 2`
			`local_addrs: "{{ ansible_host }}"`
			`remote_addrs: "%any"`
			`send_cert: always`
			`encap: yes`

			`proposals: "{{ strongswan_proposals \| d('default') }}"`
			`dpd_delay: 40s`
			`rekey_time: 8h`
			`pools: rw-pool-ipv4`
			`fragmentation: yes`

			`local:`
			`certs: "{{ strongswan_cert_name }}"`
			`id: "{{ host_fqdn }}"`

			`remote:`
			`auth: eap-mschapv2`
			`eap_id: "%any"`

			`children:`
			`ikev2-eap-mschapv2:`
			`local_ts: 0.0.0.0/0`
			`rekey_time: 2h`
			`esp_proposals: "{{ strongswan_esp_proposals \| d('default') }}"`

			`pools:`
			`rw-pool-ipv4:`
			`addrs: "{{ strongswan_pool }}"`

			`secrets:`


			`strongswan_exporter_dir: /opt/strongswan_exporter`
			`strongswan_prometheus_port: 9903`

			`strongswan_exporter_default_config:`
			`vici.address: unix:///var/run/charon.vici`
			`collector: vici`
			`web.listen-address: "0.0.0.0:{{ strongswan_prometheus_port }}"`