ansible-playbooks/roles/strongswan/defaults/main.yml

strongswan_user: ipsec
strongswan_group: ipsec

strongswan_cert_name: server.pem

strongswan_proposals:
  - chacha20poly1305-prfsha384-prfsha256-prfaesxcbc-prfaescmac-x448-x25519

strongswan_esp_proposals:
  - chacha20poly1305-x448-x25519

strongswan_pool: 10.250.0.0/16

strongswan_default_config:
  strongswan:
    block_threshold: 10
    dos_protection: yes
    init_limit_half_open: 100
    integrity_test: no
    load_modular: yes
    send_vendor_id: no

  logging:
    filelog: {}
    syslog:
      daemon:
        default: 0
        ike_name: yes
        log_level: yes
        dmn: 1

  connections:
    ikev2-eap-mschapv2:
      version: 2
      local_addrs: "{{ ansible_host }}"
      remote_addrs: "%any"
      send_cert: always
      encap: yes

      proposals: "{{ strongswan_proposals | d('default') }}"
      dpd_delay: 40s
      rekey_time: 8h
      pools: rw-pool-ipv4
      fragmentation: yes

      local:
        certs: "{{ strongswan_cert_name }}"
        id: "{{ host_fqdn }}"

      remote:
        auth: eap-mschapv2
        eap_id: "%any"

      children:
        ikev2-eap-mschapv2:
          local_ts: 0.0.0.0/0
          rekey_time: 2h
          esp_proposals: "{{ strongswan_esp_proposals | d('default') }}"

  pools:
    rw-pool-ipv4:
      addrs: "{{ strongswan_pool }}"

  secrets:


strongswan_exporter_dir: /opt/strongswan_exporter
strongswan_prometheus_port: 9903

strongswan_exporter_default_config:
  vici.address: unix:///var/run/charon.vici
  collector: vici
  web.listen-address: "0.0.0.0:{{ strongswan_prometheus_port }}"