forked from ansible-network/network-engine
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add cloud vpn csr provider (ansible-network#10)
- Loading branch information
1 parent
57f2fc9
commit e9e842c
Showing
23 changed files
with
401 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider add host initiator tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_initiator_provider }}/initiator/add_host.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider add host responder tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_responder_provider }}/responder/add_host.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider configure routing initiator tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_initiator_provider }}/initiator/configure_routing.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider configure routing tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_responder_provider }}/responder/configure_routing.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider configure vpn initiator tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_initiator_provider }}/initiator/configure_vpn.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider configure vpn tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_responder_provider }}/responder/configure_vpn.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| --- | ||
|
|
||
| - add_host: | ||
| name: initiator | ||
| ansible_host: "{{ cloud_vpn_initiator_public_ip }}" | ||
| ansible_user: "{{ cloud_vpn_initiator_user }}" | ||
| ansible_connection: "{{ cloud_vpn_initiator_ansible_connection }}" | ||
| ansible_network_os: ios | ||
| ansible_ssh_private_key_file: "{{ cloud_vpn_initiator_ssh_private_key_file }}" | ||
|
|
||
| - name: Wait for SSH port to be reachable | ||
| wait_for: | ||
| host: "{{ cloud_vpn_initiator_public_ip }}" | ||
| port: 22 | ||
|
|
||
| - name: Pause for SSH daemon to settle and accept connections | ||
| pause: | ||
| seconds: "{{ cloud_vpn_pause_before_config_seconds }}" | ||
|
|
6 changes: 6 additions & 0 deletions
6
tasks/cloud_vpn/providers/csr/initiator/configure_routing.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
|
|
||
| - name: Push routing configuration to CSR device | ||
| ios_config: | ||
| src: "cloud_vpn/providers/csr/initiator/{{ cloud_vpn_responder_provider }}/configure_routing_{{ cloud_vpn_routing }}.j2" | ||
| delegate_to: initiator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
|
|
||
| - name: Push VPN configuration to CSR device | ||
| ios_config: | ||
| src: "cloud_vpn/providers/csr/initiator/{{ cloud_vpn_responder_provider }}/configure_vpn.j2" | ||
| delegate_to: initiator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| --- | ||
|
|
||
| - name: Set ansible_connection fact to 'network_cli' | ||
| set_fact: | ||
| cloud_vpn_initiator_ansible_connection: network_cli | ||
|
|
||
| - name: Set initiator user fact to 'ec2-user' if not defined | ||
| set_fact: | ||
| cloud_vpn_initiator_user: "{{ cloud_vpn_initiator_user | default('ec2-user') }}" | ||
|
|
||
| - name: Set initiator outside interface fact to 'GigabitEthernet1' if not defined | ||
| set_fact: | ||
| cloud_vpn_initiator_outside_interface: "{{ cloud_vpn_initiator_outside_interface | default('GigabitEthernet1') }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
|
|
||
| - name: Show initiator IP and user | ||
| debug: | ||
| msg: "Initiator can be reached at {{ cloud_vpn_initiator_user}}@{{ cloud_vpn_initiator_public_ip }}" | ||
| when: cloud_vpn_initiator_user is defined |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider set defaults initiator tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_initiator_provider }}/initiator/set_defaults.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider set defaults responder tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_responder_provider }}/responder/set_defaults.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider show login info initiator tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_initiator_provider }}/initiator/show_login_info.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| - name: Run provider show login info responder tasks | ||
| include_tasks: "{{ role_path }}/tasks/cloud_vpn/providers/{{ cloud_vpn_responder_provider }}/responder/show_login_info.yaml" |
13 changes: 13 additions & 0 deletions
13
templates/cloud_vpn/providers/csr/initiator/aws_vpn/configure_routing_bgp.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| router bgp {{ cloud_vpn_initiator_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} timers 10 30 30 | ||
| address-family ipv4 unicast | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} timers 10 30 30 | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} default-originate | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_failover_ip }} soft-reconfiguration inbound | ||
| network 0.0.0.0 | ||
| exit | ||
| exit |
2 changes: 2 additions & 0 deletions
2
templates/cloud_vpn/providers/csr/initiator/aws_vpn/configure_routing_static.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| ip route {{ cloud_vpn_responder_cidr | ipaddr('network') }} {{ cloud_vpn_responder_cidr | ipaddr('netmask') }} Tunnel1 track 100 | ||
| ip route {{ cloud_vpn_responder_cidr | ipaddr('network') }} {{ cloud_vpn_responder_cidr | ipaddr('netmask') }} Tunnel2 track 200 |
115 changes: 115 additions & 0 deletions
115
templates/cloud_vpn/providers/csr/initiator/aws_vpn/configure_vpn.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| crypto isakmp policy 200 | ||
| encryption aes 128 | ||
| authentication pre-share | ||
| group 2 | ||
| lifetime 28800 | ||
| hash sha | ||
| exit | ||
|
|
||
| crypto keyring {{ cloud_vpn_name }}-0 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| pre-shared-key address {{ cloud_vpn_responder_public_ip }} key {{ cloud_vpn_psk }} | ||
| exit | ||
|
|
||
| crypto isakmp profile {{ cloud_vpn_name }}-0 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| match identity address {{ cloud_vpn_responder_public_ip }} | ||
| keyring {{ cloud_vpn_name }}-0 | ||
| exit | ||
|
|
||
| crypto ipsec transform-set {{ cloud_vpn_name }}-0 esp-aes 128 esp-sha-hmac | ||
| mode tunnel | ||
| exit | ||
|
|
||
| crypto ipsec profile {{ cloud_vpn_name }}-0 | ||
| set pfs group2 | ||
| set security-association lifetime seconds 3600 | ||
| set transform-set {{ cloud_vpn_name }}-0 | ||
| exit | ||
|
|
||
| crypto ipsec df-bit clear | ||
|
|
||
| crypto isakmp keepalive 10 10 on-demand | ||
|
|
||
| crypto ipsec security-association replay window-size 128 | ||
|
|
||
| crypto ipsec fragmentation before-encryption | ||
|
|
||
| interface Tunnel1 | ||
| ip address {{ cloud_vpn_initiator_tunnel_ip }} 255.255.255.252 | ||
| ip virtual-reassembly | ||
| tunnel source {{ cloud_vpn_initiator_outside_interface }} | ||
| tunnel destination {{ cloud_vpn_responder_public_ip }} | ||
| tunnel mode ipsec ipv4 | ||
| tunnel protection ipsec profile {{ cloud_vpn_name }}-0 | ||
| ! This option causes the router to reduce the Maximum Segment Size of | ||
| ! TCP packets to prevent packet fragmentation. | ||
| ip tcp adjust-mss 1379 | ||
| no shutdown | ||
| exit | ||
|
|
||
| ip sla 100 | ||
| icmp-echo {{ cloud_vpn_responder_tunnel_ip }} source-interface Tunnel1 | ||
| timeout 5000 | ||
| frequency 5 | ||
| exit | ||
| ip sla schedule 100 life forever start-time now | ||
| track 100 ip sla 100 reachability | ||
|
|
||
| crypto isakmp policy 201 | ||
| encryption aes 128 | ||
| authentication pre-share | ||
| group 2 | ||
| lifetime 28800 | ||
| hash sha | ||
| exit | ||
|
|
||
| crypto keyring {{ cloud_vpn_name }}-1 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| pre-shared-key address {{ cloud_vpn_responder_failover_ip }} key {{ cloud_vpn_psk }} | ||
| exit | ||
|
|
||
| crypto isakmp profile {{ cloud_vpn_name }}-1 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| match identity address {{ cloud_vpn_responder_failover_ip }} | ||
| keyring {{ cloud_vpn_name }}-1 | ||
| exit | ||
|
|
||
| crypto ipsec transform-set {{ cloud_vpn_name }}-1 esp-aes 128 esp-sha-hmac | ||
| mode tunnel | ||
| exit | ||
|
|
||
| crypto ipsec profile {{ cloud_vpn_name }}-1 | ||
| set pfs group2 | ||
| set security-association lifetime seconds 3600 | ||
| set transform-set {{ cloud_vpn_name }}-1 | ||
| exit | ||
|
|
||
| crypto ipsec df-bit clear | ||
|
|
||
| crypto isakmp keepalive 10 10 on-demand | ||
|
|
||
| crypto ipsec security-association replay window-size 128 | ||
|
|
||
| crypto ipsec fragmentation before-encryption | ||
|
|
||
| interface Tunnel2 | ||
| ip address {{ cloud_vpn_initiator_tunnel_failover_ip }} 255.255.255.252 | ||
| ip virtual-reassembly | ||
| tunnel source {{ cloud_vpn_initiator_outside_interface }} | ||
| tunnel destination {{ cloud_vpn_responder_failover_ip }} | ||
| tunnel mode ipsec ipv4 | ||
| tunnel protection ipsec profile {{ cloud_vpn_name }}-1 | ||
| ! This option causes the router to reduce the Maximum Segment Size of | ||
| ! TCP packets to prevent packet fragmentation. | ||
| ip tcp adjust-mss 1379 | ||
| no shutdown | ||
| exit | ||
|
|
||
| ip sla 200 | ||
| icmp-echo {{ cloud_vpn_responder_tunnel_failover_ip }} source-interface Tunnel2 | ||
| timeout 5000 | ||
| frequency 5 | ||
| exit | ||
| ip sla schedule 200 life forever start-time now | ||
| track 200 ip sla 200 reachability |
71 changes: 71 additions & 0 deletions
71
templates/cloud_vpn/providers/csr/initiator/vyos/configure_bgp.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| crypto isakmp policy 200 | ||
| encryption aes 128 | ||
| authentication pre-share | ||
| group 2 | ||
| lifetime 28800 | ||
| hash sha | ||
| exit | ||
|
|
||
| crypto keyring {{ cloud_vpn_name }}-0 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| pre-shared-key address {{ cloud_vpn_responder_public_ip }} key {{ cloud_vpn_psk }} | ||
| exit | ||
|
|
||
| crypto isakmp profile {{ cloud_vpn_name }}-0 | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| match identity address {{ cloud_vpn_responder_public_ip }} | ||
| keyring {{ cloud_vpn_name }}-0 | ||
| exit | ||
|
|
||
| crypto ipsec transform-set {{ cloud_vpn_name }}-0 esp-aes 128 esp-sha-hmac | ||
| mode tunnel | ||
| exit | ||
|
|
||
| crypto ipsec profile {{ cloud_vpn_name }}-0 | ||
| set pfs group2 | ||
| set security-association lifetime seconds 3600 | ||
| set transform-set {{ cloud_vpn_name }}-0 | ||
| exit | ||
|
|
||
| crypto ipsec df-bit clear | ||
|
|
||
| crypto isakmp keepalive 10 10 on-demand | ||
|
|
||
| crypto ipsec security-association replay window-size 128 | ||
|
|
||
| crypto ipsec fragmentation before-encryption | ||
|
|
||
| interface Tunnel1 | ||
| ip address {{ cloud_vpn_initiator_tunnel_ip }} 255.255.255.252 | ||
| ip virtual-reassembly | ||
| tunnel source {{ cloud_vpn_initiator_outside_interface }} | ||
| tunnel destination {{ cloud_vpn_responder_public_ip }} | ||
| tunnel mode ipsec ipv4 | ||
| tunnel protection ipsec profile {{ cloud_vpn_name }}-0 | ||
| ! This option causes the router to reduce the Maximum Segment Size of | ||
| ! TCP packets to prevent packet fragmentation. | ||
| ip tcp adjust-mss 1379 | ||
| no shutdown | ||
| exit | ||
|
|
||
| ip sla 100 | ||
| icmp-echo {{ cloud_vpn_responder_tunnel_ip }} source-interface Tunnel1 | ||
| timeout 5000 | ||
| frequency 5 | ||
| exit | ||
| ip sla schedule 100 life forever start-time now | ||
| track 100 ip sla 100 reachability | ||
|
|
||
| router bgp {{ cloud_vpn_initiator_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} timers 10 30 30 | ||
| address-family ipv4 unicast | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} timers 10 30 30 | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} default-originate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} soft-reconfiguration inbound | ||
| network 0.0.0.0 | ||
| exit | ||
| exit |
13 changes: 13 additions & 0 deletions
13
templates/cloud_vpn/providers/csr/initiator/vyos/configure_routing_bgp.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| router bgp {{ cloud_vpn_initiator_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} timers 10 30 30 | ||
| address-family ipv4 unicast | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} remote-as {{ cloud_vpn_responder_bgp_asn }} | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} timers 10 30 30 | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} default-originate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} activate | ||
| neighbor {{ cloud_vpn_responder_tunnel_ip }} soft-reconfiguration inbound | ||
| network 0.0.0.0 | ||
| exit | ||
| exit |
1 change: 1 addition & 0 deletions
1
templates/cloud_vpn/providers/csr/initiator/vyos/configure_routing_static.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ip route {{ cloud_vpn_responder_cidr | ipaddr('network') }} {{ cloud_vpn_responder_cidr | ipaddr('netmask') }} Tunnel1 track 100 |
59 changes: 59 additions & 0 deletions
59
templates/cloud_vpn/providers/csr/initiator/vyos/configure_static.j2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| crypto isakmp policy 200 | ||
| encryption aes 128 | ||
| authentication pre-share | ||
| group 2 | ||
| lifetime 28800 | ||
| hash sha | ||
| exit | ||
|
|
||
| crypto keyring {{ cloud_vpn_name }} | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| pre-shared-key address {{ cloud_vpn_responder_public_ip }} key {{ cloud_vpn_psk }} | ||
| exit | ||
|
|
||
| crypto isakmp profile {{ cloud_vpn_name }} | ||
| local-address {{ cloud_vpn_initiator_outside_interface }} | ||
| match identity address {{ cloud_vpn_responder_public_ip }} | ||
| keyring {{ cloud_vpn_name }} | ||
| exit | ||
|
|
||
| crypto ipsec transform-set {{ cloud_vpn_name }} esp-aes 128 esp-sha-hmac | ||
| mode tunnel | ||
| exit | ||
|
|
||
| crypto ipsec profile {{ cloud_vpn_name }} | ||
| set pfs group2 | ||
| set security-association lifetime seconds 3600 | ||
| set transform-set {{ cloud_vpn_name }} | ||
| exit | ||
|
|
||
| crypto ipsec df-bit clear | ||
|
|
||
| crypto isakmp keepalive 10 10 on-demand | ||
|
|
||
| crypto ipsec security-association replay window-size 128 | ||
|
|
||
| crypto ipsec fragmentation before-encryption | ||
|
|
||
| interface Tunnel1 | ||
| ip address {{ cloud_vpn_initiator_tunnel_ip }} 255.255.255.252 | ||
| ip virtual-reassembly | ||
| tunnel source {{ cloud_vpn_initiator_outside_interface }} | ||
| tunnel destination {{ cloud_vpn_responder_public_ip }} | ||
| tunnel mode ipsec ipv4 | ||
| tunnel protection ipsec profile {{ cloud_vpn_name }} | ||
| ! This option causes the router to reduce the Maximum Segment Size of | ||
| ! TCP packets to prevent packet fragmentation. | ||
| ip tcp adjust-mss 1379 | ||
| no shutdown | ||
| exit | ||
|
|
||
| ip sla 100 | ||
| icmp-echo {{ cloud_vpn_responder_tunnel_ip }} source-interface Tunnel1 | ||
| timeout 5000 | ||
| frequency 5 | ||
| exit | ||
| ip sla schedule 100 life forever start-time now | ||
| track 100 ip sla 100 reachability | ||
|
|
||
| ip route {{ cloud_vpn_responder_cidr | ipaddr('network') }} {{ cloud_vpn_responder_cidr | ipaddr('netmask') }} Tunnel1 track 100 |
Oops, something went wrong.