Closed letoams closed 3 years ago
It seems a little more complicated. Possibly a race condition or perhaps the first node and second node being treated differently. This is my inventory:
```yaml
all:
  hosts:
    west:
      ansible_host: 192.1.2.45
      ansible_user: root
      # test-lab settings: plaintext password and host-key checking disabled
      ansible_password: swan
      ansible_ssh_common_args: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
    east:
      ansible_host: 192.1.2.23
      ansible_user: root
      ansible_password: swan
      ansible_ssh_common_args: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  vars:
    vpn_auth_method: cert
    vpn_connections:
      - hosts:
          west:
            cert_name: west
          east:
            cert_name: east
        auto: ondemand
```
I run this with:
```yaml
---
- name: Ensure that the role runs with default parameters
  hosts: all
  roles:
    - linux-system-roles.vpn
```
Then on west, I only seem to have east's configuration, that is, with leftcert=east. On east, I end up with both configurations, east-to-west and west-to-east.
The same happens for the mesh.conf. It seems that when adding a mesh for east and west, I ended up with only the mesh.conf of east on both nodes, so both had leftcert=east configured.
Duh. This was a bug in my test cases in the upstream libreswan. Fixed in https://github.com/libreswan/libreswan/commit/8db1d6e8e37a12de65836d611f950fcbf1190d6d
When I tried certificate based deployment, I noticed duplicate configs were installed. E.g. for a two node inventory with "east" and "west", both machines end up with east-to-west.conf and west-to-east.conf with basically the same config (but left/right mirrored).
They should only get one config file for this.
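A quick way to verify the expected end state described above on each node is to check that it holds exactly one host-to-host file per peer, named after itself, with leftcert set to its own cert_name. The script below is an added example, not code from linux-system-roles.vpn or libreswan; it assumes the `<self>-to-<peer>.conf` naming and `leftcert=<self>` convention implied by the file names in this report, parses only the minimal `conn NAME` / `key=value` syntax shown, and the conf contents are constructed inline to reproduce the reported symptom (they are not real role output).

```python
"""Audit the libreswan conf files a VPN node carries after the role has run.

Added example, not part of linux-system-roles.vpn or libreswan. Assumes the
role names host-to-host files <self>-to-<peer>.conf and sets leftcert to the
node's own cert_name (inferred from the file names in the bug report).
"""
import re
from typing import Dict, List


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `conn NAME` sections followed by indented key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def audit_node(node: str, peers: List[str], files: Dict[str, str]) -> List[str]:
    """Return a list of problems with the conf files found on `node`.

    `files` maps file name -> content (what you would read from /etc/ipsec.d).
    Expected: exactly one <node>-to-<peer>.conf per peer, and every conn in
    those files carrying leftcert=<node>. An empty list means the node is clean.
    """
    problems: List[str] = []
    expected = {f"{node}-to-{peer}.conf" for peer in peers}
    for name in sorted(set(files) - expected):
        problems.append(f"{node}: unexpected file {name}")
    for name in sorted(expected - set(files)):
        problems.append(f"{node}: missing file {name}")
    for name, text in sorted(files.items()):
        for conn, opts in parse_conns(text).items():
            if opts.get("leftcert") != node:
                problems.append(
                    f"{node}: {name} conn {conn} has leftcert={opts.get('leftcert')!r}, "
                    f"expected {node!r}"
                )
    return problems


# Constructed sample conf contents reproducing the reported symptom (not real output).
EAST_TO_WEST = (
    "conn east-to-west\n"
    "    left=192.1.2.23\n"
    "    leftcert=east\n"
    "    right=192.1.2.45\n"
    "    rightcert=west\n"
    "    auto=ondemand\n"
)
WEST_TO_EAST = (
    "conn west-to-east\n"
    "    left=192.1.2.45\n"
    "    leftcert=west\n"
    "    right=192.1.2.23\n"
    "    rightcert=east\n"
    "    auto=ondemand\n"
)

# As reported: west only received east's file; east received both.
WEST_FILES_AS_REPORTED = {"east-to-west.conf": EAST_TO_WEST}
EAST_FILES_AS_REPORTED = {"east-to-west.conf": EAST_TO_WEST, "west-to-east.conf": WEST_TO_EAST}
# What each node should end up with.
WEST_FILES_EXPECTED = {"west-to-east.conf": WEST_TO_EAST}
EAST_FILES_EXPECTED = {"east-to-west.conf": EAST_TO_WEST}


if __name__ == "__main__":
    for node, peers, files in (
        ("west", ["east"], WEST_FILES_AS_REPORTED),
        ("east", ["west"], EAST_FILES_AS_REPORTED),
        ("west", ["east"], WEST_FILES_EXPECTED),
    ):
        print(node, audit_node(node, peers, files) or "OK")
```

Run it on each node against the files actually present in /etc/ipsec.d; the "as reported" inputs flag the stray mirrored file and the wrong leftcert, while the expected sets produce no findings.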