search

trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.98k stars 2.32k forks source link

deploy_client.yml - 'ciphers' is undefined #525

Closed GMNGeoffrey closed 7 years ago

GMNGeoffrey commented 7 years ago

OS / Environment

Ubuntu 16.04 LTS

Ansible version

2.2.0.0

Version of components from requirements.txt

Name: msrestazure Version: 0.4.7 Summary: AutoRest swagger generator Python client runtime. Azure-specific module. Home-page: https://github.com/Azure/msrestazure-for-python Author: Microsoft Corporation Author-email: UNKNOWN License: MIT License Location: /home/geoffrey/algo-master/env/lib/python2.7/site-packages Requires: keyring, msrest, adal Name: boto3 Version: 1.4.4 Summary: The AWS SDK for Python Home-page: https://github.com/boto/boto3 Author: Amazon Web Services Author-email: UNKNOWN License: Apache License 2.0 Location: /home/geoffrey/algo-master/env/lib/python2.7/site-packages Requires: s3transfer, jmespath, botocore Name: apache-libcloud Version: 2.0.0 Summary: A standard Python library that abstracts away differences among multiple cloud provider APIs. For more information and documentation, please see http://libcloud.apache.org Home-page: http://libcloud.apache.org/ Author: Apache Software Foundation Author-email: dev@libcloud.apache.org License: Apache License (2.0) Location: /home/geoffrey/algo-master/env/lib/python2.7/site-packages Requires: requests Name: six Version: 1.10.0 Summary: Python 2 and 3 compatibility utilities Home-page: http://pypi.python.org/pypi/six/ Author: Benjamin Peterson Author-email: benjamin@python.org License: MIT Location: /home/geoffrey/algo-master/env/lib/python2.7/site-packages Requires: Name: pyOpenSSL Version: 17.0.0 Summary: Python wrapper module around the OpenSSL library Home-page: https://pyopenssl.readthedocs.io/ Author: Hynek Schlawack Author-email: hs@ox.cx License: Apache License, Version 2.0 Location: /home/geoffrey/algo-master/env/lib/python2.7/site-packages Requires: cryptography, six

Summary of the problem

When I run Linux client setup I get an error:

TASK [client : Setup the ipsec config] *****************************************
failed: [localhost] (item=gcmn) => {"failed": true, "item": "gcmn", "msg": "AnsibleUndefinedVariable: 'ciphers' is undefined"}

It looks like it's an issue accessing the ciphers in roles/vpn/templates/client_ipsec.conf.j2 from roles/client/tasks/main.yml. Any guidance on the issue here?

Steps to reproduce the behavior

The way of deployment (cloud or local)

Cloud

Expected behavior

Can setup a linux client using these instructions.

Actual behavior

Setup fails at setting up ipsec config

Full log

For Client setup

$ ansible-playbook deploy_client.yml -e 'client_ip=localhost vpn_user=gcmn server_ip=104.198.8.238 server_ssh_user=root'

PLAY [Configure the client] ****************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Add the droplet to an inventory group] ***********************************
changed: [localhost]

PLAY [Configure the client and install required software] **********************

TASK [Get the OS] **************************************************************
changed: [localhost]

TASK [Modify the server name fact] *********************************************
ok: [localhost]

TASK [Ubuntu Xenial | Install prerequisites] ***********************************
skipping: [localhost]

TASK [Fedora 25 | Install prerequisites] ***************************************
skipping: [localhost]

TASK [client : Gather Facts] ***************************************************
ok: [localhost]

TASK [client : set_fact] *******************************************************
skipping: [localhost]

TASK [client : set_fact] *******************************************************
ok: [localhost]

TASK [client : set_fact] *******************************************************
skipping: [localhost]

TASK [client : set_fact] *******************************************************
skipping: [localhost]

TASK [client : Checking the signature algorithm] *******************************
changed: [localhost -> localhost]

TASK [client : Change the algorithm to RSA] ************************************
skipping: [localhost]

TASK [client : Install prerequisites] ******************************************

TASK [client : Install strongSwan] *********************************************
ok: [localhost]

TASK [client : Setup the ipsec config] *****************************************
failed: [localhost] (item=gcmn) => {"failed": true, "item": "gcmn", "msg": "AnsibleUndefinedVariable: 'ciphers' is undefined"}

PLAY RECAP *********************************************************************
localhost                  : ok=8    changed=3    unreachable=0    failed=1

For Server setup

$ ./algo
  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine (only for testing, see issue #369)
    5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider
: 4

Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):
: Algo-VPN-7633089d1f21.json

Name the vpn server:
[algo]: 

  What zone should the server be located in?
    1. Western US       (Oregon A)
    2. Western US       (Oregon B)
    3. Central US       (Iowa A)
    4. Central US       (Iowa B)
    5. Central US       (Iowa C)
    6. Central US       (Iowa F)
    7. Eastern US       (South Carolina B)
    8. Eastern US       (South Carolina C)
    9. Eastern US       (South Carolina D)
    10. Western Europe  (Belgium B)
    11. Western Europe  (Belgium C)
    12. Western Europe  (Belgium D)
    13. East Asia       (Taiwan A)
    14. East Asia       (Taiwan B)
    15. East Asia       (Taiwan C)
Please choose the number of your zone. Press enter for default (#8) zone.
[8]: 1

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: 

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: 

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: y

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]: y

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: y

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: y

PLAY [Configure the server] ****************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ********************************************
ok: [localhost -> localhost]

TASK [Generate the SSH public key] *********************************************
ok: [localhost -> localhost]

TASK [Change mode for the SSH private key] *************************************
ok: [localhost -> localhost]

TASK [Ensure the dynamic inventory exists] *************************************
ok: [localhost]

TASK [cloud-gce : set_fact] ****************************************************
ok: [localhost]

TASK [cloud-gce : set_fact] ****************************************************
ok: [localhost]

TASK [cloud-gce : set_fact] ****************************************************
ok: [localhost]

TASK [cloud-gce : Creating a new instance...] **********************************
changed: [localhost]

TASK [cloud-gce : Add the instance to an inventory group] **********************
changed: [localhost]

TASK [cloud-gce : Firewall configured] *****************************************
changed: [localhost -> localhost]

TASK [cloud-gce : set_fact] ****************************************************
ok: [localhost]

TASK [cloud-gce : Ensure the group gce exists in the dynamic inventory file] ***
changed: [localhost]

TASK [cloud-gce : Populate the dynamic inventory] ******************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost -> localhost]

TASK [A short pause, in order to be sure the instance is ready] ****************
Pausing for 10 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

TASK [Ensure the local ssh directory is exist] *********************************
changed: [localhost -> localhost]

TASK [Copy the algo ssh key to the local ssh directory] ************************
changed: [localhost -> localhost]

PLAY [Configure the server and install required software] **********************

TASK [Check the system] ********************************************************
changed: [104.198.8.238]

TASK [Ubuntu | Install prerequisites] ******************************************
changed: [104.198.8.238]

TASK [Ubuntu | Configure defaults] *********************************************
changed: [104.198.8.238]

TASK [FreeBSD / HardenedBSD | Install prerequisites] ***************************
skipping: [104.198.8.238]

TASK [FreeBSD / HardenedBSD | Configure defaults] ******************************
skipping: [104.198.8.238]

TASK [set_fact] ****************************************************************
skipping: [104.198.8.238]

TASK [Gather Facts] ************************************************************
ok: [104.198.8.238]

TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [104.198.8.238]

TASK [Enable IPv6] *************************************************************
skipping: [104.198.8.238]

TASK [Set facts if the deployment in a cloud] **********************************
ok: [104.198.8.238]

TASK [Generate password for the CA key] ****************************************
changed: [104.198.8.238 -> localhost]

TASK [Define password facts] ***************************************************
ok: [104.198.8.238]

TASK [Define the commonName] ***************************************************
ok: [104.198.8.238]

TASK [common : Install software updates] ***************************************
changed: [104.198.8.238]

TASK [common : Check if reboot is required] ************************************
changed: [104.198.8.238]

TASK [common : Reboot] *********************************************************
skipping: [104.198.8.238]

TASK [common : Wait until SSH becomes ready...] ********************************
skipping: [104.198.8.238]

TASK [common : Disable MOTD on login and SSHD] *********************************
changed: [104.198.8.238] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [104.198.8.238] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *******************************
changed: [104.198.8.238]

TASK [common : Loopback included into the network config] **********************
changed: [104.198.8.238]

RUNNING HANDLER [common : restart loopback] ************************************
changed: [104.198.8.238]

TASK [common : Check apparmor support] *****************************************
changed: [104.198.8.238]

TASK [common : set_fact] *******************************************************
ok: [104.198.8.238]

TASK [common : set_fact] *******************************************************
ok: [104.198.8.238]

TASK [common : set_fact] *******************************************************
skipping: [104.198.8.238]

TASK [common : Loopback included into the rc config] ***************************
skipping: [104.198.8.238]

TASK [common : Enable the gateway features] ************************************
skipping: [104.198.8.238] => (item={u'value': u'"YES"', u'param': u'firewall_enable'}) 
skipping: [104.198.8.238] => (item={u'value': u'"open"', u'param': u'firewall_type'}) 
skipping: [104.198.8.238] => (item={u'value': u'"YES"', u'param': u'gateway_enable'}) 
skipping: [104.198.8.238] => (item={u'value': u'"YES"', u'param': u'natd_enable'}) 
skipping: [104.198.8.238] => (item={u'value': u'""', u'param': u'natd_interface'}) 
skipping: [104.198.8.238] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'}) 

TASK [common : FreeBSD | Activate IPFW] ****************************************
skipping: [104.198.8.238]

TASK [common : Install tools] **************************************************
changed: [104.198.8.238] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Sysctl tuning] **************************************************
changed: [104.198.8.238] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [104.198.8.238] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [104.198.8.238] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [security : Install tools] ************************************************
ok: [104.198.8.238] => (item=[u'unattended-upgrades'])

TASK [security : Configure unattended-upgrades] ********************************
changed: [104.198.8.238]

TASK [security : Periodic upgrades configured] *********************************
changed: [104.198.8.238]

TASK [security : Find directories for minimizing access] ***********************
ok: [104.198.8.238] => (item=/usr/local/sbin)
ok: [104.198.8.238] => (item=/usr/local/bin)
ok: [104.198.8.238] => (item=/usr/sbin)
ok: [104.198.8.238] => (item=/usr/bin)
ok: [104.198.8.238] => (item=/sbin)
ok: [104.198.8.238] => (item=/bin)

TASK [security : Minimize access] **********************************************
ok: [104.198.8.238] => (item=(censored due to no_log))
ok: [104.198.8.238] => (item=(censored due to no_log))
ok: [104.198.8.238] => (item=(censored due to no_log))
ok: [104.198.8.238] => (item=(censored due to no_log))
ok: [104.198.8.238] => (item=(censored due to no_log))
ok: [104.198.8.238] => (item=(censored due to no_log))

TASK [security : Change shadow ownership to root and mode to 0600] *************
changed: [104.198.8.238]

TASK [security : change su-binary to only be accessible to user and group root] 
changed: [104.198.8.238]

TASK [security : Collect Use of privileged commands] ***************************
changed: [104.198.8.238]

TASK [security : Restrict core dumps (with PAM)] *******************************
changed: [104.198.8.238]

TASK [security : Restrict core dumps (with sysctl)] ****************************
changed: [104.198.8.238]

TASK [security : Disable Source Routed Packet Acceptance] **********************
changed: [104.198.8.238] => (item=net.ipv4.conf.all.accept_source_route)
changed: [104.198.8.238] => (item=net.ipv4.conf.default.accept_source_route)

TASK [security : Disable ICMP Redirect Acceptance] *****************************
changed: [104.198.8.238] => (item=net.ipv4.conf.all.accept_redirects)
changed: [104.198.8.238] => (item=net.ipv4.conf.default.accept_redirects)

TASK [security : Disable Secure ICMP Redirect Acceptance] **********************
changed: [104.198.8.238] => (item=net.ipv4.conf.all.secure_redirects)
changed: [104.198.8.238] => (item=net.ipv4.conf.default.secure_redirects)

TASK [security : Enable Bad Error Message Protection] **************************
changed: [104.198.8.238]

TASK [security : Enable RFC-recommended Source Route Validation] ***************
changed: [104.198.8.238] => (item=net.ipv4.conf.all.rp_filter)
changed: [104.198.8.238] => (item=net.ipv4.conf.default.rp_filter)

TASK [security : Do not send ICMP redirects (we are not a router)] *************
changed: [104.198.8.238]

TASK [security : SSH config] ***************************************************
changed: [104.198.8.238]

TASK [dns_adblocking : Dnsmasq installed] **************************************
changed: [104.198.8.238]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] *********************
changed: [104.198.8.238]

TASK [dns_adblocking : The dnsmasq directory created] **************************
changed: [104.198.8.238]

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *******
changed: [104.198.8.238]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***********
changed: [104.198.8.238]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***
changed: [104.198.8.238]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***
changed: [104.198.8.238]

TASK [dns_adblocking : FreeBSD / HardenedBSD | Enable dnsmasq] *****************
skipping: [104.198.8.238]

TASK [dns_adblocking : Dnsmasq configured] *************************************
changed: [104.198.8.238]

TASK [dns_adblocking : Adblock script created] *********************************
changed: [104.198.8.238]

TASK [dns_adblocking : Adblock script added to cron] ***************************
changed: [104.198.8.238]

TASK [dns_adblocking : Update adblock hosts] ***********************************
changed: [104.198.8.238]
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

RUNNING HANDLER [common : flush routing cache] *********************************
changed: [104.198.8.238]

RUNNING HANDLER [security : restart ssh] ***************************************
changed: [104.198.8.238]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****************************
changed: [104.198.8.238]

RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [104.198.8.238]

TASK [dns_adblocking : Dnsmasq enabled and started] ****************************
ok: [104.198.8.238]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ****
changed: [104.198.8.238]

TASK [ssh_tunneling : Ensure that the algo group exist] ************************
changed: [104.198.8.238]

TASK [ssh_tunneling : Ensure that the jail directory exist] ********************
changed: [104.198.8.238]

TASK [ssh_tunneling : Ensure that the SSH users exist] *************************
changed: [104.198.8.238] => (item=gcmn)

TASK [ssh_tunneling : The authorized keys file created] ************************
changed: [104.198.8.238] => (item=gcmn)

TASK [ssh_tunneling : Generate SSH fingerprints] *******************************
changed: [104.198.8.238]

TASK [ssh_tunneling : Fetch users SSH private keys] ****************************
changed: [104.198.8.238] => (item=gcmn)

TASK [ssh_tunneling : Change mode for SSH private keys] ************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [ssh_tunneling : Fetch the known_hosts file] ******************************
changed: [104.198.8.238 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] *****************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Ensure that the strongswan group exist] ****************************
changed: [104.198.8.238]

TASK [vpn : Ensure that the strongswan user exist] *****************************
changed: [104.198.8.238]

TASK [vpn : set_fact] **********************************************************
ok: [104.198.8.238]

TASK [vpn : Configure apt to use the Xenial release by default] ****************
changed: [104.198.8.238]

TASK [vpn : Configure packages preferences] ************************************
changed: [104.198.8.238]

TASK [vpn : Configure the Ubuntu Zesty repository] *****************************
changed: [104.198.8.238]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************
changed: [104.198.8.238]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
changed: [104.198.8.238] => (item=/usr/lib/ipsec/charon)
changed: [104.198.8.238] => (item=/usr/lib/ipsec/lookip)
changed: [104.198.8.238] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ******************************************
ok: [104.198.8.238] => (item=apparmor)
ok: [104.198.8.238] => (item=strongswan)
ok: [104.198.8.238] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
changed: [104.198.8.238]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
changed: [104.198.8.238]

TASK [vpn : Iptables configured] ***********************************************
changed: [104.198.8.238] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************
skipping: [104.198.8.238] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'}) 

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] ********
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] ***************
skipping: [104.198.8.238] => (item=IPSEC) 
skipping: [104.198.8.238] => (item=IPSEC_NAT_T) 
skipping: [104.198.8.238] => (item=crypto) 

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] ********************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] ********
skipping: [104.198.8.238] => (item=options  IPSEC) 
skipping: [104.198.8.238] => (item=options IPSEC_NAT_T) 
skipping: [104.198.8.238] => (item=device   crypto) 

TASK [vpn : HardenedBSD | Determine the sources] *******************************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD | Determine the sources] ***********************************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] **********
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] ************************************
skipping: [104.198.8.238]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] *************************
skipping: [104.198.8.238]

TASK [vpn : Install strongSwan] ************************************************
ok: [104.198.8.238]

TASK [vpn : Get StrongSwan versions] *******************************************
changed: [104.198.8.238]

TASK [vpn : Setup the config files from our templates] *************************
changed: [104.198.8.238] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [104.198.8.238] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [104.198.8.238] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ************************************************
changed: [104.198.8.238]

TASK [vpn : Disable unneeded plugins] ******************************************
changed: [104.198.8.238] => (item=md4)
changed: [104.198.8.238] => (item=test-vectors)
changed: [104.198.8.238] => (item=xcbc)
changed: [104.198.8.238] => (item=updown)
changed: [104.198.8.238] => (item=dnskey)
skipping: [104.198.8.238] => (item=kernel-netlink) 
changed: [104.198.8.238] => (item=md5)
skipping: [104.198.8.238] => (item=pkcs12) 
skipping: [104.198.8.238] => (item=socket-default) 
changed: [104.198.8.238] => (item=attr)
changed: [104.198.8.238] => (item=eap-mschapv2)
changed: [104.198.8.238] => (item=sha1)
skipping: [104.198.8.238] => (item=gcm) 
skipping: [104.198.8.238] => (item=aes) 
changed: [104.198.8.238] => (item=gmp)
skipping: [104.198.8.238] => (item=nonce) 
skipping: [104.198.8.238] => (item=pkcs8) 
changed: [104.198.8.238] => (item=xauth-generic)
skipping: [104.198.8.238] => (item=revocation) 
changed: [104.198.8.238] => (item=connmark)
skipping: [104.198.8.238] => (item=pubkey) 
changed: [104.198.8.238] => (item=pkcs1)
changed: [104.198.8.238] => (item=agent)
skipping: [104.198.8.238] => (item=openssl) 
skipping: [104.198.8.238] => (item=pem) 
changed: [104.198.8.238] => (item=aesni)
skipping: [104.198.8.238] => (item=pkcs7) 
changed: [104.198.8.238] => (item=ccm)
skipping: [104.198.8.238] => (item=stroke) 
changed: [104.198.8.238] => (item=resolve)
changed: [104.198.8.238] => (item=constraints)
changed: [104.198.8.238] => (item=fips-prf)
skipping: [104.198.8.238] => (item=x509) 
skipping: [104.198.8.238] => (item=hmac) 
changed: [104.198.8.238] => (item=sshkey)
changed: [104.198.8.238] => (item=rc2)
skipping: [104.198.8.238] => (item=random) 
skipping: [104.198.8.238] => (item=pgp) 
skipping: [104.198.8.238] => (item=sha2) 

TASK [vpn : Ensure that required plugins are enabled] **************************
skipping: [104.198.8.238] => (item=md4) 
skipping: [104.198.8.238] => (item=test-vectors) 
skipping: [104.198.8.238] => (item=xcbc) 
skipping: [104.198.8.238] => (item=updown) 
skipping: [104.198.8.238] => (item=dnskey) 
changed: [104.198.8.238] => (item=kernel-netlink)
skipping: [104.198.8.238] => (item=md5) 
changed: [104.198.8.238] => (item=pkcs12)
changed: [104.198.8.238] => (item=socket-default)
skipping: [104.198.8.238] => (item=attr) 
skipping: [104.198.8.238] => (item=eap-mschapv2) 
skipping: [104.198.8.238] => (item=sha1) 
changed: [104.198.8.238] => (item=gcm)
changed: [104.198.8.238] => (item=aes)
skipping: [104.198.8.238] => (item=gmp) 
changed: [104.198.8.238] => (item=nonce)
changed: [104.198.8.238] => (item=pkcs8)
skipping: [104.198.8.238] => (item=xauth-generic) 
changed: [104.198.8.238] => (item=revocation)
skipping: [104.198.8.238] => (item=connmark) 
changed: [104.198.8.238] => (item=pubkey)
skipping: [104.198.8.238] => (item=pkcs1) 
skipping: [104.198.8.238] => (item=agent) 
changed: [104.198.8.238] => (item=openssl)
changed: [104.198.8.238] => (item=pem)
skipping: [104.198.8.238] => (item=aesni) 
changed: [104.198.8.238] => (item=pkcs7)
skipping: [104.198.8.238] => (item=ccm) 
changed: [104.198.8.238] => (item=stroke)
skipping: [104.198.8.238] => (item=resolve) 
skipping: [104.198.8.238] => (item=constraints) 
skipping: [104.198.8.238] => (item=fips-prf) 
changed: [104.198.8.238] => (item=x509)
changed: [104.198.8.238] => (item=hmac)
skipping: [104.198.8.238] => (item=sshkey) 
skipping: [104.198.8.238] => (item=rc2) 
changed: [104.198.8.238] => (item=random)
changed: [104.198.8.238] => (item=pgp)
changed: [104.198.8.238] => (item=sha2)

TASK [vpn : Ensure the pki directory is not exist] *****************************
skipping: [104.198.8.238]

TASK [vpn : Ensure the pki directories are exist] ******************************
changed: [104.198.8.238 -> localhost] => (item=ecparams)
changed: [104.198.8.238 -> localhost] => (item=certs)
changed: [104.198.8.238 -> localhost] => (item=crl)
changed: [104.198.8.238 -> localhost] => (item=newcerts)
changed: [104.198.8.238 -> localhost] => (item=private)
changed: [104.198.8.238 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files are exist] ****************************************
changed: [104.198.8.238 -> localhost] => (item=.rnd)
changed: [104.198.8.238 -> localhost] => (item=private/.rnd)
changed: [104.198.8.238 -> localhost] => (item=index.txt)
changed: [104.198.8.238 -> localhost] => (item=index.txt.attr)
changed: [104.198.8.238 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *******************************
changed: [104.198.8.238 -> localhost]

TASK [vpn : Build the CA pair] *************************************************
changed: [104.198.8.238 -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************
changed: [104.198.8.238 -> localhost]

TASK [vpn : Generate the serial number] ****************************************
changed: [104.198.8.238 -> localhost]

TASK [vpn : Build the server pair] *********************************************
changed: [104.198.8.238 -> localhost]

TASK [vpn : Build the client's pair] *******************************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Build the client's p12] ********************************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Copy the p12 certificates] *****************************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Copy the keys to the strongswan directory] *************************
changed: [104.198.8.238] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/104.198.8.238/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [104.198.8.238] => (item={u'dest': u'/etc/ipsec.d/certs/104.198.8.238.crt', u'src': u'configs/104.198.8.238/pki/certs/104.198.8.238.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [104.198.8.238] => (item={u'dest': u'/etc/ipsec.d/private/104.198.8.238.key', u'src': u'configs/104.198.8.238/pki/private/104.198.8.238.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Register p12 PayloadContent] ***************************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Set facts for mobileconfigs] ***************************************
ok: [104.198.8.238]

TASK [vpn : Build the mobileconfigs] *******************************************
changed: [104.198.8.238 -> localhost] => (item=(censored due to no_log))

TASK [vpn : Build the strongswan app android config] ***************************
changed: [104.198.8.238 -> localhost] => (item=(censored due to no_log))

TASK [vpn : Build the client ipsec config file] ********************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Build the client ipsec secret file] ********************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Build the windows client powershell script] ************************
changed: [104.198.8.238 -> localhost] => (item=gcmn)

TASK [vpn : Restrict permissions for the local private directories] ************
changed: [104.198.8.238 -> localhost] => (item=configs/104.198.8.238)

RUNNING HANDLER [security : restart ssh] ***************************************
changed: [104.198.8.238]

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************
changed: [104.198.8.238]

RUNNING HANDLER [vpn : restart strongswan] *************************************
changed: [104.198.8.238]

RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [104.198.8.238]

RUNNING HANDLER [vpn : restart iptables] ***************************************
changed: [104.198.8.238]

TASK [vpn : strongSwan started] ************************************************
ok: [104.198.8.238]

TASK [debug] *******************************************************************
ok: [104.198.8.238] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#               Local DNS resolver 172.16.0.1              #\"", 
            ""
        ], 
        "    \"#                The p12 and SSH keys password is [REDACTED]             #\"\n", 
        "    \"#                  The CA key password is [REDACTED]                 #\"\n", 
        "    \"#      Shell access: ssh -i configs/algo.pem ubuntu@104.198.8.238        #\"\n"
    ]
}

TASK [Delete the CA key] *******************************************************
skipping: [104.198.8.238]

PLAY RECAP *********************************************************************
104.198.8.238              : ok=107  changed=90   unreachable=0    failed=0   
localhost                  : ok=18   changed=7    unreachable=0    failed=0
defunctio commented 7 years ago

This is indeed a bug, cipher defaults are defined in the vpn role here and are not under the client role. This is likely the result of previous refactoring. I'll tag @gunph1ld in hopes he has time to fix this one.

GMNGeoffrey commented 7 years ago

Awesome, thanks :-)