Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 7. Configuring VPN connections with IPsec by using the vpn RHEL System Role

With the vpn System Role, you can configure VPN connections on RHEL systems by using Red Hat Ansible Automation Platform. You can use it to set up host-to-host, network-to-network, VPN Remote Access Server, and mesh configurations.

For host-to-host connections, the role sets up a VPN tunnel between each pair of hosts in the list of vpn_connections using the default parameters, including generating keys as needed. Alternatively, you can configure it to create an opportunistic mesh configuration between all hosts listed. The role assumes that the names of the hosts under hosts are the same as the names of the hosts used in the Ansible inventory, and that you can use those names to configure the tunnels.


The vpn RHEL System Role currently supports only Libreswan, which is an IPsec implementation, as the VPN provider.

7.1. Creating a host-to-host VPN with IPsec using the vpn System Role

You can use the vpn System Role to configure host-to-host connections by running an Ansible playbook on the control node, which configures all managed nodes listed in an inventory file.


  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.


  1. Create a playbook file, for example ~/vpn-playbook.yml, with the following content:

    - name: Host to host VPN
      hosts: <managed_node1>, <managed_node2>
        - rhel-system-roles.vpn
          - hosts:
        vpn_manage_firewall: true
        vpn_manage_selinux: true

    This playbook configures the connection <managed_node1>-to-<managed_node2> using pre-shared key authentication with keys auto-generated by the system role. Because vpn_manage_firewall and vpn_manage_selinux are both set to true, the vpn role uses the firewall and selinux roles to manage the ports used by the vpn role.

  2. Optional: Configure connections from managed hosts to external hosts that are not listed in the inventory file by adding the following section to the vpn_connections list of hosts:

          - hosts:
                hostname: <>

    This configures two additional connections: <managed_node1>-to-<external_node> and <managed_node2>-to-<external_node>.


    The connections are configured only on the managed nodes and not on the external node.

  3. Optional: You can specify multiple VPN connections for the managed nodes by using additional sections within vpn_connections, for example, a control plane and a data plane:

    - name: Multiple VPN
      hosts: <managed_node1>, <managed_node2>
        - rhel-system-roles.vpn
          - name: control_plane_vpn
                hostname: # IP for the control plane
          - name: data_plane_vpn
                hostname: # IP for the data plane
  4. Optional: You can modify the variables according to your preferences. For more details, see the /usr/share/doc/rhel-system-roles/vpn/ file.
  5. Validate the playbook syntax:

    # ansible-playbook ~/vpn-playbook.yml --syntax-check

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  6. Run the playbook:

    # ansible-playbook ~/vpn-playbook.yml


  1. On the managed nodes, confirm that the connection is successfully loaded:

    # ipsec status | grep <connection_name>

    Replace <connection_name> with the name of the connection from this node, for example managed_node1-to-managed_node2.


    By default, the role generates a descriptive name for each connection it creates from the perspective of each system. For example, when creating a connection between managed_node1 and managed_node2, the descriptive name of this connection on managed_node1 is managed_node1-to-managed_node2 but on managed_node2 the connection is named managed_node2-to-managed_node1.

  2. On the managed nodes, confirm that the connection is successfully started:

    # ipsec trafficstatus | grep <connection_name>
  3. Optional: If a connection does not successfully load, manually add the connection by entering the following command. This provides more specific information indicating why the connection failed to establish:

    # ipsec auto --add <connection_name>

    Any errors that may occur during the process of loading and starting the connection are reported in the /var/log/pluto.log file. Because these logs are hard to parse, manually add the connection to obtain log messages from the standard output instead.

7.2. Creating an opportunistic mesh VPN connection with IPsec by using the vpn System Role

You can use the vpn System Role to configure an opportunistic mesh VPN connection that uses certificates for authentication by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.

Authentication with certificates is configured by defining the auth_method: cert parameter in the playbook. The vpn System Role assumes that the IPsec Network Security Services (NSS) crypto library, which is defined in the /etc/ipsec.d directory, contains the necessary certificates. By default, the node name is used as the certificate nickname. In this example, this is managed_node1. You can define different certificate names by using the cert_name attribute in your inventory.

In the following example procedure, the control node, which is the system from which you will run the Ansible playbook, shares the same classless inter-domain routing (CIDR) number as both of the managed nodes ( and has the IP address Therefore, the control node falls under the private policy which is automatically created for CIDR

To prevent SSH connection loss during the play, a clear policy for the control node is included in the list of policies. Note that there is also an item in the policies list where the CIDR is equal to default. This is because this playbook overrides the rule from the default policy to make it private instead of private-or-clear.


  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.


  1. Create a playbook file, for example ~/mesh-vpn-playbook.yml, with the following content:

    - name: Mesh VPN
      hosts: managed_node1, managed_node2, managed_node3
        - rhel-system-roles.vpn
          - opportunistic: true
            auth_method: cert
              - policy: private
                cidr: default
              - policy: private-or-clear
              - policy: private
              - policy: clear
        vpn_manage_firewall: true
        vpn_manage_selinux: true

    Because vpn_manage_firewall and vpn_manage_selinux are both set to true, the vpn role uses the firewall and selinux roles to manage the ports used by the vpn role.

  2. Optional: You can modify the variables according to your preferences. For more details, see the /usr/share/doc/rhel-system-roles/vpn/ file.
  3. Validate the playbook syntax:

    # ansible-playbook ~/mesh-vpn-playbook.yml --syntax-check

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  4. Run the playbook:

    # ansible-playbook ~/mesh-vpn-playbook.yml

7.3. Additional resources

  • For details about the parameters used in the vpn System Role and additional information about the role, see the /usr/share/doc/rhel-system-roles/vpn/ file.
  • For details about the ansible-playbook command, see the ansible-playbook(1) man page.