roles/dch-vpn-server: Deploy pyrocufflink VPN

The *dch-vpn-server* role configures strongSwan to act as an IPsec
responder for `vpn.pyrocufflink.net` and provide an IKEv2/IPsec VPN for
remote access clients, as well as the reverse VPN to FireMon.

roles/dch-vpn-server/files/vpn.pyrocufflink.net.ipsec.conf

@@ -0,0 +1,29 @@
+conn dhatch-d4b
+	keyexchange = ikev2
+	dpdaction = clear
+	dpddelay = 300s
+	left = %defaultroute
+	leftauth = pubkey
+	leftid = @vpn.pyrocufflink.net
+	leftcert = vpn.pyrocufflink.net.cer
+	leftsubnet = 172.31.0.0/27
+	leftfirewall = yes
+	right = %any
+	rightauth = pubkey
+	rightid = "C=US, O=Dustin C. Hatch, CN=dhatch-d4b.securepassage.com"
+	rightsubnet = 0.0.0.0/0
+	auto = add
+
+conn remote-access
+	keyexchange = ikev2
+	dpdaction = clear
+	dpddelay = 300s
+	left = %defaultroute
+	leftid = @vpn.pyrocufflink.net
+	leftcert = vpn.pyrocufflink.net.cer
+	leftsubnet = 0.0.0.0/0
+	right = %any
+	rightsourceip = 172.31.0.64/28
+	rightauth = pubkey
+	rightdns = 172.31.0.4,172.31.0.10
+	auto = add