diff --git a/roles/strongswan/files/ipsec.secrets b/roles/strongswan/files/ipsec.secrets
new file mode 100644
index 0000000..9185be8
--- /dev/null
+++ b/roles/strongswan/files/ipsec.secrets
@@ -0,0 +1 @@
+include ipsec.secrets.d/*
diff --git a/roles/strongswan/handlers/main.yml b/roles/strongswan/handlers/main.yml
new file mode 100644
index 0000000..eee56cf
--- /dev/null
+++ b/roles/strongswan/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart strongswan
+ service:
+ name=strongswan
+ state=restarted
diff --git a/roles/strongswan/tasks/main.yml b/roles/strongswan/tasks/main.yml
new file mode 100644
index 0000000..267c3b9
--- /dev/null
+++ b/roles/strongswan/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: ensure strongswan is installed
+ package:
+ name=strongswan
+ state=present
+ tags:
+ - install
+
+- name: ensure strongswan ipsec.conf is configured
+ template:
+ src=ipsec.conf.j2
+ dest=/etc/strongswan/ipsec.conf
+ mode=0644
+ notify: restart strongswan
+- name: ensure strongswan conns directory exists
+ file:
+ path=/etc/strongswan/ipsec.d/conns
+ mode=0755
+ state=directory
+- name: ensure strongswan ipsec.secrets is configured
+ copy:
+ src=ipsec.secrets
+ dest=/etc/strongswan/ipsec.secrets
+ mode=0600
+ notify: restart strongswan
+- name: ensure strongswan ipsec.secrets.d directory exists
+ file:
+ path=/etc/strongswan/ipsec.secrets.d
+ mode=0700
+ state=directory
+
+- name: ensure strongswan starts at boot
+ service:
+ name=strongswan
+ enabled=yes
diff --git a/roles/strongswan/templates/ipsec.conf.j2 b/roles/strongswan/templates/ipsec.conf.j2
new file mode 100644
index 0000000..e2ec978
--- /dev/null
+++ b/roles/strongswan/templates/ipsec.conf.j2
@@ -0,0 +1,10 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# Define VPN connectsions in files under the ipsec.d/conns directory
+include /etc/strongswan/ipsec.d/conns/*.conf
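Review bot: The `include ipsec.secrets.d/*` line in ipsec.secrets uses a relative path while the sibling ipsec.conf.j2 includes its conns directory by absolute path; strongSwan resolves relative includes against the including file's directory, so this works, but the two files read inconsistently and a reader has to know that rule. Writing it as `include /etc/strongswan/ipsec.secrets.d/*` matches the other file and the `dest=` paths in tasks/main.yml. A one-line comment above it, `# per-connection secrets are dropped into ipsec.secrets.d/ (0700, see tasks/main.yml); nothing sensitive lives in this file itself`, would also explain why this file is copied with mode 0600 even though it only holds an include directive — presumably other roles populate that directory, which is worth stating.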
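Review bot: The `restart strongswan` handler uses `state=restarted`, so every change to ipsec.conf or ipsec.secrets tears down all established IPsec SAs, including tunnels unrelated to the edited connection. `state=reloaded` would apply the configuration without dropping traffic where the unit exposes a reload action; whether that also re-reads ipsec.secrets depends on what the unit's reload runs, so that should be checked before switching, and if it does not, a separate `rereadsecrets`-style handler for the secrets task is the usual split. The key=value shorthand (`name=strongswan` under `service:`) is also the form most linters flag now; `name: strongswan` / `state: restarted` as YAML keys reads the same and avoids the mixed style seen in tasks/main.yml, where `notify:` is already a YAML key.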
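Review bot: The final `ensure strongswan starts at boot` task sets `enabled=yes` but no `state`, so on a run where neither ipsec.conf nor ipsec.secrets changed the restart handler never fires and a daemon that was stopped stays stopped; `service: name=strongswan enabled=yes state=started` makes the role converge on a running service. The `copy` of ipsec.secrets and the `file` task for ipsec.secrets.d set modes 0600/0700 but no `owner`/`group`; adding `owner=root group=root` pins ownership explicitly rather than relying on whatever account the module runs as, and the same applies to the ipsec.d/conns directory. Ordering is not a correctness problem because the handler runs after both directory tasks, but placing each `file: state=directory` task before the file that includes it reads more naturally and avoids a window where the include glob points at a missing directory. The task names are good; a short comment noting that this role only creates the directories and that connection and secret files are expected to come from elsewhere would save the next reader a search.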
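Review bot: The comment on the last two lines of ipsec.conf.j2 has a typo, "connectsions"; `# Define VPN connections in files under the ipsec.d/conns directory`. The template contains no Jinja expressions, so `template:` versus `copy:` is currently cosmetic, but if it is meant to stay a template it is worth saying so in a comment at the top, otherwise a reader may assume variables were dropped. The commented-out `# strictcrlpolicy=yes` and `# uniqueids = no` leave the daemon's defaults in effect; a comment stating that this is deliberate (e.g. `# defaults kept: strictcrlpolicy=no, uniqueids=yes; set strictcrlpolicy=yes when certificate auth with CRLs is in use`) would make the intent explicit instead of looking like unfinished configuration.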