Trail of Bits released their Ansible scripts for strongSwan, which has sensible secure defaults (IPsec using AES-GCM only).
They are calling the project Algo.
https://github.com/trailofbits/algo
Specifically, compare their IKE setups:
https://github.com/jlund/streisand/blob/master/playbooks/rol...
https://github.com/trailofbits/algo/blob/master/roles/vpn/te...
Algo's is much more conservative. Streisand lets 3des and SHA1 into the mix. If you allow it, users will end up using it.
Otherwise, I think you are spot on and I prefer Algo (having used both for various things and just playing around).
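An added example, not part of the thread and not code from either project: a small audit of the `ike=`/`esp=` proposal lines in a strongSwan `ipsec.conf`, flagging the kind of legacy algorithms discussed above and proposals without the strict flag `!`. The sample configuration is constructed, and the `WEAK` list is this example's own policy assumption.

```python
import re

# Tokens treated as weak here (this example's policy, an assumption).
WEAK = {"3des": "64-bit block cipher", "des": "56-bit key",
        "md5": "broken hash", "sha1": "deprecated hash", "sha": "alias of sha1",
        "modp768": "small DH group", "modp1024": "small DH group"}

# Constructed sample, not taken from Streisand or Algo.
SAMPLE = """
conn permissive
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp1024   # legacy fallback
    esp=aes128-sha1
conn strict
    ike=aes128gcm16-prfsha512-ecp256!
    esp=aes128gcm16-ecp256!
"""

def audit_proposals(conf_text):
    """Return (conn, key, problem) findings for ike=/esp= lines."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value.endswith("!"):
            # Without '!', a responder is not restricted to the listed suites.
            findings.append((conn, key, "no strict flag '!'"))
        for proposal in value.rstrip("!").split(","):
            for token in proposal.strip().lower().split("-"):
                if token in WEAK:
                    findings.append((conn, key, f"{token}: {WEAK[token]}"))
    return findings

if __name__ == "__main__":
    for conn, key, problem in audit_proposals(SAMPLE):
        print(f"{conn}: {key}: {problem}")
```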
https://github.com/jlund/streisand/blob/master/playbooks/str...
Comment out any roles you don't want with a # at the beginning of the line. YAML is very picky about syntax.
comment edit: Think of roles in Ansible like building blocks or common chores you can apply to any server. It might be nice to not have so much stuff by default, but this tool isn't meant for complete technical novices, so it is expected (in my opinion) that you go in and prune anything out you don't want/need. What is nice is that you have lots of options and if you ever need to add a role you can just uncomment it and re-run the playbook.
[0] http://docs.ansible.com/ansible/playbooks_tags.html
