Fix Ubuntu 22.04 compatibility issues (#14824)

This commit addresses two critical issues preventing Algo from working
on Ubuntu 22.04:

1. Load af_key kernel module for StrongSwan
   - Ubuntu 22.04 minimal installs don't load af_key by default
   - Without this module, StrongSwan fails with namespace errors
   - Added modprobe task to ensure module is loaded persistently

2. Force iptables-legacy mode on Ubuntu 22.04+
   - Ubuntu 22.04 uses iptables-nft backend by default
   - This causes firewall rules to be reordered incorrectly
   - VPN traffic gets blocked by misplaced DROP rules
   - Switching to iptables-legacy ensures correct rule ordering

These changes restore full VPN functionality (both WireGuard and IPsec)
on Ubuntu 22.04 installations.

Closes #14820

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <[email protected]>

Author: dguido

roles/common/tasks/ubuntu.yml

@@ -161,5 +161,31 @@
   include_tasks: aip/main.yml
   when: alternative_ingress_ip
 
+- name: Ubuntu 22.04+ | Use iptables-legacy for compatibility
+  block:
+    - name: Install iptables packages
+      apt:
+        name:
+          - iptables
+          - iptables-persistent
+        state: present
+        update_cache: true
+
+    - name: Configure iptables-legacy as default
+      alternatives:
+        name: "{{ item }}"
+        path: "/usr/sbin/{{ item }}-legacy"
+      with_items:
+        - iptables
+        - ip6tables
+        - iptables-save
+        - iptables-restore
+        - ip6tables-save
+        - ip6tables-restore
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_version is version('22.04', '>=')
+  tags: iptables
+
 - include_tasks: iptables.yml
   tags: iptables

roles/strongswan/tasks/ubuntu.yml

@@ -2,6 +2,13 @@
 - name: Set OS specific facts
   set_fact:
     strongswan_additional_plugins: []
+
+- name: Ubuntu | Ensure af_key kernel module is loaded
+  modprobe:
+    name: af_key
+    state: present
+    persistent: present
+
 - name: Ubuntu | Install strongSwan (individual)
   apt:
     name: strongswan