A cookbook to configure VPN connections to AWS endpoints.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
attributes
providers
recipes
resources
templates/default
test
.gitignore
.kitchen.yml
Berksfile
CHANGELOG.md
Gemfile
LICENSE
README.md
Thorfile
Vagrantfile
chefignore
metadata.rb

README.md

StrongSwan AWS Cookbook

Contents

Summary

The StrongSwan AWS Cookbook creates an AWS-compatible IPSec tunnel on a node.

Requirements

This cookbook works with StrongSwan, an open-source IPSec-based VPN solution.

It has been tested with StrongSwan 5.1.2, as packaged for Ubuntu.

Supported Platforms

.------------------------.
| Distribution | Version |
|------------------------|
| Ubuntu       | 14.04   |
'------------------------'

Cookbook Dependencies

This cookbook does not depend on any other cookbooks.

Attributes

This cookbook uses the following attributes.

.-------------------------------------------------------------------------------------------.
| Key                          | Type    | Description                           | Default  |
|-------------------------------------------------------------------------------------------|
| ['awsstrongswan']['debug']   | Boolean | Cause charon to log debug information | true     |
| ['awsstrongswan']['tunnels'] | Array   | Tunnels to which to connect           | empty [] |
'-------------------------------------------------------------------------------------------'

These attributes can be set as below.

['awsstrongswan']['debug']:

"default_attributes": {
  "strongswanaws": {
    "debug": true
  }
}

['awsstrongswan']['tunnels']:

"default_attributes": {
  "strongswanaws": {
    "tunnels": [
      {
        "name": "tunnel-to-other-vpc",
        "local_network": "10.10.0.0/16",
        "remote_network": "10.11.0.0/16",
        "tunnel_ip": "1.2.3.4"
      }
    ]
  }
}

Data Bags

This cookbook makes use of a data bag named strongswanaws.

The data bag should contain a single item named tunnel_keys.

The item tunnel_keys should look as shown below.

{
  "id": "tunnel_keys",
  "key_configs": [
    {
      "name": "tunnel-to-other-vpc",
      "psk": "Ep53A1ZqY6f.KWO90LABLzfRZyf62GyM",
      "source_ips": [
        "1.2.3.4"
      ]
    }
  ]
}

There may be zero or more tunnels in the tunnel_keys list.

Recipes

This cookbook contains the following recipes.

  • strongswanaws::default - This recipe is empty. It allows the cookbook to be included without running an action.

  • strongswanaws::server - This recipe does the following.

    • Installs StrongSwan
    • Sets system-wide limits with sysctl
    • Runs Charon
    • Sets StrongSwan start on boot
  • strongswanaws::tunnels - This recipe does the following.

    • Writes PSK's to the secrets file
    • Configures tunnels to which StrongSwan will connect

Usage

Include the server recipe to only install StrongSwan and set system limits.

"run_list": [
  "recipe[strongswanaws::server]"
]

Include both server and tunnels recipes to configure StrongSwan to establish one or more IPSec sessions.

"run_list": [
  "recipe[strongswanaws::server]",
  "recipe[strongswanaws::tunnels]",
]

Resources

strongswanaws::connection - Add an IPSec session for StrongSwan to establish

Parameters:

  • connection_name - A string to label an IPSec session (name attribute)
  • local_network - A CIDR-formatted network address (required)
  • remote_network - A CIDR-formatted network address (required)
  • remote_gateway - An IPv4 address (required)
  • startup_operation - A string to indicate the desired initial state of the tunnel (one of 'add', 'route', 'start')

Example:

strongswanaws_connection 'remote_tunnel' do
  connection_name   'remote_tunnel'
  local_network     '10.10.0.0/16'
  remote_network    '10.11.0.0/16'
  remote_gateway    '1.2.3.4'
  startup_operation 'start'
end