Add gen_ipsec module.

commit c6037368cd45009502668dd4634cce826ee88957 1 parent 71a11e6
Thomas Ronner authored
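--- a/gen_ipsec/files/ipsec-tools.conf_header
+++ b/gen_ipsec/files/ipsec-tools.conf_header
@@ -0,0 +1,12 @@
+#!/usr/sbin/setkey -f
+
+# NOTE: Do not use this file if you use racoon with racoon-tool
+# utility. racoon-tool will setup SAs and SPDs automatically using
+# /etc/racoon/racoon-tool.conf configuration.
+#
+
+## Flush the SAD and SPD
+#
+flush;
+spdflush;
+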
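Review bot: `flush;` and `spdflush;` on lines 10–11 clear the entire SAD and SPD, not only the entries this module writes, so every reload of the assembled /etc/ipsec-tools.conf (init.pp notifies the setkey service on any concat change) will drop all live SAs, including tunnels to peers whose fragment did not change, until racoon renegotiates them. That is the usual setkey idiom, but the consequence is not stated anywhere and operators adding a peer on a busy gateway will be surprised. Replace the `## Flush the SAD and SPD` line with `## Flush the SAD and SPD — WARNING: drops ALL SAs/SPs, including ones not managed by Puppet; every reload interrupts live tunnels until racoon renegotiates`. Whether the setkey init script re-runs this file on restart is inferred from the shebang and the notify, not visible here.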
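--- a/gen_ipsec/manifests/init.pp
+++ b/gen_ipsec/manifests/init.pp
@@ -0,0 +1,96 @@
+# Author: Kumina bv <support@kumina.nl>
+
+# Class: gen_ipsec
+#
+# Actions:
+# Configure basic ipsec settings; needs at least one gen_ipsec::peer.
+#
+# Parameters:
+# listen
+# The IP address(es) that racoon listens on
+# ssl_path
+# The default path to ssl certificates
+#
+# Depends:
+# gen_puppet
+#
+class gen_ipsec ($listen=false, $ssl_path="/etc/ssl") {
+ kpackage {
+ ["ipsec-tools","racoon"]:;
+ }
+
+ service {
+ "setkey":
+ require => Package["ipsec-tools"];
+ "racoon":
+ ensure => running,
+ hasstatus => false,
+ pattern => "/usr/sbin/racoon",
+ require => Package["racoon"];
+ }
+
+ $itc = "/etc/ipsec-tools.conf"
+
+ concat {
+ $itc:
+ mode => 744,
+ notify => Service["setkey"],
+ require => Package["ipsec-tools"];
+ }
+
+ concat::fragment { "ipsec-tools.conf_header":
+ target => $itc,
+ order => 1,
+ source => "gen_ipsec/ipsec-tools.conf_header";
+ }
+
+ kfile {
+ "/etc/racoon/racoon.conf":
+ ensure => present,
+ content => template("gen_ipsec/racoon.conf.erb"),
+ notify => Service["racoon"],
+ require => Package["racoon"];
+ "/etc/racoon/peers.d":
+ ensure => directory;
+ }
+
+}
+
+# Define: gen_ipsec::peer
+#
+# Actions:
+# Configure an ipsec peer
+#
+# Parameters:
+# local_ip
+# Local endpoint of the ipsec tunnel
+# peer_ip
+# Remote endpoint of the ipsec tunnel
+# peer_asn1dn
+# Peer's ASN.1 DN (Everything after "Subject: " in output of openssl x509 -text)
+# local_cidr
+# (List of) local networks (e.g. ["10.1.2.0/24","10.1.4.0/23"])
+# remote_cidr
+# (List of) remote networks
+# cert
+# Path to certificate file (optional)
+# key
+# Path to private key file (optional)
+#
+# Depends:
+# gen_puppet
+#
+define gen_ipsec::peer ($local_ip, $peer_ip, $peer_asn1dn, $local_cidr, $remote_cidr, $cert="certs/${fqdn}.pem", $key="private/${fqdn}.key") {
+ concat::fragment { "ipsec-tools.conf_fragment_$name":
+ target => "/etc/ipsec-tools.conf",
+ order => 10,
+ content => template("gen_ipsec/ipsec-tools.conf_fragment.erb");
+ }
+
+ file { "/etc/racoon/peers.d/$name.conf":
+ ensure => present,
+ content => template("gen_ipsec/racoon-peer.conf.erb"),
+ require => [ Package["racoon"], File["/etc/racoon/peers.d"] ],
+ notify => Service["racoon"];
+ }
+}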
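Review bot: The concat resource for `$itc` (line 36) sets `mode => 744` as a bare integer; Puppet expects the mode as a string and bare numeric modes are deprecated, so write `mode => '0744',` — the leading zero makes the octal intent explicit (0644 is enough unless the file is meant to be run via its setkey shebang). The `listen` parameter's documentation (line 10) should also say what the `false` default does: racoon.conf.erb then emits no `listen` block, and racoon's documented behaviour without one is to bind ISAKMP on every interface address, so `# listen` should read `# The IP address(es) that racoon listens on; false (default) emits no listen block and racoon binds all interfaces`. The `"setkey"` service on line 23 has no `ensure`, which is presumably deliberate since the notify only needs a restart, but a one-line comment saying so would save the next reader a question. The `$cert`/`$key` defaults on line 83 are consumed by a template in another file, so whether they take effect is not visible from this hunk.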
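--- a/gen_ipsec/templates/ipsec-tools.conf_fragment.erb
+++ b/gen_ipsec/templates/ipsec-tools.conf_fragment.erb
@@ -0,0 +1,10 @@
+<% local_cidr.each do |local| -%>
+<% remote_cidr.each do |remote| -%>
+spdadd <%= local %> <%= remote %> any -P out ipsec
+ esp/tunnel/<%= local_ip %>-<%= peer_ip %>/unique;
+
+spdadd <%= remote %> <%= local %> any -P in ipsec
+ esp/tunnel/<%= peer_ip %>-<%= local_ip %>/unique;
+
+<% end -%>
+<% end -%>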
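Review bot: `local_cidr.each` and `remote_cidr.each` on lines 1–2 assume both parameters are arrays, but the define documents them as "(List of)" networks, which invites passing a single `"10.1.2.0/24"` string; if Puppet hands that through as a plain Ruby String, `String#each` does not exist on Ruby 1.9+ and the catalog fails (on 1.8 it iterates lines, so a lone string happens to work), making behaviour depend on the agent's Ruby version. Coerce once so both forms are accepted: `<% Array(local_cidr).each do |local| -%>` and `<% Array(remote_cidr).each do |remote| -%>`. Nothing else in the template needs to change, and the generated spdadd lines are identical for array input.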
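--- a/gen_ipsec/templates/racoon-peer.conf.erb
+++ b/gen_ipsec/templates/racoon-peer.conf.erb
@@ -0,0 +1,27 @@
+remote <%= peer_ip %> {
+ exchange_mode main;
+ certificate_type x509 "certs/<%= hostname %>.pem" "private/<%= hostname %>.key";
+ verify_cert on;
+ my_identifier asn1dn;
+ peers_identifier asn1dn "<%= peer_asn1dn %>";
+ ca_type x509 "/etc/ssl/cacert.pem";
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha1;
+ authentication_method rsasig;
+ dh_group 5;
+ }
+}
+
+<% local_cidr.each do |local| -%>
+<% remote_cidr.each do |remote| -%>
+sainfo address <%= local %> any address <%= remote %> any {
+ pfs_group 5;
+ encryption_algorithm aes 256;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
+
+<% end -%>
+<% end -%>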
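Review bot: `peers_identifier asn1dn "<%= peer_asn1dn %>"` on line 6 is not enforced on its own — racoon.conf(5) documents `verify_identifier` as defaulting to off, and only when it is on does a mismatch between this value and the peer's ID payload fail the negotiation; as written, `verify_cert on` checks only that the presented certificate chains to `/etc/ssl/cacert.pem`, so any certificate issued by that CA is accepted for this `remote` block. Add `verify_identifier on;` directly after `verify_cert on;` so the DN the operator was asked to supply actually pins the peer. Separately, line 3 hardcodes `"certs/<%= hostname %>.pem" "private/<%= hostname %>.key"` while the gen_ipsec::peer define in init.pp exposes `$cert`/`$key` (defaulting to `${fqdn}`-based paths) that this template never reads, so a caller who sets them silently still gets the hostname's key; use `certificate_type x509 "<%= cert %>" "<%= key %>";`. The CA path on line 7 likewise ignores the class's `ssl_path`, which `path certificate` in racoon.conf.erb does honour.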
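--- a/gen_ipsec/templates/racoon.conf.erb
+++ b/gen_ipsec/templates/racoon.conf.erb
@@ -0,0 +1,31 @@
+#
+# NOTE: This file will not be used if you use racoon-tool(8) to manage your
+# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
+# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
+# of this file.
+#
+# Simple racoon.conf
+#
+#
+# Please look in /usr/share/doc/racoon/examples for
+# examples that come with the source.
+#
+# Please read racoon.conf(5) for details, and alsoread setkey(8).
+#
+#
+# Also read the Linux IPSEC Howto up at
+# http://www.ipsec-howto.org/t1.html
+#
+
+path certificate "<%= ssl_path %>";
+path include "/etc/racoon/peers.d";
+
+<% if listen -%>
+listen {
+<% listen.each do |ip| -%>
+ isakmp <%= ip %> [500];
+<% end %->
+}
+<% end %->
+
+include "peers.d/*.conf";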
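Review bot: `<% end %->` on lines 27 and 29 is a typo for `<% end -%>`: ERB closes the tag at `%>`, so the trailing `->` is emitted as literal text into the generated racoon.conf whenever `listen` is set, producing a line containing only `->` after the isakmp entries and another after the closing brace, which racoon's parser will almost certainly reject and stop the daemon from starting. Change both to `<% end -%>`. On line 25, `listen.each` also assumes an array although the class documents "address(es)"; a single address string would fail on Ruby 1.9+, so `<% Array(listen).each do |ip| -%>` accepts both forms. Line 13 has a typo in the comment, `alsoread` for `also read`.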
