
Add gen_ipsec module.

1 parent 71a11e6 commit c6037368cd45009502668dd4634cce826ee88957 Thomas Ronner committed Dec 9, 2011
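--- a/gen_ipsec/files/ipsec-tools.conf_header
+++ b/gen_ipsec/files/ipsec-tools.conf_header
@@ -0,0 +1,12 @@
+#!/usr/sbin/setkey -f
+
+# NOTE: Do not use this file if you use racoon with racoon-tool
+# utility. racoon-tool will setup SAs and SPDs automatically using
+# /etc/racoon/racoon-tool.conf configuration.
+#
+
+## Flush the SAD and SPD
+#
+flush;
+spdflush;
+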
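Review bot: `flush;` followed by `spdflush;` removes every SA and every policy each time setkey re-reads this file, and init.pp wires the concat of /etc/ipsec-tools.conf to notify Service["setkey"], so adding or removing any single peer tears down all established tunnels at once; between the flush and the following spdadd lines no policy exists, so packets to the protected networks may leave in the clear until the policies are back and racoon has renegotiated. That is the normal behaviour of a setkey script but it is worth stating where operators will see it, e.g. `# Reloading this file flushes ALL SAs/SPs: every tunnel renegotiates and traffic is unprotected until the policies below are re-added.`. The racoon-tool remark above it is the Debian default text and does not apply once this module owns the file, so it could be dropped or reworded.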
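--- a/gen_ipsec/manifests/init.pp
+++ b/gen_ipsec/manifests/init.pp
@@ -0,0 +1,96 @@
+# Author: Kumina bv <support@kumina.nl>
+
+# Class: gen_ipsec
+#
+# Actions:
+# Configure basic ipsec settings; needs at least one gen_ipsec::peer.
+#
+# Parameters:
+# listen
+# The IP address(es) that racoon listens on
+# ssl_path
+# The default path to ssl certificates
+#
+# Depends:
+# gen_puppet
+#
+class gen_ipsec ($listen=false, $ssl_path="/etc/ssl") {
+ kpackage {
+ ["ipsec-tools","racoon"]:;
+ }
+
+ service {
+ "setkey":
+ require => Package["ipsec-tools"];
+ "racoon":
+ ensure => running,
+ hasstatus => false,
+ pattern => "/usr/sbin/racoon",
+ require => Package["racoon"];
+ }
+
+ $itc = "/etc/ipsec-tools.conf"
+
+ concat {
+ $itc:
+ mode => 744,
+ notify => Service["setkey"],
+ require => Package["ipsec-tools"];
+ }
+
+ concat::fragment { "ipsec-tools.conf_header":
+ target => $itc,
+ order => 1,
+ source => "gen_ipsec/ipsec-tools.conf_header";
+ }
+
+ kfile {
+ "/etc/racoon/racoon.conf":
+ ensure => present,
+ content => template("gen_ipsec/racoon.conf.erb"),
+ notify => Service["racoon"],
+ require => Package["racoon"];
+ "/etc/racoon/peers.d":
+ ensure => directory;
+ }
+
+}
+
+# Define: gen_ipsec::peer
+#
+# Actions:
+# Configure an ipsec peer
+#
+# Parameters:
+# local_ip
+# Local endpoint of the ipsec tunnel
+# peer_ip
+# Remote endpoint of the ipsec tunnel
+# peer_asn1dn
+# Peer's ASN.1 DN (Everything after "Subject: " in output of openssl x509 -text)
+# local_cidr
+# (List of) local networks (e.g. ["10.1.2.0/24","10.1.4.0/23"])
+# remote_cidr
+# (List of) remote networks
+# cert
+# Path to certificate file (optional)
+# key
+# Path to private key file (optional)
+#
+# Depends:
+# gen_puppet
+#
+define gen_ipsec::peer ($local_ip, $peer_ip, $peer_asn1dn, $local_cidr, $remote_cidr, $cert="certs/${fqdn}.pem", $key="private/${fqdn}.key") {
+ concat::fragment { "ipsec-tools.conf_fragment_$name":
+ target => "/etc/ipsec-tools.conf",
+ order => 10,
+ content => template("gen_ipsec/ipsec-tools.conf_fragment.erb");
+ }
+
+ file { "/etc/racoon/peers.d/$name.conf":
+ ensure => present,
+ content => template("gen_ipsec/racoon-peer.conf.erb"),
+ require => [ Package["racoon"], File["/etc/racoon/peers.d"] ],
+ notify => Service["racoon"];
+ }
+}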
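Review bot: A peer that is removed from the manifests is never removed from the host: its concat fragment disappears from /etc/ipsec-tools.conf on the next run, but `/etc/racoon/peers.d/$name.conf` stays on disk and racoon.conf.erb still pulls it in through `include "peers.d/*.conf"`, so racoon keeps its `remote` and `sainfo` blocks for a peer that no longer has a policy and is presumably no longer trusted. The `"/etc/racoon/peers.d": ensure => directory;` resource in the class should own the directory's contents, e.g. `"/etc/racoon/peers.d": ensure => directory, recurse => true, purge => true, notify => Service["racoon"];` — assuming kfile forwards the standard file attributes, which this hunk does not show. Separately, `mode => 744` is an unquoted integer; Puppet expects a string and the quoted octal form `mode => "0744"` avoids version-dependent interpretation (the file is a `#!/usr/sbin/setkey -f` script, so the owner-execute bit looks intentional).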
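--- a/gen_ipsec/templates/ipsec-tools.conf_fragment.erb
+++ b/gen_ipsec/templates/ipsec-tools.conf_fragment.erb
@@ -0,0 +1,10 @@
+<% local_cidr.each do |local| -%>
+<% remote_cidr.each do |remote| -%>
+spdadd <%= local %> <%= remote %> any -P out ipsec
+ esp/tunnel/<%= local_ip %>-<%= peer_ip %>/unique;
+
+spdadd <%= remote %> <%= local %> any -P in ipsec
+ esp/tunnel/<%= peer_ip %>-<%= local_ip %>/unique;
+
+<% end -%>
+<% end -%>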
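Review bot: `local_cidr.each` and `remote_cidr.each` on the first two lines only work when both parameters are arrays, while init.pp documents them as "(List of)" networks and a caller can reasonably pass a single string such as "10.1.2.0/24"; on Ruby 1.9 and later String has no `each`, so the template raises and the catalog fails (on 1.8 String#each iterates lines and happens to work). Coercing with `<% Array(local_cidr).each do |local| -%>` and `<% Array(remote_cidr).each do |remote| -%>` accepts both forms on every Ruby version. The same pair of loops in racoon-peer.conf.erb and the `listen.each` loop in racoon.conf.erb need the same change.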
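--- a/gen_ipsec/templates/racoon-peer.conf.erb
+++ b/gen_ipsec/templates/racoon-peer.conf.erb
@@ -0,0 +1,27 @@
+remote <%= peer_ip %> {
+ exchange_mode main;
+ certificate_type x509 "certs/<%= hostname %>.pem" "private/<%= hostname %>.key";
+ verify_cert on;
+ my_identifier asn1dn;
+ peers_identifier asn1dn "<%= peer_asn1dn %>";
+ ca_type x509 "/etc/ssl/cacert.pem";
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha1;
+ authentication_method rsasig;
+ dh_group 5;
+ }
+}
+
+<% local_cidr.each do |local| -%>
+<% remote_cidr.each do |remote| -%>
+sainfo address <%= local %> any address <%= remote %> any {
+ pfs_group 5;
+ encryption_algorithm aes 256;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
+
+<% end -%>
+<% end -%>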
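Review bot: The `certificate_type` line hardcodes `certs/<%= hostname %>.pem` and `private/<%= hostname %>.key`, so the `$cert` and `$key` parameters that gen_ipsec::peer declares in init.pp (defaults `certs/${fqdn}.pem` and `private/${fqdn}.key`) are silently ignored, and even the defaults disagree with the template because hostname and fqdn differ on most hosts. The line should read `certificate_type x509 "<%= cert %>" "<%= key %>";`. The `ca_type x509 "/etc/ssl/cacert.pem";` line likewise ignores the class's `$ssl_path`; either expose the CA path as a peer parameter or document in init.pp that the CA is fixed at /etc/ssl/cacert.pem so operators know verify_cert is checked against that file only. A short comment above the `proposal` and `sainfo` blocks stating that these algorithms and DH/PFS groups are applied to every peer would make later hardening a single visible edit.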
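--- a/gen_ipsec/templates/racoon.conf.erb
+++ b/gen_ipsec/templates/racoon.conf.erb
@@ -0,0 +1,31 @@
+#
+# NOTE: This file will not be used if you use racoon-tool(8) to manage your
+# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
+# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
+# of this file.
+#
+# Simple racoon.conf
+#
+#
+# Please look in /usr/share/doc/racoon/examples for
+# examples that come with the source.
+#
+# Please read racoon.conf(5) for details, and alsoread setkey(8).
+#
+#
+# Also read the Linux IPSEC Howto up at
+# http://www.ipsec-howto.org/t1.html
+#
+
+path certificate "<%= ssl_path %>";
+path include "/etc/racoon/peers.d";
+
+<% if listen -%>
+listen {
+<% listen.each do |ip| -%>
+ isakmp <%= ip %> [500];
+<% end %->
+}
+<% end %->
+
+include "peers.d/*.conf";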
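Review bot: `<% end %->` on the two closing lines of the listen block is not ERB trim syntax: `%>` ends the tag and the literal `->` is written into /etc/racoon/racoon.conf, so whenever `$listen` is set racoon receives a line containing only `->` and fails to parse its configuration (the correct `-%>` form is used on every other closing tag in this commit). Both lines should be `<% end -%>`. Because the file is only parsed at service start, the breakage surfaces as a failed Service["racoon"] on the node rather than at catalog compile time, which is worth knowing when testing the `listen` parameter.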
