Strongswan support

7u83 2018-02-23 16:02:21 +00:00
parent 30f23f612a
commit 26b2806652
10 changed files with 47 additions and 78 deletions


@ -55,7 +55,7 @@ class ipsec(
$ike_daemon = 'isakmpd' $ike_daemon = 'isakmpd'
} }
default: { default: {
$ike_daemon = 'racoon' $ike_daemon = 'strongswan'
} }
} }
} }
@ -80,8 +80,8 @@ define ipsec::tunnel (
$psk, $psk,
$hash = 'sha256', $hash = 'sha256',
$encryption = 'aes256', $encryption = 'aes256',
$lifetime = '86400', $lifetime = '86400 sec',
$dh_group = 14, $dh_group = 'modp2048',
) )
{ {
@ -98,7 +98,7 @@ define ipsec::tunnel (
lifetime => $lifetime, lifetime => $lifetime,
hash => $hash, hash => $hash,
encryption => $encryption, encryption => $encryption,
dh_group => 14, dh_group => $dh_group,
} }
} }
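Review bot: The new ipsec::tunnel defaults `$lifetime = '86400 sec'` and `$dh_group = 'modp2048'` are daemon-config spellings that are now passed unchanged to ipsec::racoon::tunnel and ipsec::strongswan::tunnel, whose own defaults were removed in the second and third files without any note of the expected syntax. The racoon template prepends `hmac_` to `$hash` in its sainfo block while the strongSwan template uses `$hash` verbatim, so nothing in the signatures tells a caller which names are valid for both backends. I would add a header comment on ipsec::tunnel such as `# $encryption, $hash, $dh_group and $lifetime are written verbatim into the selected daemon's config; use spellings both racoon and strongSwan accept (the defaults aes256 / sha256 / modp2048 / '86400 sec' are).` The bodies of the class and the define start and end outside these hunks.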


@ -14,7 +14,7 @@ class ipsec::racoon (
service {'racoon': service {'racoon':
name => "$racoon_service", name => "$racoon_service",
ensure => 'running', ensure => 'running',
require => Concat["$racoon_conf"], #File['racoon_conf'], require => Concat["$racoon_conf"],
subscribe => Concat["$racoon_conf"], subscribe => Concat["$racoon_conf"],
enable => true, enable => true,
} }
@ -50,7 +50,7 @@ class ipsec::racoon (
concat::fragment { "ipsec_conf_header": concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf", target => "$ipsec_conf",
order => '00', order => '00',
content => template('ipsec/ipsec_top.erb'), content => template('ipsec/racoon/ipsec.conf.header.erb'),
} }
concat { "$racoon_pskfile": concat { "$racoon_pskfile":
@ -73,21 +73,18 @@ class ipsec::racoon (
define ipsec::racoon::tunnel ( define ipsec::racoon::tunnel (
$local_ip, $local_ip,
$remote_ip, $remote_ip,
$encryption = 'blowfish', $encryption,
$hash = 'sha256', $hash,
$dh_group = 'modp3072', $dh_group,
$lifetime = '86400 sec', $lifetime,
$nets, $nets,
$proto = "any", $proto,
$psk $psk
) )
{ {
concat::fragment { "$title": concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf", target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/ipsec_tunnel.erb') content => template('ipsec/racoon/ipsec.conf.tunnel.erb')
} }
concat::fragment { "psk_$title": concat::fragment { "psk_$title":
@ -99,17 +96,15 @@ define ipsec::racoon::tunnel (
target => "$::ipsec::racoon_params::racoon_conf", target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/racoon.conf.erb') content => template('ipsec/racoon/racoon.conf.erb')
} }
} }
define ipsec::racoon::transport ( define ipsec::racoon::transport (
$local_ip, $local_ip,
$remote_ip, $remote_ip,
$proto = "any", $proto,
$encryption = 'blowfish', $encryption,
$hash = 'sha256', $hash,
$dh_group = 'mopd3072', $dh_group,
$psk $psk
) )
@ -123,6 +118,5 @@ define ipsec::racoon::transport (
target => "$::ipsec::racoon_params::racoon_pskfile", target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n" content => "$remote_ip $psk\n"
} }
} }


@ -41,10 +41,15 @@ class ipsec::strongswan (
define ipsec::strongswan::tunnel ( define ipsec::strongswan::tunnel (
$local_ip, $local_ip,
$remote_ip, $remote_ip,
$encryption,
$hash,
$dh_group,
$lifetime,
$nets, $nets,
$proto = "any", $proto,
$psk $psk
){ ){


@ -1,12 +0,0 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %>


@ -1,28 +0,0 @@
#
# racoon.conf Managed by Puppet
#
log notify;
path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs";
remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm aes_256;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy on;
}
sainfo anonymous{
pfs_group 2;
encryption_algorithm aes_256;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


@ -1,12 +1,13 @@
# #
# Tunnel # IPSec Tunnel
# Name: <%= @title %> # Name: <%= @title %>
# #
# <%- @nets.each do |net| -%>
<%- @netproto = net['proto'] ? net['proto'] : 'any' -%>
<% @nets.each do |net| -%> spdadd <%= net['local'] %> <%= net['remote'] %> <%= @netproto %> -P out ipsec
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec spdadd <%= net['remote'] %> <%= net['local'] %> <%= @netproto %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %> <%- end -%>
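Review bot: `<%- @netproto = net['proto'] ? net['proto'] : 'any' -%>` creates a template instance variable inside the per-net loop only to hold a loop-local default; a plain local with `||` expresses the same value (the ternary and `||` differ for no input) with less state carried between iterations: `<%- netproto = net['proto'] || 'any' -%>` and `<%= netproto %>` in the two spdadd lines. The same ternary-into-ivar form is used for the per-net defaults in racoon.conf.erb and strongSwan's ipsec.conf.erb in this commit. Note that a net entry without a proto key now renders `any` where the old template rendered an empty field, which is a behaviour change worth a line in the commit description.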

View File

@ -18,14 +18,15 @@ remote <%= @remote_ip %> {
<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %> <%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %> <%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %> <%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
<%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %> <%- @p2hash = net['hash'] ? net['hash'] : @hash %>
<%- @netproto = net['proto'] ? net['proto'] : 'any' -%>
sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %> sainfo address <%= net['local'] %> <%= @netproto %> address <%= net['remote'] %> <%= @netproto %>
{ {
pfs_group <%= @pfs_group %>; pfs_group <%= @pfs_group %>;
encryption_algorithm <%= @saencryption %>; encryption_algorithm <%= @saencryption %>;
authentication_algorithm <%= @p2hash %>; authentication_algorithm hmac_<%= @p2hash %>;
compression_algorithm deflate; compression_algorithm deflate;
lifetime time <%= @salifetime %>; lifetime time <%= @salifetime %>;
} }
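Review bot: `authentication_algorithm hmac_<%= @p2hash %>;` prepends the prefix to whatever `@p2hash` holds, and `@p2hash` is taken from `net['hash']` when a net entry sets it, so a per-net override written in racoon's own spelling (`hmac_sha256`, as the old default was) would render as `hmac_hmac_sha256`. Either document that both `net['hash']` and `@hash` take the bare digest name, e.g. `<%# net['hash'] and @hash are bare digest names (sha256); hmac_ is prepended here %>` above the sainfo block, or prepend only when the value does not already start with `hmac_`. The `remote` block and the per-net loop this hunk sits in begin before the hunk.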

5
templates/sainfo.erb Normal file

@ -0,0 +1,5 @@
<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
<%- @p2hash = net['hash'] ? net['hash'] : @hash %>
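Review bot: The new templates/sainfo.erb references the block local `net`, which does not exist when a template is rendered on its own, and none of the manifests in this commit render the file; the same four assignments are also inlined in racoon.conf.erb and in strongSwan's ipsec.conf.erb, so this is a third copy of the per-net defaults that can drift. If it is meant as a shared snippet for a later change, say so in a leading `<%# shared per-net defaults; expects `net` and @encryption/@dh_group/@hash in scope; not yet rendered by any manifest %>` comment, otherwise drop it. The hunk header announces five lines but only four are visible here, so the file may end with a line not shown.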


@ -1,14 +1,17 @@
<%- @nets.each do |net| -%>
<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" -%>
<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption -%>
<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group -%>
<%- @p2hash = net['hash'] ? net['hash'] : @hash -%>
<% @nets.each do |net| -%> conn "<%= @title %>"
conn <%= @title %>
left=<%= @local_ip %> left=<%= @local_ip %>
leftsubnet=<%= net['local'] %> leftsubnet=<%= net['local'] %>
right=<%= @remote_ip %> right=<%= @remote_ip %>
rightsubnet=<%= net['remote'] %> rightsubnet=<%= net['remote'] %>
ike=aes256-md5-modp1024 ike=<%= @encryption %>-<%= @hash %>-<%= @dh_group %>
esp=aes256-md5-modp1024! esp=<%= @saencryption %>-<%= @p2hash %>-<%= @pfs_group %>
auto=start auto=start
authby=secret authby=secret
keyexchange=ikev1 keyexchange=ikev1
<% end %> <% end -%>
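Review bot: `conn "<%= @title %>"` is emitted inside the `<%- @nets.each do |net| -%>` loop, so a tunnel with more than one entry in `@nets` writes several `conn` sections with the same name into ipsec.conf, which strongSwan presumably does not load as distinct connections (the old template had the same flaw; the rewrite keeps it). Giving each section a unique name is a two-line change: `<%- @nets.each_with_index do |net, i| -%>` and `conn "<%= @title %>-<%= i %>"`. Separately, the rewritten `esp=` line dropped the trailing `!` the old line carried; whether that widens the set of proposals strongSwan will accept depends on the strongSwan version in use, so it is worth confirming against the target release.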