Strongswan support

2018-02-23 16:02:21 +00:00 · 2018-02-23 16:02:21 +00:00 · 26b2806652
parent 30f23f612a
commit 26b2806652
10 changed files with 47 additions and 78 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -55,7 +55,7 @@ class ipsec(
 				$ike_daemon = 'isakmpd'
 			}
 			default: {
-				$ike_daemon = 'racoon'
+				$ike_daemon = 'strongswan'
 			}
 		}
 	}
@ -80,8 +80,8 @@ define ipsec::tunnel (
 	$psk,
        $hash = 'sha256',
        $encryption = 'aes256',
-        $lifetime = '86400',
-	$dh_group = 14,
+        $lifetime = '86400 sec',
+	$dh_group = 'modp2048',

 )
 {
@ -98,7 +98,7 @@ define ipsec::tunnel (
 		lifetime => $lifetime,
 		hash => $hash,
 		encryption => $encryption,
-		dh_group => 14,
+		dh_group => $dh_group,
 	}

 }
--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@ -14,7 +14,7 @@ class ipsec::racoon (
 	service {'racoon':
 		name => "$racoon_service",
 		ensure => 'running',
-		require => Concat["$racoon_conf"], #File['racoon_conf'],
+		require => Concat["$racoon_conf"], 
 		subscribe => Concat["$racoon_conf"],
 		enable => true,
 	}
@ -50,7 +50,7 @@ class ipsec::racoon (
 	concat::fragment { "ipsec_conf_header":
 		target => "$ipsec_conf",
 		order => '00',
-		content => template('ipsec/ipsec_top.erb'),
+		content => template('ipsec/racoon/ipsec.conf.header.erb'),
 	}
 	
 	concat { "$racoon_pskfile": 
@ -73,21 +73,18 @@ class ipsec::racoon (
 define ipsec::racoon::tunnel (
 	$local_ip,
 	$remote_ip,
-	$encryption = 'blowfish',
-	$hash = 'sha256',
-	$dh_group = 'modp3072',
-	$lifetime = '86400 sec',
-
+	$encryption,
+	$hash,
+	$dh_group,
+	$lifetime,
 	$nets,
-	$proto = "any",
-
+	$proto,
 	$psk 
-
 )
 {
 	concat::fragment { "$title":
 		target => "$::ipsec::racoon_params::ipsec_conf",
-		content => template('ipsec/ipsec_tunnel.erb')
+		content => template('ipsec/racoon/ipsec.conf.tunnel.erb')
 	}
 	
 	concat::fragment { "psk_$title":
@ -99,17 +96,15 @@ define ipsec::racoon::tunnel (
 		target => "$::ipsec::racoon_params::racoon_conf",
 		content => template('ipsec/racoon/racoon.conf.erb')
 	}
-
-
 }

 define ipsec::racoon::transport (
 	$local_ip,
 	$remote_ip,
-	$proto = "any",
-	$encryption = 'blowfish',
-	$hash = 'sha256',
-	$dh_group = 'mopd3072',
+	$proto,
+	$encryption,
+	$hash,
+	$dh_group,
 	$psk 

 )
@ -123,6 +118,5 @@ define ipsec::racoon::transport (
 		target => "$::ipsec::racoon_params::racoon_pskfile",
 		content => "$remote_ip $psk\n"
 	}
-
 }

--- a/manifests/strongswan.pp
+++ b/manifests/strongswan.pp
@ -41,10 +41,15 @@ class ipsec::strongswan  (


 define ipsec::strongswan::tunnel (
+
 	$local_ip,
 	$remote_ip,
+	$encryption,
+	$hash,
+	$dh_group,
+	$lifetime,
 	$nets,
-	$proto = "any",
+	$proto,
 	$psk 

 ){
--- a/templates/ipsec_tunnel.erb
+++ b/templates/ipsec_tunnel.erb
@ -1,12 +0,0 @@
-#
-# Tunnel
-# Name: <%= @title %>
-#
-#
-
-<% @nets.each do |net| -%>
-spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec 
-	esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
-spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec 
-	esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
-<% end %>
--- a/templates/racoon.conf.erb
+++ b/templates/racoon.conf.erb
@ -1,28 +0,0 @@
-# 
-# racoon.conf Managed by Puppet
-#
-
-log notify;
-path pre_shared_key "<%= @racoon_pskfile %>";
-
-path certificate "/etc/racoon/certs";
-
-remote anonymous {
-        exchange_mode main;
-        proposal {
-                encryption_algorithm aes_256;
-                hash_algorithm md5;
-                authentication_method pre_shared_key;
-                dh_group modp1024;
-        }
-        generate_policy on;
-}
-
-sainfo anonymous{
-        pfs_group 2;
-        encryption_algorithm aes_256;
-        authentication_algorithm hmac_md5;
-        compression_algorithm deflate;
-}
-
-
--- a/templates/racoon/ipsec.conf.header.erb
+++ b/templates/racoon/ipsec.conf.header.erb
--- a/templates/racoon/ipsec.conf.tunnel.erb
+++ b/templates/racoon/ipsec.conf.tunnel.erb
@ -1,12 +1,13 @@
 #
-# Tunnel
+# IPSec Tunnel
 # Name: <%= @title %>
 #
-#
+<%- @nets.each do |net| -%>
+<%- @netproto = net['proto'] ? net['proto'] : 'any' -%>

-<% @nets.each do |net| -%>
-spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec 
+spdadd <%= net['local'] %> <%= net['remote'] %> <%= @netproto %> -P out ipsec 
 	esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
-spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec 
+spdadd <%= net['remote'] %> <%= net['local'] %> <%= @netproto %> -P in ipsec 
 	esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
-<% end %>
+<%- end -%>
+
--- a/templates/racoon/racoon.conf.erb
+++ b/templates/racoon/racoon.conf.erb
@ -18,14 +18,15 @@ remote <%= @remote_ip %> {
 	<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
 	<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
 	<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
-	<%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5'  %>
+	<%- @p2hash = net['hash'] ? net['hash'] : @hash  %>
+	<%- @netproto = net['proto'] ? net['proto'] : 'any' -%>


-sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %>
+sainfo address <%= net['local'] %> <%= @netproto %> address <%= net['remote'] %> <%= @netproto %>
 {
 	pfs_group <%= @pfs_group %>;
 	encryption_algorithm <%= @saencryption %>;
-	authentication_algorithm <%= @p2hash %>;
+	authentication_algorithm hmac_<%= @p2hash %>;
 	compression_algorithm deflate;
 	lifetime time <%= @salifetime %>;
 }
--- a/templates/sainfo.erb
+++ b/templates/sainfo.erb
@ -0,0 +1,5 @@
+<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
+<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
+<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
+<%- @p2hash = net['hash'] ? net['hash'] : @hash  %>
+
--- a/templates/strongswan/ipsec.conf.tunnel.erb
+++ b/templates/strongswan/ipsec.conf.tunnel.erb
@ -1,14 +1,17 @@
+<%- @nets.each do |net| -%>
+<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" -%>
+<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption -%>
+<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group -%>
+<%- @p2hash = net['hash'] ? net['hash'] : @hash  -%>

-<% @nets.each do |net| -%>
-conn <%= @title %>
+conn "<%= @title %>"
        left=<%= @local_ip %>
 	leftsubnet=<%= net['local'] %>
 	right=<%= @remote_ip %>
        rightsubnet=<%= net['remote'] %>
-        ike=aes256-md5-modp1024
-        esp=aes256-md5-modp1024!
+	ike=<%= @encryption %>-<%= @hash %>-<%= @dh_group %>
+	esp=<%= @saencryption %>-<%= @p2hash %>-<%= @pfs_group %>
 	auto=start
 	authby=secret
        keyexchange=ikev1
-<% end %>
-
+<% end -%>