
Initial commit

master
7u83 5 years ago
parent
commit
42784659bc
  1. 18
      Gemfile
  2. 90
      README.md
  3. 32
      Rakefile
  4. 12
      examples/init.pp
  5. 126
      manifests/init.pp
  6. 61
      manifests/isakmpd.pp
  7. 33
      manifests/isakmpd_params.pp
  8. 42
      manifests/params.pp
  9. 128
      manifests/racoon.pp
  10. 39
      manifests/racoon_params.pp
  11. 63
      manifests/strongswan.pp
  12. 35
      manifests/strongswan_params.pp
  13. 23
      metadata.json
  14. BIN
      pkg/7u83-ipsec-0.1.0.tar.gz
  15. 18
      pkg/7u83-ipsec-0.1.0/Gemfile
  16. 89
      pkg/7u83-ipsec-0.1.0/README.md
  17. 32
      pkg/7u83-ipsec-0.1.0/Rakefile
  18. 29
      pkg/7u83-ipsec-0.1.0/checksums.json
  19. 12
      pkg/7u83-ipsec-0.1.0/examples/init.pp
  20. 126
      pkg/7u83-ipsec-0.1.0/manifests/init.pp
  21. 61
      pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp
  22. 33
      pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp
  23. 42
      pkg/7u83-ipsec-0.1.0/manifests/params.pp
  24. 128
      pkg/7u83-ipsec-0.1.0/manifests/racoon.pp
  25. 39
      pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp
  26. 63
      pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp
  27. 35
      pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp
  28. 21
      pkg/7u83-ipsec-0.1.0/metadata.json
  29. 6
      pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb
  30. 1
      pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb
  31. 5
      pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb
  32. 12
      pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb
  33. 3
      pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb
  34. 16
      pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb
  35. 28
      pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb
  36. 10
      pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb
  37. 12
      pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb
  38. 33
      pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb
  39. 29
      pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb
  40. 1
      pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb
  41. 14
      pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb
  42. 2
      pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb
  43. 6
      spec/classes/init_spec.rb
  44. 1
      spec/spec_helper.rb
  45. 5
      templates/ipsec_top.erb
  46. 12
      templates/ipsec_tunnel.erb
  47. 3
      templates/isakmpd_ipsec_conf_header.erb
  48. 16
      templates/isakmpd_tunnel.erb
  49. 28
      templates/racoon.conf.erb
  50. 10
      templates/racoon/ipsec.conf.transport.erb
  51. 12
      templates/racoon/ipsec.conf.tunnel.erb
  52. 33
      templates/racoon/racoon.conf.erb
  53. 29
      templates/racoon/racoon.conf.header.erb
  54. 1
      templates/strongswan/ipsec.conf.header.erb
  55. 14
      templates/strongswan/ipsec.conf.tunnel.erb
  56. 2
      templates/strongswan/ipsec.secrets.erb

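--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,18 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
+gem 'metadata-json-lint'
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 1.2.0'
+gem 'puppet-lint', '>= 1.0.0'
+gem 'facter', '>= 1.7.0'
+gem 'rspec-puppet'
+# rspec must be v2 for ruby 1.8.7
+if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'rspec', '~> 2.0'
+gem 'rake', '~> 10.0'
+else
+# rubocop requires ruby >= 1.9
+gem 'rubocop'
+end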
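Review bot: Nothing in this Gemfile is pinned: `gem 'puppet', puppetversion` resolves to `['>= 3.3']` when `PUPPET_VERSION` is unset, the remaining gems are floor-only or unversioned, and no `Gemfile.lock` is part of the commit, so every fresh `bundle install` takes whatever is newest and a breaking or compromised release lands without review. `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` additionally lets the environment redirect the whole toolchain to another index, which is fine for mirrors but deserves a comment such as `# GEM_SOURCE replaces the index for every gem below; point it only at a trusted mirror`. I would commit the lockfile and give at least `puppet` and `puppetlabs_spec_helper` an upper bound; which ceiling is right depends on the Puppet release the manifests are actually tested against, which this commit does not state.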

90
README.md

@ -1 +1,89 @@
# 7u83-ipsec
# ipsec
#### Table of Contents
1. [Description](#description)
1. [Setup - The basics of getting started with ipsec](#setup)
* [What ipsec affects](#what-ipsec-affects)
* [Setup requirements](#setup-requirements)
* [Beginning with ipsec](#beginning-with-ipsec)
1. [Usage - Configuration options and additional functionality](#usage)
1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
1. [Limitations - OS compatibility, etc.](#limitations)
1. [Development - Guide for contributing to the module](#development)
## Description
Start with a one- or two-sentence summary of what the module does and/or what
problem it solves. This is your 30-second elevator pitch for your module.
Consider including OS/Puppet version it works with.
You can give more descriptive information in a second paragraph. This paragraph
should answer the questions: "What does this module *do*?" and "Why would I use
it?" If your module has a range of functionality (installation, configuration,
management, etc.), this is the time to mention it.
## Setup
### What ipsec affects **OPTIONAL**
If it's obvious what your module touches, you can skip this section. For
example, folks can probably figure out that your mysql_instance module affects
their MySQL instances.
If there's more that they should know about, though, this is the place to mention:
* A list of files, packages, services, or operations that the module will alter,
impact, or execute.
* Dependencies that your module automatically installs.
* Warnings or other important notices.
### Setup Requirements **OPTIONAL**
If your module requires anything extra before setting up (pluginsync enabled,
etc.), mention it here.
If your most recent release breaks compatibility or requires particular steps
for upgrading, you might want to include an additional "Upgrading" section
here.
### Beginning with ipsec
The very basic steps needed for a user to get the module up and running. This
can include setup steps, if necessary, or it can be an example of the most
basic use of the module.
## Usage
This section is where you describe how to customize, configure, and do the
fancy stuff with your module here. It's especially helpful if you include usage
examples and code samples for doing things with your module.
## Reference
Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section.
* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation.
* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include:
* The data type, if applicable.
* A description of what the element does.
* Valid values, if the data type doesn't make it obvious.
* Default value, if any.
## Limitations
This is where you list OS compatibility, version compatibility, etc. If there
are Known Issues, you might want to include them under their own heading here.
## Development
Since your module is awesome, other users will want to play with it. Let them
know what the ground rules for contributing are.
## Release Notes/Contributors/Etc. **Optional**
If you aren't using changelog, put your release notes here (though you should
consider using changelog). You can also add any additional sections you feel
are necessary or important to include here. Please use the `## ` header.

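--- a/Rakefile
+++ b/Rakefile
@@ -0,0 +1,32 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+require 'metadata-json-lint/rake_task'
+if RUBY_VERSION >= '1.9'
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+end
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.relative = true
+PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp']
+desc 'Validate manifests, templates, and ruby files'
+task :validate do
+Dir['manifests/**/*.pp'].each do |manifest|
+sh "puppet parser validate --noop #{manifest}"
+end
+Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
+sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures}
+end
+Dir['templates/**/*.erb'].each do |template|
+sh "erb -P -x -T '-' #{template} | ruby -c"
+end
+end
+desc 'Run lint, validate, and spec tests.'
+task :test do
+[:lint, :validate, :spec].each do |test|
+Rake::Task[test].invoke
+end
+end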
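Review bot: `sh "puppet parser validate --noop #{manifest}"` and `sh "ruby -c #{ruby_file}"` interpolate glob results into a shell command line; the array form `sh 'puppet', 'parser', 'validate', '--noop', manifest` bypasses the shell and is the form Rake documents, with only the `erb ... | ruby -c` pipeline genuinely needing a shell string. `PuppetLint.configuration.ignore_paths` rightly excludes `pkg/**/*.pp`, but because the `pkg/` tree is committed in this same change it is a second copy of every manifest that neither `lint` nor `validate` ever checks. This is the stock module skeleton, so these are points of style rather than defects.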

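--- a/examples/init.pp
+++ b/examples/init.pp
@@ -0,0 +1,12 @@
+# The baseline for module testing used by Puppet Inc. is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation
+# errors and view a log of events) or by fully applying the test in a virtual
+# environment (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here:
+# https://docs.puppet.com/guides/tests_smoke.html
+#
+include ::ipsec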

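--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -0,0 +1,126 @@
+# Class: ipsec
+# ===========================
+#
+# Full description of class ipsec here.
+#
+# Parameters
+# ----------
+#
+# Document parameters here.
+#
+# * `sample parameter`
+# Explanation of what this parameter affects and what it defaults to.
+# e.g. "Specify one or more upstream ntp servers as an array."
+#
+# Variables
+# ----------
+#
+# Here you should define a list of variables that this module would require.
+#
+# * `sample variable`
+# Explanation of how this variable affects the function of this class and if
+# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
+# External Node Classifier as a comma separated list of hostnames." (Note,
+# global variables should be avoided in favor of class parameters as
+# of Puppet 2.6.)
+#
+# Examples
+# --------
+#
+# @example
+# class { 'ipsec':
+# }
+#
+# Authors
+# -------
+#
+# 7u83 <7u83@mail.ru>
+#
+# Copyright
+# ---------
+#
+# Copyright 2018 7u83@mail.ru
+#
+class ipsec(
+$version = 'latest',
+$ikedaemon = undef
+){
+if $ikedaemon == undef {
+case $::osfamily {
+'FreeBSD':{
+$ike_daemon = 'racoon'
+}
+'OpenBSD':{
+$ike_daemon = 'isakmpd'
+}
+default: {
+$ike_daemon = 'racoon'
+}
+}
+}
+else {
+$ike_daemon = $ikedaemon
+}
+$res = "ipsec::${ike_daemon}"
+class { "$res":
+version => $version
+}
+}
+define ipsec::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk,
+$hash = 'sha256',
+$encryption = 'aes256',
+$lifetime = '86400',
+$dh_group = 14,
+)
+{
+include ::ipsec
+$ikedaemon = $::ipsec::ike_daemon
+$res = "ipsec::${ikedaemon}::tunnel"
+Resource[$res] { "$title":
+local_ip => $local_ip,
+remote_ip => $remote_ip,
+nets => $nets,
+proto => $proto,
+psk => $psk,
+lifetime => $lifetime,
+hash => $hash,
+encryption => $encryption,
+dh_group => 14,
+}
+}
+define ipsec::transport (
+$local_ip,
+$remote_ip,
+$proto = "any",
+$psk
+)
+{
+include ::ipsec
+$ikedaemon = $::ipsec::ike_daemon
+$res = "ipsec::${ikedaemon}::transport"
+Resource[$res] { "$title":
+local_ip => $local_ip,
+remote_ip => $remote_ip,
+proto => $proto,
+psk => $psk
+}
+}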
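Review bot: `ipsec::tunnel` silently discards its `$dh_group` argument: the forwarding block passes the literal `dh_group => 14,` instead of `dh_group => $dh_group,`, so a caller asking for a stronger group gets group 14 with no error, and `14` is also a different naming scheme from the `'modp3072'` that `ipsec::racoon::tunnel` defaults to. The same block forwards `lifetime`, `hash`, `encryption` and `dh_group` unconditionally, but `ipsec::isakmpd::tunnel` and `ipsec::strongswan::tunnel` in this commit declare none of those parameters, so the wrapper only compiles when the backend is racoon. `$ikedaemon` is interpolated straight into a class name (`"ipsec::${ike_daemon}"`) without validation; limiting it to the three backends that exist, e.g. `validate_re($ike_daemon, '^(racoon|isakmpd|strongswan)$')` from the declared stdlib dependency, turns a typo into a clear failure instead of an "unknown class" error deep in the catalog. `$psk` also travels through the catalog and agent reports as a plain string; if the target Puppet supports it, wrapping it in `Sensitive`, or at minimum documenting in the class header that catalogs and reports will contain the key, is worth doing.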

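--- a/manifests/isakmpd.pp
+++ b/manifests/isakmpd.pp
@@ -0,0 +1,61 @@
+##
+class ipsec::isakmpd (
+$version = 'latest'
+) inherits ipsec::isakmpd_params {
+if $pkg_name != false {
+# if $pkg_provider_p != false {
+# $provider = $pkg_provider_p
+# }
+# else {
+# $provider = $pkg_provider
+# }
+package { 'isakmpd':
+name => $pkg_name,
+provider => $pkg_provider
+}
+}
+concat { "$ipsec_conf":
+mode => '0600'
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
+}
+exec { "$setkey_cmd":
+subscribe => Concat[ "$ipsec_conf" ],
+refreshonly => true
+}
+}
+define ipsec::isakmpd::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk
+){
+notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
+concat::fragment { "$title":
+target => "$::ipsec::isakmpd_params::ipsec_conf",
+content => template('ipsec/isakmpd_tunnel.erb')
+}
+}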
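Review bot: `ipsec::isakmpd` accepts `$version` but never applies it: `package { 'isakmpd': ... }` has no `ensure`, and nothing orders the package before `Concat[$ipsec_conf]` or before the `exec { "$setkey_cmd": ... }` that loads it, so on FreeBSD a first run can invoke `/sbin/ipsecctl -f /etc/ipsec.conf` before the port exists. `$isakmpd_service` is defined in the params class but no `service` resource uses it, so the daemon is never started, enabled, or restarted when the configuration changes. The `notify { "$title: ...": }` in `ipsec::isakmpd::tunnel` looks like a debugging leftover and will log on every agent run. I would add `ensure => $version` to the package, `require => Package['isakmpd']` to the exec, and a `service { 'isakmpd': name => $isakmpd_service, ensure => running, enable => true, subscribe => Concat[$ipsec_conf] }`, keeping the `mode => '0600'` on the concat since the PSK ends up inside ipsec.conf for this backend.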

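--- a/manifests/isakmpd_params.pp
+++ b/manifests/isakmpd_params.pp
@@ -0,0 +1,33 @@
+#
+class ipsec::isakmpd_params {
+case $::osfamily {
+'FreeBSD':{
+$pkg_name = "security/isakmpd"
+$pkg_provider = "portsng"
+$ipsec_conf = '/etc/ipsec.conf'
+$isakmpd_service = 'isakmpd'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+'OpenBSD':{
+$isakmpd_service = 'isakmpd'
+$pkg_name = false
+$pkg_provider = undef
+$ipsec_conf = '/etc/ipsec.conf'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/racoon-tools.conf'
+$racoon_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}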
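Review bot: The `default:` branch assigns `$racoon_service` twice (`'racoon'` and then `'setkey'`), and Puppet variables cannot be reassigned within a scope, so `ipsec::isakmpd` should fail to compile on every osfamily other than FreeBSD and OpenBSD; the branch is also a copy of racoon's variables and sets none of the names this class's consumer reads (`$pkg_name`, `$pkg_provider`, `$isakmpd_service`), which leaves `if $pkg_name != false` true with an undef package name. `$ipsec_conf = '/etc/racoon-tools.conf'` looks like a typo for the `/etc/ipsec-tools.conf` used in `racoon_params.pp`. Both BSD branches hard-code `/etc/ipsec.conf` inside `$setkey_cmd` rather than deriving it, so changing `$ipsec_conf` would write one file and load another; `$setkey_cmd = "/sbin/ipsecctl -f ${ipsec_conf}"` keeps them in step. `$pkg_provider = "portsng"` is not a provider name I recognise from core Puppet (`ports` and `pkgng` are), so it is worth confirming against the agent version in use.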

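--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -0,0 +1,42 @@
+#params
+class ipsec::params {
+case $::osfamily {
+'FreeBSD':{
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+'OpenBSD':{
+$ikedaemon = 'isakmpd'
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec-tools.conf'
+$ipsec_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}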
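Review bot: As far as this commit shows, `ipsec::params` is never inherited or referenced: `ipsec::racoon`, `ipsec::isakmpd` and `ipsec::strongswan` each inherit their own `*_params` class, so this file is dead code that will silently diverge (its OpenBSD branch already says `$racoon_pkg = 'ipsec-tools'` where `racoon_params.pp` says `'racoon-tools'`, and it sets `$ikedaemon` which nothing reads). Two sources of truth for paths, service names and file ownership is how a later fix lands in the wrong place; either delete this class or make the backend params classes inherit from it. If it stays, a header comment such as `# Unused: per-backend defaults live in racoon_params / isakmpd_params / strongswan_params` in place of `#params` would stop the next reader from editing it by mistake.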

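--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@@ -0,0 +1,128 @@
+# Racoon IPSec
+class ipsec::racoon (
+$version = 'latest'
+)inherits ipsec::racoon_params{
+package {'racoon':
+name => "$racoon_pkg",
+ensure => "$version",
+}
+service {'racoon':
+name => "$racoon_service",
+ensure => 'running',
+require => Concat["$racoon_conf"], #File['racoon_conf'],
+subscribe => Concat["$racoon_conf"],
+enable => true,
+}
+service {'ipsec':
+name => "$ipsec_service",
+enable => true,
+}
+exec { "$setkey_cmd -f $ipsec_conf":
+subscribe => Concat[ "$ipsec_conf" ],
+refreshonly => true
+}
+concat { "$racoon_conf":
+ensure => present
+}
+concat::fragment { "$racoon_conf header":
+target => "$racoon_conf",
+order => '00',
+content => template('ipsec/racoon/racoon.conf.header.erb'),
+}
+concat { "$ipsec_conf":
+ensure => present
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/ipsec_top.erb'),
+}
+concat { "$racoon_pskfile":
+owner => "$racoon_usr",
+group => "$racoon_grp",
+mode => '0600',
+ensure => present
+}
+concat::fragment { "pskfile_header":
+target => "$racoon_pskfile",
+order => '00',
+content => "#racoon psks\n",
+}
+}
+define ipsec::racoon::tunnel (
+$local_ip,
+$remote_ip,
+$encryption = 'blowfish',
+$hash = 'sha256',
+$dh_group = 'modp3072',
+$lifetime = '86400 sec',
+$nets,
+$proto = "any",
+$psk
+)
+{
+concat::fragment { "$title":
+target => "$::ipsec::racoon_params::ipsec_conf",
+content => template('ipsec/ipsec_tunnel.erb')
+}
+concat::fragment { "psk_$title":
+target => "$::ipsec::racoon_params::racoon_pskfile",
+content => "$remote_ip $psk\n"
+}
+concat::fragment { "racoon_conf_$title":
+target => "$::ipsec::racoon_params::racoon_conf",
+content => template('ipsec/racoon/racoon.conf.erb')
+}
+}
+define ipsec::racoon::transport (
+$local_ip,
+$remote_ip,
+$proto = "any",
+$encryption = 'blowfish',
+$hash = 'sha256',
+$dh_group = 'mopd3072',
+$psk
+)
+{
+concat::fragment { "$title":
+target => "$::ipsec::racoon_params::ipsec_conf",
+content => template('ipsec/racoon/ipsec.conf.transport.erb')
+}
+concat::fragment { "psk_$title":
+target => "$::ipsec::racoon_params::racoon_pskfile",
+content => "$remote_ip $psk\n"
+}
+}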
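Review bot: `ipsec::racoon::transport` defaults `$dh_group` to `'mopd3072'`, a typo for the `'modp3072'` that `ipsec::racoon::tunnel` uses; if the transport template emits it, racoon rejects the generated configuration and the service stays down. Both defined types default `$encryption` to `'blowfish'`, a 64-bit-block cipher, while the `ipsec::tunnel` wrapper in init.pp defaults to `'aes256'`, so the cipher a host negotiates depends on which entry point was used; I would make `$encryption = 'aes256'` the default here as well and say so in the header comment. `Service['racoon']` subscribes only to `Concat["$racoon_conf"]`, so a rotated key is written to `$racoon_pskfile` but not picked up until something else restarts the daemon; add `Concat["$racoon_pskfile"]` to that `subscribe`. The `"$remote_ip $psk\n"` fragments interpolate `$psk` unescaped into a whitespace-delimited file, so a key containing a space or newline corrupts psk.txt or injects a second entry, which a `validate_re` on the PSK (or at least a comment stating the format constraint) would catch. `Package['racoon']` has no ordering relative to the three concats or the exec, so on a fresh host the config directory may not exist when the files are written; `require => Package['racoon']` on the concats addresses that, though whether the package creates the directory depends on the distribution.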

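--- a/manifests/racoon_params.pp
+++ b/manifests/racoon_params.pp
@@ -0,0 +1,39 @@
+class ipsec::racoon_params {
+case $::osfamily {
+'FreeBSD':{
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+'OpenBSD':{
+$ikedaemon = 'isakmpd'
+$racoon_pkg = 'racoon-tools'
+# $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+# $racoon_conf = '/etc/racoon.conf'
+$ipsec_service = 'racoon'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec-tools.conf'
+$ipsec_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}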
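Review bot: The OpenBSD branch leaves both `$racoon_conf` assignments commented out and never sets `$ipsec_conf`, so with `ikedaemon => 'racoon'` on OpenBSD `ipsec::racoon` declares `concat { "": }`, `Concat[""]` relationships and an exec titled `/sbin/setkey -f ` — a failed compile or a broken run rather than a tunnel. Either finish the branch (choose one of the two commented `$racoon_conf` values and add an `$ipsec_conf`) or remove it and let init.pp's isakmpd default stand, with a comment such as `# racoon is not supported on OpenBSD; ipsec selects isakmpd there`. `$racoon_pkg = 'racoon-tools'` here against `'ipsec-tools'` for the same OS in `params.pp` suggests one of the two was never exercised, and I cannot tell from the hunk which package name is real. `$ikedaemon = 'isakmpd'` is assigned but nothing reads it.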

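--- a/manifests/strongswan.pp
+++ b/manifests/strongswan.pp
@@ -0,0 +1,63 @@
+##
+class ipsec::strongswan (
+$version = 'latest',
+$enable = $::ipsec::strongswan_params::service_enable
+) inherits ipsec::strongswan_params {
+package { 'strongswan':
+name => $pkg_name,
+provider => $pkg_provider,
+ensure => $version
+}
+service { 'strongswan':
+ensure => running,
+require => Package['strongswan'],
+subscribe => Concat[ "$ipsec_conf" ],
+enable => $enable
+}
+concat { "$secrets_file":
+owner => "$secrets_usr",
+group => "$secrets_grp",
+mode => '0600'
+}
+concat::fragment { "pskfile_header":
+target => "$secrets_file",
+order => '00',
+content => "#strongswan psks\n",
+}
+concat { "$ipsec_conf":
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/strongswan/ipsec.conf.header.erb'),
+}
+}
+define ipsec::strongswan::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk
+){
+concat::fragment { "$title":
+target => "$::ipsec::strongswan_params::ipsec_conf",
+content => template('ipsec/strongswan/ipsec.conf.tunnel.erb')
+}
+concat::fragment { "$title psk":
+target => "$::ipsec::strongswan_params::secrets_file",
+content => template('ipsec/strongswan/ipsec.secrets.erb')
+}
+}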
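Review bot: `service { 'strongswan': ... }` never sets `name => $service_name`, so `$service_name` from the params class is dead and the resource manages whatever service happens to be called `strongswan` on the host, which is exactly the platform difference the params comment about FreeBSD's rc script is worried about. The service subscribes only to `Concat[ "$ipsec_conf" ]`, while the PSKs are written to `$secrets_file`, so a key rotation updates ipsec.secrets without the daemon ever rereading it; add `Concat[ "$secrets_file" ]` to `subscribe`. `ipsec::strongswan::tunnel` accepts only `local_ip`, `remote_ip`, `nets`, `proto` and `psk`, but the `ipsec::tunnel` wrapper in init.pp also forwards `hash`, `encryption`, `lifetime` and `dh_group`, so the wrapper cannot compile against this backend; accepting those parameters and emitting them as `ike=`/`esp=` in the template would also make the negotiated algorithms explicit rather than leaving them to daemon defaults I cannot see in this hunk. `$enable = $::ipsec::strongswan_params::service_enable` works, but since the class already inherits that params class the default can simply be `$enable = $service_enable`.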

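--- a/manifests/strongswan_params.pp
+++ b/manifests/strongswan_params.pp
@@ -0,0 +1,35 @@
+#
+class ipsec::strongswan_params {
+case $::osfamily {
+'FreeBSD':{
+$pkg_name = "strongswan"
+$ipsec_conf = '/usr/local/etc/ipsec.conf'
+$service_name = 'strongswan'
+# strongswan's startup script confuses pupets
+# service enable, so we cannot enable the service
+$service_enable = undef
+$secrets_usr = 'root'
+$secrets_grp = 'wheel'
+$secrets_file = '/usr/local/etc/ipsec.secrets'
+}
+'OpenBSD':{
+$isakmpd_service = 'isakmpd'
+$pkg_name = false
+$pkg_provider = undef
+$ipsec_conf = '/etc/ipsec.conf'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+default: {
+$pkg_name = "strongswan"
+$ipsec_conf = '/etc/ipsec.conf'
+$service_name = 'strongswan'
+$service_enable = true
+$secrets_usr = 'root'
+$secrets_grp = 'root'
+$secrets_file = '/etc/ipsec.secrets'
+}
+}
+}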
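Review bot: The OpenBSD branch is a copy of `isakmpd_params` rather than strongswan settings: it sets `$isakmpd_service`, `$pkg_name = false` and `$setkey_cmd`, and none of `$secrets_file`, `$secrets_usr`, `$secrets_grp`, `$service_name` or `$service_enable` that `ipsec::strongswan` reads, so selecting strongswan on OpenBSD yields `package { 'strongswan': name => false }` and `concat { "": }`. Either populate the branch with real strongswan paths or fail fast with `fail("ipsec::strongswan is not supported on ${::osfamily}")`. Neither remaining branch sets `$pkg_provider`, which is harmless (`provider => undef`) but deserves a one-line comment so the inherited-variable lookup does not read as a bug, and the FreeBSD note would be clearer as `# Puppet's service provider cannot enable strongswan's rc script on FreeBSD, so enable is left unmanaged`.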

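--- a/metadata.json
+++ b/metadata.json
@@ -0,0 +1,23 @@
+{
+"name": "7u83-ipsec",
+"version": "0.1.0",
+"author": "7u83",
+"summary": "IPSec with racoon",
+"license": "Apache-2.0",
+"source": "",
+"project_page": null,
+"issues_url": null,
+"dependencies": [
+{
+"name": "puppetlabs-stdlib",
+"version_requirement": ">= 1.0.0"
+},
+{
+"name": "puppetlabs-concat",
+"version_requirement": ">= 1.0.0"
+}
+],
+"data_provider": null
+}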
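Review bot: Both dependencies are floor-only (`">= 1.0.0"`) with no upper bound, so a future major of `puppetlabs-concat` or `puppetlabs-stdlib` with changed semantics is pulled in automatically; bounding them, e.g. `"version_requirement": ">= 1.0.0 < 3.0.0"`, and adding `operatingsystem_support` for the three osfamilies the manifests branch on is the usual fix, though the right ceilings depend on which releases were actually tested. `"summary": "IPSec with racoon"` undersells a module that also ships isakmpd and strongswan backends, and `"source": ""` with a null `project_page` leaves a consumer no way to check where a published tarball came from. This commit also checks in the `pkg/` build output, including `pkg/7u83-ipsec-0.1.0.tar.gz` and a `checksums.json` of MD5 digests; a binary tarball cannot be reviewed and already drifts from source (the packaged `metadata.json` is 21 lines against 23 here), so `pkg/` belongs in `.gitignore` and the artifact in a release, not in the repository.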

BIN
pkg/7u83-ipsec-0.1.0.tar.gz

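--- a/pkg/7u83-ipsec-0.1.0/Gemfile
+++ b/pkg/7u83-ipsec-0.1.0/Gemfile
@@ -0,0 +1,18 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
+gem 'metadata-json-lint'
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 1.2.0'
+gem 'puppet-lint', '>= 1.0.0'
+gem 'facter', '>= 1.7.0'
+gem 'rspec-puppet'
+# rspec must be v2 for ruby 1.8.7
+if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+gem 'rspec', '~> 2.0'
+gem 'rake', '~> 10.0'
+else
+# rubocop requires ruby >= 1.9
+gem 'rubocop'
+end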

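--- a/pkg/7u83-ipsec-0.1.0/README.md
+++ b/pkg/7u83-ipsec-0.1.0/README.md
@@ -0,0 +1,89 @@
+# ipsec
+#### Table of Contents
+1. [Description](#description)
+1. [Setup - The basics of getting started with ipsec](#setup)
+* [What ipsec affects](#what-ipsec-affects)
+* [Setup requirements](#setup-requirements)
+* [Beginning with ipsec](#beginning-with-ipsec)
+1. [Usage - Configuration options and additional functionality](#usage)
+1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+1. [Limitations - OS compatibility, etc.](#limitations)
+1. [Development - Guide for contributing to the module](#development)
+## Description
+Start with a one- or two-sentence summary of what the module does and/or what
+problem it solves. This is your 30-second elevator pitch for your module.
+Consider including OS/Puppet version it works with.
+You can give more descriptive information in a second paragraph. This paragraph
+should answer the questions: "What does this module *do*?" and "Why would I use
+it?" If your module has a range of functionality (installation, configuration,
+management, etc.), this is the time to mention it.
+## Setup
+### What ipsec affects **OPTIONAL**
+If it's obvious what your module touches, you can skip this section. For
+example, folks can probably figure out that your mysql_instance module affects
+their MySQL instances.
+If there's more that they should know about, though, this is the place to mention:
+* A list of files, packages, services, or operations that the module will alter,
+impact, or execute.
+* Dependencies that your module automatically installs.
+* Warnings or other important notices.
+### Setup Requirements **OPTIONAL**
+If your module requires anything extra before setting up (pluginsync enabled,
+etc.), mention it here.
+If your most recent release breaks compatibility or requires particular steps
+for upgrading, you might want to include an additional "Upgrading" section
+here.
+### Beginning with ipsec
+The very basic steps needed for a user to get the module up and running. This
+can include setup steps, if necessary, or it can be an example of the most
+basic use of the module.
+## Usage
+This section is where you describe how to customize, configure, and do the
+fancy stuff with your module here. It's especially helpful if you include usage
+examples and code samples for doing things with your module.
+## Reference
+Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section.
+* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation.
+* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include:
+* The data type, if applicable.
+* A description of what the element does.
+* Valid values, if the data type doesn't make it obvious.
+* Default value, if any.
+## Limitations
+This is where you list OS compatibility, version compatibility, etc. If there
+are Known Issues, you might want to include them under their own heading here.
+## Development
+Since your module is awesome, other users will want to play with it. Let them
+know what the ground rules for contributing are.
+## Release Notes/Contributors/Etc. **Optional**
+If you aren't using changelog, put your release notes here (though you should
+consider using changelog). You can also add any additional sections you feel
+are necessary or important to include here. Please use the `## ` header.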

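--- a/pkg/7u83-ipsec-0.1.0/Rakefile
+++ b/pkg/7u83-ipsec-0.1.0/Rakefile
@@ -0,0 +1,32 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+require 'metadata-json-lint/rake_task'
+if RUBY_VERSION >= '1.9'
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+end
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.relative = true
+PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp']
+desc 'Validate manifests, templates, and ruby files'
+task :validate do
+Dir['manifests/**/*.pp'].each do |manifest|
+sh "puppet parser validate --noop #{manifest}"
+end
+Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
+sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures}
+end
+Dir['templates/**/*.erb'].each do |template|
+sh "erb -P -x -T '-' #{template} | ruby -c"
+end
+end
+desc 'Run lint, validate, and spec tests.'
+task :test do
+[:lint, :validate, :spec].each do |test|
+Rake::Task[test].invoke
+end
+end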

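--- a/pkg/7u83-ipsec-0.1.0/checksums.json
+++ b/pkg/7u83-ipsec-0.1.0/checksums.json
@@ -0,0 +1,29 @@
+{
+"Gemfile": "0b0ef34a57239868636b26141342423f",
+"README.md": "a5b4536f36ecfaf9b006108e3eef7c19",
+"Rakefile": "158b889261acd98356f6e0f2a031b6b9",
+"examples/init.pp": "43f2a9901e66401685dfe3d4db835c34",
+"manifests/init.pp": "93c3f7d6596d15b3fdfa1c49e4863437",
+"manifests/isakmpd.pp": "424a6dae7d294cdb79c71f3f1fe8660d",
+"manifests/isakmpd_params.pp": "a75273d0f3577c540a48dc71be0423d9",
+"manifests/params.pp": "c4981d62b9ea633cd59a034eb9c846d0",
+"manifests/racoon.pp": "0b40af7e75e6481324193c9d86fcd6e7",
+"manifests/racoon_params.pp": "5582629736d3cd7d8f4c55a24603f665",
+"manifests/strongswan.pp": "9652c2c317e5f910f71559744216daf4",
+"manifests/strongswan_params.pp": "39fa38f2249f9f0e26620f5ece60f4df",
+"metadata.json": "65900ebf8697e32ecc5c5c8232efab54",
+"spec/classes/init_spec.rb": "4bf5fa4da7c89cacc52ee8de94848bc5",
+"spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc",
+"templates/ipsec_top.erb": "e84bf026bd13924bba8606192219162e",
+"templates/ipsec_tunnel.erb": "6419c0f349a26aa7d2623b99cd724012",
+"templates/isakmpd_ipsec_conf_header.erb": "e13d611da756f7dced378eb6afb12b7f",
+"templates/isakmpd_tunnel.erb": "d7155f03563e5d9ff437846d8373cc1f",
+"templates/racoon/ipsec.conf.transport.erb": "b65510f46b902b6806b26055bcb474c2",
+"templates/racoon/ipsec.conf.tunnel.erb": "6419c0f349a26aa7d2623b99cd724012",
+"templates/racoon/racoon.conf.erb": "9f5be0e2ad7abe40c55d9ffb606931a7",
+"templates/racoon/racoon.conf.header.erb": "aa534ff37ee53159ade7e952bbb8a155",
+"templates/racoon.conf.erb": "2a719ba6af007ca9df04fd86a06381c0",
+"templates/strongswan/ipsec.conf.header.erb": "07a651b7d80189be95a8aa81ea4e1cd7",
+"templates/strongswan/ipsec.conf.tunnel.erb": "169545c847f3a04711e63b27ef63e849",
+"templates/strongswan/ipsec.secrets.erb": "0b76db8372d2083ac0a1abb89aad6ab2"
+}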

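--- a/pkg/7u83-ipsec-0.1.0/examples/init.pp
+++ b/pkg/7u83-ipsec-0.1.0/examples/init.pp
@@ -0,0 +1,12 @@
+# The baseline for module testing used by Puppet Inc. is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation
+# errors and view a log of events) or by fully applying the test in a virtual
+# environment (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here:
+# https://docs.puppet.com/guides/tests_smoke.html
+#
+include ::ipsec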

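--- a/pkg/7u83-ipsec-0.1.0/manifests/init.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/init.pp
@@ -0,0 +1,126 @@
+# Class: ipsec
+# ===========================
+#
+# Full description of class ipsec here.
+#
+# Parameters
+# ----------
+#
+# Document parameters here.
+#
+# * `sample parameter`
+# Explanation of what this parameter affects and what it defaults to.
+# e.g. "Specify one or more upstream ntp servers as an array."
+#
+# Variables
+# ----------
+#
+# Here you should define a list of variables that this module would require.
+#
+# * `sample variable`
+# Explanation of how this variable affects the function of this class and if
+# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
+# External Node Classifier as a comma separated list of hostnames." (Note,
+# global variables should be avoided in favor of class parameters as
+# of Puppet 2.6.)
+#
+# Examples
+# --------
+#
+# @example
+# class { 'ipsec':
+# }
+#
+# Authors
+# -------
+#
+# 7u83 <7u83@mail.ru>
+#
+# Copyright
+# ---------
+#
+# Copyright 2018 7u83@mail.ru
+#
+class ipsec(
+$version = 'latest',
+$ikedaemon = undef
+){
+if $ikedaemon == undef {
+case $::osfamily {
+'FreeBSD':{
+$ike_daemon = 'racoon'
+}
+'OpenBSD':{
+$ike_daemon = 'isakmpd'
+}
+default: {
+$ike_daemon = 'racoon'
+}
+}
+}
+else {
+$ike_daemon = $ikedaemon
+}
+$res = "ipsec::${ike_daemon}"
+class { "$res":
+version => $version
+}
+}
+define ipsec::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk,
+$hash = 'sha256',
+$encryption = 'aes256',
+$lifetime = '86400',
+$dh_group = 14,
+)
+{
+include ::ipsec
+$ikedaemon = $::ipsec::ike_daemon
+$res = "ipsec::${ikedaemon}::tunnel"
+Resource[$res] { "$title":
+local_ip => $local_ip,
+remote_ip => $remote_ip,
+nets => $nets,
+proto => $proto,
+psk => $psk,
+lifetime => $lifetime,
+hash => $hash,
+encryption => $encryption,
+dh_group => 14,
+}
+}
+define ipsec::transport (
+$local_ip,
+$remote_ip,
+$proto = "any",
+$psk
+)
+{
+include ::ipsec
+$ikedaemon = $::ipsec::ike_daemon
+$res = "ipsec::${ikedaemon}::transport"
+Resource[$res] { "$title":
+local_ip => $local_ip,
+remote_ip => $remote_ip,
+proto => $proto,
+psk => $psk
+}
+}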

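--- a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp
@@ -0,0 +1,61 @@
+##
+class ipsec::isakmpd (
+$version = 'latest'
+) inherits ipsec::isakmpd_params {
+if $pkg_name != false {
+# if $pkg_provider_p != false {
+# $provider = $pkg_provider_p
+# }
+# else {
+# $provider = $pkg_provider
+# }
+package { 'isakmpd':
+name => $pkg_name,
+provider => $pkg_provider
+}
+}
+concat { "$ipsec_conf":
+mode => '0600'
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
+}
+exec { "$setkey_cmd":
+subscribe => Concat[ "$ipsec_conf" ],
+refreshonly => true
+}
+}
+define ipsec::isakmpd::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk
+){
+notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
+concat::fragment { "$title":
+target => "$::ipsec::isakmpd_params::ipsec_conf",
+content => template('ipsec/isakmpd_tunnel.erb')
+}
+}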

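--- a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp
@@ -0,0 +1,33 @@
+#
+class ipsec::isakmpd_params {
+case $::osfamily {
+'FreeBSD':{
+$pkg_name = "security/isakmpd"
+$pkg_provider = "portsng"
+$ipsec_conf = '/etc/ipsec.conf'
+$isakmpd_service = 'isakmpd'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+'OpenBSD':{
+$isakmpd_service = 'isakmpd'
+$pkg_name = false
+$pkg_provider = undef
+$ipsec_conf = '/etc/ipsec.conf'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/racoon-tools.conf'
+$racoon_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}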

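--- a/pkg/7u83-ipsec-0.1.0/manifests/params.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/params.pp
@@ -0,0 +1,42 @@
+#params
+class ipsec::params {
+case $::osfamily {
+'FreeBSD':{
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+'OpenBSD':{
+$ikedaemon = 'isakmpd'
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec-tools.conf'
+$ipsec_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}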

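--- a/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp
@@ -0,0 +1,128 @@
+# Racoon IPSec
+class ipsec::racoon (
+$version = 'latest'
+)inherits ipsec::racoon_params{
+package {'racoon':
+name => "$racoon_pkg",
+ensure => "$version",
+}
+service {'racoon':
+name => "$racoon_service",
+ensure => 'running',
+require => Concat["$racoon_conf"], #File['racoon_conf'],
+subscribe => Concat["$racoon_conf"],
+enable => true,
+}
+service {'ipsec':
+name => "$ipsec_service",
+enable => true,
+}
+exec { "$setkey_cmd -f $ipsec_conf":
+subscribe => Concat[ "$ipsec_conf" ],
+refreshonly => true
+}
+concat { "$racoon_conf":
+ensure => present
+}
+concat::fragment { "$racoon_conf header":
+target => "$racoon_conf",
+order => '00',
+content => template('ipsec/racoon/racoon.conf.header.erb'),
+}
+concat { "$ipsec_conf":
+ensure => present
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/ipsec_top.erb'),
+}
+concat { "$racoon_pskfile":
+owner => "$racoon_usr",
+group => "$racoon_grp",
+mode => '0600',
+ensure => present
+}
+concat::fragment { "pskfile_header":
+target => "$racoon_pskfile",
+order => '00',
+content => "#racoon psks\n",
+}
+}
+define ipsec::racoon::tunnel (
+$local_ip,
+$remote_ip,
+$encryption = 'blowfish',
+$hash = 'sha256',
+$dh_group = 'modp3072',
+$lifetime = '86400 sec',
+$nets,
+$proto = "any",
+$psk
+)
+{
+concat::fragment { "$title":
+target => "$::ipsec::racoon_params::ipsec_conf",
+content => template('ipsec/ipsec_tunnel.erb')
+}
+concat::fragment { "psk_$title":
+target => "$::ipsec::racoon_params::racoon_pskfile",
+content => "$remote_ip $psk\n"
+}
+concat::fragment { "racoon_conf_$title":
+target => "$::ipsec::racoon_params::racoon_conf",
+content => template('ipsec/racoon/racoon.conf.erb')
+}
+}
+define ipsec::racoon::transport (
+$local_ip,
+$remote_ip,
+$proto = "any",
+$encryption = 'blowfish',
+$hash = 'sha256',
+$dh_group = 'mopd3072',
+$psk
+)
+{
+concat::fragment { "$title":
+target => "$::ipsec::racoon_params::ipsec_conf",
+content => template('ipsec/racoon/ipsec.conf.transport.erb')
+}
+concat::fragment { "psk_$title":
+target => "$::ipsec::racoon_params::racoon_pskfile",
+content => "$remote_ip $psk\n"
+}
+}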
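Review bot: `$dh_group = 'mopd3072'` in `ipsec::racoon::transport` is a typo for `'modp3072'` (the tunnel define above spells it correctly), so any caller relying on the default gets a proposal racoon cannot parse. The pre-shared key is written as `"$remote_ip $psk\n"` into a `0600` file, which is right, but `$psk` is a plain parameter and therefore also lands in the catalog and agent report in clear text; if the supported Puppet version has the `Sensitive` type, declare it as such. `ensure => "$version"` with the default `'latest'` turns every agent run into a potential unattended upgrade of the IKE daemon; `present` is the safer default for a service that carries live tunnels. Packaged copy; the fix belongs in manifests/racoon.pp.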

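--- a/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp
@@ -0,0 +1,39 @@
+class ipsec::racoon_params {
+case $::osfamily {
+'FreeBSD':{
+$racoon_pkg = 'ipsec-tools'
+$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec.conf'
+$ipsec_service = 'ipsec'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+'OpenBSD':{
+$ikedaemon = 'isakmpd'
+$racoon_pkg = 'racoon-tools'
+# $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+# $racoon_conf = '/etc/racoon.conf'
+$ipsec_service = 'racoon'
+$setkey_cmd = '/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'wheel'
+}
+default: {
+$racoon_pkg = 'racoon'
+$racoon_conf = '/etc/racoon/racoon.conf'
+$racoon_pskfile = '/etc/racoon/psk.txt'
+$racoon_service = 'racoon'
+$ipsec_conf = '/etc/ipsec-tools.conf'
+$ipsec_service = 'setkey'
+$setkey_cmd = '/usr/sbin/setkey'
+$racoon_usr = 'root'
+$racoon_grp = 'root'
+}
+}
+}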

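--- a/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp
@@ -0,0 +1,63 @@
+##
+class ipsec::strongswan (
+$version = 'latest',
+$enable = $::ipsec::strongswan_params::service_enable
+) inherits ipsec::strongswan_params {
+package { 'strongswan':
+name => $pkg_name,
+provider => $pkg_provider,
+ensure => $version
+}
+service { 'strongswan':
+ensure => running,
+require => Package['strongswan'],
+subscribe => Concat[ "$ipsec_conf" ],
+enable => $enable
+}
+concat { "$secrets_file":
+owner => "$secrets_usr",
+group => "$secrets_grp",
+mode => '0600'
+}
+concat::fragment { "pskfile_header":
+target => "$secrets_file",
+order => '00',
+content => "#strongswan psks\n",
+}
+concat { "$ipsec_conf":
+}
+concat::fragment { "ipsec_conf_header":
+target => "$ipsec_conf",
+order => '00',
+content => template('ipsec/strongswan/ipsec.conf.header.erb'),
+}
+}
+define ipsec::strongswan::tunnel (
+$local_ip,
+$remote_ip,
+$nets,
+$proto = "any",
+$psk
+){
+concat::fragment { "$title":
+target => "$::ipsec::strongswan_params::ipsec_conf",
+content => template('ipsec/strongswan/ipsec.conf.tunnel.erb')
+}
+concat::fragment { "$title psk":
+target => "$::ipsec::strongswan_params::secrets_file",
+content => template('ipsec/strongswan/ipsec.secrets.erb')
+}
+}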

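--- a/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp
+++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp
@@ -0,0 +1,35 @@
+#
+class ipsec::strongswan_params {
+case $::osfamily {
+'FreeBSD':{
+$pkg_name = "strongswan"
+$ipsec_conf = '/usr/local/etc/ipsec.conf'
+$service_name = 'strongswan'
+# strongswan's startup script confuses pupets
+# service enable, so we cannot enable the service
+$service_enable = undef
+$secrets_usr = 'root'
+$secrets_grp = 'wheel'
+$secrets_file = '/usr/local/etc/ipsec.secrets'
+}
+'OpenBSD':{
+$isakmpd_service = 'isakmpd'
+$pkg_name = false
+$pkg_provider = undef
+$ipsec_conf = '/etc/ipsec.conf'
+$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+}
+default: {
+$pkg_name = "strongswan"
+$ipsec_conf = '/etc/ipsec.conf'
+$service_name = 'strongswan'
+$service_enable = true
+$secrets_usr = 'root'
+$secrets_grp = 'root'
+$secrets_file = '/etc/ipsec.secrets'
+}
+}
+}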
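Review bot: The `'OpenBSD'` branch is a copy of the isakmpd parameters and never sets `$service_name`, `$service_enable`, `$secrets_usr`, `$secrets_grp` or `$secrets_file`, so `ipsec::strongswan` on OpenBSD declares `concat { "$secrets_file": }` with an empty title and the catalog fails to compile. Either fill in the strongswan paths for OpenBSD or replace the branch body with `fail("ipsec::strongswan is not supported on ${::osfamily}")` so the error is explicit. The same gap exists in `ipsec::racoon_params`, whose OpenBSD branch has `$racoon_conf` commented out and `$ipsec_conf` missing while `ipsec::racoon` declares concat resources titled with both. `$service_enable = undef` on FreeBSD means the daemon is never enabled at boot; the inline comment explains why, but the README should say so. Packaged copy; the fix belongs in manifests/strongswan_params.pp and manifests/racoon_params.pp.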

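--- a/pkg/7u83-ipsec-0.1.0/metadata.json
+++ b/pkg/7u83-ipsec-0.1.0/metadata.json
@@ -0,0 +1,21 @@
+{
+"name": "7u83-ipsec",
+"version": "0.1.0",
+"author": "7u83",
+"summary": "IPSec with racoon",
+"license": "Apache-2.0",
+"source": "",
+"project_page": null,
+"issues_url": null,
+"dependencies": [
+{
+"name": "puppetlabs-stdlib",
+"version_requirement": ">= 1.0.0"
+},
+{
+"name": "puppetlabs-concat",
+"version_requirement": ">= 1.0.0"
+}
+],
+"data_provider": null
+}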

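--- a/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb
+++ b/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb
@@ -0,0 +1,6 @@
+require 'spec_helper'
+describe 'ipsec' do
+context 'with default values for all parameters' do
+it { should contain_class('ipsec') }
+end
+end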

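--- a/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb
+++ b/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'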

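--- a/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb
@@ -0,0 +1,5 @@
+# Managed by puppet
+#
+flush;
+spdflush;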

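--- a/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb
@@ -0,0 +1,12 @@
+#
+# Tunnel
+# Name: <%= @title %>
+#
+#
+<% @nets.each do |net| -%>
+spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
+esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
+spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
+esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
+<% end %>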

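--- a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb
@@ -0,0 +1,3 @@
+#
+# Managed by Puppet
+#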

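--- a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb
@@ -0,0 +1,16 @@
+#
+# Tunnel
+# Name: <%= @title %>
+#
+#
+<% @nets.each do |net| -%>
+ike esp from <%= net['local'] %> to <%= net['remote'] %> \
+local <%= @local_ip %> peer <%= @remote_ip %> \
+main auth hmac-md5 enc aes-256 group modp1024 \
+quick auth hmac-md5 enc aes-256 group modp1024 \
+psk "<%= @psk %>"
+<% end %>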

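--- a/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb
@@ -0,0 +1,28 @@
+#
+# racoon.conf Managed by Puppet
+#
+log notify;
+path pre_shared_key "<%= @racoon_pskfile %>";
+path certificate "/etc/racoon/certs";
+remote anonymous {
+exchange_mode main;
+proposal {
+encryption_algorithm aes_256;
+hash_algorithm md5;
+authentication_method pre_shared_key;
+dh_group modp1024;
+}
+generate_policy on;
+}
+sainfo anonymous{
+pfs_group 2;
+encryption_algorithm aes_256;
+authentication_algorithm hmac_md5;
+compression_algorithm deflate;
+}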

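--- a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb
@@ -0,0 +1,10 @@
+#
+# Transport
+# Name: <%= @title %>
+#
+spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec
+esp/transport//require;
+spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec
+esp/transport//require;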
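Review bot: Both `spdadd` policies use `-P out`; the second one, with source and destination swapped, is the inbound policy and has to be `-P in`, otherwise no inbound transport-mode policy is installed and traffic from the peer is not required to arrive protected. Change it to `spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec`. The tunnel template next to this one already uses `-P in` for the reverse direction. Packaged copy; the fix belongs in templates/racoon/ipsec.conf.transport.erb.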

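--- a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb
@@ -0,0 +1,12 @@
+#
+# Tunnel
+# Name: <%= @title %>
+#
+#
+<% @nets.each do |net| -%>
+spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
+esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
+spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
+esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
+<% end %>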

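--- a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb
@@ -0,0 +1,33 @@
+#
+# remote $title
+#
+remote <%= @remote_ip %> {
+exchange_mode main;
+proposal {
+encryption_algorithm <%= @encryption %>;
+hash_algorithm <%= @hash %>;
+dh_group <%= @dh_group %>;
+lifetime time <%= @lifetime %>;
+authentication_method pre_shared_key;
+}
+# generate_policy on;
+}
+<% @nets.each do |net| -%>
+<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
+<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
+<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
+<%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %>
+sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %>
+{
+pfs_group <%= @pfs_group %>;
+encryption_algorithm <%= @saencryption %>;
+authentication_algorithm <%= @p2hash %>;
+compression_algorithm deflate;
+lifetime time <%= @salifetime %>;
+}
+<% end -%>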

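--- a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb
@@ -0,0 +1,29 @@
+#
+# racoon.conf Managed by Puppet
+# will be overwritten at next puppet run
+#
+log notify;
+path pre_shared_key "<%= @racoon_pskfile %>";
+path certificate "/etc/racoon/certs";
+#remote anonymous {
+# exchange_mode main;
+# proposal {
+# encryption_algorithm aes_256;
+# hash_algorithm md5;
+# authentication_method pre_shared_key;
+# dh_group modp1024;
+# }
+# generate_policy on;
+#}
+#sainfo anonymous{
+# pfs_group 2;
+# encryption_algorithm aes_256;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}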

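--- a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb
@@ -0,0 +1 @@
+#managed by puppet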

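--- a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb
@@ -0,0 +1,14 @@
+<% @nets.each do |net| -%>
+conn <%= @title %>
+left=<%= @local_ip %>
+leftsubnet=<%= net['local'] %>
+right=<%= @remote_ip %>
+rightsubnet=<%= net['remote'] %>
+ike=aes256-md5-modp1024
+esp=aes256-md5-modp1024!
+auto=start
+authby=secret
+keyexchange=ikev1
+<% end %>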
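Review bot: `conn <%= @title %>` is emitted inside the `@nets.each` loop, so a tunnel with more than one net renders several `conn` sections with the same name and only one of them survives in strongswan; iterate with `<% @nets.each_with_index do |net, i| -%>` and name each one `conn <%= @title %>-<%= i %>`. The proposal is hard-coded to `ike=aes256-md5-modp1024` and `esp=aes256-md5-modp1024!` with `keyexchange=ikev1`, whereas `ipsec::racoon::tunnel` exposes `$encryption`, `$hash` and `$dh_group`; `ipsec::strongswan::tunnel` should take the same parameters so operators can move off MD5 integrity and 1024-bit DH without editing the template. Packaged copy; the fix belongs in templates/strongswan/ipsec.conf.tunnel.erb.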

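--- a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb
+++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb
@@ -0,0 +1,2 @@
+<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>"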
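Review bot: `<% @remote_ip %>` is missing the `=`, so the remote address is evaluated but never printed and the line becomes `<local_ip>  : PSK "..."`; with only the local selector present the secret matches any peer of that local address rather than the one tunnel it was declared for. Change the line to `<%= @local_ip %> <%= @remote_ip %> : PSK "<%= @psk %>"`. A PSK containing a double quote or newline would also break the quoted field, so the define should validate the value before it reaches the template. Packaged copy; the fix belongs in templates/strongswan/ipsec.secrets.erb.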

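--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -0,0 +1,6 @@
+require 'spec_helper'
+describe 'ipsec' do
+context 'with default values for all parameters' do
+it { should contain_class('ipsec') }
+end
+end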

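--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'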

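--- a/templates/ipsec_top.erb
+++ b/templates/ipsec_top.erb
@@ -0,0 +1,5 @@
+# Managed by puppet
+#
+flush;
+spdflush;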

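--- a/templates/ipsec_tunnel.erb
+++ b/templates/ipsec_tunnel.erb
@@ -0,0 +1,12 @@
+#
+# Tunnel
+# Name: <%= @title %>
+#
+#
+<% @nets.each do |net| -%>
+spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
+esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
+spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
+esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
+<% end %>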
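Review bot: The template reads `net['proto']` for every net but never the `$proto` parameter (default `"any"`) that `ipsec::racoon::tunnel` declares, so a net hash without a `proto` key renders an empty selector; setkey then rejects the whole ipsec.conf and the policies of every other tunnel in the file are lost with it. Either fall back with `<%= net['proto'] || @proto %>` in both `spdadd` lines or validate in the define that each net carries `local`, `remote` and `proto`. The packaged copy under pkg/ and templates/racoon/ipsec.conf.tunnel.erb repeat the same pattern.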

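--- a/templates/isakmpd_ipsec_conf_header.erb
+++ b/templates/isakmpd_ipsec_conf_header.erb
@@ -0,0 +1,3 @@
+#
+# Managed by Puppet
+#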

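--- a/templates/isakmpd_tunnel.erb
+++ b/templates/isakmpd_tunnel.erb
@@ -0,0 +1,16 @@
+#
+# Tunnel
+# Name: <%= @title %>
+#
+#
+<% @nets.each do |net| -%>
+ike esp from <%= net['local'] %> to <%= net['remote'] %> \
+local <%= @local_ip %> peer <%= @remote_ip %> \
+main auth hmac-md5 enc aes-256 group modp1024 \
+quick auth hmac-md5 enc aes-256 group modp1024 \
+psk "<%= @psk %>"
+<% end %>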
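Review bot: The proposal is fixed to `auth hmac-md5 enc aes-256 group modp1024` for both main and quick mode, so an operator cannot choose a stronger integrity algorithm or DH group without editing the template; `ipsec::racoon::tunnel` already exposes `$hash` and `$dh_group`, and this template should read equivalent parameters (the `ipsec::isakmpd::tunnel` define lies outside this view, so I cannot confirm which parameters it takes today). The PSK is also interpolated verbatim inside double quotes, so a key containing `"` or a newline corrupts ipsec.conf for every tunnel in the file; validate the value in the define before it reaches the template. The pkg/ copy of this template repeats both points.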