From 42784659bca63d874abf01e6a74deff2b2b66074 Mon Sep 17 00:00:00 2001 
From: 7u83 <7u83@mail.ru> Date: Wed, 21 Feb 2018 16:31:53 +0100 Subject: [PATCH] Initial commit --- Gemfile | 18 +++ README.md | 90 +++++++++++- Rakefile | 32 +++++ examples/init.pp | 12 ++ manifests/init.pp | 126 +++++++++++++++++ manifests/isakmpd.pp | 61 +++++++++ manifests/isakmpd_params.pp | 33 +++++ manifests/params.pp | 42 ++++++ manifests/racoon.pp | 128 ++++++++++++++++++ manifests/racoon_params.pp | 39 ++++++ manifests/strongswan.pp | 63 +++++++++ manifests/strongswan_params.pp | 35 +++++ metadata.json | 23 ++++ pkg/7u83-ipsec-0.1.0.tar.gz | Bin 0 -> 7747 bytes pkg/7u83-ipsec-0.1.0/Gemfile | 18 +++ pkg/7u83-ipsec-0.1.0/README.md | 89 ++++++++++++ pkg/7u83-ipsec-0.1.0/Rakefile | 32 +++++ pkg/7u83-ipsec-0.1.0/checksums.json | 29 ++++ pkg/7u83-ipsec-0.1.0/examples/init.pp | 12 ++ pkg/7u83-ipsec-0.1.0/manifests/init.pp | 126 +++++++++++++++++ pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp | 61 +++++++++ .../manifests/isakmpd_params.pp | 33 +++++ pkg/7u83-ipsec-0.1.0/manifests/params.pp | 42 ++++++ pkg/7u83-ipsec-0.1.0/manifests/racoon.pp | 128 ++++++++++++++++++ .../manifests/racoon_params.pp | 39 ++++++ pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp | 63 +++++++++ .../manifests/strongswan_params.pp | 35 +++++ pkg/7u83-ipsec-0.1.0/metadata.json | 21 +++ .../spec/classes/init_spec.rb | 6 + pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb | 1 + pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb | 5 + .../templates/ipsec_tunnel.erb | 12 ++ .../templates/isakmpd_ipsec_conf_header.erb | 3 + .../templates/isakmpd_tunnel.erb | 16 +++ .../templates/racoon.conf.erb | 28 ++++ .../templates/racoon/ipsec.conf.transport.erb | 10 ++ .../templates/racoon/ipsec.conf.tunnel.erb | 12 ++ .../templates/racoon/racoon.conf.erb | 33 +++++ .../templates/racoon/racoon.conf.header.erb | 29 ++++ .../strongswan/ipsec.conf.header.erb | 1 + .../strongswan/ipsec.conf.tunnel.erb | 14 ++ .../templates/strongswan/ipsec.secrets.erb | 2 + spec/classes/init_spec.rb | 6 + spec/spec_helper.rb | 1 + 
templates/ipsec_top.erb | 5 + templates/ipsec_tunnel.erb | 12 ++ templates/isakmpd_ipsec_conf_header.erb | 3 + templates/isakmpd_tunnel.erb | 16 +++ templates/racoon.conf.erb | 28 ++++ templates/racoon/ipsec.conf.transport.erb | 10 ++ templates/racoon/ipsec.conf.tunnel.erb | 12 ++ templates/racoon/racoon.conf.erb | 33 +++++ templates/racoon/racoon.conf.header.erb | 29 ++++ templates/strongswan/ipsec.conf.header.erb | 1 + templates/strongswan/ipsec.conf.tunnel.erb | 14 ++ templates/strongswan/ipsec.secrets.erb | 2 + 56 files changed, 1773 insertions(+), 1 deletion(-) create mode 100644 Gemfile create mode 100644 Rakefile create mode 100644 examples/init.pp create mode 100644 manifests/init.pp create mode 100644 manifests/isakmpd.pp create mode 100644 manifests/isakmpd_params.pp create mode 100644 manifests/params.pp create mode 100644 manifests/racoon.pp create mode 100644 manifests/racoon_params.pp create mode 100644 manifests/strongswan.pp create mode 100644 manifests/strongswan_params.pp create mode 100644 metadata.json create mode 100644 pkg/7u83-ipsec-0.1.0.tar.gz create mode 100644 pkg/7u83-ipsec-0.1.0/Gemfile create mode 100644 pkg/7u83-ipsec-0.1.0/README.md create mode 100644 pkg/7u83-ipsec-0.1.0/Rakefile create mode 100644 pkg/7u83-ipsec-0.1.0/checksums.json create mode 100644 pkg/7u83-ipsec-0.1.0/examples/init.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/init.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/params.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/racoon.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp create mode 100644 pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp create mode 100644 pkg/7u83-ipsec-0.1.0/metadata.json create mode 100644 pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb create mode 100644 
pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb create mode 100644 pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb create mode 100644 spec/classes/init_spec.rb create mode 100644 spec/spec_helper.rb create mode 100644 templates/ipsec_top.erb create mode 100644 templates/ipsec_tunnel.erb create mode 100644 templates/isakmpd_ipsec_conf_header.erb create mode 100644 templates/isakmpd_tunnel.erb create mode 100644 templates/racoon.conf.erb create mode 100644 templates/racoon/ipsec.conf.transport.erb create mode 100644 templates/racoon/ipsec.conf.tunnel.erb create mode 100644 templates/racoon/racoon.conf.erb create mode 100644 templates/racoon/racoon.conf.header.erb create mode 100644 templates/strongswan/ipsec.conf.header.erb create mode 100644 templates/strongswan/ipsec.conf.tunnel.erb create mode 100644 templates/strongswan/ipsec.secrets.erb diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..4333d23 --- /dev/null +++ b/Gemfile 
@@ -0,0 +1,18 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
+gem 'metadata-json-lint'
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 1.2.0'
+gem 'puppet-lint', '>= 1.0.0'
+gem 'facter', '>= 1.7.0'
+gem 'rspec-puppet'
+
+# rspec must be v2 for ruby 1.8.7
+if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
+ gem 'rspec', '~> 2.0'
+ gem 'rake', '~> 10.0'
+else
+ # rubocop requires ruby >= 1.9
+ gem 'rubocop'
+end
diff --git a/README.md b/README.md
index 6005606..7c319ac 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,89 @@ -# 7u83-ipsec +# ipsec + +#### Table of Contents + +1. [Description](#description) +1. [Setup - The basics of getting started with ipsec](#setup) + * [What ipsec affects](#what-ipsec-affects) + * [Setup requirements](#setup-requirements) + * [Beginning with ipsec](#beginning-with-ipsec) +1. [Usage - Configuration options and additional functionality](#usage) +1. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +1. [Limitations - OS compatibility, etc.](#limitations) +1. [Development - Guide for contributing to the module](#development) + +## Description + +Start with a one- or two-sentence summary of what the module does and/or what +problem it solves. This is your 30-second elevator pitch for your module. +Consider including OS/Puppet version it works with. + +You can give more descriptive information in a second paragraph. This paragraph +should answer the questions: "What does this module *do*?" and "Why would I use +it?" If your module has a range of functionality (installation, configuration, +management, etc.), this is the time to mention it. + +## Setup + +### What ipsec affects **OPTIONAL** + +If it's obvious what your module touches, you can skip this section. For +example, folks can probably figure out that your mysql_instance module affects +their MySQL instances. + +If there's more that they should know about, though, this is the place to mention: + +* A list of files, packages, services, or operations that the module will alter, + impact, or execute. +* Dependencies that your module automatically installs. +* Warnings or other important notices. + +### Setup Requirements **OPTIONAL** + +If your module requires anything extra before setting up (pluginsync enabled, +etc.), mention it here. + +If your most recent release breaks compatibility or requires particular steps +for upgrading, you might want to include an additional "Upgrading" section +here. 
+ +### Beginning with ipsec + +The very basic steps needed for a user to get the module up and running. This +can include setup steps, if necessary, or it can be an example of the most +basic use of the module. + +## Usage + +This section is where you describe how to customize, configure, and do the +fancy stuff with your module here. It's especially helpful if you include usage +examples and code samples for doing things with your module. + +## Reference + +Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section. + +* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation. + +* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include: + + * The data type, if applicable. + * A description of what the element does. + * Valid values, if the data type doesn't make it obvious. + * Default value, if any. + +## Limitations + +This is where you list OS compatibility, version compatibility, etc. If there +are Known Issues, you might want to include them under their own heading here. + +## Development + +Since your module is awesome, other users will want to play with it. Let them +know what the ground rules for contributing are. + +## Release Notes/Contributors/Etc. **Optional** + +If you aren't using changelog, put your release notes here (though you should +consider using changelog). You can also add any additional sections you feel +are necessary or important to include here. Please use the `## ` header. diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..df59df7 --- /dev/null +++ b/Rakefile 
@@ -0,0 +1,32 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+require 'metadata-json-lint/rake_task'
+
+if RUBY_VERSION >= '1.9'
+ require 'rubocop/rake_task'
+ RuboCop::RakeTask.new
+end
+
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.relative = true
+PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp']
+
+desc 'Validate manifests, templates, and ruby files'
+task :validate do
+ Dir['manifests/**/*.pp'].each do |manifest|
+ sh "puppet parser validate --noop #{manifest}"
+ end
+ Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
+ sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures}
+ end
+ Dir['templates/**/*.erb'].each do |template|
+ sh "erb -P -x -T '-' #{template} | ruby -c"
+ end
+end
+
+desc 'Run lint, validate, and spec tests.'
+task :test do
+ [:lint, :validate, :spec].each do |test|
+ Rake::Task[test].invoke
+ end
+end
diff --git a/examples/init.pp b/examples/init.pp
new file mode 100644
index 0000000..c2a2360
--- /dev/null
+++ b/examples/init.pp
@@ -0,0 +1,12 @@
+# The baseline for module testing used by Puppet Inc. is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation
+# errors and view a log of events) or by fully applying the test in a virtual
+# environment (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here:
+# https://docs.puppet.com/guides/tests_smoke.html
+#
+include ::ipsec
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..2376602
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,126 @@
+# Class: ipsec
+# ===========================
+#
+# Full description of class ipsec here.
+#
+# Parameters
+# ----------
+#
+# Document parameters here.
+#
+# * `sample parameter`
+# Explanation of what this parameter affects and what it defaults to.
+# e.g. "Specify one or more upstream ntp servers as an array."
+#
+# Variables
+# ----------
+#
+# Here you should define a list of variables that this module would require.
+#
+# * `sample variable`
+# Explanation of how this variable affects the function of this class and if
+# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
+# External Node Classifier as a comma separated list of hostnames." (Note,
+# global variables should be avoided in favor of class parameters as
+# of Puppet 2.6.)
+#
+# Examples
+# --------
+#
+# @example
+# class { 'ipsec':
+# }
+#
+# Authors
+# -------
+#
+# 7u83 <7u83@mail.ru>
+#
+# Copyright
+# ---------
+#
+# Copyright 2018 7u83@mail.ru
+#
+class ipsec(
+ $version = 'latest',
+ $ikedaemon = undef
+){
+
+ if $ikedaemon == undef {
+ case $::osfamily {
+ 'FreeBSD':{
+ $ike_daemon = 'racoon'
+ }
+ 'OpenBSD':{
+ $ike_daemon = 'isakmpd'
+ }
+ default: {
+ $ike_daemon = 'racoon'
+ }
+ }
+ }
+ else {
+ $ike_daemon = $ikedaemon
+ }
+
+ $res = "ipsec::${ike_daemon}"
+
+ class { "$res":
+ version => $version
+ }
+
+}
+
+
+define ipsec::tunnel (
+ $local_ip,
+ $remote_ip,
+ $nets,
+ $proto = "any",
+ $psk,
+ $hash = 'sha256',
+ $encryption = 'aes256',
+ $lifetime = '86400',
+ $dh_group = 14,
+
+)
+{
+ include ::ipsec
+ $ikedaemon = $::ipsec::ike_daemon
+ $res = "ipsec::${ikedaemon}::tunnel"
+
+ Resource[$res] { "$title":
+ local_ip => $local_ip,
+ remote_ip => $remote_ip,
+ nets => $nets,
+ proto => $proto,
+ psk => $psk,
+ lifetime => $lifetime,
+ hash => $hash,
+ encryption => $encryption,
+ dh_group => 14,
+ }
+
+}
+
+define ipsec::transport (
+ $local_ip,
+ $remote_ip,
+ $proto = "any",
+ $psk
+)
+{
+ include ::ipsec
+ $ikedaemon = $::ipsec::ike_daemon
+ $res = "ipsec::${ikedaemon}::transport"
+
+ Resource[$res] { "$title":
+ local_ip => $local_ip,
+ remote_ip => $remote_ip,
+ proto => $proto,
+ psk => $psk
+ }
+
+}
+
+
diff --git a/manifests/isakmpd.pp b/manifests/isakmpd.pp
new file mode 100644
index 0000000..dd88331
--- /dev/null
+++ b/manifests/isakmpd.pp
@@ -0,0 +1,61 @@
+##
+
+class ipsec::isakmpd (
+ $version = 'latest'
+
+) inherits ipsec::isakmpd_params {
+
+ if $pkg_name != false {
+# if $pkg_provider_p != false {
+# $provider = $pkg_provider_p
+# }
+# else {
+# $provider = $pkg_provider
+# }
+
+ package { 'isakmpd':
+ name => $pkg_name,
+ provider => $pkg_provider
+ }
+ }
+
+
+ concat { "$ipsec_conf":
+ mode => '0600'
+
+ }
+
+ concat::fragment { "ipsec_conf_header":
+ target => "$ipsec_conf",
+ order => '00',
+ content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
+
+ }
+
+ exec { "$setkey_cmd":
+ subscribe => Concat[ "$ipsec_conf" ],
+ refreshonly => true
+ }
+
+
+
+}
+
+
+define ipsec::isakmpd::tunnel (
+ $local_ip,
+ $remote_ip,
+ $nets,
+ $proto = "any",
+ $psk
+
+){
+ notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
+
+ concat::fragment { "$title":
+ target => "$::ipsec::isakmpd_params::ipsec_conf",
+ content => template('ipsec/isakmpd_tunnel.erb')
+ }
+
+}
+
diff --git a/manifests/isakmpd_params.pp b/manifests/isakmpd_params.pp
new file mode 100644
index 0000000..5de299d
--- /dev/null
+++ b/manifests/isakmpd_params.pp
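Review bot: In `ipsec::tunnel` the forwarded `dh_group => 14,` hard-codes the value and silently discards the `$dh_group` parameter the caller passed; it should read `dh_group => $dh_group,`. The same `Resource[$res]` declaration forwards `lifetime`, `hash`, `encryption` and `dh_group`, but only `ipsec::racoon::tunnel` declares those parameters — `ipsec::isakmpd::tunnel` (manifests/isakmpd.pp) and `ipsec::strongswan::tunnel` (manifests/strongswan.pp) accept only `local_ip`, `remote_ip`, `nets`, `proto` and `psk`, so with those back ends the catalog should fail with an invalid-parameter error. The value formats also disagree with the racoon back end, which defaults to `'modp3072'` and `'86400 sec'` where this define passes `14` and `'86400'`; pick one representation here and convert in the back-end defines. `$psk` travels as an ordinary parameter and therefore ends up in plain text in the catalog and reports; the class header is still the generator template, so document that there along with the real parameters.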
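Review bot: `package { 'isakmpd': ... }` sets only `name` and `provider`, so the class's `$version` parameter is never applied; add `ensure => $version,` as `ipsec::racoon` and `ipsec::strongswan` do. The guard `if $pkg_name != false` is also true when `$pkg_name` is undef — the `default` branch of `ipsec::isakmpd_params` never sets it — so on a non-BSD osfamily the package resource is declared with an undef name; `if $pkg_name {` covers both `false` and undef. The `notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }` in `ipsec::isakmpd::tunnel` looks like leftover debugging and will log on every run; drop it. The commented-out `$pkg_provider_p` block should either go or get a comment saying why it is kept.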
@@ -0,0 +1,33 @@
+#
+
+class ipsec::isakmpd_params {
+ case $::osfamily {
+ 'FreeBSD':{
+ $pkg_name = "security/isakmpd"
+ $pkg_provider = "portsng"
+ $ipsec_conf = '/etc/ipsec.conf'
+
+ $isakmpd_service = 'isakmpd'
+ $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+ }
+ 'OpenBSD':{
+ $isakmpd_service = 'isakmpd'
+ $pkg_name = false
+ $pkg_provider = undef
+ $ipsec_conf = '/etc/ipsec.conf'
+ $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+ }
+ default: {
+ $racoon_pkg = 'racoon'
+ $racoon_conf = '/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/racoon-tools.conf'
+ $racoon_service = 'setkey'
+ $setkey_cmd = '/usr/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'root'
+ }
+ }
+}
+
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..8a3c100
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,42 @@
+
+#params
+
+class ipsec::params {
+ case $::osfamily {
+ 'FreeBSD':{
+ $racoon_pkg = 'ipsec-tools'
+ $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/ipsec.conf'
+ $ipsec_service = 'ipsec'
+ $setkey_cmd = '/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'wheel'
+ }
+ 'OpenBSD':{
+ $ikedaemon = 'isakmpd'
+ $racoon_pkg = 'ipsec-tools'
+ $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/ipsec.conf'
+ $ipsec_service = 'ipsec'
+ $setkey_cmd = '/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'wheel'
+ }
+ default: {
+ $racoon_pkg = 'racoon'
+ $racoon_conf = '/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/ipsec-tools.conf'
+ $ipsec_service = 'setkey'
+ $setkey_cmd = '/usr/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'root'
+ }
+ }
+}
+
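Review bot: The `default` branch assigns `$racoon_service` twice (`'racoon'`, then `'setkey'`); Puppet does not allow reassigning a variable in the same scope, so including `ipsec::isakmpd` on any osfamily other than FreeBSD or OpenBSD fails at compile time. The branch also defines racoon variables (`$racoon_pkg`, `$racoon_conf`, `$racoon_pskfile`, `$racoon_usr`, `$racoon_grp`) that `ipsec::isakmpd` never reads and omits the ones it does (`$pkg_name`, `$pkg_provider`), which looks copied from `ipsec::params`. Either give the branch isakmpd values for the platforms actually supported or replace its body with `fail("ipsec::isakmpd: unsupported osfamily ${::osfamily}")` so the failure is explicit. `$isakmpd_service` is set in both BSD branches but no resource in this commit uses it.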
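Review bot: `ipsec::params` is neither inherited nor referenced by any class in this commit — `ipsec::racoon`, `ipsec::isakmpd` and `ipsec::strongswan` each inherit their own `*_params` class — and its body duplicates `ipsec::racoon_params` almost line for line. The `$ikedaemon = 'isakmpd'` in the OpenBSD branch is likewise unread; `ipsec` chooses the daemon from `$::osfamily` itself. Either make `ipsec` inherit this class or delete it, so the two copies cannot drift further (they already differ in the OpenBSD `$racoon_pkg` and `$ipsec_service` values).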
diff --git a/manifests/racoon.pp b/manifests/racoon.pp
new file mode 100644
index 0000000..29fd4d7
--- /dev/null
+++ b/manifests/racoon.pp
@@ -0,0 +1,128 @@
+# Racoon IPSec
+
+class ipsec::racoon (
+ $version = 'latest'
+
+)inherits ipsec::racoon_params{
+
+
+ package {'racoon':
+ name => "$racoon_pkg",
+ ensure => "$version",
+ }
+
+ service {'racoon':
+ name => "$racoon_service",
+ ensure => 'running',
+ require => Concat["$racoon_conf"], #File['racoon_conf'],
+ subscribe => Concat["$racoon_conf"],
+ enable => true,
+ }
+
+ service {'ipsec':
+ name => "$ipsec_service",
+ enable => true,
+ }
+
+ exec { "$setkey_cmd -f $ipsec_conf":
+ subscribe => Concat[ "$ipsec_conf" ],
+ refreshonly => true
+ }
+
+
+ concat { "$racoon_conf":
+ ensure => present
+ }
+
+ concat::fragment { "$racoon_conf header":
+ target => "$racoon_conf",
+ order => '00',
+ content => template('ipsec/racoon/racoon.conf.header.erb'),
+ }
+
+
+
+ concat { "$ipsec_conf":
+ ensure => present
+
+ }
+
+ concat::fragment { "ipsec_conf_header":
+ target => "$ipsec_conf",
+ order => '00',
+ content => template('ipsec/ipsec_top.erb'),
+ }
+
+ concat { "$racoon_pskfile":
+ owner => "$racoon_usr",
+ group => "$racoon_grp",
+ mode => '0600',
+ ensure => present
+
+ }
+ concat::fragment { "pskfile_header":
+ target => "$racoon_pskfile",
+ order => '00',
+ content => "#racoon psks\n",
+ }
+
+}
+
+
+
+define ipsec::racoon::tunnel (
+ $local_ip,
+ $remote_ip,
+ $encryption = 'blowfish',
+ $hash = 'sha256',
+ $dh_group = 'modp3072',
+ $lifetime = '86400 sec',
+
+ $nets,
+ $proto = "any",
+
+ $psk
+
+)
+{
+ concat::fragment { "$title":
+ target => "$::ipsec::racoon_params::ipsec_conf",
+ content => template('ipsec/ipsec_tunnel.erb')
+ }
+
+ concat::fragment { "psk_$title":
+ target => "$::ipsec::racoon_params::racoon_pskfile",
+ content => "$remote_ip $psk\n"
+ }
+
+ concat::fragment { "racoon_conf_$title":
+ target => "$::ipsec::racoon_params::racoon_conf",
+ content => template('ipsec/racoon/racoon.conf.erb')
+ }
+
+
+}
+
+define ipsec::racoon::transport (
+ $local_ip,
+ $remote_ip,
+ $proto = "any",
+ $encryption = 'blowfish',
+ $hash = 'sha256',
+ $dh_group = 'mopd3072',
+ $psk
+
+)
+{
+ concat::fragment { "$title":
+ target => "$::ipsec::racoon_params::ipsec_conf",
+ content => template('ipsec/racoon/ipsec.conf.transport.erb')
+ }
+
+ concat::fragment { "psk_$title":
+ target => "$::ipsec::racoon_params::racoon_pskfile",
+ content => "$remote_ip $psk\n"
+ }
+
+}
+
diff --git a/manifests/racoon_params.pp b/manifests/racoon_params.pp
new file mode 100644
index 0000000..2ce6d1d
--- /dev/null
+++ b/manifests/racoon_params.pp
@@ -0,0 +1,39 @@
+class ipsec::racoon_params {
+ case $::osfamily {
+ 'FreeBSD':{
+ $racoon_pkg = 'ipsec-tools'
+ $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/ipsec.conf'
+ $ipsec_service = 'ipsec'
+ $setkey_cmd = '/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'wheel'
+ }
+ 'OpenBSD':{
+ $ikedaemon = 'isakmpd'
+ $racoon_pkg = 'racoon-tools'
+# $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+# $racoon_conf = '/etc/racoon.conf'
+ $ipsec_service = 'racoon'
+ $setkey_cmd = '/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'wheel'
+ }
+ default: {
+ $racoon_pkg = 'racoon'
+ $racoon_conf = '/etc/racoon/racoon.conf'
+ $racoon_pskfile = '/etc/racoon/psk.txt'
+ $racoon_service = 'racoon'
+ $ipsec_conf = '/etc/ipsec-tools.conf'
+ $ipsec_service = 'setkey'
+ $setkey_cmd = '/usr/sbin/setkey'
+ $racoon_usr = 'root'
+ $racoon_grp = 'root'
+ }
+ }
+}
+
diff --git a/manifests/strongswan.pp b/manifests/strongswan.pp
new file mode 100644
index 0000000..ffa9813
--- /dev/null
+++ b/manifests/strongswan.pp
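Review bot: `ipsec::racoon::transport` defaults `$dh_group = 'mopd3072'`, a typo for the `'modp3072'` used by `ipsec::racoon::tunnel`; if the transport template consumes it, racoon will reject the group name. Both defines also default `$encryption = 'blowfish'`, a 64-bit-block legacy cipher, while `ipsec::tunnel` in manifests/init.pp defaults to `'aes256'`; the back-end defaults should match the front define, `$encryption = 'aes256',`. `service {'racoon'}` requires and subscribes to `Concat["$racoon_conf"]` but has no ordering against `Package['racoon']`, so on a first run the service can be managed before the package is installed — `require => [Package['racoon'], Concat["$racoon_conf"]],`. Keeping `$racoon_pskfile` at mode `'0600'` is right; note that `racoon_conf` and `ipsec_conf` get no mode at all, which is acceptable only as long as the templates write no key material there.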
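Review bot: The OpenBSD branch leaves `$racoon_conf` commented out and sets no `$ipsec_conf`, yet `ipsec::racoon` uses both as `concat` titles and `$racoon_conf` in the service's `require`/`subscribe`; selecting `ikedaemon => 'racoon'` on OpenBSD should therefore fail on empty resource titles, as far as I can tell. The branch also carries an unread `$ikedaemon = 'isakmpd'`. If racoon is not meant to be supported on OpenBSD, say so with `fail("ipsec::racoon: unsupported osfamily ${::osfamily}")` rather than a half-populated branch.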
@@ -0,0 +1,63 @@
+##
+
+class ipsec::strongswan (
+ $version = 'latest',
+ $enable = $::ipsec::strongswan_params::service_enable
+) inherits ipsec::strongswan_params {
+
+ package { 'strongswan':
+ name => $pkg_name,
+ provider => $pkg_provider,
+ ensure => $version
+ }
+
+ service { 'strongswan':
+ ensure => running,
+ require => Package['strongswan'],
+ subscribe => Concat[ "$ipsec_conf" ],
+ enable => $enable
+ }
+
+ concat { "$secrets_file":
+ owner => "$secrets_usr",
+ group => "$secrets_grp",
+ mode => '0600'
+ }
+ concat::fragment { "pskfile_header":
+ target => "$secrets_file",
+ order => '00',
+ content => "#strongswan psks\n",
+ }
+
+ concat { "$ipsec_conf":
+ }
+
+ concat::fragment { "ipsec_conf_header":
+ target => "$ipsec_conf",
+ order => '00',
+ content => template('ipsec/strongswan/ipsec.conf.header.erb'),
+ }
+}
+
+
+define ipsec::strongswan::tunnel (
+ $local_ip,
+ $remote_ip,
+ $nets,
+ $proto = "any",
+ $psk
+
+){
+
+ concat::fragment { "$title":
+ target => "$::ipsec::strongswan_params::ipsec_conf",
+ content => template('ipsec/strongswan/ipsec.conf.tunnel.erb')
+ }
+
+ concat::fragment { "$title psk":
+ target => "$::ipsec::strongswan_params::secrets_file",
+ content => template('ipsec/strongswan/ipsec.secrets.erb')
+ }
+
+}
+
diff --git a/manifests/strongswan_params.pp b/manifests/strongswan_params.pp
new file mode 100644
index 0000000..d16eeb1
--- /dev/null
+++ b/manifests/strongswan_params.pp
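Review bot: `service { 'strongswan': ... }` never sets `name => $service_name`, so the `$service_name` the params class provides is dead and the service is always looked up by the literal title; add `name => $service_name,` beside `ensure => running,`. `package { 'strongswan': name => $pkg_name }` is unguarded, while the OpenBSD branch of `ipsec::strongswan_params` sets `$pkg_name = false`; `ipsec::isakmpd` checks that value before declaring its package and this class should do the same. `ipsec::strongswan::tunnel` accepts only `local_ip`, `remote_ip`, `nets`, `proto` and `psk`, but `ipsec::tunnel` in manifests/init.pp forwards `lifetime`, `hash`, `encryption` and `dh_group` to it, so the extra parameters need to be declared here (and honoured in the tunnel template) or the catalog fails with an invalid-parameter error. Writing the PSK only to `$secrets_file` at mode `'0600'` is the right split; `concat { "$ipsec_conf": }` gets no mode, which is fine as long as the tunnel template keeps key material out of it.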
@@ -0,0 +1,35 @@
+#
+
+class ipsec::strongswan_params {
+ case $::osfamily {
+ 'FreeBSD':{
+ $pkg_name = "strongswan"
+ $ipsec_conf = '/usr/local/etc/ipsec.conf'
+ $service_name = 'strongswan'
+ # strongswan's startup script confuses pupets
+ # service enable, so we cannot enable the service
+ $service_enable = undef
+ $secrets_usr = 'root'
+ $secrets_grp = 'wheel'
+ $secrets_file = '/usr/local/etc/ipsec.secrets'
+
+ }
+ 'OpenBSD':{
+ $isakmpd_service = 'isakmpd'
+ $pkg_name = false
+ $pkg_provider = undef
+ $ipsec_conf = '/etc/ipsec.conf'
+ $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
+ }
+ default: {
+ $pkg_name = "strongswan"
+ $ipsec_conf = '/etc/ipsec.conf'
+ $service_name = 'strongswan'
+ $service_enable = true
+ $secrets_usr = 'root'
+ $secrets_grp = 'root'
+ $secrets_file = '/etc/ipsec.secrets'
+ }
+ }
+}
+
diff --git a/metadata.json b/metadata.json
new file mode 100644
index 0000000..d20788b
--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,23 @@
+{
+ "name": "7u83-ipsec",
+ "version": "0.1.0",
+ "author": "7u83",
+ "summary": "IPSec with racoon",
+ "license": "Apache-2.0",
+ "source": "",
+ "project_page": null,
+ "issues_url": null,
+ "dependencies": [
+ {
+ "name": "puppetlabs-stdlib",
+ "version_requirement": ">= 1.0.0"
+ },
+ {
+ "name": "puppetlabs-concat",
+ "version_requirement": ">= 1.0.0"
+ }
+
+ ],
+ "data_provider": null
+}
+
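Review bot: The OpenBSD branch is a copy of the one in `ipsec::isakmpd_params` — it sets `$isakmpd_service`, `$setkey_cmd`, `$pkg_provider` and `$pkg_name = false`, and none of `$service_name`, `$service_enable`, `$secrets_usr`, `$secrets_grp` or `$secrets_file` that `ipsec::strongswan` reads, so the `concat { "$secrets_file": }` there would get an empty title and the package a `false` name. Either populate it with strongswan values or make it `fail("ipsec::strongswan: unsupported osfamily ${::osfamily}")` so the gap is explicit. The FreeBSD branch sets no `$pkg_provider` although the class passes it to `package`; undef is harmless there, but the asymmetry with `$pkg_name = "strongswan"` deserves a one-line comment. The comment `confuses pupets` has a typo (`puppet's`).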
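Review bot: `"summary": "IPSec with racoon"` describes only one of the three back ends this commit ships (racoon, isakmpd, strongswan); something like `"summary": "IPsec tunnels via racoon, isakmpd or strongswan"` matches the manifests. `"source": ""`, `"project_page": null` and `"issues_url": null` look like untouched generator placeholders, and there is no `operatingsystem_support` block although every params class branches on FreeBSD, OpenBSD and a Linux default. The `pkg/` tarball and extracted copy in this commit are build output derived from this file and already differ from the source tree (21 vs 23 lines of metadata.json here); they belong in `.gitignore` rather than the repository.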
diff --git a/pkg/7u83-ipsec-0.1.0.tar.gz b/pkg/7u83-ipsec-0.1.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..e8bf6ba197dcec8cffad9f248162e63f5fac5f51 GIT binary patch literal 7747 zcmV-J9=zcniwFQrV~tt>1MNL)m)o|n{kr@WsFYM*pOuzxN=i15CQffo^YFEu^z^ts z3P^%0b|sP}s9ozi+uwd?0Pv;9YG0PqR7h-#cnk(JgPGv~1iZ!2>c<&pL0=yj1O4<5 zkDqj1_Z)}dzmQh{l@Eqx+Lq}Wj$sqsux!Ko199F1E^BGQ3z`Eed72hC)w`N9HoKvG zb#VV7$y??BU)Vf~XY4Wi0D8E#y`BG_V z$g>}Qe%<@av+pM_fBfmiSI>HH$gjVW-n1w(K0ZCo7yj~`&G{hB&wHAdEwYRimn`RT znvgSWJh))X&!6<3|MdL%vsaU!pS^hb?T+c|@=E?2GA6HkpPdnFVD;W;0GjmX zte_z+X#bx)P5QGqDSEO%_SQQgt!|rTGwSmR&sZ>-vRTG*sEfdjfjQ7yKqT0*RIf@S z8WfFYUR97I)V{(%)4D`tkU0nq@fo=^NtEUU$pg)X15b-1^5UmI|GgY30eC%8(j$NR zQ@iL>EE)AQLh7y%g@1oW1m0ynyFb^M3#&*nq&v4AO`EQtq`M;0UC4%`N+mOgB>dzQSBl1<6 z6f7yYrWphB`fJ96JkAQ3cW<6_!}{r16u)G}A|rkBYRZUDc^q&Aan6b&PRi?OY z$4P?7w2<)2>^^48zT}90;`E%sh=2@He7?vj4wj^1%$(39Bs2_Te4;ZFEs{X~jEg0J zU0`Dg=LL&c&XNFOeVLF&60*EsOj&=LrXk4~yC5)f94UcZGEc(=&_CuROc7h`XqsLD z%)A67;eHp-#dC6vJhSY&}e_6yK6B;Z4 zcIUCb5DY8Q1~P)*Rik5+6Vea|O?!##m2{;fO<11*yy7bDbA}=WL+6Y6oaRfEiPe#Y zDHG&8g*I5GWqAq`I45yIcsjded;n4f^nm}DV5x|u16;s1By7emX#wrBxCo|V6rzTN zJkWr39EO*ZI0LNQ#5%R zrcXcb2;M`DB_N0(z9kD#`*8s!-$u=mk|_lelAI>zV&=A_kvxeLn18dGK>7svT+8!` zHm3=QDl%4z%<+lDB<2FwBAzpp2CN{dH4yw4(@$s&vOaUk)2BZ^e+35a%kQ2()igjh zE_$F4{L469a47*z^ow*6Oc_7HOhJ2o5oZz&fQtPN$Tw-OvA1-d&DaTWdIk)`nkX!w zu$DxO2}Zv_;i}*-`M+ipF@BUn)t$mpgYm^V`F{EGf4?JT9X=5FLQ&3oT=KtA61yad zmlsKTMW_#bA+gfM`Ls>6Y(|47)yA6klzd5MF}MuK9`LPUuo(?5fb{T-v-~m+@E1sM z3f_yF*2T(Hxr%2qLTBKooPb)3VY&x}Xv5yJU{Qd?KZS{zft`m*7c<_Zgc|yyNKtwN zkcTBvg2A!f-)N3%kP8%W_y|AEfhYw@(ju0m>6WY~FB(dAo!`wqE8m1BOP~@=LiV=E zDL79NQkN?m0WhCrvjwPQzDxqb60}3%iKc|I7C?f$88o{AvgRy6g_eU#pd3t4&L~Pq zQzhcaDqLWG!k88_nuBp-8P`yGEHap~s3xQ&&g1hbCd2BtFo2ohvmdPI+Mv5&3#rqQGC_a0R`j zo&@M%uMqhF{Hk;w{~xQB4*bLcgu=XN5zIK4RK+5SBz;;s4XH@JMa99;FOG%CqIVxH zW;izNvK+Utx21lN);UO#9x4N=D($I|K)%+U9AagwHSH(hfMg1=1LbJO3RX?wMoYji zm{HDg`WDL!{|Q+XC(uwlqKdjiD+C4jlEEbjN*#@lv$PZtp*_HKz?%?uk7zR*fKe%} 
zk^&~xjlhP*Vzyq!lqk#g66`pRQBVL-mva>5im#0YY?uI5dnu*HMV%$57@;{*7^!zt z4<}n7m0GjpRoS>{N_pDQRSQ9Sp=6aL(E!C*mWFAt!2akaEJ0Ik#Pp<|z7-Eao+?&W z9Bi>patd%myV>Rv7>=4x1M&=*gzkv&s!Ez-N5cDUjUS8wI;5xr@LgB*B<3p3vKc65 zAB7QXd`TK!cFS`rJ3_xf*8LeweMm0pY{BHjFPh**#iUn|IlM@s7EqR0w*8t#bTKPr zYl%s+l=GqCW2%YYn(%^>>z-%nS#5AgNoiX(VA^F?X=H>+G|F_(_BB0V;n zGNE=!rEN*Wvjv|tMiFc(6hNI`F`mw0kkZ0QK@(QB>=I1(Qt9eqK)#decdiLxtmuE9 zrwgHmOV!fyooQZa6KRZoNDIbKzbfmbIX``dv;eD_Ni$MgO>B*vl0qCz(WRTE=NS1= zv!gU|2|^X4Cr_jkBHBw~(}L3VT>*4ls}ec`$p%w~>~5MgHEqRoBN4pu3SL!~L>Q9F zHE3{2D(vSHJG3E4s$YN(zX)Eje6TV4a7Z6It;c^rO+0b{ct`xla4mf${^RJLb%_7$ zBPpkNTPXDu!;h1K@(bS6R_cmq>ZvF@ZN^vYdh0RW8eUJ^5-b%V(F%kLU^d$k@&Yoy zO0)48h4mF=4ia`HLY$g3{og@XgVxLLfJ5<S~2Indxn_Zk&k8d;$Ej#H6t4+ZbgO~6)VqEx8 z4BRuwQ_hEo=ZY7`o`ypwOs(IbT0NqCPvwtlMe-)81J|!K=DD+?O zEu(_h?ao!wqC7#A>mJ1@`T@YM3a>k0(P!w@ zRaxZh-{j-`o#-Zt-xlz?z^~gVRMe3jvv$vAY27hYApPg0|CaP$kzT(C7?hQ+$*)A= zRgP0gk7Uh@MM6+mPb&H-XAoom1=4y@G6bI_GhUBnlX2ZUOH=QK#6xu`LV1D0^n&6gQiMAkP;fN~E4mdNKUPyY$;q2N)SV{WpT z%|w1If(4UBK5OQNji5K=zZM4eo%p*kwA#Jx^CATAMRX;qs8LQDONZE^+#}Et^{!8L z!UeA|pv7I`!ryP?IAGFE%6Op~pmzPf9f7s^FFdfv?c?tH-?kj%p#S%g*7#q0*^k!8 zz3l(N|JzGi<3DKT-~!Y+e>?|ZhyAx~+gi2%mVU7Rdr89nt398>&iguxESox>X^n>N z(6wA2*kT)&ZQ7<4Nef+V62m6c@omR)Bg^AfvvlxrKz!<3}Dz1nv3}@&M zha-SXgK#vo95-^A9+_0P4Bz!ti|S1@PU2#aW!TcTpw?)l8_acWkdvVkM$8KB&<7}i zWy_ZJJ4~bL$O^2;3teaAhKA!?Q5aDput&^>LE4tL)|AtWc@~x(n>KYr%Dm7V*+J-g zqrfvFD>5QBbX`5%(t08minszoJ;(H{P>(Ff^8&}#sXYtLmvT+-G z#~GTgIr1zwgxljNGhNrzBZmdd)gwDpGTM5P!DhgDU1xqYbVnYu zOcn$V{5Le=XGDERbuauMwInFSM}$KMxi6%^kDQ3wA@zdcD4+nrWNa9+kv+7Be&94f zG=iwAu?|8y3P!+lH;j<{IiYZyQhn8jWgu+Z{`%y((z8>a6?+W@xF3Q-gy9W;T(oNyFHFd{$>o_1|Hs}-G^xdJ3icEJLKk#kO4%SAx0px=yr{Jk+ zC;%!*qsW07&rBM6)CU=WS%gFOfte%Apx!MYwRu3PW7$z;d5k%h0eT^19veBP@B2dv zgxw6Vg_B7=W8_m{8#rqL9fgr@N1z_4?pi}5&{sj!bF)dYHd?wzUB~c2Q|QKUDv#eZ~1t^Zjb`~?5c1Q|T+|K3aL zlJCVP(2)2`^@WAj)uP#gPe0Lk7OG!|)%)LR+CBd(^?UC=cFliyd64tp2J`HR`44X# zhxxyc)YZD=m0&Ua_<_#Zn0)&28Tq1!iy0#ye+J5+t7)HpOuk5j)hyRC;ptb>hjP#n 
zxQ_@MLEh`$EDh+a_Xe8Qc{!V>1zX9?^0Y{0UjMn+yDj&TYe$S{r&8=r1ug<4c%V?V zFES)NnRBYbtDmf4va#1q=(RD4ldXs}`|YoyRwDw`Vo8X^`_SCooo<@{H@W_I>0_t; zFZchr@So?x{I^W!@crjr63+jI2k^Y~06sKchqRw`i~0Xx4`A2)w>__#|E_Mp{5K5S zJT>3+cWX~&ocFc{@+LH5FU8S|zTlodcWR72)q3-{rDuY+IEahNC>grXqB*>TI z8=DE8ou_$ROy{WSC!py+S*tyzeA=i7mSMdP8V>vtH4yv0Cv#Rz@hkooDb`zs(@EQ| z)K#vlU*{~rFMru2OJ{MgBq@yXTGKei59MmA)T7KIuE3f#yxR?VWf*l$w270}$nh(# zoN?Z+7qSR7guw7W-va)3ryKNtW9j5!ecavtd#-67?EgN}?fAcOiSO2Z?2P}Ia{mu_ z0=DPk`yZ|YAMF1=Qg^<#{PUqvI;1_OJJ0`nM1yw5e_UP7f6For2j{Elq?URg5p#8927! z*J2Q-U%J+{C(N@=<$u(U@D!XgaVDAgJ@uDoa!W|n7QFcKmE#Qhxip#~pAXHi$4+;d z|BbCPcj{xO{dc``{(}!F=D+Sbhxxycv=)3teb5TKj>+?ve_e@z{_dv1e{I?w|J}C7 z^7eh~n*WyVs`>92uA}4pxAFU*!~B2$Nv!{rY~8v9)ZAOKqAgZeX{4UO9TnSlc9gxH zZrr-D0oq!JcLje?S6kEF=KuXxf_Ke-wg1bO-~HhJFViy*`#<-R4*S0j`@e3U{|{dV z+%f+R*LGz5SGO(CL;v4!59fdHC*k~8Yi}QkIS-@akY{r3aTerIEy1D4=l#Nzc#KpI3-VCtM2P%Ce|LTUx8UP3JOV3|?FX=aUEG%tae zf+77gUD9;I|0t4AR=+l8}5X;F9U zx~T+g){?qo*>sbvHlzbVT$e_q|DJ=!Fvl5_O?)qMtCgsem079H|!MY-ei=j!iH7ql9hDx&WW|^n|6z= zRl1#pS!=dozerW*y8gMz40XW{b=UWd)D&oL8mWnPyRqM5+elS+hXU*#HjeyO(&qDj z%J1JFrw{$^`#-^A9QJ?gBW>n?`|yH?_OUDe1EnkH|9XaZ*#EzmwCns|d4789cC~}% z{vD;8^?&pHll%9vYyO*Z|5rW#P2D}z$APxHc~y5&>yi@dz4F8&3wpS{gyG@&b3;;0MvM6K!)Iy|mjl!NY3ii(pW z1@MFo&IhFP5^t4?@U@xYr6%I8w?)Q_oY6T+icH+ghFIafNeQ8OPM3p@!0u<7$9Rdr zhGG3rc{`5McJfA{#=S$AW!v(8xBA{cdC#BH$E$QG+aVcN=^*Y&LO^AuiVAoMOL^Cn zywxjK7gh-Z#SucoOVz~XP>N0iMWI*C>!>hDFafemO0tw!;Br=As0eTL5|}|_b)Qur&Hih!Ww0fc)eNgwb1y1tUGF}V$N_yhmrO~;~oyK+4)tOX>% zJN?c`M-XZ}{^(s@`?>?=B_lgnu`?zBup;GWq$I0=g>fl0XB9NL{7aDjz=_9pJ(&JNVI&QB~(puB$$$hKM^2WkZZ|K^(E;wHW z3eSjPpJ>`KE_aj{GL6Slp|=I(Bb5#RR5aR5Kt;cj07%CdOdizz8tcCi1QjcWoiQ%I zl?&lW(gvlD>g7W$Y0~Wo=_Ya&0gn^`AxHcYS^Pp~ASoNGe4-omaH5tDMJE0@X)Qa7 z?E3MfxsnJ)NIS**71ozKiEifpCa#nB#f%cA_ri~x$zM&75ACuX(j%su{Qv3z+z0lt zYyHpF)%hQuZWxA%@jqKX?ElUOoJp8>i^a-ERPE(e$yaJ#@&kBikN>X2Tv*wX*V zF3uIVPwi zj|6r?zbRBv=N;AHK3jn&J(D91y$W&LgV4J50a?hn%1`R37DLU)5e;@!UhpamOoOLK)+PdWidA|{iF%H_(vimKdvepm1KMB#<^M~h*A 
zD}TY3lK@Zk2FQHjs~`}-{z@SKx{VNCT!9890{b&f6L2IE3%n~$(rAM_rEq$ycnt?FTx0-Obyhh-^1ovKDdPj}FZ<;l4$ ztS1qg8nN%A-ge$YdxDh|Y8Zlu1Gf5>+0b7C2=`;Pc|9m*q#u!Wu;N{Fr=WfAITnu>aQK{O`S_E_or?OvJUVD_($ z`weLH*S$t=Pei&lMZ{Jci;l%2yo!ab;a@H%H_>mY_Rdxy8$xyXg4hZ`K1$@S8QpA- zPlPvX!r~r(mK0*Kc1tv^X;Qa@IGY{ZHO6`4H%b`e6sX-Cu3aC`hYHv>FI=jS-@psy zbV&5mt3>wDX&89XceTXXX_$CXvJ#;_*-C|tL{QytqreK1yQt9VDm4QQ_&?Ny7mmkj z@L1NnUF^8Mr0&nst0?AEv2MP$4&Pcz@8M@RmhPFNU~T0czsKxh=zLprx(-j{3h;d* z%q=Z?rvUTHg*`I7yk%wrl9M}PvVpNpKGqBn>&3vz?enNH=kJNdZ3wdY3w9NCUtjRA z>5g~s|M!wM z`1^NV`#A)r_8t6duB7zj7Kq;jl{aEigSm;&O-3C;fQJy^A?+vKVEM~0^wyRGVmm5Z+w)kN0buyb&&jodug*sfRC zXobvL8}_#D*K5Z$nmhfE8WFj*PU zTApkS^OS`f;yh*1mO#&aLpm*Vb_aACGSm#}+!TfTAOW{sH(aO~-1;`gy5VE(WW3+I z{)Rbs`}h4_=liQT$qk4hckhJUnjGB)JzgI_{u|gh`8!Fsvi}c^0qolUX?x}QueRgZ zc>k~AScmU__mZ}o{|9XWt)Oh&-`Rf0T;C5Vy#@uWX=SmzOBxxRh^rjH{K*fJ@qB@3 z!5PPM$?)?s)k4{NX>CskPstS{0Zo#$P?_RmSyiuvM&;_%n>rf?xcwT{Fu$!=(4&?G z-AV&h3BMTlJ#9_BgJj%89@ZHp7c%d_r}cu?3;hanepm0sYx-Y(1O14{KkPjJ#gpeh zHqL)?9p~`=x0lo<_?^EG3Vw$EZ6wY@5a$u#yB@sz5YVQL(;&&WNiZO>I=?`ibz6E2 zTDSZ}e@ZWz_})Ly8PC!rL^ueqswfQc7?|? zq~~~20J{WVlpiAw06bdE0G@y<@SjSW;Hd)?8iLiKcxXCH;CGq`&sg*deJMN%j1BZ4 zw&qI?4lY`&g5izWSQ;`8ZUx1$Hr&yg&_&mK}gK04bJhj!2kw3KL9nv8k(jgtvAsx~o9nyzL{}1l| J)?)z3007Z?UdR9d literal 0 HcmV?d00001 diff --git a/pkg/7u83-ipsec-0.1.0/Gemfile b/pkg/7u83-ipsec-0.1.0/Gemfile new file mode 100644 index 0000000..4333d23 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/Gemfile @@ -0,0 +1,18 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3'] +gem 'metadata-json-lint' +gem 'puppet', puppetversion +gem 'puppetlabs_spec_helper', '>= 1.2.0' +gem 'puppet-lint', '>= 1.0.0' +gem 'facter', '>= 1.7.0' +gem 'rspec-puppet' + +# rspec must be v2 for ruby 1.8.7 +if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9' + gem 'rspec', '~> 2.0' + gem 'rake', '~> 10.0' +else + # rubocop requires ruby >= 1.9 + gem 'rubocop' +end 
diff --git a/pkg/7u83-ipsec-0.1.0/README.md b/pkg/7u83-ipsec-0.1.0/README.md
new file mode 100644
index 0000000..7c319ac
--- /dev/null
+++ b/pkg/7u83-ipsec-0.1.0/README.md
@@ -0,0 +1,89 @@ +# ipsec + +#### Table of Contents + +1. [Description](#description) +1. [Setup - The basics of getting started with ipsec](#setup) + * [What ipsec affects](#what-ipsec-affects) + * [Setup requirements](#setup-requirements) + * [Beginning with ipsec](#beginning-with-ipsec) +1. [Usage - Configuration options and additional functionality](#usage) +1. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +1. [Limitations - OS compatibility, etc.](#limitations) +1. [Development - Guide for contributing to the module](#development) + +## Description + +Start with a one- or two-sentence summary of what the module does and/or what +problem it solves. This is your 30-second elevator pitch for your module. +Consider including OS/Puppet version it works with. + +You can give more descriptive information in a second paragraph. This paragraph +should answer the questions: "What does this module *do*?" and "Why would I use +it?" If your module has a range of functionality (installation, configuration, +management, etc.), this is the time to mention it. + +## Setup + +### What ipsec affects **OPTIONAL** + +If it's obvious what your module touches, you can skip this section. For +example, folks can probably figure out that your mysql_instance module affects +their MySQL instances. + +If there's more that they should know about, though, this is the place to mention: + +* A list of files, packages, services, or operations that the module will alter, + impact, or execute. +* Dependencies that your module automatically installs. +* Warnings or other important notices. + +### Setup Requirements **OPTIONAL** + +If your module requires anything extra before setting up (pluginsync enabled, +etc.), mention it here. + +If your most recent release breaks compatibility or requires particular steps +for upgrading, you might want to include an additional "Upgrading" section +here. 
+ +### Beginning with ipsec + +The very basic steps needed for a user to get the module up and running. This +can include setup steps, if necessary, or it can be an example of the most +basic use of the module. + +## Usage + +This section is where you describe how to customize, configure, and do the +fancy stuff with your module here. It's especially helpful if you include usage +examples and code samples for doing things with your module. + +## Reference + +Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section. + +* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation. + +* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include: + + * The data type, if applicable. + * A description of what the element does. + * Valid values, if the data type doesn't make it obvious. + * Default value, if any. + +## Limitations + +This is where you list OS compatibility, version compatibility, etc. If there +are Known Issues, you might want to include them under their own heading here. + +## Development + +Since your module is awesome, other users will want to play with it. Let them +know what the ground rules for contributing are. + +## Release Notes/Contributors/Etc. **Optional** + +If you aren't using changelog, put your release notes here (though you should +consider using changelog). You can also add any additional sections you feel +are necessary or important to include here. Please use the `## ` header. diff --git a/pkg/7u83-ipsec-0.1.0/Rakefile b/pkg/7u83-ipsec-0.1.0/Rakefile new file mode 100644 index 0000000..df59df7 --- /dev/null 
+++ b/pkg/7u83-ipsec-0.1.0/Rakefile @@ -0,0 +1,32 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' +require 'metadata-json-lint/rake_task' + +if RUBY_VERSION >= '1.9' + require 'rubocop/rake_task' + RuboCop::RakeTask.new +end + +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.relative = true +PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp'] + +desc 'Validate manifests, templates, and ruby files' +task :validate do + Dir['manifests/**/*.pp'].each do |manifest| + sh "puppet parser validate --noop #{manifest}" + end + Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file| + sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures} + end + Dir['templates/**/*.erb'].each do |template| + sh "erb -P -x -T '-' #{template} | ruby -c" + end +end + +desc 'Run lint, validate, and spec tests.' +task :test do + [:lint, :validate, :spec].each do |test| + Rake::Task[test].invoke + end +end diff --git a/pkg/7u83-ipsec-0.1.0/checksums.json b/pkg/7u83-ipsec-0.1.0/checksums.json new file mode 100644 index 0000000..0b66030 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/checksums.json 
@@ -0,0 +1,29 @@ +{ + "Gemfile": "0b0ef34a57239868636b26141342423f", + "README.md": "a5b4536f36ecfaf9b006108e3eef7c19", + "Rakefile": "158b889261acd98356f6e0f2a031b6b9", + "examples/init.pp": "43f2a9901e66401685dfe3d4db835c34", + "manifests/init.pp": "93c3f7d6596d15b3fdfa1c49e4863437", + "manifests/isakmpd.pp": "424a6dae7d294cdb79c71f3f1fe8660d", + "manifests/isakmpd_params.pp": "a75273d0f3577c540a48dc71be0423d9", + "manifests/params.pp": "c4981d62b9ea633cd59a034eb9c846d0", + "manifests/racoon.pp": "0b40af7e75e6481324193c9d86fcd6e7", + "manifests/racoon_params.pp": "5582629736d3cd7d8f4c55a24603f665", + "manifests/strongswan.pp": "9652c2c317e5f910f71559744216daf4", + "manifests/strongswan_params.pp": "39fa38f2249f9f0e26620f5ece60f4df", + "metadata.json": "65900ebf8697e32ecc5c5c8232efab54", + "spec/classes/init_spec.rb": "4bf5fa4da7c89cacc52ee8de94848bc5", + "spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc", + "templates/ipsec_top.erb": "e84bf026bd13924bba8606192219162e", + "templates/ipsec_tunnel.erb": "6419c0f349a26aa7d2623b99cd724012", + "templates/isakmpd_ipsec_conf_header.erb": "e13d611da756f7dced378eb6afb12b7f", + "templates/isakmpd_tunnel.erb": "d7155f03563e5d9ff437846d8373cc1f", + "templates/racoon/ipsec.conf.transport.erb": "b65510f46b902b6806b26055bcb474c2", + "templates/racoon/ipsec.conf.tunnel.erb": "6419c0f349a26aa7d2623b99cd724012", + "templates/racoon/racoon.conf.erb": "9f5be0e2ad7abe40c55d9ffb606931a7", + "templates/racoon/racoon.conf.header.erb": "aa534ff37ee53159ade7e952bbb8a155", + "templates/racoon.conf.erb": "2a719ba6af007ca9df04fd86a06381c0", + "templates/strongswan/ipsec.conf.header.erb": "07a651b7d80189be95a8aa81ea4e1cd7", + "templates/strongswan/ipsec.conf.tunnel.erb": "169545c847f3a04711e63b27ef63e849", + "templates/strongswan/ipsec.secrets.erb": "0b76db8372d2083ac0a1abb89aad6ab2" +} \ No newline at end of file 
diff --git a/pkg/7u83-ipsec-0.1.0/examples/init.pp b/pkg/7u83-ipsec-0.1.0/examples/init.pp
new file mode 100644
index 0000000..c2a2360
--- /dev/null
+++ b/pkg/7u83-ipsec-0.1.0/examples/init.pp
@@ -0,0 +1,12 @@
+# The baseline for module testing used by Puppet Inc. is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation
+# errors and view a log of events) or by fully applying the test in a virtual
+# environment (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here:
+# https://docs.puppet.com/guides/tests_smoke.html
+#
+include ::ipsec
diff --git a/pkg/7u83-ipsec-0.1.0/manifests/init.pp b/pkg/7u83-ipsec-0.1.0/manifests/init.pp
new file mode 100644
index 0000000..2376602
--- /dev/null
+++ b/pkg/7u83-ipsec-0.1.0/manifests/init.pp
@@ -0,0 +1,126 @@ +# Class: ipsec +# =========================== +# +# Full description of class ipsec here. +# +# Parameters +# ---------- +# +# Document parameters here. +# +# * `sample parameter` +# Explanation of what this parameter affects and what it defaults to. +# e.g. "Specify one or more upstream ntp servers as an array." +# +# Variables +# ---------- +# +# Here you should define a list of variables that this module would require. +# +# * `sample variable` +# Explanation of how this variable affects the function of this class and if +# it has a default. e.g. "The parameter enc_ntp_servers must be set by the +# External Node Classifier as a comma separated list of hostnames." (Note, +# global variables should be avoided in favor of class parameters as +# of Puppet 2.6.) +# +# Examples +# -------- +# +# @example +# class { 'ipsec': +# } +# +# Authors +# ------- +# +# 7u83 <7u83@mail.ru> +# +# Copyright +# --------- +# +# Copyright 2018 7u83@mail.ru +# +class ipsec( + $version = 'latest', + $ikedaemon = undef +){ + + if $ikedaemon == undef { + case $::osfamily { + 'FreeBSD':{ + $ike_daemon = 'racoon' + } + 'OpenBSD':{ + $ike_daemon = 'isakmpd' + } + default: { + $ike_daemon = 'racoon' + } + } + } + else { + $ike_daemon = $ikedaemon + } + + $res = "ipsec::${ike_daemon}" + + class { "$res": + version => $version + } + +} + + +define ipsec::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk, + $hash = 'sha256', + $encryption = 'aes256', + $lifetime = '86400', + $dh_group = 14, + +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::tunnel" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + nets => $nets, + proto => $proto, + psk => $psk, + lifetime => $lifetime, + hash => $hash, + encryption => $encryption, + dh_group => 14, + } + +} + +define ipsec::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $psk +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon 
+ $res = "ipsec::${ikedaemon}::transport" + + Resource[$res] { "$title": + local_ip => $local_ip, + remote_ip => $remote_ip, + proto => $proto, + psk => $psk + } + +} + + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp new file mode 100644 index 0000000..dd88331 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp @@ -0,0 +1,61 @@ +## + +class ipsec::isakmpd ( + $version = 'latest' + +) inherits ipsec::isakmpd_params { + + if $pkg_name != false { +# if $pkg_provider_p != false { +# $provider = $pkg_provider_p +# } +# else { +# $provider = $pkg_provider +# } + + package { 'isakmpd': + name => $pkg_name, + provider => $pkg_provider + } + } + + + concat { "$ipsec_conf": + mode => '0600' + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/isakmpd_ipsec_conf_header.erb'), + + } + + exec { "$setkey_cmd": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + +} + + +define ipsec::isakmpd::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": } + + concat::fragment { "$title": + target => "$::ipsec::isakmpd_params::ipsec_conf", + content => template('ipsec/isakmpd_tunnel.erb') + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp new file mode 100644 index 0000000..5de299d --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp 
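Review bot: `ipsec::tunnel` forwards `hash`, `encryption`, `lifetime` and `dh_group` to `Resource["ipsec::${ikedaemon}::tunnel"]`, but `ipsec::isakmpd::tunnel` (next hunk) and `ipsec::strongswan::tunnel` declare only `local_ip`, `remote_ip`, `nets`, `proto` and `psk`, so selecting either backend should fail at compile time with an invalid-parameter error; only the racoon define accepts them. The same declaration passes the literal `dh_group => 14,` instead of the parameter, so the caller's value is dropped even for racoon — the intended line is `dh_group => $dh_group,`. `$lifetime = '86400'` here carries no unit while `ipsec::racoon::tunnel` defaults to `'86400 sec'`, which is the form racoon's `lifetime time` directive takes, so the two defaults should be aligned. This hunk starts on the previous physical line; the top-level manifests/init.pp copy is outside my view and presumably identical.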
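Review bot: `ipsec::isakmpd` never manages the isakmpd daemon: `$isakmpd_service` is set in isakmpd_params but no `service` resource reads it, and `package { 'isakmpd': ... }` has no `ensure`, so the `$version` parameter is accepted and ignored. `exec { "$setkey_cmd": ... }` (ipsecctl -f) loads the policy but neither starts nor reloads isakmpd, so a changed /etc/ipsec.conf only takes effect if the daemon happens to be running already. I would add `ensure => $version,` to the package and `service { 'isakmpd': name => $isakmpd_service, ensure => running, enable => true, subscribe => Concat["$ipsec_conf"] }`. The `ipsec::isakmpd::tunnel` define also accepts `$proto` without isakmpd_tunnel.erb ever using it.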
@@ -0,0 +1,33 @@ +# + +class ipsec::isakmpd_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "security/isakmpd" + $pkg_provider = "portsng" + $ipsec_conf = '/etc/ipsec.conf' + + $isakmpd_service = 'isakmpd' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/racoon-tools.conf' + $racoon_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/params.pp b/pkg/7u83-ipsec-0.1.0/manifests/params.pp new file mode 100644 index 0000000..8a3c100 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/params.pp 
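Review bot: The `default:` branch assigns `$racoon_service` twice (`'racoon'`, then `'setkey'`); Puppet does not allow reassigning a variable in the same scope, so any host whose osfamily is neither FreeBSD nor OpenBSD fails to compile `ipsec::isakmpd_params` and therefore `ipsec::isakmpd`, which inherits it. The branch looks copy-pasted from the racoon params: it sets `$racoon_*` variables that isakmpd.pp never reads and leaves `$pkg_name`, `$pkg_provider` and `$isakmpd_service` unset, so `if $pkg_name != false` is true with an undef package name. Either give the branch isakmpd values or end it with `fail("ipsec::isakmpd: unsupported osfamily ${::osfamily}")`. The FreeBSD branch uses `provider => "portsng"`, which is not a core package provider and is not supplied by the dependencies declared in metadata.json — confirm which module is expected to provide it.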
@@ -0,0 +1,42 @@ + +#params + +class ipsec::params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp b/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp new file mode 100644 index 0000000..29fd4d7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon.pp 
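Review bot: Nothing in this commit appears to reference `ipsec::params` — init.pp dispatches to `ipsec::racoon`, `ipsec::isakmpd` and `ipsec::strongswan`, each inheriting its own `*_params` class — and its body is an older copy of racoon_params.pp (the OpenBSD branch even sets an unused `$ikedaemon`). Two near-identical tables of paths and service names will drift; either delete this file or make `ipsec::racoon_params` inherit from it.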
@@ -0,0 +1,128 @@ +# Racoon IPSec + +class ipsec::racoon ( + $version = 'latest' + +)inherits ipsec::racoon_params{ + + + package {'racoon': + name => "$racoon_pkg", + ensure => "$version", + } + + service {'racoon': + name => "$racoon_service", + ensure => 'running', + require => Concat["$racoon_conf"], #File['racoon_conf'], + subscribe => Concat["$racoon_conf"], + enable => true, + } + + service {'ipsec': + name => "$ipsec_service", + enable => true, + } + + exec { "$setkey_cmd -f $ipsec_conf": + subscribe => Concat[ "$ipsec_conf" ], + refreshonly => true + } + + + concat { "$racoon_conf": + ensure => present + } + + concat::fragment { "$racoon_conf header": + target => "$racoon_conf", + order => '00', + content => template('ipsec/racoon/racoon.conf.header.erb'), + } + + + + concat { "$ipsec_conf": + ensure => present + + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/ipsec_top.erb'), + } + + concat { "$racoon_pskfile": + owner => "$racoon_usr", + group => "$racoon_grp", + mode => '0600', + ensure => present + + } + concat::fragment { "pskfile_header": + target => "$racoon_pskfile", + order => '00', + content => "#racoon psks\n", + } + +} + + + +define ipsec::racoon::tunnel ( + $local_ip, + $remote_ip, + $encryption = 'blowfish', + $hash = 'sha256', + $dh_group = 'modp3072', + $lifetime = '86400 sec', + + $nets, + $proto = "any", + + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/ipsec_tunnel.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + + concat::fragment { "racoon_conf_$title": + target => "$::ipsec::racoon_params::racoon_conf", + content => template('ipsec/racoon/racoon.conf.erb') + } + + +} + +define ipsec::racoon::transport ( + $local_ip, + $remote_ip, + $proto = "any", + $encryption = 'blowfish', + $hash = 'sha256', + 
$dh_group = 'mopd3072', + $psk + +) +{ + concat::fragment { "$title": + target => "$::ipsec::racoon_params::ipsec_conf", + content => template('ipsec/racoon/ipsec.conf.transport.erb') + } + + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp new file mode 100644 index 0000000..2ce6d1d --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp @@ -0,0 +1,39 @@ +class ipsec::racoon_params { + case $::osfamily { + 'FreeBSD':{ + $racoon_pkg = 'ipsec-tools' + $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec.conf' + $ipsec_service = 'ipsec' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + 'OpenBSD':{ + $ikedaemon = 'isakmpd' + $racoon_pkg = 'racoon-tools' +# $racoon_conf = '/usr/local/etc/racoon/racoon.conf' + $racoon_pskfile = '/usr/local/etc/racoon/psk.txt' + $racoon_service = 'racoon' +# $racoon_conf = '/etc/racoon.conf' + $ipsec_service = 'racoon' + $setkey_cmd = '/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'wheel' + } + default: { + $racoon_pkg = 'racoon' + $racoon_conf = '/etc/racoon/racoon.conf' + $racoon_pskfile = '/etc/racoon/psk.txt' + $racoon_service = 'racoon' + $ipsec_conf = '/etc/ipsec-tools.conf' + $ipsec_service = 'setkey' + $setkey_cmd = '/usr/sbin/setkey' + $racoon_usr = 'root' + $racoon_grp = 'root' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp b/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp new file mode 100644 index 0000000..ffa9813 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp 
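Review bot: In `ipsec::racoon::transport` the default `$dh_group = 'mopd3072'` is a typo for `'modp3072'` (compare the tunnel define). It is masked today only because the transport define emits no racoon.conf `remote` fragment at all, so the `$encryption`, `$hash` and `$dh_group` parameters it accepts are never used; with `remote anonymous` commented out in racoon.conf.header.erb, racoon presumably has no phase-1 proposal for a transport peer and the SPD rules it writes never get an SA — a `racoon_conf_$title` fragment like the tunnel define's looks missing. Separately, `service {'racoon'}` subscribes to `Concat["$racoon_conf"]` but not to `Concat["$racoon_pskfile"]`, so a rotated PSK does not trigger a reload; `subscribe => [Concat["$racoon_conf"], Concat["$racoon_pskfile"]],` fixes that. This hunk starts on the previous physical line.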
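Review bot: The OpenBSD branch of `ipsec::racoon_params` leaves `$racoon_conf` (both assignments commented out) and `$ipsec_conf` undefined, while `ipsec::racoon` declares `concat { "$racoon_conf": }` and `exec { "$setkey_cmd -f $ipsec_conf": }`; with `ikedaemon => 'racoon'` on that platform the concat title interpolates to an empty string, which Puppet rejects. Either restore the two assignments or make the branch explicit with `fail('ipsec::racoon: racoon is not supported on OpenBSD, use isakmpd')`. The `$ikedaemon = 'isakmpd'` assignment in that branch is unused.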
@@ -0,0 +1,63 @@ +## + +class ipsec::strongswan ( + $version = 'latest', + $enable = $::ipsec::strongswan_params::service_enable +) inherits ipsec::strongswan_params { + + package { 'strongswan': + name => $pkg_name, + provider => $pkg_provider, + ensure => $version + } + + service { 'strongswan': + ensure => running, + require => Package['strongswan'], + subscribe => Concat[ "$ipsec_conf" ], + enable => $enable + } + + concat { "$secrets_file": + owner => "$secrets_usr", + group => "$secrets_grp", + mode => '0600' + } + concat::fragment { "pskfile_header": + target => "$secrets_file", + order => '00', + content => "#strongswan psks\n", + } + + concat { "$ipsec_conf": + } + + concat::fragment { "ipsec_conf_header": + target => "$ipsec_conf", + order => '00', + content => template('ipsec/strongswan/ipsec.conf.header.erb'), + } +} + + +define ipsec::strongswan::tunnel ( + $local_ip, + $remote_ip, + $nets, + $proto = "any", + $psk + +){ + + concat::fragment { "$title": + target => "$::ipsec::strongswan_params::ipsec_conf", + content => template('ipsec/strongswan/ipsec.conf.tunnel.erb') + } + + concat::fragment { "$title psk": + target => "$::ipsec::strongswan_params::secrets_file", + content => template('ipsec/strongswan/ipsec.secrets.erb') + } + +} + diff --git a/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp b/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp new file mode 100644 index 0000000..d16eeb1 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp 
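Review bot: `service { 'strongswan': ... }` has no `name => $service_name`, so the `$service_name` value computed in strongswan_params is dead and the resource only works where the init script is literally called strongswan; `package { 'strongswan': provider => $pkg_provider }` likewise reads a variable that strongswan_params sets only in its OpenBSD branch. In `ipsec::strongswan::tunnel` the `$proto` parameter is accepted but ipsec.conf.tunnel.erb never uses it. Add `name => $service_name,` to the service, and either drop `provider` or set `$pkg_provider` in every branch of strongswan_params.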
@@ -0,0 +1,35 @@ +# + +class ipsec::strongswan_params { + case $::osfamily { + 'FreeBSD':{ + $pkg_name = "strongswan" + $ipsec_conf = '/usr/local/etc/ipsec.conf' + $service_name = 'strongswan' + # strongswan's startup script confuses pupets + # service enable, so we cannot enable the service + $service_enable = undef + $secrets_usr = 'root' + $secrets_grp = 'wheel' + $secrets_file = '/usr/local/etc/ipsec.secrets' + + } + 'OpenBSD':{ + $isakmpd_service = 'isakmpd' + $pkg_name = false + $pkg_provider = undef + $ipsec_conf = '/etc/ipsec.conf' + $setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf' + } + default: { + $pkg_name = "strongswan" + $ipsec_conf = '/etc/ipsec.conf' + $service_name = 'strongswan' + $service_enable = true + $secrets_usr = 'root' + $secrets_grp = 'root' + $secrets_file = '/etc/ipsec.secrets' + } + } +} + diff --git a/pkg/7u83-ipsec-0.1.0/metadata.json b/pkg/7u83-ipsec-0.1.0/metadata.json new file mode 100644 index 0000000..fdcca38 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/metadata.json @@ -0,0 +1,21 @@ +{ + "name": "7u83-ipsec", + "version": "0.1.0", + "author": "7u83", + "summary": "IPSec with racoon", + "license": "Apache-2.0", + "source": "", + "project_page": null, + "issues_url": null, + "dependencies": [ + { + "name": "puppetlabs-stdlib", + "version_requirement": ">= 1.0.0" + }, + { + "name": "puppetlabs-concat", + "version_requirement": ">= 1.0.0" + } + ], + "data_provider": null +} diff --git a/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb b/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb new file mode 100644 index 0000000..ea5195c --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb @@ -0,0 +1,6 @@ +require 'spec_helper' +describe 'ipsec' do + context 'with default values for all parameters' do + it { should contain_class('ipsec') } + end +end diff --git a/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb b/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb new file mode 100644 index 0000000..2c6f566 --- /dev/null 
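Review bot: The `'OpenBSD':` branch is a copy of the isakmpd_params one (`$isakmpd_service`, `$setkey_cmd`, `$pkg_name = false`) and sets none of the variables `ipsec::strongswan` actually reads — `$secrets_file`, `$secrets_usr`, `$secrets_grp`, `$service_name`, `$service_enable` — so on OpenBSD `concat { "$secrets_file": }` gets an empty title and compilation fails. Replace the branch with real strongswan values or `fail('ipsec::strongswan: not supported on OpenBSD')`. The comment `# strongswan's startup script confuses pupets` should read `puppet's`.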
+++ b/pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb @@ -0,0 +1 @@ +require 'puppetlabs_spec_helper/module_spec_helper' diff --git a/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb b/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb new file mode 100644 index 0000000..eeb2dd9 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb @@ -0,0 +1,5 @@ +# Managed by puppet +# +flush; +spdflush; + diff --git a/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb new file mode 100644 index 0000000..5176fb7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb @@ -0,0 +1,3 @@ +# +# Managed by Puppet +# diff --git a/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb new file mode 100644 index 0000000..06d42c7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb @@ -0,0 +1,16 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +ike esp from <%= net['local'] %> to <%= net['remote'] %> \ +local <%= @local_ip %> peer <%= @remote_ip %> \ + main auth hmac-md5 enc aes-256 group modp1024 \ + quick auth hmac-md5 enc aes-256 group modp1024 \ + psk "<%= @psk %>" +<% end %> + + + 
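Review bot: `ipsec_tunnel.erb` reads `net['proto']` from each `@nets` entry and never `@proto`, so the `proto` parameter of `ipsec::tunnel` and `ipsec::racoon::tunnel` has no effect, and a net hash without a `proto` key renders `spdadd A B  -P out ipsec` with the protocol missing, which setkey rejects. Use `<%= net['proto'] || @proto %>` in both spdadd lines. The same template is duplicated as racoon/ipsec.conf.tunnel.erb on the next line and twice more under templates/ later in the patch.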
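Review bot: `isakmpd_tunnel.erb` hard-codes `main auth hmac-md5 enc aes-256 group modp1024` and the same for `quick`, so the `hash`, `encryption`, `dh_group` and `lifetime` parameters that `ipsec::tunnel` exposes are silently ignored for this backend and every isakmpd tunnel negotiates HMAC-MD5 with DH group 2 regardless of what the caller asked for — both below what current IKE guidance recommends. Either thread the parameters through (`ipsec::isakmpd::tunnel` would first need to accept them) or document the fixed algorithms in the define's header comment. The strongswan template has the same hard-coded `ike=aes256-md5-modp1024`, and templates/isakmpd_tunnel.erb later in the patch is an identical copy.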
diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb new file mode 100644 index 0000000..2897df0 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb @@ -0,0 +1,28 @@ +# +# racoon.conf Managed by Puppet +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +remote anonymous { + exchange_mode main; + proposal { + encryption_algorithm aes_256; + hash_algorithm md5; + authentication_method pre_shared_key; + dh_group modp1024; + } + generate_policy on; +} + +sainfo anonymous{ + pfs_group 2; + encryption_algorithm aes_256; + authentication_algorithm hmac_md5; + compression_algorithm deflate; +} + + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb new file mode 100644 index 0000000..50c0970 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb @@ -0,0 +1,10 @@ +# +# Transport +# Name: <%= @title %> +# + +spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec + esp/transport//require; +spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec + esp/transport//require; + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> 
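Review bot: Both `spdadd` lines in `ipsec.conf.transport.erb` use `-P out`; the second, for `@remote_ip -> @local_ip`, should be `-P in` (compare ipsec.conf.tunnel.erb next to it). As written there is no inbound policy requiring ESP, so traffic from the peer would be accepted unprotected while outbound is encrypted — the transport policy is only half-enforced. The line should read `spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec`. The copy under templates/racoon/ later in the patch has the same defect.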
diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb new file mode 100644 index 0000000..580a939 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb @@ -0,0 +1,33 @@ +# +# remote $title +# + +remote <%= @remote_ip %> { + exchange_mode main; + proposal { + encryption_algorithm <%= @encryption %>; + hash_algorithm <%= @hash %>; + dh_group <%= @dh_group %>; + lifetime time <%= @lifetime %>; + authentication_method pre_shared_key; + } + # generate_policy on; +} + +<% @nets.each do |net| -%> + <%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %> + <%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %> + <%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %> + <%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %> + + +sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %> +{ + pfs_group <%= @pfs_group %>; + encryption_algorithm <%= @saencryption %>; + authentication_algorithm <%= @p2hash %>; + compression_algorithm deflate; + lifetime time <%= @salifetime %>; +} +<% end -%> + diff --git a/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb new file mode 100644 index 0000000..1b6f400 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb 
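Review bot: The phase-2 fallback `@p2hash = net['hash'] ? net['hash'] : 'hmac_md5'` ignores the `@hash` value (default sha256) that the same template uses for phase 1, so unless every net sets `hash` explicitly the SAs authenticate with HMAC-MD5 while IKE negotiated SHA-256 — a silent downgrade. Deriving the default from the phase-1 value, `<%- @p2hash = net['hash'] || "hmac_#{@hash}" -%>`, keeps the two consistent, assuming the installed racoon accepts that algorithm name. The per-iteration values need not be instance variables — plain locals (`salifetime = ...`) read better — and `<%-` paired with a trailing `%>` rather than `-%>` leaves blank lines in the rendered file. templates/racoon/racoon.conf.erb later in the patch is an identical copy.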
@@ -0,0 +1,29 @@ +# +# racoon.conf Managed by Puppet +# will be overwritten at next puppet run +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +#remote anonymous { +# exchange_mode main; +# proposal { +# encryption_algorithm aes_256; +# hash_algorithm md5; +# authentication_method pre_shared_key; +# dh_group modp1024; +# } +# generate_policy on; +#} + +#sainfo anonymous{ +# pfs_group 2; +# encryption_algorithm aes_256; +# authentication_algorithm hmac_md5; +# compression_algorithm deflate; +#} + + diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb new file mode 100644 index 0000000..654ce6a --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb @@ -0,0 +1 @@ +#managed by puppet diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..8ac832a --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb @@ -0,0 +1,14 @@ + +<% @nets.each do |net| -%> +conn <%= @title %> + left=<%= @local_ip %> + leftsubnet=<%= net['local'] %> + right=<%= @remote_ip %> + rightsubnet=<%= net['remote'] %> + ike=aes256-md5-modp1024 + esp=aes256-md5-modp1024! + auto=start + authby=secret + keyexchange=ikev1 +<% end %> + diff --git a/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb new file mode 100644 index 0000000..303e6e7 --- /dev/null +++ b/pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb @@ -0,0 +1,2 @@ +<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>" + diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..ea5195c --- /dev/null +++ b/spec/classes/init_spec.rb 
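Review bot: `conn <%= @title %>` sits inside `<% @nets.each do |net| -%>`, so a tunnel with more than one net emits several `conn` sections with the same name and strongSwan keeps only one definition of that name, dropping the other subnet pairs. Give each section a distinct name, e.g. `<% @nets.each_with_index do |net, i| -%>` with `conn <%= @title %>-<%= i %>`, or emit a single conn using comma-separated `leftsubnet`/`rightsubnet` lists. The `ike=aes256-md5-modp1024` and `esp=aes256-md5-modp1024!` lines ignore the module's `hash`/`encryption`/`dh_group` parameters, as already noted for isakmpd_tunnel.erb. The templates/strongswan/ipsec.conf.tunnel.erb copy at the end of the patch is identical.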
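Review bot: `<% @remote_ip %>` in `ipsec.secrets.erb` is missing the `=`, so the remote address is evaluated and discarded and the rendered line is `LOCAL  : PSK "..."`. In strongSwan's ipsec.secrets a PSK entry with only one selector matches any peer for that local address, so each tunnel's PSK becomes usable by any remote that connects — the peer binding the define intends is lost. The line should be `<%= @local_ip %> <%= @remote_ip %> : PSK "<%= @psk %>"`. The same line appears in templates/strongswan/ipsec.secrets.erb at the end of the patch.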
@@ -0,0 +1,6 @@ +require 'spec_helper' +describe 'ipsec' do + context 'with default values for all parameters' do + it { should contain_class('ipsec') } + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..2c6f566 --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1 @@ +require 'puppetlabs_spec_helper/module_spec_helper' diff --git a/templates/ipsec_top.erb b/templates/ipsec_top.erb new file mode 100644 index 0000000..eeb2dd9 --- /dev/null +++ b/templates/ipsec_top.erb @@ -0,0 +1,5 @@ +# Managed by puppet +# +flush; +spdflush; + diff --git a/templates/ipsec_tunnel.erb b/templates/ipsec_tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/templates/ipsec_tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/templates/isakmpd_ipsec_conf_header.erb b/templates/isakmpd_ipsec_conf_header.erb new file mode 100644 index 0000000..5176fb7 --- /dev/null +++ b/templates/isakmpd_ipsec_conf_header.erb @@ -0,0 +1,3 @@ +# +# Managed by Puppet +# diff --git a/templates/isakmpd_tunnel.erb b/templates/isakmpd_tunnel.erb new file mode 100644 index 0000000..06d42c7 --- /dev/null +++ b/templates/isakmpd_tunnel.erb @@ -0,0 +1,16 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +ike esp from <%= net['local'] %> to <%= net['remote'] %> \ +local <%= @local_ip %> peer <%= @remote_ip %> \ + main auth hmac-md5 enc aes-256 group modp1024 \ + quick auth hmac-md5 enc aes-256 group modp1024 \ + psk "<%= @psk %>" +<% end %> + + + diff --git a/templates/racoon.conf.erb b/templates/racoon.conf.erb new file mode 100644 index 0000000..2897df0 --- /dev/null 
+++ b/templates/racoon.conf.erb @@ -0,0 +1,28 @@ +# +# racoon.conf Managed by Puppet +# + +log notify; +path pre_shared_key "<%= @racoon_pskfile %>"; + +path certificate "/etc/racoon/certs"; + +remote anonymous { + exchange_mode main; + proposal { + encryption_algorithm aes_256; + hash_algorithm md5; + authentication_method pre_shared_key; + dh_group modp1024; + } + generate_policy on; +} + +sainfo anonymous{ + pfs_group 2; + encryption_algorithm aes_256; + authentication_algorithm hmac_md5; + compression_algorithm deflate; +} + + diff --git a/templates/racoon/ipsec.conf.transport.erb b/templates/racoon/ipsec.conf.transport.erb new file mode 100644 index 0000000..50c0970 --- /dev/null +++ b/templates/racoon/ipsec.conf.transport.erb @@ -0,0 +1,10 @@ +# +# Transport +# Name: <%= @title %> +# + +spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec + esp/transport//require; +spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec + esp/transport//require; + diff --git a/templates/racoon/ipsec.conf.tunnel.erb b/templates/racoon/ipsec.conf.tunnel.erb new file mode 100644 index 0000000..fc3d0c3 --- /dev/null +++ b/templates/racoon/ipsec.conf.tunnel.erb @@ -0,0 +1,12 @@ +# +# Tunnel +# Name: <%= @title %> +# +# + +<% @nets.each do |net| -%> +spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec + esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require; +spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec + esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require; +<% end %> diff --git a/templates/racoon/racoon.conf.erb b/templates/racoon/racoon.conf.erb new file mode 100644 index 0000000..580a939 --- /dev/null +++ b/templates/racoon/racoon.conf.erb 
@@ -0,0 +1,33 @@
+#
+# remote $title
+#
+
+remote <%= @remote_ip %> {
+ exchange_mode main;
+ proposal {
+ encryption_algorithm <%= @encryption %>;
+ hash_algorithm <%= @hash %>;
+ dh_group <%= @dh_group %>;
+ lifetime time <%= @lifetime %>;
+ authentication_method pre_shared_key;
+ }
+ # generate_policy on;
+}
+
+<% @nets.each do |net| -%>
+ <%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
+ <%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
+ <%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
+ <%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %>
+
+
+sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %>
+{
+ pfs_group <%= @pfs_group %>;
+ encryption_algorithm <%= @saencryption %>;
+ authentication_algorithm <%= @p2hash %>;
+ compression_algorithm deflate;
+ lifetime time <%= @salifetime %>;
+}
+<% end -%>
+
diff --git a/templates/racoon/racoon.conf.header.erb b/templates/racoon/racoon.conf.header.erb
new file mode 100644
index 0000000..1b6f400
--- /dev/null
+++ b/templates/racoon/racoon.conf.header.erb
@@ -0,0 +1,29 @@
+#
+# racoon.conf Managed by Puppet
+# will be overwritten at next puppet run
+#
+
+log notify;
+path pre_shared_key "<%= @racoon_pskfile %>";
+
+path certificate "/etc/racoon/certs";
+
+#remote anonymous {
+# exchange_mode main;
+# proposal {
+# encryption_algorithm aes_256;
+# hash_algorithm md5;
+# authentication_method pre_shared_key;
+# dh_group modp1024;
+# }
+# generate_policy on;
+#}
+
+#sainfo anonymous{
+# pfs_group 2;
+# encryption_algorithm aes_256;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}
+
+
diff --git a/templates/strongswan/ipsec.conf.header.erb b/templates/strongswan/ipsec.conf.header.erb
new file mode 100644
index 0000000..654ce6a
--- /dev/null
+++ b/templates/strongswan/ipsec.conf.header.erb
@@ -0,0 +1 @@
+#managed by puppet
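Review bot: The per-net defaults in templates/racoon/racoon.conf.erb are stored in instance variables inside the `@nets.each` loop (`@salifetime`, `@saencryption`, `@pfs_group`, `@p2hash`), which would silently overwrite any same-named variable the Puppet scope hands the template and carry state across iterations; plain locals with `||` say the same thing more directly, e.g. `<%- salifetime = net['lifetime'] || "3600 sec" -%>` (the `-%>` also drops the blank lines those tags currently leave in the output). The phase 2 hash falls back to the literal `'hmac_md5'` while the phase 1 hash comes from `@hash`; defaulting to `@hash`, or a comment explaining why md5 is pinned for phase 2, would avoid a weak default that callers cannot see. The header comment `# remote $title` is emitted literally, since `$title` is not interpolated in ERB; `# remote <%= @title %>` is presumably what was intended.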
diff --git a/templates/strongswan/ipsec.conf.tunnel.erb b/templates/strongswan/ipsec.conf.tunnel.erb
new file mode 100644
index 0000000..8ac832a
--- /dev/null
+++ b/templates/strongswan/ipsec.conf.tunnel.erb
@@ -0,0 +1,14 @@
+
+<% @nets.each do |net| -%>
+conn <%= @title %>
+ left=<%= @local_ip %>
+ leftsubnet=<%= net['local'] %>
+ right=<%= @remote_ip %>
+ rightsubnet=<%= net['remote'] %>
+ ike=aes256-md5-modp1024
+ esp=aes256-md5-modp1024!
+ auto=start
+ authby=secret
+ keyexchange=ikev1
+<% end %>
+
diff --git a/templates/strongswan/ipsec.secrets.erb b/templates/strongswan/ipsec.secrets.erb
new file mode 100644
index 0000000..303e6e7
--- /dev/null
+++ b/templates/strongswan/ipsec.secrets.erb
@@ -0,0 +1,2 @@
+<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>"
+
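Review bot: `conn <%= @title %>` in templates/strongswan/ipsec.conf.tunnel.erb is emitted inside the `@nets.each` loop, so a tunnel with more than one entry in `@nets` renders several `conn` sections with the same name and, depending on the strongswan version, the later definition presumably replaces the earlier one or is rejected, leaving only one subnet pair with a working connection. Giving each section a distinct name fixes this: `<% @nets.each_with_index do |net, i| -%>` and `conn <%= @title %>-<%= i %>`. The template also hard-codes `ike=aes256-md5-modp1024` and `esp=aes256-md5-modp1024!`, whereas the racoon template in this commit takes the cipher, hash and DH group from `@encryption`, `@hash` and `@dh_group`; MD5 and modp1024 are a weak choice to fix in the template rather than expose as parameters.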
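Review bot: `<% @remote_ip %>` on the only line of templates/strongswan/ipsec.secrets.erb is a code tag rather than an output tag, so the remote address is never written and the rendered selector is just `<local_ip>  : PSK "..."`; with only the local identity listed the key would presumably be offered to any peer that connects to `local_ip`, not only to `remote_ip`. The line should read `<%= @local_ip %> <%= @remote_ip %> : PSK "<%= @psk %>"`. As in the isakmpd template, the PSK is also placed between double quotes without escaping, so a secret containing `"` would break the entry; validating the key in the manifest before rendering would cover both templates.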
