tohe
/
7u83-ipsec
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit

This commit is contained in:
7u83 2018-02-21 16:31:53 +01:00
parent 374478ad84
commit 42784659bc
56 changed files with 1773 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Gemfile Normal file
View File

@ -0,0 +1,18 @@
source ENV['GEM_SOURCE'] || 'https://rubygems.org'
puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
gem 'metadata-json-lint'
gem 'puppet', puppetversion
gem 'puppetlabs_spec_helper', '>= 1.2.0'
gem 'puppet-lint', '>= 1.0.0'
gem 'facter', '>= 1.7.0'
gem 'rspec-puppet'
# rspec must be v2 for ruby 1.8.7
if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
gem 'rspec', '~> 2.0'
gem 'rake', '~> 10.0'
else
# rubocop requires ruby >= 1.9
gem 'rubocop'
end

90
README.md
View File

@ -1 +1,89 @@
# 7u83-ipsec
# ipsec
#### Table of Contents
1. [Description](#description)
1. [Setup - The basics of getting started with ipsec](#setup)
* [What ipsec affects](#what-ipsec-affects)
* [Setup requirements](#setup-requirements)
* [Beginning with ipsec](#beginning-with-ipsec)
1. [Usage - Configuration options and additional functionality](#usage)
1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
1. [Limitations - OS compatibility, etc.](#limitations)
1. [Development - Guide for contributing to the module](#development)
## Description
Start with a one- or two-sentence summary of what the module does and/or what
problem it solves. This is your 30-second elevator pitch for your module.
Consider including OS/Puppet version it works with.
You can give more descriptive information in a second paragraph. This paragraph
should answer the questions: "What does this module *do*?" and "Why would I use
it?" If your module has a range of functionality (installation, configuration,
management, etc.), this is the time to mention it.
## Setup
### What ipsec affects **OPTIONAL**
If it's obvious what your module touches, you can skip this section. For
example, folks can probably figure out that your mysql_instance module affects
their MySQL instances.
If there's more that they should know about, though, this is the place to mention:
* A list of files, packages, services, or operations that the module will alter,
impact, or execute.
* Dependencies that your module automatically installs.
* Warnings or other important notices.
### Setup Requirements **OPTIONAL**
If your module requires anything extra before setting up (pluginsync enabled,
etc.), mention it here.
If your most recent release breaks compatibility or requires particular steps
for upgrading, you might want to include an additional "Upgrading" section
here.
### Beginning with ipsec
The very basic steps needed for a user to get the module up and running. This
can include setup steps, if necessary, or it can be an example of the most
basic use of the module.
## Usage
This section is where you describe how to customize, configure, and do the
fancy stuff with your module here. It's especially helpful if you include usage
examples and code samples for doing things with your module.
## Reference
Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section.
* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation.
* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include:
* The data type, if applicable.
* A description of what the element does.
* Valid values, if the data type doesn't make it obvious.
* Default value, if any.
## Limitations
This is where you list OS compatibility, version compatibility, etc. If there
are Known Issues, you might want to include them under their own heading here.
## Development
Since your module is awesome, other users will want to play with it. Let them
know what the ground rules for contributing are.
## Release Notes/Contributors/Etc. **Optional**
If you aren't using changelog, put your release notes here (though you should
consider using changelog). You can also add any additional sections you feel
are necessary or important to include here. Please use the `## ` header.

32
Rakefile Normal file
View File

@ -0,0 +1,32 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'metadata-json-lint/rake_task'
if RUBY_VERSION >= '1.9'
require 'rubocop/rake_task'
RuboCop::RakeTask.new
end
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.relative = true
PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp']
desc 'Validate manifests, templates, and ruby files'
task :validate do
Dir['manifests/**/*.pp'].each do |manifest|
sh "puppet parser validate --noop #{manifest}"
end
Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures}
end
Dir['templates/**/*.erb'].each do |template|
sh "erb -P -x -T '-' #{template} | ruby -c"
end
end
desc 'Run lint, validate, and spec tests.'
task :test do
[:lint, :validate, :spec].each do |test|
Rake::Task[test].invoke
end
end

12
examples/init.pp Normal file
View File

@ -0,0 +1,12 @@
# The baseline for module testing used by Puppet Inc. is that each manifest
# should have a corresponding test manifest that declares that class or defined
# type.
#
# Tests are then run by using puppet apply --noop (to check for compilation
# errors and view a log of events) or by fully applying the test in a virtual
# environment (to compare the resulting system state to the desired state).
#
# Learn more about module testing here:
# https://docs.puppet.com/guides/tests_smoke.html
#
include ::ipsec

126
manifests/init.pp Normal file
View File

@ -0,0 +1,126 @@
# Class: ipsec
# ===========================
#
# Full description of class ipsec here.
#
# Parameters
# ----------
#
# Document parameters here.
#
# * `sample parameter`
# Explanation of what this parameter affects and what it defaults to.
# e.g. "Specify one or more upstream ntp servers as an array."
#
# Variables
# ----------
#
# Here you should define a list of variables that this module would require.
#
# * `sample variable`
# Explanation of how this variable affects the function of this class and if
# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
# External Node Classifier as a comma separated list of hostnames." (Note,
# global variables should be avoided in favor of class parameters as
# of Puppet 2.6.)
#
# Examples
# --------
#
# @example
# class { 'ipsec':
# }
#
# Authors
# -------
#
# 7u83 <7u83@mail.ru>
#
# Copyright
# ---------
#
# Copyright 2018 7u83@mail.ru
#
class ipsec(
$version = 'latest',
$ikedaemon = undef
){
if $ikedaemon == undef {
case $::osfamily {
'FreeBSD':{
$ike_daemon = 'racoon'
}
'OpenBSD':{
$ike_daemon = 'isakmpd'
}
default: {
$ike_daemon = 'racoon'
}
}
}
else {
$ike_daemon = $ikedaemon
}
$res = "ipsec::${ike_daemon}"
class { "$res":
version => $version
}
}
define ipsec::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk,
$hash = 'sha256',
$encryption = 'aes256',
$lifetime = '86400',
$dh_group = 14,
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::tunnel"
Resource[$res] { "$title":
local_ip => $local_ip,
remote_ip => $remote_ip,
nets => $nets,
proto => $proto,
psk => $psk,
lifetime => $lifetime,
hash => $hash,
encryption => $encryption,
dh_group => 14,
}
}
define ipsec::transport (
$local_ip,
$remote_ip,
$proto = "any",
$psk
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::transport"
Resource[$res] { "$title":
local_ip => $local_ip,
remote_ip => $remote_ip,
proto => $proto,
psk => $psk
}
}

61
manifests/isakmpd.pp Normal file
View File

@ -0,0 +1,61 @@
##
class ipsec::isakmpd (
$version = 'latest'
) inherits ipsec::isakmpd_params {
if $pkg_name != false {
# if $pkg_provider_p != false {
# $provider = $pkg_provider_p
# }
# else {
# $provider = $pkg_provider
# }
package { 'isakmpd':
name => $pkg_name,
provider => $pkg_provider
}
}
concat { "$ipsec_conf":
mode => '0600'
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
}
exec { "$setkey_cmd":
subscribe => Concat[ "$ipsec_conf" ],
refreshonly => true
}
}
define ipsec::isakmpd::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk
){
notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
concat::fragment { "$title":
target => "$::ipsec::isakmpd_params::ipsec_conf",
content => template('ipsec/isakmpd_tunnel.erb')
}
}

33
manifests/isakmpd_params.pp Normal file
View File

@ -0,0 +1,33 @@
#
class ipsec::isakmpd_params {
case $::osfamily {
'FreeBSD':{
$pkg_name = "security/isakmpd"
$pkg_provider = "portsng"
$ipsec_conf = '/etc/ipsec.conf'
$isakmpd_service = 'isakmpd'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
'OpenBSD':{
$isakmpd_service = 'isakmpd'
$pkg_name = false
$pkg_provider = undef
$ipsec_conf = '/etc/ipsec.conf'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/racoon-tools.conf'
$racoon_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

42
manifests/params.pp Normal file
View File

@ -0,0 +1,42 @@
#params
class ipsec::params {
case $::osfamily {
'FreeBSD':{
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
'OpenBSD':{
$ikedaemon = 'isakmpd'
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec-tools.conf'
$ipsec_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

128
manifests/racoon.pp Normal file
View File

@ -0,0 +1,128 @@
# Racoon IPSec
class ipsec::racoon (
$version = 'latest'
)inherits ipsec::racoon_params{
package {'racoon':
name => "$racoon_pkg",
ensure => "$version",
}
service {'racoon':
name => "$racoon_service",
ensure => 'running',
require => Concat["$racoon_conf"], #File['racoon_conf'],
subscribe => Concat["$racoon_conf"],
enable => true,
}
service {'ipsec':
name => "$ipsec_service",
enable => true,
}
exec { "$setkey_cmd -f $ipsec_conf":
subscribe => Concat[ "$ipsec_conf" ],
refreshonly => true
}
concat { "$racoon_conf":
ensure => present
}
concat::fragment { "$racoon_conf header":
target => "$racoon_conf",
order => '00',
content => template('ipsec/racoon/racoon.conf.header.erb'),
}
concat { "$ipsec_conf":
ensure => present
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/ipsec_top.erb'),
}
concat { "$racoon_pskfile":
owner => "$racoon_usr",
group => "$racoon_grp",
mode => '0600',
ensure => present
}
concat::fragment { "pskfile_header":
target => "$racoon_pskfile",
order => '00',
content => "#racoon psks\n",
}
}
define ipsec::racoon::tunnel (
$local_ip,
$remote_ip,
$encryption = 'blowfish',
$hash = 'sha256',
$dh_group = 'modp3072',
$lifetime = '86400 sec',
$nets,
$proto = "any",
$psk
)
{
concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/ipsec_tunnel.erb')
}
concat::fragment { "psk_$title":
target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n"
}
concat::fragment { "racoon_conf_$title":
target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/racoon.conf.erb')
}
}
define ipsec::racoon::transport (
$local_ip,
$remote_ip,
$proto = "any",
$encryption = 'blowfish',
$hash = 'sha256',
$dh_group = 'mopd3072',
$psk
)
{
concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/racoon/ipsec.conf.transport.erb')
}
concat::fragment { "psk_$title":
target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n"
}
}

39
manifests/racoon_params.pp Normal file
View File

@ -0,0 +1,39 @@
class ipsec::racoon_params {
case $::osfamily {
'FreeBSD':{
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
'OpenBSD':{
$ikedaemon = 'isakmpd'
$racoon_pkg = 'racoon-tools'
# $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
# $racoon_conf = '/etc/racoon.conf'
$ipsec_service = 'racoon'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec-tools.conf'
$ipsec_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

63
manifests/strongswan.pp Normal file
View File

@ -0,0 +1,63 @@
##
class ipsec::strongswan (
$version = 'latest',
$enable = $::ipsec::strongswan_params::service_enable
) inherits ipsec::strongswan_params {
package { 'strongswan':
name => $pkg_name,
provider => $pkg_provider,
ensure => $version
}
service { 'strongswan':
ensure => running,
require => Package['strongswan'],
subscribe => Concat[ "$ipsec_conf" ],
enable => $enable
}
concat { "$secrets_file":
owner => "$secrets_usr",
group => "$secrets_grp",
mode => '0600'
}
concat::fragment { "pskfile_header":
target => "$secrets_file",
order => '00',
content => "#strongswan psks\n",
}
concat { "$ipsec_conf":
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/strongswan/ipsec.conf.header.erb'),
}
}
define ipsec::strongswan::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk
){
concat::fragment { "$title":
target => "$::ipsec::strongswan_params::ipsec_conf",
content => template('ipsec/strongswan/ipsec.conf.tunnel.erb')
}
concat::fragment { "$title psk":
target => "$::ipsec::strongswan_params::secrets_file",
content => template('ipsec/strongswan/ipsec.secrets.erb')
}
}

35
manifests/strongswan_params.pp Normal file
View File

@ -0,0 +1,35 @@
#
class ipsec::strongswan_params {
case $::osfamily {
'FreeBSD':{
$pkg_name = "strongswan"
$ipsec_conf = '/usr/local/etc/ipsec.conf'
$service_name = 'strongswan'
# strongswan's startup script confuses pupets
# service enable, so we cannot enable the service
$service_enable = undef
$secrets_usr = 'root'
$secrets_grp = 'wheel'
$secrets_file = '/usr/local/etc/ipsec.secrets'
}
'OpenBSD':{
$isakmpd_service = 'isakmpd'
$pkg_name = false
$pkg_provider = undef
$ipsec_conf = '/etc/ipsec.conf'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
default: {
$pkg_name = "strongswan"
$ipsec_conf = '/etc/ipsec.conf'
$service_name = 'strongswan'
$service_enable = true
$secrets_usr = 'root'
$secrets_grp = 'root'
$secrets_file = '/etc/ipsec.secrets'
}
}
}

23
metadata.json Normal file
View File

@ -0,0 +1,23 @@
{
"name": "7u83-ipsec",
"version": "0.1.0",
"author": "7u83",
"summary": "IPSec with racoon",
"license": "Apache-2.0",
"source": "",
"project_page": null,
"issues_url": null,
"dependencies": [
{
"name": "puppetlabs-stdlib",
"version_requirement": ">= 1.0.0"
},
{
"name": "puppetlabs-concat",
"version_requirement": ">= 1.0.0"
}
],
"data_provider": null
}

BIN
pkg/7u83-ipsec-0.1.0.tar.gz Normal file
View File

Binary file not shown.

18
pkg/7u83-ipsec-0.1.0/Gemfile Normal file
View File

@ -0,0 +1,18 @@
source ENV['GEM_SOURCE'] || 'https://rubygems.org'
puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3']
gem 'metadata-json-lint'
gem 'puppet', puppetversion
gem 'puppetlabs_spec_helper', '>= 1.2.0'
gem 'puppet-lint', '>= 1.0.0'
gem 'facter', '>= 1.7.0'
gem 'rspec-puppet'
# rspec must be v2 for ruby 1.8.7
if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9'
gem 'rspec', '~> 2.0'
gem 'rake', '~> 10.0'
else
# rubocop requires ruby >= 1.9
gem 'rubocop'
end

89
pkg/7u83-ipsec-0.1.0/README.md Normal file
View File

@ -0,0 +1,89 @@
# ipsec
#### Table of Contents
1. [Description](#description)
1. [Setup - The basics of getting started with ipsec](#setup)
* [What ipsec affects](#what-ipsec-affects)
* [Setup requirements](#setup-requirements)
* [Beginning with ipsec](#beginning-with-ipsec)
1. [Usage - Configuration options and additional functionality](#usage)
1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
1. [Limitations - OS compatibility, etc.](#limitations)
1. [Development - Guide for contributing to the module](#development)
## Description
Start with a one- or two-sentence summary of what the module does and/or what
problem it solves. This is your 30-second elevator pitch for your module.
Consider including OS/Puppet version it works with.
You can give more descriptive information in a second paragraph. This paragraph
should answer the questions: "What does this module *do*?" and "Why would I use
it?" If your module has a range of functionality (installation, configuration,
management, etc.), this is the time to mention it.
## Setup
### What ipsec affects **OPTIONAL**
If it's obvious what your module touches, you can skip this section. For
example, folks can probably figure out that your mysql_instance module affects
their MySQL instances.
If there's more that they should know about, though, this is the place to mention:
* A list of files, packages, services, or operations that the module will alter,
impact, or execute.
* Dependencies that your module automatically installs.
* Warnings or other important notices.
### Setup Requirements **OPTIONAL**
If your module requires anything extra before setting up (pluginsync enabled,
etc.), mention it here.
If your most recent release breaks compatibility or requires particular steps
for upgrading, you might want to include an additional "Upgrading" section
here.
### Beginning with ipsec
The very basic steps needed for a user to get the module up and running. This
can include setup steps, if necessary, or it can be an example of the most
basic use of the module.
## Usage
This section is where you describe how to customize, configure, and do the
fancy stuff with your module here. It's especially helpful if you include usage
examples and code samples for doing things with your module.
## Reference
Users need a complete list of your module's classes, types, defined types providers, facts, and functions, along with the parameters for each. You can provide this list either via Puppet Strings code comments or as a complete list in this Reference section.
* If you are using Puppet Strings code comments, this Reference section should include Strings information so that your users know how to access your documentation.
* If you are not using Puppet Strings, include a list of all of your classes, defined types, and so on, along with their parameters. Each element in this listing should include:
* The data type, if applicable.
* A description of what the element does.
* Valid values, if the data type doesn't make it obvious.
* Default value, if any.
## Limitations
This is where you list OS compatibility, version compatibility, etc. If there
are Known Issues, you might want to include them under their own heading here.
## Development
Since your module is awesome, other users will want to play with it. Let them
know what the ground rules for contributing are.
## Release Notes/Contributors/Etc. **Optional**
If you aren't using changelog, put your release notes here (though you should
consider using changelog). You can also add any additional sections you feel
are necessary or important to include here. Please use the `## ` header.

32
pkg/7u83-ipsec-0.1.0/Rakefile Normal file
View File

@ -0,0 +1,32 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'metadata-json-lint/rake_task'
if RUBY_VERSION >= '1.9'
require 'rubocop/rake_task'
RuboCop::RakeTask.new
end
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.relative = true
PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp']
desc 'Validate manifests, templates, and ruby files'
task :validate do
Dir['manifests/**/*.pp'].each do |manifest|
sh "puppet parser validate --noop #{manifest}"
end
Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file|
sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures}
end
Dir['templates/**/*.erb'].each do |template|
sh "erb -P -x -T '-' #{template} | ruby -c"
end
end
desc 'Run lint, validate, and spec tests.'
task :test do
[:lint, :validate, :spec].each do |test|
Rake::Task[test].invoke
end
end

29
pkg/7u83-ipsec-0.1.0/checksums.json Normal file
View File

@ -0,0 +1,29 @@
{
"Gemfile": "0b0ef34a57239868636b26141342423f",
"README.md": "a5b4536f36ecfaf9b006108e3eef7c19",
"Rakefile": "158b889261acd98356f6e0f2a031b6b9",
"examples/init.pp": "43f2a9901e66401685dfe3d4db835c34",
"manifests/init.pp": "93c3f7d6596d15b3fdfa1c49e4863437",
"manifests/isakmpd.pp": "424a6dae7d294cdb79c71f3f1fe8660d",
"manifests/isakmpd_params.pp": "a75273d0f3577c540a48dc71be0423d9",
"manifests/params.pp": "c4981d62b9ea633cd59a034eb9c846d0",
"manifests/racoon.pp": "0b40af7e75e6481324193c9d86fcd6e7",
"manifests/racoon_params.pp": "5582629736d3cd7d8f4c55a24603f665",
"manifests/strongswan.pp": "9652c2c317e5f910f71559744216daf4",
"manifests/strongswan_params.pp": "39fa38f2249f9f0e26620f5ece60f4df",
"metadata.json": "65900ebf8697e32ecc5c5c8232efab54",
"spec/classes/init_spec.rb": "4bf5fa4da7c89cacc52ee8de94848bc5",
"spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc",
"templates/ipsec_top.erb": "e84bf026bd13924bba8606192219162e",
"templates/ipsec_tunnel.erb": "6419c0f349a26aa7d2623b99cd724012",
"templates/isakmpd_ipsec_conf_header.erb": "e13d611da756f7dced378eb6afb12b7f",
"templates/isakmpd_tunnel.erb": "d7155f03563e5d9ff437846d8373cc1f",
"templates/racoon/ipsec.conf.transport.erb": "b65510f46b902b6806b26055bcb474c2",
"templates/racoon/ipsec.conf.tunnel.erb": "6419c0f349a26aa7d2623b99cd724012",
"templates/racoon/racoon.conf.erb": "9f5be0e2ad7abe40c55d9ffb606931a7",
"templates/racoon/racoon.conf.header.erb": "aa534ff37ee53159ade7e952bbb8a155",
"templates/racoon.conf.erb": "2a719ba6af007ca9df04fd86a06381c0",
"templates/strongswan/ipsec.conf.header.erb": "07a651b7d80189be95a8aa81ea4e1cd7",
"templates/strongswan/ipsec.conf.tunnel.erb": "169545c847f3a04711e63b27ef63e849",
"templates/strongswan/ipsec.secrets.erb": "0b76db8372d2083ac0a1abb89aad6ab2"
}

12
pkg/7u83-ipsec-0.1.0/examples/init.pp Normal file
View File

@ -0,0 +1,12 @@
# The baseline for module testing used by Puppet Inc. is that each manifest
# should have a corresponding test manifest that declares that class or defined
# type.
#
# Tests are then run by using puppet apply --noop (to check for compilation
# errors and view a log of events) or by fully applying the test in a virtual
# environment (to compare the resulting system state to the desired state).
#
# Learn more about module testing here:
# https://docs.puppet.com/guides/tests_smoke.html
#
include ::ipsec

126
pkg/7u83-ipsec-0.1.0/manifests/init.pp Normal file
View File

@ -0,0 +1,126 @@
# Class: ipsec
# ===========================
#
# Full description of class ipsec here.
#
# Parameters
# ----------
#
# Document parameters here.
#
# * `sample parameter`
# Explanation of what this parameter affects and what it defaults to.
# e.g. "Specify one or more upstream ntp servers as an array."
#
# Variables
# ----------
#
# Here you should define a list of variables that this module would require.
#
# * `sample variable`
# Explanation of how this variable affects the function of this class and if
# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
# External Node Classifier as a comma separated list of hostnames." (Note,
# global variables should be avoided in favor of class parameters as
# of Puppet 2.6.)
#
# Examples
# --------
#
# @example
# class { 'ipsec':
# }
#
# Authors
# -------
#
# 7u83 <7u83@mail.ru>
#
# Copyright
# ---------
#
# Copyright 2018 7u83@mail.ru
#
class ipsec(
$version = 'latest',
$ikedaemon = undef
){
if $ikedaemon == undef {
case $::osfamily {
'FreeBSD':{
$ike_daemon = 'racoon'
}
'OpenBSD':{
$ike_daemon = 'isakmpd'
}
default: {
$ike_daemon = 'racoon'
}
}
}
else {
$ike_daemon = $ikedaemon
}
$res = "ipsec::${ike_daemon}"
class { "$res":
version => $version
}
}
define ipsec::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk,
$hash = 'sha256',
$encryption = 'aes256',
$lifetime = '86400',
$dh_group = 14,
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::tunnel"
Resource[$res] { "$title":
local_ip => $local_ip,
remote_ip => $remote_ip,
nets => $nets,
proto => $proto,
psk => $psk,
lifetime => $lifetime,
hash => $hash,
encryption => $encryption,
dh_group => 14,
}
}
define ipsec::transport (
$local_ip,
$remote_ip,
$proto = "any",
$psk
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::transport"
Resource[$res] { "$title":
local_ip => $local_ip,
remote_ip => $remote_ip,
proto => $proto,
psk => $psk
}
}

61
pkg/7u83-ipsec-0.1.0/manifests/isakmpd.pp Normal file
View File

@ -0,0 +1,61 @@
##
class ipsec::isakmpd (
$version = 'latest'
) inherits ipsec::isakmpd_params {
if $pkg_name != false {
# if $pkg_provider_p != false {
# $provider = $pkg_provider_p
# }
# else {
# $provider = $pkg_provider
# }
package { 'isakmpd':
name => $pkg_name,
provider => $pkg_provider
}
}
concat { "$ipsec_conf":
mode => '0600'
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
}
exec { "$setkey_cmd":
subscribe => Concat[ "$ipsec_conf" ],
refreshonly => true
}
}
define ipsec::isakmpd::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk
){
notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
concat::fragment { "$title":
target => "$::ipsec::isakmpd_params::ipsec_conf",
content => template('ipsec/isakmpd_tunnel.erb')
}
}

33
pkg/7u83-ipsec-0.1.0/manifests/isakmpd_params.pp Normal file
View File

@ -0,0 +1,33 @@
#
class ipsec::isakmpd_params {
case $::osfamily {
'FreeBSD':{
$pkg_name = "security/isakmpd"
$pkg_provider = "portsng"
$ipsec_conf = '/etc/ipsec.conf'
$isakmpd_service = 'isakmpd'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
'OpenBSD':{
$isakmpd_service = 'isakmpd'
$pkg_name = false
$pkg_provider = undef
$ipsec_conf = '/etc/ipsec.conf'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/racoon-tools.conf'
$racoon_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

42
pkg/7u83-ipsec-0.1.0/manifests/params.pp Normal file
View File

@ -0,0 +1,42 @@
#params
class ipsec::params {
case $::osfamily {
'FreeBSD':{
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
'OpenBSD':{
$ikedaemon = 'isakmpd'
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec-tools.conf'
$ipsec_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

128
pkg/7u83-ipsec-0.1.0/manifests/racoon.pp Normal file
View File

@ -0,0 +1,128 @@
# Racoon IPSec
class ipsec::racoon (
$version = 'latest'
)inherits ipsec::racoon_params{
package {'racoon':
name => "$racoon_pkg",
ensure => "$version",
}
service {'racoon':
name => "$racoon_service",
ensure => 'running',
require => Concat["$racoon_conf"], #File['racoon_conf'],
subscribe => Concat["$racoon_conf"],
enable => true,
}
service {'ipsec':
name => "$ipsec_service",
enable => true,
}
exec { "$setkey_cmd -f $ipsec_conf":
subscribe => Concat[ "$ipsec_conf" ],
refreshonly => true
}
concat { "$racoon_conf":
ensure => present
}
concat::fragment { "$racoon_conf header":
target => "$racoon_conf",
order => '00',
content => template('ipsec/racoon/racoon.conf.header.erb'),
}
concat { "$ipsec_conf":
ensure => present
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/ipsec_top.erb'),
}
concat { "$racoon_pskfile":
owner => "$racoon_usr",
group => "$racoon_grp",
mode => '0600',
ensure => present
}
concat::fragment { "pskfile_header":
target => "$racoon_pskfile",
order => '00',
content => "#racoon psks\n",
}
}
define ipsec::racoon::tunnel (
$local_ip,
$remote_ip,
$encryption = 'blowfish',
$hash = 'sha256',
$dh_group = 'modp3072',
$lifetime = '86400 sec',
$nets,
$proto = "any",
$psk
)
{
concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/ipsec_tunnel.erb')
}
concat::fragment { "psk_$title":
target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n"
}
concat::fragment { "racoon_conf_$title":
target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/racoon.conf.erb')
}
}
define ipsec::racoon::transport (
$local_ip,
$remote_ip,
$proto = "any",
$encryption = 'blowfish',
$hash = 'sha256',
$dh_group = 'mopd3072',
$psk
)
{
concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/racoon/ipsec.conf.transport.erb')
}
concat::fragment { "psk_$title":
target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n"
}
}

39
pkg/7u83-ipsec-0.1.0/manifests/racoon_params.pp Normal file
View File

@ -0,0 +1,39 @@
class ipsec::racoon_params {
case $::osfamily {
'FreeBSD':{
$racoon_pkg = 'ipsec-tools'
$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec.conf'
$ipsec_service = 'ipsec'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
'OpenBSD':{
$ikedaemon = 'isakmpd'
$racoon_pkg = 'racoon-tools'
# $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
$racoon_service = 'racoon'
# $racoon_conf = '/etc/racoon.conf'
$ipsec_service = 'racoon'
$setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'wheel'
}
default: {
$racoon_pkg = 'racoon'
$racoon_conf = '/etc/racoon/racoon.conf'
$racoon_pskfile = '/etc/racoon/psk.txt'
$racoon_service = 'racoon'
$ipsec_conf = '/etc/ipsec-tools.conf'
$ipsec_service = 'setkey'
$setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root'
$racoon_grp = 'root'
}
}
}

63
pkg/7u83-ipsec-0.1.0/manifests/strongswan.pp Normal file
View File

@ -0,0 +1,63 @@
##
class ipsec::strongswan (
$version = 'latest',
$enable = $::ipsec::strongswan_params::service_enable
) inherits ipsec::strongswan_params {
package { 'strongswan':
name => $pkg_name,
provider => $pkg_provider,
ensure => $version
}
service { 'strongswan':
ensure => running,
require => Package['strongswan'],
subscribe => Concat[ "$ipsec_conf" ],
enable => $enable
}
concat { "$secrets_file":
owner => "$secrets_usr",
group => "$secrets_grp",
mode => '0600'
}
concat::fragment { "pskfile_header":
target => "$secrets_file",
order => '00',
content => "#strongswan psks\n",
}
concat { "$ipsec_conf":
}
concat::fragment { "ipsec_conf_header":
target => "$ipsec_conf",
order => '00',
content => template('ipsec/strongswan/ipsec.conf.header.erb'),
}
}
define ipsec::strongswan::tunnel (
$local_ip,
$remote_ip,
$nets,
$proto = "any",
$psk
){
concat::fragment { "$title":
target => "$::ipsec::strongswan_params::ipsec_conf",
content => template('ipsec/strongswan/ipsec.conf.tunnel.erb')
}
concat::fragment { "$title psk":
target => "$::ipsec::strongswan_params::secrets_file",
content => template('ipsec/strongswan/ipsec.secrets.erb')
}
}

35
pkg/7u83-ipsec-0.1.0/manifests/strongswan_params.pp Normal file
View File

@ -0,0 +1,35 @@
#
class ipsec::strongswan_params {
case $::osfamily {
'FreeBSD':{
$pkg_name = "strongswan"
$ipsec_conf = '/usr/local/etc/ipsec.conf'
$service_name = 'strongswan'
# strongswan's startup script confuses pupets
# service enable, so we cannot enable the service
$service_enable = undef
$secrets_usr = 'root'
$secrets_grp = 'wheel'
$secrets_file = '/usr/local/etc/ipsec.secrets'
}
'OpenBSD':{
$isakmpd_service = 'isakmpd'
$pkg_name = false
$pkg_provider = undef
$ipsec_conf = '/etc/ipsec.conf'
$setkey_cmd = '/sbin/ipsecctl -f /etc/ipsec.conf'
}
default: {
$pkg_name = "strongswan"
$ipsec_conf = '/etc/ipsec.conf'
$service_name = 'strongswan'
$service_enable = true
$secrets_usr = 'root'
$secrets_grp = 'root'
$secrets_file = '/etc/ipsec.secrets'
}
}
}

21
pkg/7u83-ipsec-0.1.0/metadata.json Normal file
View File

@ -0,0 +1,21 @@
{
"name": "7u83-ipsec",
"version": "0.1.0",
"author": "7u83",
"summary": "IPSec with racoon",
"license": "Apache-2.0",
"source": "",
"project_page": null,
"issues_url": null,
"dependencies": [
{
"name": "puppetlabs-stdlib",
"version_requirement": ">= 1.0.0"
},
{
"name": "puppetlabs-concat",
"version_requirement": ">= 1.0.0"
}
],
"data_provider": null
}

6
pkg/7u83-ipsec-0.1.0/spec/classes/init_spec.rb Normal file
View File

@ -0,0 +1,6 @@
require 'spec_helper'
describe 'ipsec' do
context 'with default values for all parameters' do
it { should contain_class('ipsec') }
end
end

1
pkg/7u83-ipsec-0.1.0/spec/spec_helper.rb Normal file
View File

@ -0,0 +1 @@
require 'puppetlabs_spec_helper/module_spec_helper'

5
pkg/7u83-ipsec-0.1.0/templates/ipsec_top.erb Normal file
View File

@ -0,0 +1,5 @@
# Managed by puppet
#
flush;
spdflush;

12
pkg/7u83-ipsec-0.1.0/templates/ipsec_tunnel.erb Normal file
View File

@ -0,0 +1,12 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %>

3
pkg/7u83-ipsec-0.1.0/templates/isakmpd_ipsec_conf_header.erb Normal file
View File

@ -0,0 +1,3 @@
#
# Managed by Puppet
#

16
pkg/7u83-ipsec-0.1.0/templates/isakmpd_tunnel.erb Normal file
View File

@ -0,0 +1,16 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
ike esp from <%= net['local'] %> to <%= net['remote'] %> \
local <%= @local_ip %> peer <%= @remote_ip %> \
main auth hmac-md5 enc aes-256 group modp1024 \
quick auth hmac-md5 enc aes-256 group modp1024 \
psk "<%= @psk %>"
<% end %>

28
pkg/7u83-ipsec-0.1.0/templates/racoon.conf.erb Normal file
View File

@ -0,0 +1,28 @@
#
# racoon.conf Managed by Puppet
#
log notify;
path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs";
remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm aes_256;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy on;
}
sainfo anonymous{
pfs_group 2;
encryption_algorithm aes_256;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

10
pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.transport.erb Normal file
View File

@ -0,0 +1,10 @@
#
# Transport
# Name: <%= @title %>
#
spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec
esp/transport//require;
spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec
esp/transport//require;

12
pkg/7u83-ipsec-0.1.0/templates/racoon/ipsec.conf.tunnel.erb Normal file
View File

@ -0,0 +1,12 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %>

33
pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.erb Normal file
View File

@ -0,0 +1,33 @@
#
# remote $title
#
remote <%= @remote_ip %> {
exchange_mode main;
proposal {
encryption_algorithm <%= @encryption %>;
hash_algorithm <%= @hash %>;
dh_group <%= @dh_group %>;
lifetime time <%= @lifetime %>;
authentication_method pre_shared_key;
}
# generate_policy on;
}
<% @nets.each do |net| -%>
<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
<%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %>
sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %>
{
pfs_group <%= @pfs_group %>;
encryption_algorithm <%= @saencryption %>;
authentication_algorithm <%= @p2hash %>;
compression_algorithm deflate;
lifetime time <%= @salifetime %>;
}
<% end -%>

29
pkg/7u83-ipsec-0.1.0/templates/racoon/racoon.conf.header.erb Normal file
View File

@ -0,0 +1,29 @@
#
# racoon.conf Managed by Puppet
# will be overwritten at next puppet run
#
log notify;
path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs";
#remote anonymous {
# exchange_mode main;
# proposal {
# encryption_algorithm aes_256;
# hash_algorithm md5;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy on;
#}
#sainfo anonymous{
# pfs_group 2;
# encryption_algorithm aes_256;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}

1
pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.header.erb Normal file
View File

@ -0,0 +1 @@
#managed by puppet

14
pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.conf.tunnel.erb Normal file
View File

@ -0,0 +1,14 @@
<% @nets.each do |net| -%>
conn <%= @title %>
left=<%= @local_ip %>
leftsubnet=<%= net['local'] %>
right=<%= @remote_ip %>
rightsubnet=<%= net['remote'] %>
ike=aes256-md5-modp1024
esp=aes256-md5-modp1024!
auto=start
authby=secret
keyexchange=ikev1
<% end %>

2
pkg/7u83-ipsec-0.1.0/templates/strongswan/ipsec.secrets.erb Normal file
View File

@ -0,0 +1,2 @@
<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>"

6
spec/classes/init_spec.rb Normal file
View File

@ -0,0 +1,6 @@
require 'spec_helper'
describe 'ipsec' do
context 'with default values for all parameters' do
it { should contain_class('ipsec') }
end
end

1
spec/spec_helper.rb Normal file
View File

@ -0,0 +1 @@
require 'puppetlabs_spec_helper/module_spec_helper'

5
templates/ipsec_top.erb Normal file
View File

@ -0,0 +1,5 @@
# Managed by puppet
#
flush;
spdflush;

12
templates/ipsec_tunnel.erb Normal file
View File

@ -0,0 +1,12 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %>

3
templates/isakmpd_ipsec_conf_header.erb Normal file
View File

@ -0,0 +1,3 @@
#
# Managed by Puppet
#

16
templates/isakmpd_tunnel.erb Normal file
View File

@ -0,0 +1,16 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
ike esp from <%= net['local'] %> to <%= net['remote'] %> \
local <%= @local_ip %> peer <%= @remote_ip %> \
main auth hmac-md5 enc aes-256 group modp1024 \
quick auth hmac-md5 enc aes-256 group modp1024 \
psk "<%= @psk %>"
<% end %>

28
templates/racoon.conf.erb Normal file
View File

@ -0,0 +1,28 @@
#
# racoon.conf Managed by Puppet
#
log notify;
path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs";
remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm aes_256;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy on;
}
sainfo anonymous{
pfs_group 2;
encryption_algorithm aes_256;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

10
templates/racoon/ipsec.conf.transport.erb Normal file
View File

@ -0,0 +1,10 @@
#
# Transport
# Name: <%= @title %>
#
spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec
esp/transport//require;
spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec
esp/transport//require;

12
templates/racoon/ipsec.conf.tunnel.erb Normal file
View File

@ -0,0 +1,12 @@
#
# Tunnel
# Name: <%= @title %>
#
#
<% @nets.each do |net| -%>
spdadd <%= net['local'] %> <%= net['remote'] %> <%= net['proto'] %> -P out ipsec
esp/tunnel/<%= @local_ip %>-<%= @remote_ip %>/require;
spdadd <%= net['remote'] %> <%= net['local'] %> <%= net['proto'] %> -P in ipsec
esp/tunnel/<%= @remote_ip %>-<%= @local_ip %>/require;
<% end %>

33
templates/racoon/racoon.conf.erb Normal file
View File

@ -0,0 +1,33 @@
#
# remote $title
#
remote <%= @remote_ip %> {
exchange_mode main;
proposal {
encryption_algorithm <%= @encryption %>;
hash_algorithm <%= @hash %>;
dh_group <%= @dh_group %>;
lifetime time <%= @lifetime %>;
authentication_method pre_shared_key;
}
# generate_policy on;
}
<% @nets.each do |net| -%>
<%- @salifetime = net['lifetime'] ? net['lifetime'] : "3600 sec" %>
<%- @saencryption = net['encryption'] ? net['encryption'] : @encryption %>
<%- @pfs_group = net['pfs_group'] ? net['pfs_group'] : @dh_group %>
<%- @p2hash = net['hash'] ? net['hash'] : 'hmac_md5' %>
sainfo address <%= net['local'] %> <%= net['proto'] %> address <%= net['remote'] %> <%= net['proto'] %>
{
pfs_group <%= @pfs_group %>;
encryption_algorithm <%= @saencryption %>;
authentication_algorithm <%= @p2hash %>;
compression_algorithm deflate;
lifetime time <%= @salifetime %>;
}
<% end -%>

29
templates/racoon/racoon.conf.header.erb Normal file
View File

@ -0,0 +1,29 @@
#
# racoon.conf Managed by Puppet
# will be overwritten at next puppet run
#
log notify;
path pre_shared_key "<%= @racoon_pskfile %>";
path certificate "/etc/racoon/certs";
#remote anonymous {
# exchange_mode main;
# proposal {
# encryption_algorithm aes_256;
# hash_algorithm md5;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy on;
#}
#sainfo anonymous{
# pfs_group 2;
# encryption_algorithm aes_256;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}

1
templates/strongswan/ipsec.conf.header.erb Normal file
View File

@ -0,0 +1 @@
#managed by puppet

14
templates/strongswan/ipsec.conf.tunnel.erb Normal file
View File

@ -0,0 +1,14 @@
<% @nets.each do |net| -%>
conn <%= @title %>
left=<%= @local_ip %>
leftsubnet=<%= net['local'] %>
right=<%= @remote_ip %>
rightsubnet=<%= net['remote'] %>
ike=aes256-md5-modp1024
esp=aes256-md5-modp1024!
auto=start
authby=secret
keyexchange=ikev1
<% end %>

2
templates/strongswan/ipsec.secrets.erb Normal file
View File

@ -0,0 +1,2 @@
<%= @local_ip %> <% @remote_ip %> : PSK "<%= @psk %>"