Implementation of racoon transport

2019-11-21 22:12:51 +00:00 · 2019-11-21 22:12:51 +00:00 · 8bfb1bfeb3
parent 0fa26d8ed1
commit 8bfb1bfeb3
4 changed files with 31 additions and 49 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -44,20 +44,10 @@
 class ipsec(
 	$version = 'latest',
 	$ikedaemon = undef
-){
+) inherits ipsec::params {

 	if $ikedaemon == undef {	
-		case $::osfamily {
-			'FreeBSD':{
-				$ike_daemon = 'racoon'
-			}
-			'OpenBSD':{
-				$ike_daemon = 'isakmpd'
-			}
-			default: {
-				$ike_daemon = 'strongswan'
-			}
-		}
+		$ike_daemon = $default_ike_daemon
 	}
 	else {
 		$ike_daemon = $ikedaemon
@ -107,7 +97,12 @@ define ipsec::transport (
 	$local_ip,
 	$remote_ip,
 	$proto = "any",
-	$psk 
+	$psk,
+	$encryption = ['aes256'],
+	$hash = 'sha256',
+	$p2hash = ['sha256'],
+	$dh_group = 'modp2048',
+	$lifetime = 3600,
 )
 {
 	include ::ipsec
@ -118,7 +113,12 @@ define ipsec::transport (
 		local_ip => $local_ip,
 		remote_ip => $remote_ip,
 		proto => $proto,
-		psk => $psk
+		psk => $psk,
+		encryption => $encryption,
+		hash => $hash,
+		p2hash => $p2hash,
+		dh_group => $dh_group,
+		lifetime => $lifetime
 	}

 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -4,38 +4,13 @@
 class ipsec::params {
 	case $::osfamily {
 		'FreeBSD':{
-			$racoon_pkg = 'ipsec-tools'
-			$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
-			$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
-			$racoon_service = 'racoon'
-			$ipsec_conf = '/etc/ipsec.conf'
-			$ipsec_service = 'ipsec'
-			$setkey_cmd = '/sbin/setkey'
-			$racoon_usr = 'root'
-			$racoon_grp = 'wheel'
+			$default_ike_daemon = 'racoon'
 		}
 		'OpenBSD':{
-			$ikedaemon = 'isakmpd'
-			$racoon_pkg = 'ipsec-tools'
-			$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
-			$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
-			$racoon_service = 'racoon'
-			$ipsec_conf = '/etc/ipsec.conf'
-			$ipsec_service = 'ipsec'
-			$setkey_cmd = '/sbin/setkey'
-			$racoon_usr = 'root'
-			$racoon_grp = 'wheel'
+			$default_ike_daemon = 'isakmpd'
 		}
 		default: {
-			$racoon_pkg = 'racoon'
-			$racoon_conf = '/etc/racoon/racoon.conf'
-			$racoon_pskfile = '/etc/racoon/psk.txt'
-			$racoon_service = 'racoon'
-			$ipsec_conf = '/etc/ipsec-tools.conf'
-			$ipsec_service = 'setkey'
-			$setkey_cmd = '/usr/sbin/setkey'
-			$racoon_usr = 'root'
-			$racoon_grp = 'root'
+			$default_ike_daemon = 'strongswan'
 		}
 	}	
 }
--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@ -59,8 +59,8 @@ class ipsec::racoon (
 		mode  => '0600',
 		ensure => present,
 		require => Package['racoon']
-
 	}
+
 	concat::fragment { "pskfile_header":
 		target => "$racoon_pskfile",
 		order => '00',
@ -95,7 +95,7 @@ define ipsec::racoon::tunnel (

 	concat::fragment { "racoon_conf_$title":
 		target => "$::ipsec::racoon_params::racoon_conf",
-		content => template('ipsec/racoon/racoon.conf.erb')
+		content => template('ipsec/racoon/racoon-tunnel.conf.erb')
 	}
 }

@ -106,8 +106,9 @@ define ipsec::racoon::transport (
 	$encryption,
 	$hash,
 	$dh_group,
-	$psk 
-
+	$psk,
+	$p2hash,
+	$lifetime,
 )
 {
 	concat::fragment { "$title":
@ -119,5 +120,11 @@ define ipsec::racoon::transport (
 		target => "$::ipsec::racoon_params::racoon_pskfile",
 		content => "$remote_ip $psk\n"
 	}
+
+	concat::fragment { "racoon_conf_$title":
+		target => "$::ipsec::racoon_params::racoon_conf",
+		content => template('ipsec/racoon/racoon-transport.conf.erb')
+	}
+
 }

--- a/templates/racoon/ipsec.conf.transport.erb
+++ b/templates/racoon/ipsec.conf.transport.erb
@ -4,7 +4,7 @@
 #

 spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec 
-	esp/transport//unique;
-spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec 
-	esp/transport//unique;
+	esp/transport//require;
+spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec 
+	esp/transport//require;