From 8bfb1bfeb33cfb7a1781bf3af92f30016ee12edd Mon Sep 17 00:00:00 2001
From: 7u83 <7u83@mail.ru>
Date: Thu, 21 Nov 2019 22:12:51 +0000
Subject: [PATCH] Implementation of racoon transport
---
 manifests/init.pp | 28 ++++++++++----------
 manifests/params.pp | 31 +++--------------------
 manifests/racoon.pp | 15 ++++++++---
 templates/racoon/ipsec.conf.transport.erb | 6 ++---
 4 files changed, 31 insertions(+), 49 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index a7320e3..f8ddf58 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -44,20 +44,10 @@ class ipsec(
 $version = 'latest',
 $ikedaemon = undef
-){
+) inherits ipsec::params {
 if $ikedaemon == undef {
- case $::osfamily {
- 'FreeBSD':{
- $ike_daemon = 'racoon'
- }
- 'OpenBSD':{
- $ike_daemon = 'isakmpd'
- }
- default: {
- $ike_daemon = 'strongswan'
- }
- }
+ $ike_daemon = $default_ike_daemon
 } else {
 $ike_daemon = $ikedaemon
@@ -107,7 +97,12 @@ define ipsec::transport (
 $local_ip,
 $remote_ip,
 $proto = "any",
- $psk
+ $psk,
+ $encryption = ['aes256'],
+ $hash = 'sha256',
+ $p2hash = ['sha256'],
+ $dh_group = 'modp2048',
+ $lifetime = 3600,
 ) {
 include ::ipsec
@@ -118,7 +113,12 @@ define ipsec::transport (
 local_ip => $local_ip,
 remote_ip => $remote_ip,
 proto => $proto,
- psk => $psk
+ psk => $psk,
+ encryption => $encryption,
+ hash => $hash,
+ p2hash => $p2hash,
+ dh_group => $dh_group,
+ lifetime => $lifetime
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 8a3c100..4be5162 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
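Review bot: `$psk` stays an untyped String parameter beside the new `$encryption`, `$hash`, `$p2hash`, `$dh_group` and `$lifetime` parameters, and the manifests/racoon.pp hunks in this patch interpolate it straight into the psk file, so the key passes through the compiled catalog and agent reports in clear; where the Puppet release in use supports it, declaring it as `Sensitive[String] $psk` and unwrapping only where the fragment content is built keeps it out of logs and reports. None of the new parameters is documented; a header comment on the define should say that `encryption` and `p2hash` are arrays while `hash` and `dh_group` are single values, and what unit `lifetime` is in (presumably seconds, given the `3600` default — confirm against the racoon template). The same undocumented parameters are added to `ipsec::racoon::transport` in the manifests/racoon.pp `@@ -106` hunk.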
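Review bot: The five new attributes (`encryption` through `lifetime`) are passed unconditionally to the resource whose type is declared just above this hunk, outside the visible lines; if that resource is selected per IKE daemon, as the `$ike_daemon` switch in the first hunk suggests, then the isakmpd and strongswan counterparts of `ipsec::racoon::transport` must accept the same parameters, otherwise catalog compilation on the OpenBSD and `default` branches fails with an invalid-parameter error. The enclosing `ipsec::transport` define starts before this hunk.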
@@ -4,38 +4,13 @@ class ipsec::params {
 case $::osfamily {
 'FreeBSD':{
- $racoon_pkg = 'ipsec-tools'
- $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
- $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
- $racoon_service = 'racoon'
- $ipsec_conf = '/etc/ipsec.conf'
- $ipsec_service = 'ipsec'
- $setkey_cmd = '/sbin/setkey'
- $racoon_usr = 'root'
- $racoon_grp = 'wheel'
+ $default_ike_daemon = 'racoon'
 }
 'OpenBSD':{
- $ikedaemon = 'isakmpd'
- $racoon_pkg = 'ipsec-tools'
- $racoon_conf = '/usr/local/etc/racoon/racoon.conf'
- $racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
- $racoon_service = 'racoon'
- $ipsec_conf = '/etc/ipsec.conf'
- $ipsec_service = 'ipsec'
- $setkey_cmd = '/sbin/setkey'
- $racoon_usr = 'root'
- $racoon_grp = 'wheel'
+ $default_ike_daemon = 'isakmpd'
 }
 default: {
- $racoon_pkg = 'racoon'
- $racoon_conf = '/etc/racoon/racoon.conf'
- $racoon_pskfile = '/etc/racoon/psk.txt'
- $racoon_service = 'racoon'
- $ipsec_conf = '/etc/ipsec-tools.conf'
- $ipsec_service = 'setkey'
- $setkey_cmd = '/usr/sbin/setkey'
- $racoon_usr = 'root'
- $racoon_grp = 'root'
+ $default_ike_daemon = 'strongswan'
 }
 }
 }
diff --git a/manifests/racoon.pp b/manifests/racoon.pp
index 5a18f03..86865b7 100644
--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@@ -59,8 +59,8 @@ class ipsec::racoon (
 mode => '0600',
 ensure => present,
 require => Package['racoon']
- }
+ concat::fragment { "pskfile_header":
 target => "$racoon_pskfile",
 order => '00',
@@ -95,7 +95,7 @@ define ipsec::racoon::tunnel (
 concat::fragment { "racoon_conf_$title":
 target => "$::ipsec::racoon_params::racoon_conf",
- content => template('ipsec/racoon/racoon.conf.erb')
+ content => template('ipsec/racoon/racoon-tunnel.conf.erb')
 }
 }
@@ -106,8 +106,9 @@ define ipsec::racoon::transport (
 $encryption,
 $hash,
 $dh_group,
- $psk
-
+ $psk,
+ $p2hash,
+ $lifetime,
 ) {
 concat::fragment { "$title":
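Review bot: `template('ipsec/racoon/racoon-tunnel.conf.erb')` here and `template('ipsec/racoon/racoon-transport.conf.erb')` in the `@@ -119` hunk name template files that this patch neither adds nor renames — the diffstat lists only the four files in the header — so unless both already exist in the repository, every catalog declaring `ipsec::racoon::tunnel` or `ipsec::racoon::transport` fails to compile with a missing-template error, and the old `racoon.conf.erb` is left behind unreferenced. If the templates arrive in a separate commit, the commit message should say so, because the rename is otherwise invisible to a reviewer of this patch.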
@@ -119,5 +120,11 @@ define ipsec::racoon::transport (
 target => "$::ipsec::racoon_params::racoon_pskfile",
 content => "$remote_ip $psk\n"
 }
+
+ concat::fragment { "racoon_conf_$title":
+ target => "$::ipsec::racoon_params::racoon_conf",
+ content => template('ipsec/racoon/racoon-transport.conf.erb')
+ + }
diff --git a/templates/racoon/ipsec.conf.transport.erb b/templates/racoon/ipsec.conf.transport.erb
index e0d5158..1f64e0b 100644
--- a/templates/racoon/ipsec.conf.transport.erb
+++ b/templates/racoon/ipsec.conf.transport.erb
@@ -4,7 +4,7 @@
 #
 spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec
- esp/transport//unique;
-spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec
- esp/transport//unique;
+ esp/transport//require;
+spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec
+ esp/transport//require;
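Review bot: The new `concat::fragment { "racoon_conf_$title": … }` uses the same title pattern as `ipsec::racoon::tunnel` in the `@@ -95` hunk, so a tunnel and a transport declared with the same `$title` collide in a duplicate `Concat::Fragment` declaration; a type-specific title such as `"racoon_conf_transport_${title}"` removes the ambiguity. `target => "$::ipsec::racoon_params::racoon_conf"` is a quoted variable-only string and should be `target => $::ipsec::racoon_params::racoon_conf`, which is what puppet-lint's only_variable_string check asks for. No `order` is set on the fragment, so its position in racoon.conf relative to the tunnel fragments falls back to concat's default ordering by title; if racoon is sensitive to the order of those sections (not verifiable from here), give both defines an explicit `order`.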
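Review bot: The policy level change from `unique` to `require` on both directions is explained nowhere — the commit message only names the transport implementation — and it is a semantic change separate from the direction fix, since `unique` additionally binds the policy to its own SA while `require` only demands that traffic matching the policy be protected; a comment in the template such as `# level "require": matching traffic must be ESP-protected; SAs may be shared between policies (use "unique" to bind each policy to its own SA)` would record the choice. The direction fix is the security-relevant part: with both entries `-P out`, inbound packets from `<%= @remote_ip %>` had no policy at all, so cleartext from the peer was presumably accepted, and `-P in` closes that. `<%= @proto %>` is interpolated into the policy unvalidated in both directions; that predates this patch, but restricting `$proto` in `ipsec::transport` to the protocol values setkey accepts would keep the generated spdadd lines well-formed.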