Implementation of racoon transport

2019-11-21 22:12:51 +00:00 · 2019-11-21 22:12:51 +00:00 · 8bfb1bfeb3
parent 0fa26d8ed1
commit 8bfb1bfeb3
4 changed files with 31 additions and 49 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -44,20 +44,10 @@
 class ipsec(
 	$version = 'latest',
 	$ikedaemon = undef
-){
+) inherits ipsec::params {
 	if $ikedaemon == undef {	
-		case $::osfamily {
+		$ike_daemon = $default_ike_daemon
 			'FreeBSD':{
 				$ike_daemon = 'racoon'
 			}
 			'OpenBSD':{
 				$ike_daemon = 'isakmpd'
 			}
 			default: {
 				$ike_daemon = 'strongswan'
 			}
 		}
 	}
 	else {
 		$ike_daemon = $ikedaemon
@ -107,7 +97,12 @@ define ipsec::transport (
 	$local_ip,
 	$remote_ip,
 	$proto = "any",
-	$psk 
+	$psk,
 	$encryption = ['aes256'],
 	$hash = 'sha256',
 	$p2hash = ['sha256'],
 	$dh_group = 'modp2048',
 	$lifetime = 3600,
 )
 {
 	include ::ipsec
@ -118,7 +113,12 @@ define ipsec::transport (
 		local_ip => $local_ip,
 		remote_ip => $remote_ip,
 		proto => $proto,
-		psk => $psk
+		psk => $psk,
 		encryption => $encryption,
 		hash => $hash,
 		p2hash => $p2hash,
 		dh_group => $dh_group,
 		lifetime => $lifetime
 	}
 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -4,38 +4,13 @@
 class ipsec::params {
 	case $::osfamily {
 		'FreeBSD':{
-			$racoon_pkg = 'ipsec-tools'
+			$default_ike_daemon = 'racoon'
 			$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
 			$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
 			$racoon_service = 'racoon'
 			$ipsec_conf = '/etc/ipsec.conf'
 			$ipsec_service = 'ipsec'
 			$setkey_cmd = '/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'wheel'
 		}
 		'OpenBSD':{
-			$ikedaemon = 'isakmpd'
+			$default_ike_daemon = 'isakmpd'
 			$racoon_pkg = 'ipsec-tools'
 			$racoon_conf = '/usr/local/etc/racoon/racoon.conf'
 			$racoon_pskfile = '/usr/local/etc/racoon/psk.txt'
 			$racoon_service = 'racoon'
 			$ipsec_conf = '/etc/ipsec.conf'
 			$ipsec_service = 'ipsec'
 			$setkey_cmd = '/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'wheel'
 		}
 		default: {
-			$racoon_pkg = 'racoon'
+			$default_ike_daemon = 'strongswan'
 			$racoon_conf = '/etc/racoon/racoon.conf'
 			$racoon_pskfile = '/etc/racoon/psk.txt'
 			$racoon_service = 'racoon'
 			$ipsec_conf = '/etc/ipsec-tools.conf'
 			$ipsec_service = 'setkey'
 			$setkey_cmd = '/usr/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'root'
 		}
 	}	
 }
--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@ -59,8 +59,8 @@ class ipsec::racoon (
 		mode  => '0600',
 		ensure => present,
 		require => Package['racoon']
 	}
 	concat::fragment { "pskfile_header":
 		target => "$racoon_pskfile",
 		order => '00',
@ -95,7 +95,7 @@ define ipsec::racoon::tunnel (
 	concat::fragment { "racoon_conf_$title":
 		target => "$::ipsec::racoon_params::racoon_conf",
-		content => template('ipsec/racoon/racoon.conf.erb')
+		content => template('ipsec/racoon/racoon-tunnel.conf.erb')
 	}
 }
@ -106,8 +106,9 @@ define ipsec::racoon::transport (
 	$encryption,
 	$hash,
 	$dh_group,
-	$psk 
+	$psk,
-
+	$p2hash,
 	$lifetime,
 )
 {
 	concat::fragment { "$title":
@ -119,5 +120,11 @@ define ipsec::racoon::transport (
 		target => "$::ipsec::racoon_params::racoon_pskfile",
 		content => "$remote_ip $psk\n"
 	}
 	concat::fragment { "racoon_conf_$title":
 		target => "$::ipsec::racoon_params::racoon_conf",
 		content => template('ipsec/racoon/racoon-transport.conf.erb')
 	}
 }
--- a/templates/racoon/ipsec.conf.transport.erb
+++ b/templates/racoon/ipsec.conf.transport.erb
@ -4,7 +4,7 @@
 #
 spdadd <%= @local_ip %> <%= @remote_ip %> <%= @proto %> -P out ipsec 
-	esp/transport//unique;
+	esp/transport//require;
-spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P out ipsec 
+spdadd <%= @remote_ip %> <%= @local_ip %> <%= @proto %> -P in ipsec 
-	esp/transport//unique;
+	esp/transport//require;