Racoon uses own templates sub-directory

3 years ago · b195b993b0
5 changed files with 263 additions and 51 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -43,9 +43,36 @@
 #
 class ipsec(
 	$version = 'latest',
-	$ikedaemon = undef
+	$ikedaemon = undef,
+
+        $exchange_mode = "main",
+
+        $generate_policy =  "off",
+
+
+	$ike_auth_method = "rsasig",
+ 
+	$proposals = [
+		{
+			encryption => 'aes256',
+			hash => 'sha256',
+			dh_group => 'modp2048',
+		},
+	],
+
+	# use puppet's certs and keys by default
+	$ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem",
+	$client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem",
+	$client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem",
+	$crl = "ipsec_$puppet_ssldir/crl.pem",
+
+
+	$use_global = false
+
 ) inherits ipsec::params {

+
+
 	if $ikedaemon == undef {	
 		$ike_daemon = $default_ike_daemon
 	}
@ -57,68 +84,105 @@ class ipsec(

 	class { "$res": 
 		version => $version
-	}
+	}	

 }

+define ipsec::transport (
+
+	$local_ip = undef,
+	$local_port = 'any',

-define ipsec::tunnel (
-	$local_ip,
 	$remote_ip,
-	$nets,
+	$remote_id = undef, 
+	$remote_port = 'any',
+
 	$proto = "any",
-	$psk,
-        $hash = 'sha256',
-        $encryption = 'aes256',
-        $lifetime = '86400 sec',
+	$ipv6 = false,
+
+	$exchange_mode = $ipsec::exchange_mode,
+
+	$proposals=$ipsec::proposals,
+
+	$encryption = ['aes256'],
+	$hash = ['sha256'],
+	$p2hash = ['sha256'],
 	$dh_group = 'modp2048',
+	$lifetime = 3600,
+
+	# 	
+	$psk = undef,
+
+	# use puppet's certs and keys by default
+	$ca_cert = $ipsec::ca_cert,
+	$client_cert = $ipsec::client_cert,
+	$client_key = $ipsec::client_key,
+	$crl = $ipsec::crl,
+

 )
 {
 	include ::ipsec
 	$ikedaemon = $::ipsec::ike_daemon
-	$res = "ipsec::${ikedaemon}::tunnel"
+	$res = "ipsec::${ikedaemon}::transport"

 	Resource[$res] { "$title":
 		local_ip => $local_ip,
+		local_port => $local_port,
+		
 		remote_ip => $remote_ip,
-		nets => $nets,
+		remote_id => $remote_id ? { undef => $remote_ip, default => $remote_id }, 
+		remote_port => $remote_port,
+
 		proto => $proto,
-		psk => $psk,
-		lifetime => $lifetime,
-		hash => $hash,
+
+		exchange_mode => $exchange_mode,
+		proposals => $proposals,
+
 		encryption => $encryption,
+		hash => $hash,
+		p2hash => $p2hash,
 		dh_group => $dh_group,
+		lifetime => $lifetime,
+
+
+		psk => $psk,
+		ca_cert => $ca_cert,
+		client_cert => $client_cert,
+		client_key => $client_key,
+		crl => $crl,
 	}

 }

-define ipsec::transport (
+
+define ipsec::tunnel (
 	$local_ip,
 	$remote_ip,
+	$nets,
 	$proto = "any",
 	$psk,
-	$encryption = ['aes256'],
-	$hash = 'sha256',
-	$p2hash = ['sha256'],
+        $hash = 'sha256',
+        $encryption = 'aes256',
+        $lifetime = '86400 sec',
 	$dh_group = 'modp2048',
-	$lifetime = 3600,
+
 )
 {
 	include ::ipsec
 	$ikedaemon = $::ipsec::ike_daemon
-	$res = "ipsec::${ikedaemon}::transport"
+	$res = "ipsec::${ikedaemon}::tunnel"

 	Resource[$res] { "$title":
 		local_ip => $local_ip,
 		remote_ip => $remote_ip,
+		nets => $nets,
 		proto => $proto,
 		psk => $psk,
-		encryption => $encryption,
+		lifetime => $lifetime,
 		hash => $hash,
-		p2hash => $p2hash,
+		encryption => $encryption,
 		dh_group => $dh_group,
-		lifetime => $lifetime
 	}

 }
--- a/manifests/isakmpd.pp
+++ b/manifests/isakmpd.pp
@ -20,22 +20,35 @@ class ipsec::isakmpd  (
 	}	


-	concat { "$ipsec_conf": 
-		mode  => '0600'
-
+#	concat { "$ipsec_conf": 
+#		mode  => '0600'
+#
+#	}
+
+#	concat::fragment { "ipsec_conf_header":
+#		target => "$ipsec_conf",
+#		order => '00',
+#		content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
+
+#	}
+
+#	exec { "$setkey_cmd":
+#		subscribe => Concat[ "$ipsec_conf" ],
+#		refreshonly => true
+#	}	
+
+	file {"/etc/isakmpd/private/openbsda.pem":
+		source => $ipsec::client_key,
+		mode => '600',
 	}
-
-	concat::fragment { "ipsec_conf_header":
-		target => "$ipsec_conf",
-		order => '00',
-		content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
-
+	file {"/etc/isakmpd/certs/ca.pem":
+		source => $ipsec::ca_cert,
+		mode => '600',
+	}
+	file {"/etc/isakmpd/certs/openbsda.pem":
+		source => $ipsec::client_cert,
+		mode => '600',
 	}
-
-	exec { "$setkey_cmd":
-		subscribe => Concat[ "$ipsec_conf" ],
-		refreshonly => true
-	}	



@ -47,7 +60,11 @@ define ipsec::isakmpd::tunnel (
 	$remote_ip,
 	$nets,
 	$proto = "any",
-	$psk 
+	$psk, 
+	$lifetime,
+		$hash,
+		$encryption,
+		$dh_group,

 ){
 	notify { "$title:  $::ipsec::isakmpd_params::ipsec_conf": }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -15,10 +15,11 @@ class ipsec::params {
 			$openssl_cmd = "/usr/bin/openssl"
 		}
 	}
-	
+
 	$puppet_ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem"
 	$puppet_client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem"
 	$puppet_client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem"
 	$puppet_crl = "ipsec_$puppet_ssldir/crl.pem"
+	
 }

--- a/manifests/racoon.pp
+++ b/manifests/racoon.pp
@ -1,7 +1,8 @@
 # Racoon IPSec

 class ipsec::racoon (
-	$version = 'latest'
+	$version = 'latest',
+		

 )inherits ipsec::racoon_params{

@ -11,6 +12,14 @@ class ipsec::racoon (
 		ensure => "$version",
 	}

+	file {$racoon_certs:
+		ensure => directory,
+		require => Package['racoon']
+	} ->
+	exec {"/bin/ln -s ${ipsec::puppet_crl} $racoon_certs/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0 && touch /tmp/i":
+		creates => "/tmp/i"
+	}	
+
 	service {'racoon':
 		name => "$racoon_service",
 		ensure => 'running',
@ -39,9 +48,15 @@ class ipsec::racoon (
 		order => '00',
 		content => template('ipsec/racoon/racoon.conf.header.erb'),
 	}
-	

+	$default_proposals = $::ipsec::default_proposals

+#	concat::fragment { "$racoon_conf footer":
+#		target => "$racoon_conf",
+#		order => '99',
+#		content => template('ipsec/racoon/racoon.conf.footer.erb'),	
+#	}
+	
 	concat { "$ipsec_conf": 
 		ensure => present,
 		require => Package['racoon']
@ -64,12 +79,75 @@ class ipsec::racoon (
 	concat::fragment { "pskfile_header":
 		target => "$racoon_pskfile",
 		order => '00',
-		content => "#racoon psks\n",
+		content => "# PSKs for Racoon managed by puppet\n",
 	}
+
+
+	if $ipsec::use_global {
+		ipsec::racoon::remote {"default":
+			remote_id => 'anonymous',
+			exchange_mode => $ipsec::exchange_mode,
+			client_cert => $ipsec::puppet_client_cert,
+			client_key => $ipsec::puppet_client_key,
+			ca_cert => $ipsec::puppet_ca_cert,
+
+			proposals => $ipsec::proposals,
+		}
+		ipsec::racoon::sainfo {"default":
+			saparam => "anonymous",
+			lifetime => 3600,
+			pfs_group => "modp2048",
+			encryption => ["3des"],
+			hash => ["md5"],
+			compression => "deflate",	
+		}
+	}
+	
+	
 	
 }

+define ipsec::racoon::remote
+(
+	$remote_id,
+	$exchange_mode,
+	$generate_policy = "off",
+	$proposals,
+	$order = undef,
+
+
+	$ca_cert = undef,
+	$client_cert = undef,
+	$client_key = undef,
+	$crl = undef,
+	$psk = undef,
+
+
+) {
+	concat::fragment { "p1_$title":
+		target => "$::ipsec::racoon_params::racoon_conf",
+		content => template('ipsec/racoon/remote.erb')
+	}
+}
+
+define ipsec::racoon::sainfo
+(
+	$pfs_group,
+	$encryption,
+	$hash,
+	$compression,
+	$lifetime,
+
+	$saparam,
+	$order = undef
+	
+){
+	concat::fragment { "sainfo_$title":
+		target => "$::ipsec::racoon_params::racoon_conf",
+		content => template('ipsec/racoon/sainfo.erb')
+	}

+}

 define ipsec::racoon::tunnel (
 	$local_ip,
@ -101,30 +179,79 @@ define ipsec::racoon::tunnel (

 define ipsec::racoon::transport (
 	$local_ip,
+	$local_port,
 	$remote_ip,
+	$remote_id,
+	$remote_port,
 	$proto,
+
 	$encryption,
 	$hash,
 	$dh_group,
-	$psk,
 	$p2hash,
 	$lifetime,
+
+	$exchange_mode,
+
+	$psk,
+	$ca_cert,
+	$client_cert,
+	$client_key,
+	$crl,
+
+	$proposals,
 )
 {
+	if ! $ipsec::use_global {
+		ipsec::racoon::remote {"$title":
+			remote_id => $remote_id,
+			exchange_mode => $exchange_mode,
+			proposals => $proposals,
+
+			psk => $psk,
+			ca_cert => $ca_cert,
+			client_cert => $client_cert,
+			client_key => $client_key,
+			crl => $crl,
+		}
+
+		if ! $local_ip {
+			$arg_local_ip = "anonymous"
+		}
+		else{
+			$arg_local_ip= "address $local_ip[$local_port] $proto"
+		}
+
+
+	
+		ipsec::racoon::sainfo {"$title":
+			saparam => "$arg_local_ip address $remote_ip[$remote_port] $proto ",
+			lifetime => 3600,
+			pfs_group => "modp2048",
+			encryption => ["aes256"],
+			hash => ["sha256"],
+			compression => "deflate",	
+		}
+	}
+
 	concat::fragment { "$title":
 		target => "$::ipsec::racoon_params::ipsec_conf",
 		content => template('ipsec/racoon/ipsec.conf.transport.erb')
 	}
-	
-	concat::fragment { "psk_$title":
-		target => "$::ipsec::racoon_params::racoon_pskfile",
-		content => "$remote_ip $psk\n"
-	}

-	concat::fragment { "racoon_conf_$title":
-		target => "$::ipsec::racoon_params::racoon_conf",
-		content => template('ipsec/racoon/racoon-transport.conf.erb')
+	if $psk {	
+		concat::fragment { "psk_$title":
+			target => "$::ipsec::racoon_params::racoon_pskfile",
+			content => "$remote_ip $psk\n"
+		}
 	}

+
+
+#	concat::fragment { "racoon_conf_$title":
+#		target => "$::ipsec::racoon_params::racoon_conf",
+#		content => template('ipsec/racoon/racoon-transport.conf.erb')
+#	}
+
 }

--- a/manifests/racoon_params.pp
+++ b/manifests/racoon_params.pp
@ -10,6 +10,7 @@ class ipsec::racoon_params {
 			$setkey_cmd = '/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'wheel'
+			$racoon_certs = "/usr/local/etc/racoon/certs"
 		}
 		'OpenBSD':{
 			$ikedaemon = 'isakmpd'
@ -22,6 +23,7 @@ class ipsec::racoon_params {
 			$setkey_cmd = '/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'wheel'
+			$racoon_certs = "/usr/local/etc/racoon/certs"
 		}
 		default: {
 			$racoon_pkg = 'racoon'
@ -33,6 +35,7 @@ class ipsec::racoon_params {
 			$setkey_cmd = '/usr/sbin/setkey'
 			$racoon_usr = 'root'
 			$racoon_grp = 'root'
+			$racoon_certs = "/etc/racoon/certs"
 		}
 	}	
 }