|
|
@ -1,7 +1,8 @@ |
|
|
|
# Racoon IPSec |
|
|
|
|
|
|
|
class ipsec::racoon ( |
|
|
|
$version = 'latest' |
|
|
|
$version = 'latest', |
|
|
|
|
|
|
|
|
|
|
|
)inherits ipsec::racoon_params{ |
|
|
|
|
|
|
@ -11,6 +12,14 @@ class ipsec::racoon ( |
|
|
|
ensure => "$version", |
|
|
|
} |
|
|
|
|
|
|
|
file {$racoon_certs: |
|
|
|
ensure => directory, |
|
|
|
require => Package['racoon'] |
|
|
|
} -> |
|
|
|
exec {"/bin/ln -s ${ipsec::puppet_crl} $racoon_certs/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0 && touch /tmp/i": |
|
|
|
creates => "/tmp/i" |
|
|
|
} |
|
|
|
|
|
|
|
service {'racoon': |
|
|
|
name => "$racoon_service", |
|
|
|
ensure => 'running', |
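Review bot: The `creates => "/tmp/i"` sentinel on the `ln -s` exec is a marker in a world-writable directory and says nothing about the link itself: any local user can pre-create `/tmp/i` so the CRL hash-link is never made (racoon presumably looks the CRL up by that hashed name in `$racoon_certs`, so it would run without revocation checking and no resource would ever flag it), or delete it so the unguarded `ln -s` fails on every run because the link already exists. The `touch` in the command is also not fully qualified and the exec declares no `path`, and whether the backticks and `&&` are honoured depends on the exec actually going through a shell. Guard on the link instead, and let racoon pick up the CRL when the link appears; the `file { $racoon_certs: … } ->` arrow above is unchanged.
```puppet
  # … unchanged: file { $racoon_certs: … } ->
  exec { 'racoon-crl-hashlink':
    command  => "/bin/ln -sf ${ipsec::puppet_crl} ${racoon_certs}/$(${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}).r0",
    unless   => "/usr/bin/test -L ${racoon_certs}/$(${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}).r0",
    provider => shell,
    notify   => Service['racoon'],
  }
```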
|
|
@ -39,9 +48,15 @@ class ipsec::racoon ( |
|
|
|
order => '00', |
|
|
|
content => template('ipsec/racoon/racoon.conf.header.erb'), |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
$default_proposals = $::ipsec::default_proposals |
|
|
|
|
|
|
|
# concat::fragment { "$racoon_conf footer": |
|
|
|
# target => "$racoon_conf", |
|
|
|
# order => '99', |
|
|
|
# content => template('ipsec/racoon/racoon.conf.footer.erb'), |
|
|
|
# } |
|
|
|
|
|
|
|
concat { "$ipsec_conf": |
|
|
|
ensure => present, |
|
|
|
require => Package['racoon'] |
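Review bot: The footer fragment is kept as a commented-out block rather than deleted; the history already preserves it, so it should go, or a one-line comment should say why the footer template is no longer emitted. `$default_proposals = $::ipsec::default_proposals` is assigned but nothing in this hunk reads it, while the `remote` block later in the file passes `$ipsec::proposals`; if a template reaches it through the class scope, say so (e.g. `# read by the racoon.conf templates via scope`), otherwise drop the assignment.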
|
|
@ -64,12 +79,75 @@ class ipsec::racoon ( |
|
|
|
concat::fragment { "pskfile_header": |
|
|
|
target => "$racoon_pskfile", |
|
|
|
order => '00', |
|
|
|
content => "#racoon psks\n", |
|
|
|
content => "# PSKs for Racoon managed by puppet\n", |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if $ipsec::use_global { |
|
|
|
ipsec::racoon::remote {"default": |
|
|
|
remote_id => 'anonymous', |
|
|
|
exchange_mode => $ipsec::exchange_mode, |
|
|
|
client_cert => $ipsec::puppet_client_cert, |
|
|
|
client_key => $ipsec::puppet_client_key, |
|
|
|
ca_cert => $ipsec::puppet_ca_cert, |
|
|
|
|
|
|
|
proposals => $ipsec::proposals, |
|
|
|
} |
|
|
|
ipsec::racoon::sainfo {"default": |
|
|
|
saparam => "anonymous", |
|
|
|
lifetime => 3600, |
|
|
|
pfs_group => "modp2048", |
|
|
|
encryption => ["3des"], |
|
|
|
hash => ["md5"], |
|
|
|
compression => "deflate", |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
define ipsec::racoon::remote |
|
|
|
( |
|
|
|
$remote_id, |
|
|
|
$exchange_mode, |
|
|
|
$generate_policy = "off", |
|
|
|
$proposals, |
|
|
|
$order = undef, |
|
|
|
|
|
|
|
|
|
|
|
$ca_cert = undef, |
|
|
|
$client_cert = undef, |
|
|
|
$client_key = undef, |
|
|
|
$crl = undef, |
|
|
|
$psk = undef, |
|
|
|
|
|
|
|
|
|
|
|
) { |
|
|
|
concat::fragment { "p1_$title": |
|
|
|
target => "$::ipsec::racoon_params::racoon_conf", |
|
|
|
content => template('ipsec/racoon/remote.erb') |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
define ipsec::racoon::sainfo |
|
|
|
( |
|
|
|
$pfs_group, |
|
|
|
$encryption, |
|
|
|
$hash, |
|
|
|
$compression, |
|
|
|
$lifetime, |
|
|
|
|
|
|
|
$saparam, |
|
|
|
$order = undef |
|
|
|
|
|
|
|
){ |
|
|
|
concat::fragment { "sainfo_$title": |
|
|
|
target => "$::ipsec::racoon_params::racoon_conf", |
|
|
|
content => template('ipsec/racoon/sainfo.erb') |
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
define ipsec::racoon::tunnel ( |
|
|
|
$local_ip, |
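Review bot: The `sainfo {"default"}` declared under `if $ipsec::use_global` offers `3des` and `md5` for every anonymous peer, while the per-transport sainfo in this same change uses `aes256`/`sha256`; the catch-all policy should not be the weakest one, so use `encryption => ["aes256"],` and `hash => ["sha256"],` here too, or make both read a shared default so they cannot drift. The default `remote {"default"}` passes `ca_cert`, `client_cert` and `client_key` but not `crl`, although `ipsec::racoon::remote` accepts a `$crl` parameter; if `remote.erb` only enables revocation checking when `crl` is set, the global cert-authenticated remote is deployed without it — confirm against the template. A short header comment on the two new defines (`# one remote {} block in racoon.conf, see templates/ipsec/racoon/remote.erb`) would also help, since their parameters are otherwise only explained by the template.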
|
|
@ -101,30 +179,79 @@ define ipsec::racoon::tunnel ( |
|
|
|
|
|
|
|
define ipsec::racoon::transport ( |
|
|
|
$local_ip, |
|
|
|
$local_port, |
|
|
|
$remote_ip, |
|
|
|
$remote_id, |
|
|
|
$remote_port, |
|
|
|
$proto, |
|
|
|
|
|
|
|
$encryption, |
|
|
|
$hash, |
|
|
|
$dh_group, |
|
|
|
$psk, |
|
|
|
$p2hash, |
|
|
|
$lifetime, |
|
|
|
|
|
|
|
$exchange_mode, |
|
|
|
|
|
|
|
$psk, |
|
|
|
$ca_cert, |
|
|
|
$client_cert, |
|
|
|
$client_key, |
|
|
|
$crl, |
|
|
|
|
|
|
|
$proposals, |
|
|
|
) |
|
|
|
{ |
|
|
|
if ! $ipsec::use_global { |
|
|
|
ipsec::racoon::remote {"$title": |
|
|
|
remote_id => $remote_id, |
|
|
|
exchange_mode => $exchange_mode, |
|
|
|
proposals => $proposals, |
|
|
|
|
|
|
|
psk => $psk, |
|
|
|
ca_cert => $ca_cert, |
|
|
|
client_cert => $client_cert, |
|
|
|
client_key => $client_key, |
|
|
|
crl => $crl, |
|
|
|
} |
|
|
|
|
|
|
|
if ! $local_ip { |
|
|
|
$arg_local_ip = "anonymous" |
|
|
|
} |
|
|
|
else{ |
|
|
|
$arg_local_ip= "address $local_ip[$local_port] $proto" |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ipsec::racoon::sainfo {"$title": |
|
|
|
saparam => "$arg_local_ip address $remote_ip[$remote_port] $proto ", |
|
|
|
lifetime => 3600, |
|
|
|
pfs_group => "modp2048", |
|
|
|
encryption => ["aes256"], |
|
|
|
hash => ["sha256"], |
|
|
|
compression => "deflate", |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
concat::fragment { "$title": |
|
|
|
target => "$::ipsec::racoon_params::ipsec_conf", |
|
|
|
content => template('ipsec/racoon/ipsec.conf.transport.erb') |
|
|
|
} |
|
|
|
|
|
|
|
concat::fragment { "psk_$title": |
|
|
|
target => "$::ipsec::racoon_params::racoon_pskfile", |
|
|
|
content => "$remote_ip $psk\n" |
|
|
|
} |
|
|
|
|
|
|
|
concat::fragment { "racoon_conf_$title": |
|
|
|
target => "$::ipsec::racoon_params::racoon_conf", |
|
|
|
content => template('ipsec/racoon/racoon-transport.conf.erb') |
|
|
|
if $psk { |
|
|
|
concat::fragment { "psk_$title": |
|
|
|
target => "$::ipsec::racoon_params::racoon_pskfile", |
|
|
|
content => "$remote_ip $psk\n" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# concat::fragment { "racoon_conf_$title": |
|
|
|
# target => "$::ipsec::racoon_params::racoon_conf", |
|
|
|
# content => template('ipsec/racoon/racoon-transport.conf.erb') |
|
|
|
# } |
|
|
|
|
|
|
|
} |
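Review bot: The `saparam` strings interpolate `$local_ip[$local_port]` and `$remote_ip[$remote_port]` unbraced; in a double-quoted string a bare variable directly followed by `[` is read as an index/access expression by Puppet's newer parser, so the value racoon needs (`address 10.0.0.1[500] tcp`) would instead be an element lookup on the string. Brace the variables, `"address ${local_ip}[${local_port}] ${proto}"` and `"${arg_local_ip} address ${remote_ip}[${remote_port}] ${proto} "`, which is unambiguous on every parser. Separately, the `if $psk` branch writes the secret as `"$remote_ip $psk\n"` into `$racoon_pskfile`; the `concat` resource that owns that file is outside this hunk, so confirm it sets a root-only mode, since racoon is normally expected to read its pre-shared-key file only when it is not group/world readable. The now-required `$exchange_mode`, `$ca_cert`, `$client_cert`, `$client_key`, `$crl` and `$proposals` parameters have no defaults, so every existing `ipsec::racoon::transport` caller that only passed the removed `$encryption`/`$hash`/`$dh_group`/`$p2hash`/`$lifetime` set now fails to compile — giving the cert parameters `= undef` defaults would keep PSK-only callers working.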
|
|
|
|