From b195b993b03997b91652534eb92db2717e221397 Mon Sep 17 00:00:00 2001 From: 7u83 <7u83@mail.ru> Date: Fri, 22 May 2020 10:20:45 +0000 Subject: [PATCH] Racoon uses own templates sub-directory --- manifests/init.pp | 126 ++++++++++++++++++++++-------- manifests/isakmpd.pp | 45 +++++++---- manifests/params.pp | 3 +- manifests/racoon.pp | 153 +++++++++++++++++++++++++++++++++---- manifests/racoon_params.pp | 3 + 5 files changed, 271 insertions(+), 59 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f8ddf58..48384f9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,9 +43,36 @@ # class ipsec( $version = 'latest', - $ikedaemon = undef + $ikedaemon = undef, + + $exchange_mode = "main", + + $generate_policy = "off", + + + $ike_auth_method = "rsasig", + + $proposals = [ + { + encryption => 'aes256', + hash => 'sha256', + dh_group => 'modp2048', + }, + ], + + # use puppet's certs and keys by default + $ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem", + $client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem", + $client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem", + $crl = "ipsec_$puppet_ssldir/crl.pem", + + + $use_global = false + ) inherits ipsec::params { + + if $ikedaemon == undef { $ike_daemon = $default_ike_daemon } 
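Review bot: The new `$crl` default in class ipsec, `"ipsec_$puppet_ssldir/crl.pem"`, interpolates a variable `$puppet_ssldir` that nothing in this hunk defines, while the three sibling defaults use `$ipsec_puppet_ssldir`; as written the default collapses to something like `ipsec_/crl.pem`, so whatever consumes `$crl` is handed a CRL path that does not exist, and depending on how the templates treat a missing CRL, revocation checking may be silently skipped. The same spelling appears as context in the params.pp hunk (`$puppet_crl`), which is presumably where it was copied from. Suggested fix: `$crl = "$ipsec_puppet_ssldir/crl.pem",`. The class body continues past the end of the hunk.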
@@ -57,6 +84,73 @@ class ipsec( class { "$res": version => $version + } + +} + +define ipsec::transport ( + + $local_ip = undef, + $local_port = 'any', + + $remote_ip, + $remote_id = undef, + $remote_port = 'any', + + $proto = "any", + $ipv6 = false, + + $exchange_mode = $ipsec::exchange_mode, + + $proposals=$ipsec::proposals, + + $encryption = ['aes256'], + $hash = ['sha256'], + $p2hash = ['sha256'], + $dh_group = 'modp2048', + $lifetime = 3600, + + # + $psk = undef, + + # use puppet's certs and keys by default + $ca_cert = $ipsec::ca_cert, + $client_cert = $ipsec::client_cert, + $client_key = $ipsec::client_key, + $crl = $ipsec::crl, + + +) +{ + include ::ipsec + $ikedaemon = $::ipsec::ike_daemon + $res = "ipsec::${ikedaemon}::transport" + + Resource[$res] { "$title": + local_ip => $local_ip, + local_port => $local_port, + + remote_ip => $remote_ip, + remote_id => $remote_id ? { undef => $remote_ip, default => $remote_id }, + remote_port => $remote_port, + + proto => $proto, + + exchange_mode => $exchange_mode, + proposals => $proposals, + + encryption => $encryption, + hash => $hash, + p2hash => $p2hash, + dh_group => $dh_group, + lifetime => $lifetime, + + + psk => $psk, + ca_cert => $ca_cert, + client_cert => $client_cert, + client_key => $client_key, + crl => $crl, } } @@ -93,34 +187,4 @@ define ipsec::tunnel ( } -define ipsec::transport ( - $local_ip, - $remote_ip, - $proto = "any", - $psk, - $encryption = ['aes256'], - $hash = 'sha256', - $p2hash = ['sha256'], - $dh_group = 'modp2048', - $lifetime = 3600, -) -{ - include ::ipsec - $ikedaemon = $::ipsec::ike_daemon - $res = "ipsec::${ikedaemon}::transport" - - Resource[$res] { "$title": - local_ip => $local_ip, - remote_ip => $remote_ip, - proto => $proto, - psk => $psk, - encryption => $encryption, - hash => $hash, - p2hash => $p2hash, - dh_group => $dh_group, - lifetime => $lifetime - } - -} - diff --git a/manifests/isakmpd.pp b/manifests/isakmpd.pp index dd88331..446168d 100644 --- a/manifests/isakmpd.pp 
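Review bot: In the rewritten `ipsec::transport`, the `$ipv6` parameter is accepted but never forwarded in the `Resource[$res]` declaration, so a caller setting `ipv6 => true` gets a silent no-op; either pass it through (`ipv6 => $ipv6,`) once the backends accept it or drop the parameter until they do. `$hash` also changes from the string `'sha256'` of the old define (removed in the following hunk) to the array `['sha256']`, which is a behaviour change for any template that renders it directly and deserves a comment such as `# $hash / $p2hash are arrays of algorithm names`. The required `$remote_ip` sits between defaulted parameters, which Puppet allows but reads as optional at a glance.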
+++ b/manifests/isakmpd.pp @@ -20,22 +20,35 @@ class ipsec::isakmpd ( } - concat { "$ipsec_conf": - mode => '0600' +# concat { "$ipsec_conf": +# mode => '0600' +# +# } +# concat::fragment { "ipsec_conf_header": +# target => "$ipsec_conf", +# order => '00', +# content => template('ipsec/isakmpd_ipsec_conf_header.erb'), + +# } + +# exec { "$setkey_cmd": +# subscribe => Concat[ "$ipsec_conf" ], +# refreshonly => true +# } + + file {"/etc/isakmpd/private/openbsda.pem": + source => $ipsec::client_key, + mode => '600', } - - concat::fragment { "ipsec_conf_header": - target => "$ipsec_conf", - order => '00', - content => template('ipsec/isakmpd_ipsec_conf_header.erb'), - + file {"/etc/isakmpd/certs/ca.pem": + source => $ipsec::ca_cert, + mode => '600', + } + file {"/etc/isakmpd/certs/openbsda.pem": + source => $ipsec::client_cert, + mode => '600', } - - exec { "$setkey_cmd": - subscribe => Concat[ "$ipsec_conf" ], - refreshonly => true - } @@ -47,7 +60,11 @@ define ipsec::isakmpd::tunnel ( $remote_ip, $nets, $proto = "any", - $psk + $psk, + $lifetime, + $hash, + $encryption, + $dh_group, ){ notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": } diff --git a/manifests/params.pp b/manifests/params.pp index ef39e90..429bbb3 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -15,10 +15,11 @@ class ipsec::params { $openssl_cmd = "/usr/bin/openssl" } } - + $puppet_ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem" $puppet_client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem" $puppet_client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem" $puppet_crl = "ipsec_$puppet_ssldir/crl.pem" + } diff --git a/manifests/racoon.pp b/manifests/racoon.pp index 86865b7..b29e3e0 100644 --- a/manifests/racoon.pp +++ b/manifests/racoon.pp @@ -1,7 +1,8 @@ # Racoon IPSec class ipsec::racoon ( - $version = 'latest' + $version = 'latest', + )inherits ipsec::racoon_params{ 
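Review bot: The three new `file` resources in `ipsec::isakmpd` hard-code the host name `openbsda` into `/etc/isakmpd/private/openbsda.pem` and `/etc/isakmpd/certs/openbsda.pem`, while their sources `$ipsec::client_key` and `$ipsec::client_cert` default (init.pp hunk) to paths derived from `${facts[clientcert]}`; on any other host the key and certificate land under a name that is not that host's, which is unlikely to be what the isakmpd configuration (outside this patch) expects. Use the same fact for the destination, e.g. `file { "/etc/isakmpd/private/${facts[clientcert]}.pem":`, and likewise for the certificate. `mode => '600'` should be the four-digit `'0600'` form (three-digit modes are deprecated in Puppet 4+), and for the private key pinning `owner => 'root'` alongside the mode is cheap insurance. The commented-out `concat`/`exec` blocks above are dead code and are better deleted than kept as comments; the class begins before the hunk.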
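Review bot: `ipsec::isakmpd::tunnel` now requires `$lifetime`, `$hash`, `$encryption` and `$dh_group` with no defaults, so any declaration that still passes only the old five parameters fails catalog compilation unless the caller (`ipsec::tunnel`, not in this patch) forwards all four. The new `ipsec::transport` in init.pp gives these defaults (`$lifetime = 3600`, `$hash = ['sha256']`, `$encryption = ['aes256']`, `$dh_group = 'modp2048'`); mirroring them here keeps the backend declarations interchangeable. The define's body, where these values would be consumed, lies outside the hunk, so whether they are used at all cannot be confirmed from here.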
@@ -11,6 +12,14 @@ class ipsec::racoon ( ensure => "$version", } + file {$racoon_certs: + ensure => directory, + require => Package['racoon'] + } -> + exec {"/bin/ln -s ${ipsec::puppet_crl} $racoon_certs/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0 && touch /tmp/i": + creates => "/tmp/i" + } + service {'racoon': name => "$racoon_service", ensure => 'running', @@ -39,9 +48,15 @@ class ipsec::racoon ( order => '00', content => template('ipsec/racoon/racoon.conf.header.erb'), } + + $default_proposals = $::ipsec::default_proposals + +# concat::fragment { "$racoon_conf footer": +# target => "$racoon_conf", +# order => '99', +# content => template('ipsec/racoon/racoon.conf.footer.erb'), +# } - - concat { "$ipsec_conf": ensure => present, require => Package['racoon'] 
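Review bot: The `exec` that links the CRL under its OpenSSL hash name is written as a shell pipeline (backticks, a `<` redirect, `&&`) but sets no `provider => 'shell'`; Puppet's default posix provider runs the first word directly without a shell, so `/bin/ln` would receive the backtick text and `&&` as literal arguments. Its idempotence marker, `creates => "/tmp/i"`, is a path in a world-writable directory that is neither tied to the link it stands for nor protected from other users, and it vanishes on reboot, after which `ln -s` fails on every run because the link already exists. It also depends on `${ipsec::puppet_crl}`, which the params.pp context in this patch spells `"ipsec_$puppet_ssldir/crl.pem"` (apparently a typo for `$ipsec_puppet_ssldir`). Suggested shape below: let the shell compute the hash and test the real link instead of a sentinel; the `file { $racoon_certs: }` resource before it is unchanged.
```puppet
  # … unchanged: file { $racoon_certs: ensure => directory, require => Package['racoon'] }
  } ->
  # Link the CRL under its OpenSSL hash name (<hash>.r0) in the racoon certs dir.
  exec { 'racoon_crl_hash_link':
    command  => "/bin/ln -s ${ipsec::puppet_crl} ${racoon_certs}/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0",
    unless   => "/bin/test -L ${racoon_certs}/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0",
    provider => 'shell',
  }
```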
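Review bot: `$default_proposals = $::ipsec::default_proposals` reads a variable that class ipsec, as declared in the init.pp hunk, does not have (its parameter is `$proposals`); with `strict_variables` this fails compilation and otherwise yields undef, and `$default_proposals` is not used anywhere in the visible hunk. Either drop the line or point it at the parameter that exists, `$default_proposals = $::ipsec::proposals`. The commented-out footer fragment below it is dead code that should be deleted rather than left in the manifest.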
@@ -64,13 +79,76 @@ class ipsec::racoon ( concat::fragment { "pskfile_header": target => "$racoon_pskfile", order => '00', - content => "#racoon psks\n", + content => "# PSKs for Racoon managed by puppet\n", } + + + if $ipsec::use_global { + ipsec::racoon::remote {"default": + remote_id => 'anonymous', + exchange_mode => $ipsec::exchange_mode, + client_cert => $ipsec::puppet_client_cert, + client_key => $ipsec::puppet_client_key, + ca_cert => $ipsec::puppet_ca_cert, + + proposals => $ipsec::proposals, + } + ipsec::racoon::sainfo {"default": + saparam => "anonymous", + lifetime => 3600, + pfs_group => "modp2048", + encryption => ["3des"], + hash => ["md5"], + compression => "deflate", + } + } + + } +define ipsec::racoon::remote +( + $remote_id, + $exchange_mode, + $generate_policy = "off", + $proposals, + $order = undef, + $ca_cert = undef, + $client_cert = undef, + $client_key = undef, + $crl = undef, + $psk = undef, + + +) { + concat::fragment { "p1_$title": + target => "$::ipsec::racoon_params::racoon_conf", + content => template('ipsec/racoon/remote.erb') + } +} + +define ipsec::racoon::sainfo +( + $pfs_group, + $encryption, + $hash, + $compression, + $lifetime, + + $saparam, + $order = undef + +){ + concat::fragment { "sainfo_$title": + target => "$::ipsec::racoon_params::racoon_conf", + content => template('ipsec/racoon/sainfo.erb') + } + +} + define ipsec::racoon::tunnel ( $local_ip, $remote_ip, 
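Review bot: The `use_global` branch declares a `sainfo` for `anonymous` peers with `encryption => ["3des"]` and `hash => ["md5"]`, the weakest phase-2 suite in the patch, and it applies to every peer that matches nothing more specific; the rest of the patch (class ipsec defaults, the transport `sainfo`) uses `aes256`/`sha256`. Make the global default at least as strong, `encryption => ["aes256"],` and `hash => ["sha256"],`, or better derive it from the class parameters instead of a second hard-coded list. The matching `ipsec::racoon::remote { "default": }` passes no `crl`, so the anonymous remote gets `$crl = undef`; whether that disables revocation checking depends on `remote.erb`, which is not in the patch, so it is worth confirming. The enclosing `class ipsec::racoon` starts before the hunk.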
@@ -101,30 +179,79 @@ define ipsec::racoon::tunnel ( define ipsec::racoon::transport ( $local_ip, + $local_port, $remote_ip, + $remote_id, + $remote_port, $proto, + $encryption, $hash, $dh_group, - $psk, $p2hash, $lifetime, + + $exchange_mode, + + $psk, + $ca_cert, + $client_cert, + $client_key, + $crl, + + $proposals, ) { + if ! $ipsec::use_global { + ipsec::racoon::remote {"$title": + remote_id => $remote_id, + exchange_mode => $exchange_mode, + proposals => $proposals, + + psk => $psk, + ca_cert => $ca_cert, + client_cert => $client_cert, + client_key => $client_key, + crl => $crl, + } + + if ! $local_ip { + $arg_local_ip = "anonymous" + } + else{ + $arg_local_ip= "address $local_ip[$local_port] $proto" + } + + + + ipsec::racoon::sainfo {"$title": + saparam => "$arg_local_ip address $remote_ip[$remote_port] $proto ", + lifetime => 3600, + pfs_group => "modp2048", + encryption => ["aes256"], + hash => ["sha256"], + compression => "deflate", + } + } + concat::fragment { "$title": target => "$::ipsec::racoon_params::ipsec_conf", content => template('ipsec/racoon/ipsec.conf.transport.erb') } - - concat::fragment { "psk_$title": - target => "$::ipsec::racoon_params::racoon_pskfile", - content => "$remote_ip $psk\n" + + if $psk { + concat::fragment { "psk_$title": + target => "$::ipsec::racoon_params::racoon_pskfile", + content => "$remote_ip $psk\n" + } } - concat::fragment { "racoon_conf_$title": - target => "$::ipsec::racoon_params::racoon_conf", - content => template('ipsec/racoon/racoon-transport.conf.erb') - } + + +# concat::fragment { "racoon_conf_$title": +# target => "$::ipsec::racoon_params::racoon_conf", +# content => template('ipsec/racoon/racoon-transport.conf.erb') +# } } diff --git a/manifests/racoon_params.pp b/manifests/racoon_params.pp index 2ce6d1d..e77486f 100644 --- a/manifests/racoon_params.pp +++ b/manifests/racoon_params.pp 
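Review bot: `ipsec::racoon::transport` accepts `$lifetime`, `$dh_group`, `$encryption` and `$p2hash` (and `ipsec::transport` forwards them), but its `sainfo` declaration ignores them and hard-codes `lifetime => 3600`, `pfs_group => "modp2048"`, `encryption => ["aes256"]`, `hash => ["sha256"]`, so a caller's choice of phase-2 parameters is silently discarded; the rewrite below wires them through (`$p2hash` being the phase-2 hash, judging by its name). Separately, `"$arg_local_ip address $remote_ip[$remote_port] $proto "` relies on `$remote_ip[$remote_port]` interpolating as the variable followed by literal brackets; if Puppet parses the bracket as an index expression instead, the result is not the `address IP[port] proto` form the string is trying to build, and `${remote_ip}[${remote_port}]` (likewise for `$local_ip`) removes the ambiguity, while the trailing space in that string looks accidental. The commented-out `racoon_conf_$title` fragment at the bottom is dead code.
```puppet
    # … unchanged: ipsec::racoon::remote { "$title": … } and the $arg_local_ip selection …
    ipsec::racoon::sainfo { "$title":
      saparam     => "$arg_local_ip address ${remote_ip}[${remote_port}] $proto",
      lifetime    => $lifetime,
      pfs_group   => $dh_group,
      encryption  => $encryption,
      hash        => $p2hash,
      compression => "deflate",
    }
```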
@@ -10,6 +10,7 @@ class ipsec::racoon_params {
 $setkey_cmd = '/sbin/setkey'
 $racoon_usr = 'root'
 $racoon_grp = 'wheel'
+ $racoon_certs = "/usr/local/etc/racoon/certs"
 }
 'OpenBSD':{
 $ikedaemon = 'isakmpd'
@@ -22,6 +23,7 @@ class ipsec::racoon_params {
 $setkey_cmd = '/sbin/setkey'
 $racoon_usr = 'root'
 $racoon_grp = 'wheel'
+ $racoon_certs = "/usr/local/etc/racoon/certs"
 }
 default: {
 $racoon_pkg = 'racoon'
@@ -33,6 +35,7 @@ class ipsec::racoon_params {
 $setkey_cmd = '/usr/sbin/setkey'
 $racoon_usr = 'root'
 $racoon_grp = 'root'
+ $racoon_certs = "/etc/racoon/certs"
 }
 }
 }