Racoon uses own templates sub-directory

This commit is contained in:
7u83 2020-05-22 10:20:45 +00:00
parent 5502042c89
commit b195b993b0
5 changed files with 271 additions and 59 deletions


@ -43,9 +43,36 @@
# #
class ipsec( class ipsec(
$version = 'latest', $version = 'latest',
$ikedaemon = undef $ikedaemon = undef,
$exchange_mode = "main",
$generate_policy = "off",
$ike_auth_method = "rsasig",
$proposals = [
{
encryption => 'aes256',
hash => 'sha256',
dh_group => 'modp2048',
},
],
# use puppet's certs and keys by default
$ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem",
$client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem",
$client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem",
$crl = "ipsec_$puppet_ssldir/crl.pem",
$use_global = false
) inherits ipsec::params { ) inherits ipsec::params {
if $ikedaemon == undef { if $ikedaemon == undef {
$ike_daemon = $default_ike_daemon $ike_daemon = $default_ike_daemon
} }
@ -57,6 +84,73 @@ class ipsec(
class { "$res": class { "$res":
version => $version version => $version
}
}
define ipsec::transport (
$local_ip = undef,
$local_port = 'any',
$remote_ip,
$remote_id = undef,
$remote_port = 'any',
$proto = "any",
$ipv6 = false,
$exchange_mode = $ipsec::exchange_mode,
$proposals=$ipsec::proposals,
$encryption = ['aes256'],
$hash = ['sha256'],
$p2hash = ['sha256'],
$dh_group = 'modp2048',
$lifetime = 3600,
#
$psk = undef,
# use puppet's certs and keys by default
$ca_cert = $ipsec::ca_cert,
$client_cert = $ipsec::client_cert,
$client_key = $ipsec::client_key,
$crl = $ipsec::crl,
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::transport"
Resource[$res] { "$title":
local_ip => $local_ip,
local_port => $local_port,
remote_ip => $remote_ip,
remote_id => $remote_id ? { undef => $remote_ip, default => $remote_id },
remote_port => $remote_port,
proto => $proto,
exchange_mode => $exchange_mode,
proposals => $proposals,
encryption => $encryption,
hash => $hash,
p2hash => $p2hash,
dh_group => $dh_group,
lifetime => $lifetime,
psk => $psk,
ca_cert => $ca_cert,
client_cert => $client_cert,
client_key => $client_key,
crl => $crl,
} }
} }
@ -93,34 +187,4 @@ define ipsec::tunnel (
} }
define ipsec::transport (
$local_ip,
$remote_ip,
$proto = "any",
$psk,
$encryption = ['aes256'],
$hash = 'sha256',
$p2hash = ['sha256'],
$dh_group = 'modp2048',
$lifetime = 3600,
)
{
include ::ipsec
$ikedaemon = $::ipsec::ike_daemon
$res = "ipsec::${ikedaemon}::transport"
Resource[$res] { "$title":
local_ip => $local_ip,
remote_ip => $remote_ip,
proto => $proto,
psk => $psk,
encryption => $encryption,
hash => $hash,
p2hash => $p2hash,
dh_group => $dh_group,
lifetime => $lifetime
}
}
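Review bot: The new default `$crl = "ipsec_$puppet_ssldir/crl.pem"` in the first hunk puts the `ipsec_` prefix outside the variable, so it interpolates `$puppet_ssldir` instead of the `$ipsec_puppet_ssldir` the three lines above it use, and the resulting path cannot exist; depending on how the IKE daemon treats a missing CRL, revoked peer certificates may keep being accepted. The same string appears as `$puppet_crl` in params.pp (a context line in the third file section, not changed here), so the fix `$crl = "$ipsec_puppet_ssldir/crl.pem"` is needed in both places, or better, let the four defaults reuse the inherited `$puppet_ca_cert`, `$puppet_client_cert`, `$puppet_client_key` and `$puppet_crl` rather than repeating the strings. In the new `ipsec::transport` (second hunk) the defaults `$exchange_mode = $ipsec::exchange_mode`, `$proposals=$ipsec::proposals` and the `$ipsec::ca_cert`/`$ipsec::client_*`/`$ipsec::crl` defaults are evaluated when the define is declared, before the body's `include ::ipsec` runs, so they are presumably undef unless a caller has already declared the class — confirm against the Puppet version in use. `$remote_ip` has no default but sits between defaulted parameters; moving it first makes the required argument visible at a glance.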


@ -20,22 +20,35 @@ class ipsec::isakmpd (
} }
concat { "$ipsec_conf": # concat { "$ipsec_conf":
mode => '0600' # mode => '0600'
#
# }
# concat::fragment { "ipsec_conf_header":
# target => "$ipsec_conf",
# order => '00',
# content => template('ipsec/isakmpd_ipsec_conf_header.erb'),
# }
# exec { "$setkey_cmd":
# subscribe => Concat[ "$ipsec_conf" ],
# refreshonly => true
# }
file {"/etc/isakmpd/private/openbsda.pem":
source => $ipsec::client_key,
mode => '600',
} }
file {"/etc/isakmpd/certs/ca.pem":
concat::fragment { "ipsec_conf_header": source => $ipsec::ca_cert,
target => "$ipsec_conf", mode => '600',
order => '00', }
content => template('ipsec/isakmpd_ipsec_conf_header.erb'), file {"/etc/isakmpd/certs/openbsda.pem":
source => $ipsec::client_cert,
mode => '600',
} }
exec { "$setkey_cmd":
subscribe => Concat[ "$ipsec_conf" ],
refreshonly => true
}
@ -47,7 +60,11 @@ define ipsec::isakmpd::tunnel (
$remote_ip, $remote_ip,
$nets, $nets,
$proto = "any", $proto = "any",
$psk $psk,
$lifetime,
$hash,
$encryption,
$dh_group,
){ ){
notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": } notify { "$title: $::ipsec::isakmpd_params::ipsec_conf": }
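Review bot: The three new `file` resources in the first hunk hard-code the host-specific names `openbsda.pem` under `/etc/isakmpd/private/` and `/etc/isakmpd/certs/`, while their sources `$ipsec::client_key` and `$ipsec::client_cert` are derived from `${facts[clientcert]}`; the target names should come from the same fact or from a parameter so the class works on more than one host. They also use `mode => '600'` where the commented-out `concat` just above keeps the four-digit `'0600'` the rest of the module uses, and the private-key copy should pin `owner => 'root'` so the mode is not the only thing protecting it. With `concat { "$ipsec_conf" }` and the `exec { "$setkey_cmd" }` reload now commented out, nothing left in this class refreshes the kernel SPD when fragments change; if that is intended, a one-line comment stating where the reload now happens would help the next reader. The parameters `$lifetime`, `$hash`, `$encryption` and `$dh_group` added to `ipsec::isakmpd::tunnel` in the second hunk are required, unlike the defaulted equivalents on `ipsec::transport`; the define body continues past the hunk.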


@ -15,10 +15,11 @@ class ipsec::params {
$openssl_cmd = "/usr/bin/openssl" $openssl_cmd = "/usr/bin/openssl"
} }
} }
$puppet_ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem" $puppet_ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem"
$puppet_client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem" $puppet_client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem"
$puppet_client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem" $puppet_client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem"
$puppet_crl = "ipsec_$puppet_ssldir/crl.pem" $puppet_crl = "ipsec_$puppet_ssldir/crl.pem"
} }


@ -1,7 +1,8 @@
# Racoon IPSec # Racoon IPSec
class ipsec::racoon ( class ipsec::racoon (
$version = 'latest' $version = 'latest',
)inherits ipsec::racoon_params{ )inherits ipsec::racoon_params{
@ -11,6 +12,14 @@ class ipsec::racoon (
ensure => "$version", ensure => "$version",
} }
file {$racoon_certs:
ensure => directory,
require => Package['racoon']
} ->
exec {"/bin/ln -s ${ipsec::puppet_crl} $racoon_certs/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0 && touch /tmp/i":
creates => "/tmp/i"
}
service {'racoon': service {'racoon':
name => "$racoon_service", name => "$racoon_service",
ensure => 'running', ensure => 'running',
@ -39,9 +48,15 @@ class ipsec::racoon (
order => '00', order => '00',
content => template('ipsec/racoon/racoon.conf.header.erb'), content => template('ipsec/racoon/racoon.conf.header.erb'),
} }
$default_proposals = $::ipsec::default_proposals
# concat::fragment { "$racoon_conf footer":
# target => "$racoon_conf",
# order => '99',
# content => template('ipsec/racoon/racoon.conf.footer.erb'),
# }
concat { "$ipsec_conf": concat { "$ipsec_conf":
ensure => present, ensure => present,
require => Package['racoon'] require => Package['racoon']
@ -64,13 +79,76 @@ class ipsec::racoon (
concat::fragment { "pskfile_header": concat::fragment { "pskfile_header":
target => "$racoon_pskfile", target => "$racoon_pskfile",
order => '00', order => '00',
content => "#racoon psks\n", content => "# PSKs for Racoon managed by puppet\n",
} }
if $ipsec::use_global {
ipsec::racoon::remote {"default":
remote_id => 'anonymous',
exchange_mode => $ipsec::exchange_mode,
client_cert => $ipsec::puppet_client_cert,
client_key => $ipsec::puppet_client_key,
ca_cert => $ipsec::puppet_ca_cert,
proposals => $ipsec::proposals,
}
ipsec::racoon::sainfo {"default":
saparam => "anonymous",
lifetime => 3600,
pfs_group => "modp2048",
encryption => ["3des"],
hash => ["md5"],
compression => "deflate",
}
}
} }
define ipsec::racoon::remote
(
$remote_id,
$exchange_mode,
$generate_policy = "off",
$proposals,
$order = undef,
$ca_cert = undef,
$client_cert = undef,
$client_key = undef,
$crl = undef,
$psk = undef,
) {
concat::fragment { "p1_$title":
target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/remote.erb')
}
}
define ipsec::racoon::sainfo
(
$pfs_group,
$encryption,
$hash,
$compression,
$lifetime,
$saparam,
$order = undef
){
concat::fragment { "sainfo_$title":
target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/sainfo.erb')
}
}
define ipsec::racoon::tunnel ( define ipsec::racoon::tunnel (
$local_ip, $local_ip,
$remote_ip, $remote_ip,
@ -101,30 +179,79 @@ define ipsec::racoon::tunnel (
define ipsec::racoon::transport ( define ipsec::racoon::transport (
$local_ip, $local_ip,
$local_port,
$remote_ip, $remote_ip,
$remote_id,
$remote_port,
$proto, $proto,
$encryption, $encryption,
$hash, $hash,
$dh_group, $dh_group,
$psk,
$p2hash, $p2hash,
$lifetime, $lifetime,
$exchange_mode,
$psk,
$ca_cert,
$client_cert,
$client_key,
$crl,
$proposals,
) )
{ {
if ! $ipsec::use_global {
ipsec::racoon::remote {"$title":
remote_id => $remote_id,
exchange_mode => $exchange_mode,
proposals => $proposals,
psk => $psk,
ca_cert => $ca_cert,
client_cert => $client_cert,
client_key => $client_key,
crl => $crl,
}
if ! $local_ip {
$arg_local_ip = "anonymous"
}
else{
$arg_local_ip= "address $local_ip[$local_port] $proto"
}
ipsec::racoon::sainfo {"$title":
saparam => "$arg_local_ip address $remote_ip[$remote_port] $proto ",
lifetime => 3600,
pfs_group => "modp2048",
encryption => ["aes256"],
hash => ["sha256"],
compression => "deflate",
}
}
concat::fragment { "$title": concat::fragment { "$title":
target => "$::ipsec::racoon_params::ipsec_conf", target => "$::ipsec::racoon_params::ipsec_conf",
content => template('ipsec/racoon/ipsec.conf.transport.erb') content => template('ipsec/racoon/ipsec.conf.transport.erb')
} }
concat::fragment { "psk_$title": if $psk {
target => "$::ipsec::racoon_params::racoon_pskfile", concat::fragment { "psk_$title":
content => "$remote_ip $psk\n" target => "$::ipsec::racoon_params::racoon_pskfile",
content => "$remote_ip $psk\n"
}
} }
concat::fragment { "racoon_conf_$title":
target => "$::ipsec::racoon_params::racoon_conf",
content => template('ipsec/racoon/racoon-transport.conf.erb') # concat::fragment { "racoon_conf_$title":
} # target => "$::ipsec::racoon_params::racoon_conf",
# content => template('ipsec/racoon/racoon-transport.conf.erb')
# }
} }
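Review bot: The `exec` added in the second hunk runs `ln -s` on a link name computed with backticks, a `<` redirect and `&& touch /tmp/i`, with `creates => "/tmp/i"`, but without `provider => shell` Puppet's default exec provider does not invoke a shell, so those operators reach `/bin/ln` as literal arguments; and even under a shell, a sentinel in the world-writable `/tmp` lets any local user create `/tmp/i` and suppress the CRL link indefinitely, while the link is never refreshed when the CA hash changes. Recomputing the hash-named link in an `unless` guard removes the sentinel (rewrite below); the `${ipsec::puppet_crl}` it links comes from params.pp outside this section. In `ipsec::racoon::transport` (last hunk) the `sainfo` declaration hard-codes `lifetime => 3600`, `pfs_group => "modp2048"`, `encryption => ["aes256"]` and `hash => ["sha256"]` although `$lifetime`, `$dh_group`, `$encryption` and `$p2hash` are accepted parameters, so a caller's choice is silently ignored — pass them through; the `use_global` default `sainfo` in the fourth hunk likewise hard-codes `["3des"]`/`["md5"]`, weaker than the `aes256`/`sha256` defaults used everywhere else in the module. The strings `"address $local_ip[$local_port] $proto"` and `"$arg_local_ip address $remote_ip[$remote_port] $proto "` will probably be parsed by Puppet as index expressions on `$local_ip`/`$remote_ip`; writing `${local_ip}[${local_port}]` and `${remote_ip}[${remote_port}]` removes the ambiguity — confirm on the Puppet version in use.
```puppet
  } ->
  # The .r0 link name is the CRL issuer hash, only known at agent run time,
  # so it is recomputed in the guard instead of being keyed on a /tmp sentinel.
  exec { 'racoon_crl_link':
    command  => "ln -sf ${ipsec::puppet_crl} ${racoon_certs}/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0",
    unless   => "test -L ${racoon_certs}/`${ipsec::openssl_cmd} crl -noout -hash < ${ipsec::puppet_crl}`.r0",
    provider => shell,
  }
```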


@ -10,6 +10,7 @@ class ipsec::racoon_params {
$setkey_cmd = '/sbin/setkey' $setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root' $racoon_usr = 'root'
$racoon_grp = 'wheel' $racoon_grp = 'wheel'
$racoon_certs = "/usr/local/etc/racoon/certs"
} }
'OpenBSD':{ 'OpenBSD':{
$ikedaemon = 'isakmpd' $ikedaemon = 'isakmpd'
@ -22,6 +23,7 @@ class ipsec::racoon_params {
$setkey_cmd = '/sbin/setkey' $setkey_cmd = '/sbin/setkey'
$racoon_usr = 'root' $racoon_usr = 'root'
$racoon_grp = 'wheel' $racoon_grp = 'wheel'
$racoon_certs = "/usr/local/etc/racoon/certs"
} }
default: { default: {
$racoon_pkg = 'racoon' $racoon_pkg = 'racoon'
@ -33,6 +35,7 @@ class ipsec::racoon_params {
$setkey_cmd = '/usr/sbin/setkey' $setkey_cmd = '/usr/sbin/setkey'
$racoon_usr = 'root' $racoon_usr = 'root'
$racoon_grp = 'root' $racoon_grp = 'root'
$racoon_certs = "/etc/racoon/certs"
} }
} }
} }