7u83-ipsec/manifests/racoon.pp


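# Racoon IPSec
#
# Installs and runs racoon (the IKEv1 daemon) and manages the three files
# it needs. Each file is a concat target so that ipsec::racoon::tunnel and
# ipsec::racoon::transport can append their own sections:
#   $racoon_conf    - racoon daemon configuration
#   $ipsec_conf     - setkey SPD policy, reloaded with "$setkey_cmd -f"
#   $racoon_pskfile - pre-shared keys, one "<peer> <psk>" line per peer
# Package, service and path names all come from ipsec::racoon_params.
#
# @param version  value handed to the package resource's ensure. The default
#   'latest' upgrades racoon on every run that finds a newer package; pin a
#   version if unattended upgrades of the IKE daemon are not wanted.
class ipsec::racoon (
  $version = 'latest'
) inherits ipsec::racoon_params {

  package { 'racoon':
    ensure => $version,
    name   => $racoon_pkg,
  }

  # subscribe already implies require on the same resource, so the former
  # separate require on Concat[$racoon_conf] was redundant and is dropped.
  service { 'racoon':
    ensure    => 'running',
    enable    => true,
    name      => $racoon_service,
    subscribe => Concat[$racoon_conf],
  }

  # Only enabled at boot: no ensure is set, so a stopped ipsec service is
  # left alone at runtime (kept from the original).
  service { 'ipsec':
    name   => $ipsec_service,
    enable => true,
  }

  # Reload the SPD whenever the policy file is rebuilt.
  exec { "${setkey_cmd} -f ${ipsec_conf}":
    subscribe   => Concat[$ipsec_conf],
    refreshonly => true,
  }

  concat { $racoon_conf:
    ensure => present,
  }

  concat::fragment { "${racoon_conf} header":
    target  => $racoon_conf,
    order   => '00',
    content => template('ipsec/racoon/racoon.conf.header.erb'),
  }

  concat { $ipsec_conf:
    ensure => present,
  }

  concat::fragment { 'ipsec_conf_header':
    target  => $ipsec_conf,
    order   => '00',
    content => template('ipsec/ipsec_top.erb'),
  }

  # The PSK file holds secrets: owner-only mode, and show_diff => false so
  # that key material is not echoed into agent logs and reports when the
  # file content changes. (The PSK values still travel in the catalog; that
  # is a property of how the tunnel/transport defines build the fragments.)
  concat { $racoon_pskfile:
    ensure    => present,
    owner     => $racoon_usr,
    group     => $racoon_grp,
    mode      => '0600',
    show_diff => false,
  }

  concat::fragment { 'pskfile_header':
    target  => $racoon_pskfile,
    order   => '00',
    content => "#racoon psks\n",
  }
}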
# IPsec tunnel-mode SA between two gateways.
#
# Writes three fragments keyed by the resource title: the setkey tunnel
# policy (into ipsec_conf), the "<remote_ip> <psk>" line (into the racoon
# PSK file) and the per-peer racoon.conf section. Parameters that are not
# referenced directly below are consumed by the ERB templates.
#
# @param local_ip    local gateway address
# @param remote_ip   remote gateway address; also keys the PSK file line
# @param nets        networks carried by the tunnel (exact shape is defined
#   by ipsec/ipsec_tunnel.erb — confirm there)
# @param psk         pre-shared key; it is embedded verbatim in the
#   fragment content and therefore in the compiled catalog
# @param encryption  phase-2 cipher ('blowfish' is a legacy 64-bit-block
#   cipher; prefer an AES variant for new peers)
# @param hash        phase-2 hash algorithm
# @param dh_group    Diffie-Hellman group
# @param lifetime    SA lifetime string handed to racoon
# @param proto       upper-layer protocol the policy applies to
define ipsec::racoon::tunnel (
  $local_ip,
  $remote_ip,
  $nets,
  $psk,
  $encryption = 'blowfish',
  $hash       = 'sha256',
  $dh_group   = 'modp3072',
  $lifetime   = '86400 sec',
  $proto      = 'any'
) {
  $psk_line = "${remote_ip} ${psk}\n"

  concat::fragment { "racoon_conf_${title}":
    target  => $::ipsec::racoon_params::racoon_conf,
    content => template('ipsec/racoon/racoon.conf.erb'),
  }

  concat::fragment { "psk_${title}":
    target  => $::ipsec::racoon_params::racoon_pskfile,
    content => $psk_line,
  }

  concat::fragment { $title:
    target  => $::ipsec::racoon_params::ipsec_conf,
    content => template('ipsec/ipsec_tunnel.erb'),
  }
}
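# IPsec transport-mode SA to a single peer.
#
# Appends the setkey policy for this host pair to ipsec_conf and the
# peer's pre-shared key to the racoon PSK file. Unlike ipsec::racoon::tunnel
# no racoon.conf section is written here.
#
# @param local_ip    local endpoint address
# @param remote_ip   peer address; also keys the PSK file line
# @param psk         pre-shared key, written verbatim as "<remote_ip> <psk>"
#   (and so present in the compiled catalog)
# @param proto       upper-layer protocol the policy applies to ('any' = all)
# @param encryption  phase-2 cipher passed to the template. 'blowfish' is a
#   legacy 64-bit-block cipher, kept as default for compatibility; new
#   deployments should pass an AES variant.
# @param hash        phase-2 hash algorithm
# @param dh_group    Diffie-Hellman group. The default used to be 'mopd3072',
#   a typo racoon does not recognise; it is now 'modp3072', matching
#   ipsec::racoon::tunnel.
#
# Parameters are passed by name in Puppet, so listing the required ones
# first does not affect existing callers.
define ipsec::racoon::transport (
  $local_ip,
  $remote_ip,
  $psk,
  $proto      = 'any',
  $encryption = 'blowfish',
  $hash       = 'sha256',
  $dh_group   = 'modp3072'
) {
  concat::fragment { $title:
    target  => $::ipsec::racoon_params::ipsec_conf,
    content => template('ipsec/racoon/ipsec.conf.transport.erb'),
  }

  concat::fragment { "psk_${title}":
    target  => $::ipsec::racoon_params::racoon_pskfile,
    content => "${remote_ip} ${psk}\n",
  }
}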