191 lines
3.3 KiB
Puppet
191 lines
3.3 KiB
Puppet
# Class: ipsec
|
|
# ===========================
|
|
#
|
|
# Full description of class ipsec here.
|
|
#
|
|
# Parameters
|
|
# ----------
|
|
#
|
|
# Document parameters here.
|
|
#
|
|
# * `sample parameter`
|
|
# Explanation of what this parameter affects and what it defaults to.
|
|
# e.g. "Specify one or more upstream ntp servers as an array."
|
|
#
|
|
# Variables
|
|
# ----------
|
|
#
|
|
# Here you should define a list of variables that this module would require.
|
|
#
|
|
# * `sample variable`
|
|
# Explanation of how this variable affects the function of this class and if
|
|
# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
|
|
# External Node Classifier as a comma separated list of hostnames." (Note,
|
|
# global variables should be avoided in favor of class parameters as
|
|
# of Puppet 2.6.)
|
|
#
|
|
# Examples
|
|
# --------
|
|
#
|
|
# @example
|
|
# class { 'ipsec':
|
|
# }
|
|
#
|
|
# Authors
|
|
# -------
|
|
#
|
|
# 7u83 <7u83@mail.ru>
|
|
#
|
|
# Copyright
|
|
# ---------
|
|
#
|
|
# Copyright 2018 7u83@mail.ru
|
|
#
|
|
class ipsec(
|
|
$version = 'latest',
|
|
$ikedaemon = undef,
|
|
|
|
$exchange_mode = "main",
|
|
|
|
$generate_policy = "off",
|
|
|
|
|
|
$ike_auth_method = "rsasig",
|
|
|
|
$proposals = [
|
|
{
|
|
encryption => 'aes256',
|
|
hash => 'sha256',
|
|
dh_group => 'modp2048',
|
|
},
|
|
],
|
|
|
|
# use puppet's certs and keys by default
|
|
$ca_cert = "$ipsec_puppet_ssldir/certs/ca.pem",
|
|
$client_cert = "$ipsec_puppet_ssldir/certs/${facts[clientcert]}.pem",
|
|
$client_key = "$ipsec_puppet_ssldir/private_keys/${facts[clientcert]}.pem",
|
|
$crl = "ipsec_$puppet_ssldir/crl.pem",
|
|
|
|
|
|
$use_global = false
|
|
|
|
) inherits ipsec::params {
|
|
|
|
|
|
|
|
if $ikedaemon == undef {
|
|
$ike_daemon = $default_ike_daemon
|
|
}
|
|
else {
|
|
$ike_daemon = $ikedaemon
|
|
}
|
|
|
|
$res = "ipsec::${ike_daemon}"
|
|
|
|
class { "$res":
|
|
version => $version
|
|
}
|
|
|
|
}
|
|
|
|
define ipsec::transport (
|
|
|
|
$local_ip = undef,
|
|
$local_port = 'any',
|
|
|
|
$remote_ip,
|
|
$remote_id = undef,
|
|
$remote_port = 'any',
|
|
|
|
$proto = "any",
|
|
$ipv6 = false,
|
|
|
|
$exchange_mode = $ipsec::exchange_mode,
|
|
|
|
$proposals=$ipsec::proposals,
|
|
|
|
$encryption = ['aes256'],
|
|
$hash = ['sha256'],
|
|
$p2hash = ['sha256'],
|
|
$dh_group = 'modp2048',
|
|
$lifetime = 3600,
|
|
|
|
#
|
|
$psk = undef,
|
|
|
|
# use puppet's certs and keys by default
|
|
$ca_cert = $ipsec::ca_cert,
|
|
$client_cert = $ipsec::client_cert,
|
|
$client_key = $ipsec::client_key,
|
|
$crl = $ipsec::crl,
|
|
|
|
|
|
)
|
|
{
|
|
include ::ipsec
|
|
$ikedaemon = $::ipsec::ike_daemon
|
|
$res = "ipsec::${ikedaemon}::transport"
|
|
|
|
Resource[$res] { "$title":
|
|
local_ip => $local_ip,
|
|
local_port => $local_port,
|
|
|
|
remote_ip => $remote_ip,
|
|
remote_id => $remote_id ? { undef => $remote_ip, default => $remote_id },
|
|
remote_port => $remote_port,
|
|
|
|
proto => $proto,
|
|
|
|
exchange_mode => $exchange_mode,
|
|
proposals => $proposals,
|
|
|
|
encryption => $encryption,
|
|
hash => $hash,
|
|
p2hash => $p2hash,
|
|
dh_group => $dh_group,
|
|
lifetime => $lifetime,
|
|
|
|
|
|
psk => $psk,
|
|
ca_cert => $ca_cert,
|
|
client_cert => $client_cert,
|
|
client_key => $client_key,
|
|
crl => $crl,
|
|
}
|
|
|
|
}
|
|
|
|
|
|
define ipsec::tunnel (
|
|
$local_ip,
|
|
$remote_ip,
|
|
$nets,
|
|
$proto = "any",
|
|
$psk,
|
|
$hash = 'sha256',
|
|
$encryption = 'aes256',
|
|
$lifetime = '86400 sec',
|
|
$dh_group = 'modp2048',
|
|
|
|
)
|
|
{
|
|
include ::ipsec
|
|
$ikedaemon = $::ipsec::ike_daemon
|
|
$res = "ipsec::${ikedaemon}::tunnel"
|
|
|
|
Resource[$res] { "$title":
|
|
local_ip => $local_ip,
|
|
remote_ip => $remote_ip,
|
|
nets => $nets,
|
|
proto => $proto,
|
|
psk => $psk,
|
|
lifetime => $lifetime,
|
|
hash => $hash,
|
|
encryption => $encryption,
|
|
dh_group => $dh_group,
|
|
}
|
|
|
|
}
|
|
|
|
|