fripost-ansible/certs/ipsec, branch master Fripost ansible scripts levante: Adjust pinned key material and modules due to new hardware. 2024-09-08T00:06:12+00:00 Guilhem Moulin guilhem@fripost.org 2024-09-08T00:06:12+00:00 6f7e29aa7227147a5c9038fe92d484d11e90d6fc 






Move bacula and munin master to new host levante from benjamin.
2020-11-03T03:54:39+00:00

Guilhem Moulin
guilhem@fripost.org

2020-11-03T03:54:39+00:00

e91e0e722c3d09a21905d66f3d217cdcd241d2fb












Define new host "calima" serving Nextcloud.
2018-12-03T02:43:48+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-03T02:37:19+00:00

5ad9fc5e963b9a461f60799d7f185a9e2e13522f












Rotate civett's IPsec's key.
2017-05-29T14:31:26+00:00

Guilhem Moulin
guilhem@fripost.org

2017-05-29T14:31:26+00:00

48067cfad556314f91c57f99692609084fce6f63












IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.
2016-05-24T15:12:10+00:00

Guilhem Moulin
guilhem@fripost.org

2016-05-24T15:11:11+00:00

1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9

There is no need to bother with X.509 cruft here.





There is no need to bother with X.509 cruft here.







Set up IPSec tunnels between each pair of hosts.
2016-05-22T15:53:52+00:00

Guilhem Moulin
guilhem@fripost.org

2016-05-19T23:19:27+00:00

3fafa03aeb3640a86d9cd8c639d085df6a8d085d

We use a dedicated, non-routable, IPv4 subnet for IPSec.  Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.

Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).

The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.





We use a dedicated, non-routable, IPv4 subnet for IPSec.  Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.

Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).

The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.