authorGuilhem Moulin <guilhem@fripost.org>2016-06-29 20:14:25 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-29 20:14:25 +0200
commitaaba815dbccbb0d623def17d1e030383d905daa0 (patch)
tree8a566201e726304587d412d8a6508ea1d0c566db
parent0e583714e7dbba5a871b1bfdf4b85bd0b5f91632 (diff)
IPSec → IPsec
-rw-r--r--group_vars/all.yml6
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh13
-rw-r--r--roles/common/handlers/main.yml2
-rw-r--r--roles/common/tasks/ipsec.yml28
-rw-r--r--roles/common/templates/etc/iptables/services.j22
-rwxr-xr-xroles/common/templates/etc/network/if-up.d/ipsec.j26
6 files changed, 28 insertions, 29 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 9458dc0..a9bfda9 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -10,12 +10,12 @@ postfix_instance:
lists: { name: lists, port: 2527 }
-# Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
-# in the absence of xfrm lookup (i.e., when there is no matching IPSec
+# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
+# in the absence of xfrm lookup (i.e., when there is no matching IPsec
# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24
ipsec:
- # Virtual (non-routable) addresses for IPSec. They all need to be
+ # Virtual (non-routable) addresses for IPsec. They all need to be
# distinct and belong to the above subnet 'ipsec_subnet'.
antilop: 172.16.0.1
benjamin: 172.16.0.2
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 7ca9bab..b27e5ce 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -48,7 +48,7 @@ else
fi
fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
+IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
declare -A rss=() tables=()
usage() {
@@ -104,7 +104,7 @@ ipt-trim() {
# automatically included by third-party servers (such as strongSwan
# or fail2ban). The output is ready to be made persistent.
grep -Ev -e '^:fail2ban-\S' \
- -e "$IPSec_re" \
+ -e "$IPsec_re" \
-e '-j fail2ban-\S+$' \
-e "$fail2ban_re"
}
@@ -197,9 +197,8 @@ run() {
fi >> "$new"
if [ "$f" = 4 -a "$ipsec" = y ]; then
- # Our IPSec tunnels are IPv4 only.
- # (Host-to-host) IPSec tunnels come first.
- grep -E -- "$IPSec_re" "$old" >> "$new" || true
+ # IPsec tunnels come first (IPv4 only).
+ grep -E -- "$IPsec_re" "$old" >> "$new" || true
# Allow any IPsec $secproto protocol packets to be sent and received.
iptables -A INPUT -i $if -p $secproto -j ACCEPT
@@ -215,11 +214,11 @@ run() {
local ip
if [ "$f" = 4 -a "$ipsec" = y ]; then
# Private-use networks (RFC 1918) and link local (RFC 3927)
- local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+ local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
| sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
| while read ip; do
- for ips in $MyIPSec; do
+ for ips in $MyIPsec; do
[ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
done
done
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 250c77b..73877f8 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -23,7 +23,7 @@
- name: Restart fail2ban
service: name=fail2ban state=restarted
-- name: Restart IPSec
+- name: Restart IPsec
service: name=ipsec state=restarted
- name: Reload networking
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index ca03c98..ce158fe 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -6,9 +6,9 @@
- libstrongswan-standard-plugins
notify:
- Update firewall
- - Restart IPSec
+ - Restart IPsec
-- name: Auto-create a dedicated virtual subnet for IPSec
+- name: Auto-create a dedicated virtual subnet for IPsec
template: src=etc/network/if-up.d/ipsec.j2
dest=/etc/network/if-up.d/ipsec
owner=root group=root
@@ -16,7 +16,7 @@
notify:
- Reload networking
-- name: Auto-deactivate the dedicated virtual subnet for IPSec
+- name: Auto-deactivate the dedicated virtual subnet for IPsec
file: src=../if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
owner=root group=root state=link force=yes
@@ -24,23 +24,23 @@
- meta: flush_handlers
-- name: Configure IPSec
+- name: Configure IPsec
template: src=etc/ipsec.conf.j2
dest=/etc/ipsec.conf
owner=root group=root
mode=0644
register: r1
notify:
- - Restart IPSec
+ - Restart IPsec
-- name: Configure IPSec's secrets
+- name: Configure IPsec's secrets
template: src=etc/ipsec.secrets.j2
dest=/etc/ipsec.secrets
owner=root group=root
mode=0600
register: r2
notify:
- - Restart IPSec
+ - Restart IPsec
- name: Configure Charon
copy: src=etc/strongswan.d/{{ item }}
@@ -52,9 +52,9 @@
- charon/socket-default.conf
register: r3
notify:
- - Restart IPSec
+ - Restart IPsec
-- name: Generate a key pair for IPSec public key authentication
+- name: Generate a key pair for IPsec public key authentication
command: genkeypair.sh keypair
--pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
@@ -63,11 +63,11 @@
changed_when: r4.rc == 0
failed_when: r4.rc > 1
notify:
- - Restart IPSec
+ - Restart IPsec
tags:
- genkey
-- name: Fetch the public part of IPSec host key
+- name: Fetch the public part of IPsec host key
# Ensure we don't fetch private data
become: False
fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
@@ -78,7 +78,7 @@
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
-- name: Copy the public part of IPSec peers' key
+- name: Copy the public part of IPsec peers' key
copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
owner=root group=root
@@ -88,8 +88,8 @@
tags:
- genkey
notify:
- - Restart IPSec
+ - Restart IPsec
-- name: Start IPSec
+- name: Start IPsec
service: name=ipsec state=started
when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index ccbc735..247f98a 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -7,7 +7,7 @@
{% if groups.all | length > 1 %}
inout4 udp 500 500 # ISAKMP
{% if groups.NATed | length > 0 %}
-inout4 udp 4500 4500 # IPSec NAT Traversal
+inout4 udp 4500 4500 # IPsec NAT Traversal
{% endif %}
{% endif %}
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2
index 7dd41d4..caa5129 100755
--- a/roles/common/templates/etc/network/if-up.d/ipsec.j2
+++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2
@@ -1,7 +1,7 @@
#!/bin/sh
# A post-up/down hook to automatically create/delete a virtual subnet
-# for IPSec (inet4 only).
+# for IPsec (inet4 only).
# Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
@@ -35,9 +35,9 @@ vsubnet="{{ ipsec_subnet }}"
case "$MODE" in
start) ip address add "$vip/32" dev "$IFACE" scope global || true
- # Nullroute the subnet used for IPSec to avoid data leaks
+ # Nullroute the subnet used for IPsec to avoid data leaks
# in the absence of xfrm lookup (i.e., when there is no
- # matching IPSec Security Association).
+ # matching IPsec Security Association).
ip route replace prohibit "$vsubnet" proto static || true
ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
;;
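Review bot: The `|| true` on `ip route replace prohibit "$vsubnet" proto static` silently discards a failure to install the very null route that the reworded comment describes as the data-leak protection; if that command fails, the `$vip/32` address added on the line above stays up with no prohibit route in place and nothing records it. The `|| true` was presumably chosen so an ifupdown hook never fails the interface, which is reasonable, but the failure should at least be visible: `ip route replace prohibit "$vsubnet" proto static || logger -t ipsec -p daemon.err "failed to nullroute $vsubnet on $IFACE"`. The same applies to the table-220 route on the following line, whose absence would leave peer traffic to fall through to the main table. The `case "$MODE"` block this hunk sits in ends outside the hunk.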