author: Guilhem Moulin <guilhem@fripost.org> 2016-05-20 01:19:27 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-05-22 17:53:52 +0200
commit: 3fafa03aeb3640a86d9cd8c639d085df6a8d085d
tree: ba1bc3707aa20e3a80c08b1dd2726524333b3d21 /group_vars/all.yml
parent: 1bdc6a1202f9cabea5f907c4213f2a6f902443b6
Set up IPSec tunnels between each pair of hosts.
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
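As an added example (not part of this commit or of the project's code), a Python check of the two invariants the new group variables are documented to satisfy: every per-host IPSec address belongs to `ipsec_subnet`, and all of them are distinct. The sample input is constructed from the values introduced in this diff; the function and its name are my own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample input, copied from the group_vars/all.yml values in this commit.
IPSEC_SUBNET = "172.16.0.0/24"
IPSEC_HOSTS = {
    "antilop": "172.16.0.1",
    "benjamin": "172.16.0.2",
    "civett": "172.16.0.3",
    "elefant": "172.16.0.4",
    "giraff": "172.16.0.5",
    "mistral": "172.16.0.6",
}


def check_ipsec_vars(subnet: str, hosts: Dict[str, str]) -> List[str]:
    """Return a list of problems (empty when the variables are consistent).

    Checks the invariants stated in the YAML comment: every address must
    belong to `subnet` and all addresses must be distinct. It additionally
    rejects the network and broadcast addresses, which cannot be assigned
    to a host (hypothetical extra check, not something the commit asserts).
    """
    problems: List[str] = []
    net = ipaddress.ip_network(subnet, strict=True)  # raises if host bits are set
    seen: Dict[ipaddress._BaseAddress, str] = {}
    for name, addr in hosts.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: {addr!r} is not a valid IP address")
            continue
        if ip not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address of {net}")
        if ip in seen:
            problems.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        else:
            seen[ip] = name
    return problems


if __name__ == "__main__":
    for problem in check_ipsec_vars(IPSEC_SUBNET, IPSEC_HOSTS) or ["ok"]:
        print(problem)
```

Run before deploying: an empty list means the mapping is safe to use as documented; anything else is a configuration error to fix before the tunnels are set up.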
Diffstat (limited to 'group_vars/all.yml')
-rw-r--r-- group_vars/all.yml | 15
1 files changed, 15 insertions, 0 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 25356bf..c7900a6 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -8,3 +8,18 @@ postfix_instance:
out: { name: out, group: mta, port: 2525 }
MSA: { name: msa }
lists: { name: lists, port: 2527 }
+
+
+# Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
+# on in the absence of xfrm lookup (i.e., when there is no matching
+# IPSec Security Association) to avoid data leaks.
+ipsec_subnet: 172.16.0.0/24
+ipsec:
+ # Virtual (non-routable) addresses for IPSec. They all need to be
+ # distinct and belong to the above subnet 'ipsec_subnet'.
+ antilop: 172.16.0.1
+ benjamin: 172.16.0.2
+ civett: 172.16.0.3
+ elefant: 172.16.0.4
+ giraff: 172.16.0.5
+ mistral: 172.16.0.6
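Review bot: the comment above `ipsec_subnet` has a stray word, "It is always nullrouted on in the absence of xfrm lookup"; drop the "on" so it reads "always nullrouted in the absence of xfrm lookup". Separately, the comment on the `ipsec` mapping says the addresses must be distinct and belong to `ipsec_subnet`, but nothing in these variables enforces that, so a duplicate or out-of-subnet entry would only surface once a tunnel fails; consider an `assert` task in the play that checks both invariants (uniqueness of the values, and membership in `ipsec_subnet` via the `ipaddr` filter) before the tunnels are configured.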