author: Guilhem Moulin <guilhem@fripost.org> (2016-05-20 01:19:27 +0200)
committer: Guilhem Moulin <guilhem@fripost.org> (2016-05-22 17:53:52 +0200)
commit: 3fafa03aeb3640a86d9cd8c639d085df6a8d085d (patch)
tree: ba1bc3707aa20e3a80c08b1dd2726524333b3d21 /roles/common/tasks/main.yml
parent: 1bdc6a1202f9cabea5f907c4213f2a6f902443b6 (diff)
Set up IPSec tunnels between each pair of hosts.
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachable
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
Diffstat (limited to 'roles/common/tasks/main.yml')
-rw-r--r-- roles/common/tasks/main.yml | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1226d37..88d44f3 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -30,40 +30,45 @@ - smartmontools - smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags: - haveged - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters command: gendhparam.sh /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem tags: genkey +- include: ipsec.yml + tags: + - strongswan + - ipsec + when: "groups.all | length > 1" - include: logging.yml tags: logging - include: ntp.yml tags: ntp - include: mail.yml tags: - mail - postfix - include: bacula.yml tags: - bacula-fd - bacula - include: munin-node.yml tags: - munin-node - munin - include: munin-node-ssl.yml when: "'munin-master' not in group_names" tags: - munin-node |
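Review bot: the `when: "groups.all | length > 1"` guard on the new `include: ipsec.yml` counts every host in the inventory rather than the hosts that will actually act as IPSec peers, so strongswan gets set up on a host as soon as any second inventory host exists, and a `--limit` run still evaluates it against the full inventory even when the peers are outside the play. Consider keying the condition on the group that carries this role (or the set of IPSec peers) instead of `groups.all`. Separately, the include sits right after the `genkey`-tagged tasks that install `genkeypair.sh`, and the commit message says peers authenticate with RSA public keys; a run restricted to `--tags ipsec` would skip that copy, so if `ipsec.yml` depends on the script, either add `genkey` to this include's tags or document the ordering dependency.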