Set up IPSec tunnels between each pair of hosts.

We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
author: Guilhem Moulin <guilhem@fripost.org> 2016-05-20 01:19:27 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-05-22 17:53:52 +0200
commit: 3fafa03aeb3640a86d9cd8c639d085df6a8d085d (patch)
tree: ba1bc3707aa20e3a80c08b1dd2726524333b3d21 /roles/common/tasks
parent: 1bdc6a1202f9cabea5f907c4213f2a6f902443b6 (diff)
3 files changed, 102 insertions, 0 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..b82c281
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,96 @@
+- name: Install strongSwan
+  apt: pkg={{ item }}
+  with_items:
+    - strongswan-charon
+      # for the GCM and openssl plugins
+    - libstrongswan-standard-plugins
+  notify:
+    - Update firewall
+    - Restart IPSec
+
+- name: Auto-create a dedicated virtual subnet for IPSec
+  template: src=etc/network/if-up.d/ipsec.j2
+            dest=/etc/network/if-up.d/ipsec
+            owner=root group=root
+            mode=0755
+  notify:
+    - Reload networking
+
+- name: Auto-deactivate the dedicated virtual subnet for IPSec
+  file: src=../if-up.d/ipsec
+        dest=/etc/network/if-down.d/ipsec
+        owner=root group=root state=link force=yes
+
+- meta: flush_handlers
+
+
+- name: Configure IPSec
+  template: src=etc/ipsec.conf.j2
+            dest=/etc/ipsec.conf
+            owner=root group=root
+            mode=0644
+  register: r1
+  notify:
+    - Restart IPSec
+
+- name: Configure IPSec's secrets
+  template: src=etc/ipsec.secrets.j2
+            dest=/etc/ipsec.secrets
+            owner=root group=root
+            mode=0600
+  register: r2
+  notify:
+    - Restart IPSec
+
+- name: Configure Charon
+  copy: src=etc/strongswan.d/{{ item }}
+        dest=/etc/strongswan.d/{{ item }}
+        owner=root group=root
+        mode=0644
+  with_items:
+    - charon.conf
+    - charon/socket-default.conf
+  register: r3
+  notify:
+    - Restart IPSec
+
+- name: Generate a private key and a X.509 certificate for IPSec
+  command: genkeypair.sh x509
+                         --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+                         --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
+                         --ou=IPSec --cn={{ inventory_hostname_short }}
+                         -t rsa -b 4096 -h sha512
+  register: r4
+  changed_when: r4.rc == 0
+  failed_when: r4.rc > 1
+  notify:
+    - Restart IPSec
+  tags:
+    - genkey
+
+- name: Fetch IPSec X.509 certificate
+  # Ensure we don't fetch private data
+  become: False
+  fetch_cmd: cmd="openssl x509"
+             stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+             dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+  tags:
+    - genkey
+
+# Don't copy our pubkey due to a possible race condition.  Only the
+# remote machine has authority regarding its key.
+- name: Copy IPSec X.509 certificates (except ours)
+  copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
+        dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
+        owner=root group=root
+        mode=0644
+  with_items: "{{ groups.all | difference([inventory_hostname]) }}"
+  register: r5
+  tags:
+    - genkey
+  notify:
+    - Restart IPSec
+
+- name: Start IPSec
+  service: name=ipsec state=started
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 3b86294..b27fc41 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -47,6 +47,7 @@
     - ignore.d.server/common-local
     - ignore.d.server/dovecot-local
     - ignore.d.server/postfix-local
+    - ignore.d.server/strongswan-local
     # logcheck-sudo already exists, but changing the filename for our
     # local modifications would defeat the ruleset
     - violations.ignore.d/logcheck-sudo
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1226d37..88d44f3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -47,6 +47,11 @@
   command: gendhparam.sh /etc/ssl/dhparams.pem 2048
            creates=/etc/ssl/dhparams.pem
   tags: genkey
+- include: ipsec.yml
+  tags:
+    - strongswan
+    - ipsec
+  when: "groups.all | length > 1"
 - include: logging.yml
   tags: logging
 - include: ntp.yml
author	Guilhem Moulin <guilhem@fripost.org>	2016-05-20 01:19:27 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-05-22 17:53:52 +0200
commit	3fafa03aeb3640a86d9cd8c639d085df6a8d085d (patch)
tree	ba1bc3707aa20e3a80c08b1dd2726524333b3d21 /roles/common/tasks
parent	1bdc6a1202f9cabea5f907c4213f2a6f902443b6 (diff)