diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-20 01:19:27 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 17:53:52 +0200 |
commit | 3fafa03aeb3640a86d9cd8c639d085df6a8d085d (patch) | |
tree | ba1bc3707aa20e3a80c08b1dd2726524333b3d21 /roles/common/templates/etc/network | |
parent | 1bdc6a1202f9cabea5f907c4213f2a6f902443b6 (diff) |
Set up IPSec tunnels between each pair of hosts.
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
Diffstat (limited to 'roles/common/templates/etc/network')
-rwxr-xr-x | roles/common/templates/etc/network/if-up.d/ipsec.j2 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2 new file mode 100755 index 0000000..7dd41d4 --- /dev/null +++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2 @@ -0,0 +1,47 @@ +#!/bin/sh + +# A post-up/down hook to automatically create/delete a virtual subnet +# for IPSec (inet4 only). +# Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -ue +PATH=/usr/sbin:/usr/bin:/sbin:/bin + +# Ignore the loopback interface and non inet4 families. +[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 + +# Only the device with the default, globally-scoped route, is of +# interest here. +ip="$( ip -4 -o route show to default scope global \ + | sed -nr '/^default via (\S+) dev (\S+).*/ {s//\2 \1/p;q}' )" +[ "${ip% *}" = "$IFACE" ] || exit 0 +ip="${ip##* }" + +vip="{{ ipsec[inventory_hostname_short] }}" +vsubnet="{{ ipsec_subnet }}" + +case "$MODE" in + start) ip address add "$vip/32" dev "$IFACE" scope global || true + # Nullroute the subnet used for IPSec to avoid data leaks + # in the absence of xfrm lookup (i.e., when there is no + # matching IPSec Security Association). + ip route replace prohibit "$vsubnet" proto static || true + ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true + ;; + stop) ip route del table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true + ip route del prohibit "$vsubnet" proto static || true + ip address del "$vip/32" dev "$IFACE" scope global || true +esac |