Configure IPSec.

5 files changed, 91 insertions, 0 deletions

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index e23e099..2ef3253 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -18,3 +18,9 @@
 
 - name: Restart fail2ban
   service: name=fail2ban state=restarted
+
+- name: Missing IPSec certificate
+  fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'."
+
+- name: Restart IPSec
+  service: name=ipsec state=restarted
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..d4270d7
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,39 @@
+- name: Install strongSwan
+  apt: pkg=strongswan-ikev2
+
+- name: Ensure we have our private key
+  file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
+        owner=root group=root
+        mode=0600
+  notify:
+    - Missing IPSec certificate
+
+- name: Ensure we have our public key
+  file: path=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+        owner=root group=root
+        mode=0644
+  notify:
+    - Missing IPSec certificate
+
+- name: Ensure we have the CA's public key
+  file: path=/etc/ipsec.d/cacerts/cacert.pem
+        owner=root group=root
+        mode=0644
+  notify:
+    - Missing IPSec certificate
+
+- name: Configure IPSec's secrets
+  template: src=etc/ipsec.secrets.j2
+            dest=/etc/ipsec.secrets
+            owner=root group=root
+            mode=0600
+  notify:
+    - Restart IPSec
+
+- name: Configure IPSec
+  template: src=etc/ipsec.conf.j2
+            dest=/etc/ipsec.conf
+            owner=root group=root
+            mode=0644
+  notify:
+    - Restart IPSec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a2b7aad..ea85900 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -6,3 +6,4 @@
 - include: samhain.yml  tags=samhain
 - include: rkhunter.yml tags=rkhunter
 - include: fail2ban.yml tags=fail2ban
+- include: ipsec.yml    tags=strongswan,ipsec
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+    # crlcheckinterval = 600
+    strictcrlpolicy    = no
+    # cachecrls        = yes
+    plutostart         = no
+
+# Add connections here.
+
+conn %default
+    keyexchange  = ikev2
+    ikelifetime  = 1h
+    keylife      = 15m
+    rekeymargin  = 3m
+    keyingtries  = 1
+    esp          = aes128gcm16-ecp256!
+    ike          = aes128gcm16-aesxcbc-ecp256!
+    # TODO: test DynDNS
+    mobike       = no
+    leftauth     = pubkey
+    left         = %defaultroute
+    leftcert     = {{ inventory_hostname }}.pem
+    leftid       = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+    leftca       = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+    leftfirewall = yes
+    rightauth    = pubkey
+    rightca      = %same
+    type         = transport
+    auto         = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+    right   = {{ hostvars[host]['inventory_hostname'] }}
+    rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key