-rw-r--r-- | roles/common/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/common/tasks/ipsec.yml | 39 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/common/templates/etc/ipsec.conf.j2 | 40 | ||||
-rw-r--r-- | roles/common/templates/etc/ipsec.secrets.j2 | 5 |
5 files changed, 91 insertions, 0 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index e23e099..2ef3253 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -18,3 +18,9 @@
 - name: Restart fail2ban
 service: name=fail2ban state=restarted
+
+- name: Missing IPSec certificate
+ fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'."
+
+- name: Restart IPSec
+ service: name=ipsec state=restarted
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..d4270d7
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,39 @@
+- name: Install strongSwan
+ apt: pkg=strongswan-ikev2
+
+- name: Ensure we have our private key
+ file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
+ owner=root group=root
+ mode=0600
+ notify:
+ - Missing IPSec certificate
+
+- name: Ensure we have our public key
+ file: path=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+ owner=root group=root
+ mode=0644
+ notify:
+ - Missing IPSec certificate
+
+- name: Ensure we have the CA's public key
+ file: path=/etc/ipsec.d/cacerts/cacert.pem
+ owner=root group=root
+ mode=0644
+ notify:
+ - Missing IPSec certificate
+
+- name: Configure IPSec's secrets
+ template: src=etc/ipsec.secrets.j2
+ dest=/etc/ipsec.secrets
+ owner=root group=root
+ mode=0600
+ notify:
+ - Restart IPSec
+
+- name: Configure IPSec
+ template: src=etc/ipsec.conf.j2
+ dest=/etc/ipsec.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart IPSec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a2b7aad..ea85900 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -6,3 +6,4 @@
 - include: samhain.yml tags=samhain
 - include: rkhunter.yml tags=rkhunter
 - include: fail2ban.yml tags=fail2ban
+- include: ipsec.yml tags=strongswan,ipsec 
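Review bot: The `Missing IPSec certificate` handler names the host with `ansible_fqdn`, while the key and certificate it complains about are looked up under `{{ inventory_hostname }}` by the tasks in ipsec.yml that notify it, so on a host whose inventory name differs from its FQDN the message points at the wrong file name. Being a handler, the `fail:` also only runs at the end of the play, after the secrets and configuration templates have already been written. I would use the same variable as the file paths, `fail: msg="strongswan IPsec is lacking public or private keys on '{{ inventory_hostname }}'."`, and consider whether an existence check belongs in the task list rather than in a handler.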
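Review bot: The three `file:` tasks in ipsec.yml cannot reach the `Missing IPSec certificate` handler for the case it is written for: with no `state=` given, the file module defaults to `state=file`, which fails outright when the path does not exist, and `notify` only fires when a task reports a change, i.e. when the key or certificate is present but its owner or mode was just corrected. In that case the play fails later with a misleading "lacking public or private keys" message while the files are in fact there. If an explicit check is wanted, I would `stat` the path and `fail` when it is absent, then keep `file:` to enforce root ownership and `mode=0600` on the private key without a notify; the certificate and CA tasks would follow the same pattern.

```yaml
- name: Check for our private key
  stat: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
  register: ipsec_private_key

- name: Fail if our private key is missing
  fail: msg="strongswan IPsec is lacking its private key on '{{ inventory_hostname }}'."
  when: not ipsec_private_key.stat.exists

- name: Ensure our private key is readable by root only
  file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
        owner=root group=root
        mode=0600

# … unchanged: same pattern for the certificate and CA tasks, then the secrets and config templates …
```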
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+ # crlcheckinterval = 600
+ strictcrlpolicy = no
+ # cachecrls = yes
+ plutostart = no
+
+# Add connections here.
+
+conn %default
+ keyexchange = ikev2
+ ikelifetime = 1h
+ keylife = 15m
+ rekeymargin = 3m
+ keyingtries = 1
+ esp = aes128gcm16-ecp256!
+ ike = aes128gcm16-aesxcbc-ecp256!
+ # TODO: test DynDNS
+ mobike = no
+ leftauth = pubkey
+ left = %defaultroute
+ leftcert = {{ inventory_hostname }}.pem
+ leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+ leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+ leftfirewall = yes
+ rightauth = pubkey
+ rightca = %same
+ type = transport
+ auto = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+ right = {{ hostvars[host]['inventory_hostname'] }}
+ rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key |
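Review bot: `auto = start` together with `keyingtries = 1` in `conn %default` gives a peer that is unreachable when the daemon comes up exactly one IKE attempt and, as far as I can tell, no policy afterwards; since these are transport-mode connections with no trap policy, traffic to that host then flows unprotected instead of being held until an SA exists. For a mesh that is meant to encrypt all inter-host traffic I would install trap policies so packets trigger negotiation and are never sent in the clear, `auto = route`, and retry indefinitely, `keyingtries = %forever`; `dpdaction = restart` would additionally re-establish the SA after a peer reboots. Separately, `strictcrlpolicy = no` with `crlcheckinterval` commented out means a revoked host certificate is still accepted by every other host; if the internal CA publishes a CRL, enabling `crlcheckinterval` and `strictcrlpolicy = yes` would close that gap, otherwise the decision deserves a comment next to the setting.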