summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/common/handlers/main.yml6
-rw-r--r--roles/common/tasks/ipsec.yml39
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/templates/etc/ipsec.conf.j240
-rw-r--r--roles/common/templates/etc/ipsec.secrets.j25
5 files changed, 91 insertions, 0 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index e23e099..2ef3253 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -18,3 +18,9 @@
- name: Restart fail2ban
service: name=fail2ban state=restarted
+
+- name: Missing IPSec certificate
+ fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'."
+
+- name: Restart IPSec
+ service: name=ipsec state=restarted
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..d4270d7
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,39 @@
+- name: Install strongSwan
+ apt: pkg=strongswan-ikev2
+
+- name: Ensure we have our private key
+ file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
+ owner=root group=root
+ mode=0600
+ notify:
+ - Missing IPSec certificate
+
+- name: Ensure we have our public key
+ file: path=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+ owner=root group=root
+ mode=0644
+ notify:
+ - Missing IPSec certificate
+
+- name: Ensure we have the CA's public key
+ file: path=/etc/ipsec.d/cacerts/cacert.pem
+ owner=root group=root
+ mode=0644
+ notify:
+ - Missing IPSec certificate
+
+- name: Configure IPSec's secrets
+ template: src=etc/ipsec.secrets.j2
+ dest=/etc/ipsec.secrets
+ owner=root group=root
+ mode=0600
+ notify:
+ - Restart IPSec
+
+- name: Configure IPSec
+ template: src=etc/ipsec.conf.j2
+ dest=/etc/ipsec.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart IPSec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a2b7aad..ea85900 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -6,3 +6,4 @@
- include: samhain.yml tags=samhain
- include: rkhunter.yml tags=rkhunter
- include: fail2ban.yml tags=fail2ban
+- include: ipsec.yml tags=strongswan,ipsec
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..ceed16a
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+config setup
+ # crlcheckinterval = 600
+ strictcrlpolicy = no
+ # cachecrls = yes
+ plutostart = no
+
+# Add connections here.
+
+conn %default
+ keyexchange = ikev2
+ ikelifetime = 1h
+ keylife = 15m
+ rekeymargin = 3m
+ keyingtries = 1
+ esp = aes128gcm16-ecp256!
+ ike = aes128gcm16-aesxcbc-ecp256!
+ # TODO: test DynDNS
+ mobike = no
+ leftauth = pubkey
+ left = %defaultroute
+ leftcert = {{ inventory_hostname }}.pem
+ leftid = "C=SE, O=Fripost, OU=IPsec, CN={{ inventory_hostname }}"
+ leftca = "C=SE, O=Fripost, OU=root CA, CN=IPsec (internal network)"
+ leftfirewall = yes
+ rightauth = pubkey
+ rightca = %same
+ type = transport
+ auto = start
+
+{% for host in groups.all|sort %}
+{% if host != inventory_hostname %}
+
+conn {{ host }}
+ right = {{ hostvars[host]['inventory_hostname'] }}
+ rightid = "C=SE, O=Fripost, OU=IPsec, CN={{ hostvars[host]['inventory_hostname'] }}"
+{% endif -%}
+{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
new file mode 100644
index 0000000..da707bd
--- /dev/null
+++ b/roles/common/templates/etc/ipsec.secrets.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+# Our VPN uses ECC only.
+: ECDSA {{ inventory_hostname }}.key