From e63b5f5e39e2012bbdf1ca8301c6eb2cd13716cb Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 2 Jul 2014 20:52:27 +0200 Subject: Remove IPSec related files. --- roles/common/files/etc/network/if-up.d/ipsec | 68 ------------------------- roles/common/handlers/main.yml | 3 -- roles/common/tasks/ipsec.yml | 75 ---------------------------- roles/common/templates/etc/ipsec.conf.j2 | 30 ----------- roles/common/templates/etc/ipsec.secrets.j2 | 5 -- 5 files changed, 181 deletions(-) delete mode 100755 roles/common/files/etc/network/if-up.d/ipsec delete mode 100644 roles/common/tasks/ipsec.yml delete mode 100644 roles/common/templates/etc/ipsec.conf.j2 delete mode 100644 roles/common/templates/etc/ipsec.secrets.j2 diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec deleted file mode 100755 index 4a84112..0000000 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ /dev/null @@ -1,68 +0,0 @@ -#!/bin/sh - -# A post-up/down hook to automatically create/delete a 'sec' VLAN -# device, and a dedicated, host-scoped, IP for IPSec (v4 only). -# Copyright © 2013 Guilhem Moulin -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -set -ue -PATH=/usr/sbin:/usr/bin:/sbin:/bin - -ifsec=sec0 -ipsec=172.16.0.1/32 - -# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh. -secmark=0xA99 - -# Ignore the loopback interface and non inet4 families. -[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 - -# Only the device with the default, globally-scoped route, is of -# interest here. -[ "$( /bin/ip -4 route show to default scope global \ - | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ - = \ - "$IFACE" ] || exit 0 - -case "$MODE" in - start) # Don't create $ifsec if it's already there - if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then - # Create a new VLAN $IFACE on physical device $ifsec. This is - # required otherwise charon thinks the left peer is that - # host-scoped, non-routable IP. - /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713 - /bin/ip address add "$ipsec" dev "$ifsec" scope host - /bin/ip link set dev "$ifsec" up - fi - - # If a packet retained its mark that far, it means it has - # been SNAT'ed from $ipsec, and didn't have a xfrm - # association. Hence we nullroute it to avoid to leak data - # intented to be tunneled through IPSec. /!\ The priority - # must be >220 (which the one used by strongSwan IPSec) since - # xfrm lookup must take precedence. - /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true - /bin/ip route add prohibit default table 666 || true - ;; - stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then - # Deactivate the VLAN - /bin/ip link set dev "$ifsec" down - fi - - # Delete the 'prohibit' rule - /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true - /bin/ip route flush table 666 - ;; -esac diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 1e0a21e..d20f7b6 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -17,9 +17,6 @@ - name: Restart fail2ban service: name=fail2ban state=restarted -- name: Restart IPSec - service: name=ipsec state=restarted - - name: Reload networking # /etc/init.d/networking doesn't answer the status command; but since # it should be "up" whenever ansible has access to the machine, we use diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml deleted file mode 100644 index 36807d2..0000000 --- a/roles/common/tasks/ipsec.yml +++ /dev/null @@ -1,75 +0,0 @@ -- name: Install strongSwan - apt: pkg=strongswan-ikev2 - -- name: Generate a private key and a X.509 certificate for IPSec - command: genkeypair.sh x509 - --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem - --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key - --dns={{ inventory_hostname }} - -t ecdsa -b secp521r1 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart IPSec - tags: - - genkey - -- name: Fetch the public part of IPSec's host key - # Ensure we don't fetch private data - sudo: False - fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem - dest=certs/ipsec/ - fail_on_missing=yes - flat=yes - tags: - - genkey - -# Don't copy our pubkey due to a possible race condition. Only the -# remote machine has authority regarding its key. -- name: Copy IPSec host pubkeys (except ours) - copy: src=certs/ipsec/{{ item }}.pem - dest=/etc/ipsec.d/certs/{{ item }}.pem - owner=root group=root - mode=0644 - with_items: groups.all | difference([inventory_hostname]) - register: r2 - notify: - - Restart IPSec - -- name: Configure IPSec's secrets - template: src=etc/ipsec.secrets.j2 - dest=/etc/ipsec.secrets - owner=root group=root - mode=0600 - register: r3 - notify: - - Restart IPSec - -- name: Configure IPSec - template: src=etc/ipsec.conf.j2 - dest=/etc/ipsec.conf - owner=root group=root - mode=0644 - register: r4 - notify: - - Restart IPSec - -- name: Start IPSec - service: name=ipsec state=started - when: not (r1.changed or r2.changed or r3.changed or r4.changed) - -- name: Auto-create a dedicated interface for IPSec - copy: src=etc/network/if-up.d/ipsec - dest=/etc/network/if-up.d/ipsec - owner=root group=root - mode=0755 - notify: - - Reload networking - -- name: Auto-deactivate the dedicated interface for IPSec - file: src=../if-up.d/ipsec - dest=/etc/network/if-down.d/ipsec - owner=root group=root state=link force=yes - -- meta: flush_handlers diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 deleted file mode 100644 index 1dbcdbd..0000000 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ /dev/null @@ -1,30 +0,0 @@ -# {{ ansible_managed }} -# Do NOT edit this file directly! - -config setup - plutostart = no - -# Add connections here. - -conn %default - keyexchange = ikev2 - ikelifetime = 1h - keylife = 15m - rekeymargin = 3m - keyingtries = 1 - esp = aes128gcm16-ecp256! - ike = aes128gcm16-aesxcbc-ecp256! - # TODO: test DynDNS - mobike = no - leftauth = pubkey - left = %defaultroute - leftcert = {{ inventory_hostname }}.pem - leftfirewall = yes - rightauth = pubkey - auto = start -{% for host in groups.all | difference([inventory_hostname]) | sort %} - -conn {{ host }} - right = {{ hostvars[host]['inventory_hostname'] }} - rightcert = {{ hostvars[host]['inventory_hostname'] }}.pem -{%- endfor %} diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2 deleted file mode 100644 index da707bd..0000000 --- a/roles/common/templates/etc/ipsec.secrets.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} -# Do NOT edit this file directly! - -# Our VPN uses ECC only. -: ECDSA {{ inventory_hostname }}.key -- cgit v1.2.3