
D3988.id10401.diff
diff --git a/pillar/core/network.sls b/pillar/core/network.sls
--- a/pillar/core/network.sls
+++ b/pillar/core/network.sls
@@ -8,6 +8,7 @@
# The other nodes can use the default_gateway IP.
router: router-001
default_gateway: 172.27.27.1
+ canonical_public_ipv4: 51.68.252.230
# -------------------------------------------------------------
# Drake - GRE tunnels
@@ -54,45 +55,12 @@
node:
addr: 172.27.27.35
-
-# IPsec configuration for strongswan
-
-drake_IPsec_tunnels:
- router-002:
- local_ip: 172.27.27.11
- remote_ip: 172.27.27.12
- local_ts: 172.27.27.11/28
- remote_ts: 172.27.27.12/28
-
- router-003:
- local_ip: 172.27.27.12
- remote_ip: 172.27.27.11
- local_ts: 172.27.27.12/28
- remote_ts: 172.27.27.11/28
-
-#drake_IPsec_tunnels:
-# router-002:
-# tunnels:
-# to_router003:
-# remote_ip: "172.27.27.12"
-# local_ts: "172.27.27.11/32"
-# remote_ts: "172.27.27.12/32"
-# to_windriver:
-# remote_ip: "172.27.27.35"
-# local_ts: "172.27.27.11/32"
-# remote_ts: "172.27.27.35/32"
-# to_ysul:
-# remote_ip: "172.27.27.X"
-# local_ts: "172.27.27.11/32"
-# remote_ts: "172.27.27.X/32"
-# local_ip: "172.27.27.11"
-
-
-
-
-# IPsec configuration IKE + ESP
+# -------------------------------------------------------------
+# IPsec configuration - strongSwan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
drake_IPsec_config:
router:
ike_proposals: "aes256-sha256-modp2048"
esp_proposals: "aes256-sha256"
+ child_mode: "transport"
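Review bot: The `router` mapping this hunk extends now drives every tunnel through `esp_proposals: "aes256-sha256"`, and that proposal carries no DH group, so strongSwan derives CHILD_SA rekey keys from the IKE SA without perfect forward secrecy. If PFS is intended for the GRE transport SAs, the group has to appear in the ESP proposal as well, e.g. `esp_proposals: "aes256-sha256-modp2048"`, mirroring the IKE line above it. The new `child_mode: "transport"` is correctly quoted and consumed by `conf.child_mode` in the swanctl template; the hunk ends at the mapping's last key, so anything following it in the pillar is outside this view.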
diff --git a/roles/core/strongswan/config.sls b/roles/core/strongswan/config.sls
--- a/roles/core/strongswan/config.sls
+++ b/roles/core/strongswan/config.sls
@@ -6,27 +6,23 @@
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
-# Strongswan(IPsec) configuration
+# strongSwan (IPsec) configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+{% set psk = salt["credentials.get_password"]('network/ipsec/key') %}
+
{{ dirs.etc }}/swanctl/swanctl.conf:
file.managed:
- - source: salt://roles/core/network/files/swanctl.conf
+ - source: salt://roles/core/strongswan/files/swanctl.conf
- user: root
- group: wheel
- mode: 600
+ - makedirs: True
- template: jinja
- context:
- tunnel_name: "IPsec"
- ike_proposals: {{ pillar.drake_IPsec_config('ike_proposals') }}
- local_ip: {{ pillar.drake_IPsec_tunnels['router-002']['local_ip'] }}
- remote_ip: {{ pillar.drake_IPsec_tunnels['router-003']['local_ip'] }}
- child_name: "gre"
- child_mode: "transport"
- esp_proposals: {{ pillar.drake_IPsec_config('esp_proposals') }}
- local_ts: {{ pillar.drake_IPsec_tunnels['router-002']['local_ts'] }}
- remote_ts: {{ pillar.drake_IPsec_tunnels['router-003']['remote_ts'] }}
- psk_secret: {{ salt["credentials.get_password"]( 'network/ipsec/key') }}
+ tunnels: {{ salt['node.resolve_gre_tunnels']() }}
+ conf: {{ pillar['drake_IPsec_config']['router'] }}
+ psk_secret: {{ psk }}
strongswan_reload:
cmd.run:
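Review bot: `psk_secret: {{ psk }}` in the new `context` block is an unquoted Jinja expansion inside YAML, so a secret containing `: ` or ` #`, starting with `*`, `&`, `{` or `[`, or one that reads as a number or boolean is retyped or breaks the render of the whole state file. Salt's scalar filter keeps it a string regardless of content: `psk_secret: {{ psk | yaml_encode }}` (at minimum `"{{ psk }}"`, which still assumes no `"` or backslash in the key). The same issue applies to `tunnels: {{ salt['node.resolve_gre_tunnels']() }}` and `conf: {{ pillar['drake_IPsec_config']['router'] }}`, which interpolate a Python repr rather than YAML; `| yaml` (or `| json`) on both makes the structure parse deterministically. Since the PSK is now part of the rendered state data, `- show_changes: False` on this `file.managed` keeps it out of state diffs and highstate output. The `strongswan_reload` state begins at the last line of the hunk and continues outside it.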
diff --git a/roles/core/strongswan/files/swanctl.conf b/roles/core/strongswan/files/swanctl.conf
--- a/roles/core/strongswan/files/swanctl.conf
+++ b/roles/core/strongswan/files/swanctl.conf
@@ -1,38 +1,57 @@
+# -------------------------------------------------------------
+# strongSwan configuration for swanctl
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/strongswan/files/swanctl.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
connections {
- {{ tunnel_name }} {
- version = 2
- proposals = {{ ike_proposals }}
+{% for tunnel in tunnels %}
- local_addrs = {{ local_ip }}
- remote_addrs = {{ remote_ip }}
+ IPsec_{{ tunnel.description }} {
+ version = 2
+ proposals = {{ conf.ike_proposals }}
- local {
- auth = psk
- id = {{ local_ip }}
- }
+ local_addrs = {{ tunnel.icann_src }}
+ remote_addrs = {{ tunnel.icann_dst }}
- remote {
- auth = psk
- id = {{ remote_ip }}
- }
+ local {
+ auth = psk
+ id = {{ tunnel.icann_src }}
+ }
+
+ remote {
+ auth = psk
+ id = {{ tunnel.icann_dst }}
+ }
- children {
- {{ child_name }} {
- mode = {{ child_mode }}
- esp_proposals = {{ esp_proposals }}
- local_ts = {{ local_ts }}
- remote_ts = {{ remote_ts }}
- start_action = start
+ children {
+ tunnel-{{ tunnel.description }} {
+ mode = {{ conf.child_mode }}
+ esp_proposals = {{ conf.esp_proposals }}
+ local_ts = {{ tunnel.icann_src }}/32
+ remote_ts = {{ tunnel.icann_dst }}/32
+ start_action = trap
+ }
}
- }
- }
+ }
+{% endfor %}
}
secrets {
- ike-psk {
- id-1 = {{ local_ip }}
- id-2 = {{ remote_ip }}
- secret = "{{ psk_secret }}"
- }
+{% for tunnel in tunnels_dynamiques %}
+ ike-{{ tunnel.description }} {
+ id-1 = {{ tunnel.icann_src }}
+ id-2 = {{ tunnel.icann_dst }}
+ secret = {{ psk_secret }}
+ }
+{% endfor %}
}
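Review bot: The `secrets` block iterates `tunnels_dynamiques`, but the state in config.sls passes the list as `tunnels`; depending on Salt's undefined handling this either fails the render or, worse, renders an empty `secrets { }` so every `IPsec_*` connection has PSK auth configured and no key, and IKE authentication fails for all peers. The loop should read `{% for tunnel in tunnels %}`, matching the `connections` loop above. The rewrite also drops the quoting the old template had around the secret; a PSK with whitespace or swanctl-special characters is misparsed, so restore `secret = "{{ psk_secret }}"` (or supply the key in `0s`/`0x` encoded form). One shared `psk_secret` is emitted for every peer pair here, so compromise of any single node exposes the key for all tunnels — worth a comment in the template if that is the intended trust model. The template assumes `tunnel.description`, `tunnel.icann_src` and `tunnel.icann_dst` exist on each element of `node.resolve_gre_tunnels()`, which is not visible in this diff.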
diff --git a/roles/core/strongswan/init.sls b/roles/core/strongswan/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/init.sls
@@ -0,0 +1,11 @@
+# -------------------------------------------------------------
+# strongSwan
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .software
+ - .config
+ - .service
diff --git a/roles/core/strongswan/service.sls b/roles/core/strongswan/service.sls
--- a/roles/core/strongswan/service.sls
+++ b/roles/core/strongswan/service.sls
@@ -1,5 +1,5 @@
# -------------------------------------------------------------
-# Salt — Provision strongswan
+# Salt — Provisions strongSwan
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
@@ -8,7 +8,7 @@
{% from "map.jinja" import services with context %}
# -------------------------------------------------------------
-# strongswan service
+# strongSwan service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services.manager == "rc" %}
diff --git a/roles/core/strongswan/software.sls b/roles/core/strongswan/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/strongswan/software.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# strongSwan software installation
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+strongswan:
+ pkg.installed
