Page MenuHomeDevCentral
Differential D3988

Configure strongSwan as IPsec implementation
Needs ReviewPublic
Actions

Authored by Duranzed on Mar 2 2026, 19:29.
Tags
None
Referenced Files
F25280986: D3988.id10385.diff
Wed, Apr 8, 17:59
F25279592: D3988.id10457.diff
Wed, Apr 8, 17:14
F25276675: D3988.id10538.diff
Wed, Apr 8, 14:58
Unknown Object (File)
Wed, Apr 8, 01:59
Unknown Object (File)
Tue, Apr 7, 14:30
Unknown Object (File)
Tue, Apr 7, 10:53
Unknown Object (File)
Tue, Apr 7, 09:29
Unknown Object (File)
Tue, Apr 7, 02:21
View All Files
Subscribers
None

Details

Reviewers
dereckson
Duranzed
yousra

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
GRE-tunnel
Build Status
Buildable 6491
Build 6775: arc lint + arc unit

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
dereckson added inline comments.Mar 4 2026, 07:14
pillar/core/network.sls
58 ↗(On Diff #10353)

We can use the banner format here, to be coherent with the repository style.

73 ↗(On Diff #10353)

You can provision them as a follow-up change, uncommented instead.

93 ↗(On Diff #10353)

That comment can be safely removed: the pillar name and the ike_ esp_ keys make that clear what is it.

roles/core/strongswan/config.sls
21 ↗(On Diff #10353)

Jinja syntax allows to use dots as separator to access dictionary keys.

We can use it, but in that case, it's really coherent to use it everywhere.

22 ↗(On Diff #10353)

Won't really work beyond the scope of a test tunnel between those two links. You need a more flexible way to pass the info according the node.

Besides, if you deploy this on both router-002 and router-003 you would get twice the config router-002 to router-003 it seems.

roles/core/strongswan/files/swanctl.conf
1 ↗(On Diff #10353)

Header missing, see https://devcentral.nasqueron.org/source/snippets/browse/main/salt/file.conf

roles/core/strongswan/init.sls
1 ↗(On Diff #10353)

Header missing

4 ↗(On Diff #10353)

That one doesn't exist in the change it seems

This revision now requires changes to proceed.Mar 4 2026, 07:14
Duranzed updated this revision to Diff 10382.Mar 5 2026, 11:58

Updated strongswan config files and using a for loop for a more readable code

Harbormaster completed remote builds in B6427: Diff 10382.Mar 5 2026, 11:58
Duranzed updated this revision to Diff 10383.Mar 5 2026, 12:38

Added service.sls file

Harbormaster completed remote builds in B6428: Diff 10383.Mar 5 2026, 12:38
Duranzed updated this revision to Diff 10385.Mar 5 2026, 14:50
Duranzed marked 4 inline comments as done.

Modified Ysul IP adress in network.sls

Harbormaster completed remote builds in B6429: Diff 10385.Mar 5 2026, 14:50
Duranzed updated this revision to Diff 10395.Tue, Mar 10, 08:23

Updated config files to use node.resolve_gre_tunnels

Harbormaster completed remote builds in B6436: Diff 10395.Tue, Mar 10, 08:23
Duranzed updated this revision to Diff 10400.Tue, Mar 10, 14:57

Improved configuration files and headers

Harbormaster completed remote builds in B6441: Diff 10400.Tue, Mar 10, 14:57
Duranzed updated this revision to Diff 10401.Tue, Mar 10, 15:10

Added software.sls and modified init.sls

Harbormaster completed remote builds in B6442: Diff 10401.Tue, Mar 10, 15:10
Duranzed accepted this revision.Thu, Mar 12, 12:33
dereckson requested changes to this revision.Thu, Mar 12, 21:59
dereckson added inline comments.
roles/core/strongswan/files/swanctl.conf
50 ↗(On Diff #10401)
This revision now requires changes to proceed.Thu, Mar 12, 21:59
dereckson added a comment.Thu, Mar 12, 22:00

Test to deploy this final version on Complector with a test=True to see if it's still no-op.

Duranzed updated this revision to Diff 10425.Fri, Mar 13, 22:41
  • Modified to create tunnels from router-003
Harbormaster completed remote builds in B6461: Diff 10425.Fri, Mar 13, 22:41
Duranzed updated this revision to Diff 10426.Fri, Mar 13, 22:44
  • Roles: update network pillar
Harbormaster completed remote builds in B6462: Diff 10426.Fri, Mar 13, 22:44
Duranzed updated this revision to Diff 10427.Fri, Mar 13, 22:48

Cleaning diff

Harbormaster completed remote builds in B6463: Diff 10427.Fri, Mar 13, 22:48
Duranzed updated this revision to Diff 10453.Mon, Mar 16, 20:15

using for loop to create GRE tunnel on router-002 and 003

Harbormaster completed remote builds in B6483: Diff 10453.Mon, Mar 16, 20:15
Duranzed updated this revision to Diff 10456.Wed, Mar 18, 08:42
  • modified network.sls
Harbormaster completed remote builds in B6485: Diff 10456.Wed, Mar 18, 08:42
Duranzed updated this revision to Diff 10457.Wed, Mar 18, 09:23

testing

Harbormaster completed remote builds in B6486: Diff 10457.Wed, Mar 18, 09:23
Duranzed updated this revision to Diff 10459.Wed, Mar 18, 10:18

Added IP canonical IP addresses to router-002 and router-003

Harbormaster completed remote builds in B6488: Diff 10459.Wed, Mar 18, 10:18
Duranzed updated this revision to Diff 10462.Wed, Mar 18, 12:58

improved indentation

Harbormaster completed remote builds in B6491: Diff 10462.Wed, Mar 18, 12:58
Duranzed updated this revision to Diff 10513.Mon, Mar 23, 14:04
Duranzed marked an inline comment as done.

Removed cloudhugger

Harbormaster completed remote builds in B6526: Diff 10513.Mon, Mar 23, 14:04
dereckson added inline comments.Mon, Mar 23, 14:08
pillar/core/network.sls
37 ↗(On Diff #10513)

We can use explicit variable names.

One letter variables is an historical artefact, from the era where the maximal length for a specific code line was fixed.

See for example for COBOL this IBM documentation:
https://www.ibm.com/docs/en/developer-for-zos/15.0.x?topic=editing-setting-language-specific-maximum-line-length

Nowadays, best practice is to use clear variable name to facilitate reading the code.

9 ↗(On Diff #10453)

What's the role of the router? I think it's to get public IP for that node.

Duranzed updated this revision to Diff 10514.Mon, Mar 23, 14:14

Added router-002

Harbormaster completed remote builds in B6527: Diff 10514.Mon, Mar 23, 14:14
Duranzed updated this revision to Diff 10515.Mon, Mar 23, 14:23

updated for loop syntax

Harbormaster completed remote builds in B6528: Diff 10515.Mon, Mar 23, 14:23
Duranzed updated this revision to Diff 10517.Mon, Mar 23, 16:46

Light modifications

Harbormaster completed remote builds in B6530: Diff 10517.Mon, Mar 23, 16:46
Duranzed updated this revision to Diff 10518.Mon, Mar 23, 16:58

added router parameter

Harbormaster completed remote builds in B6531: Diff 10518.Mon, Mar 23, 16:58
Duranzed updated this revision to Diff 10519.Mon, Mar 23, 17:19

testing list format for routers

Harbormaster completed remote builds in B6532: Diff 10519.Mon, Mar 23, 17:19
Duranzed updated this revision to Diff 10520.Mon, Mar 23, 17:39

removed for loop

Harbormaster completed remote builds in B6533: Diff 10520.Mon, Mar 23, 17:39
Duranzed updated this revision to Diff 10521.Mon, Mar 23, 17:47

better variable name

Harbormaster completed remote builds in B6534: Diff 10521.Mon, Mar 23, 17:47
Duranzed updated this revision to Diff 10522.Mon, Mar 23, 18:42

removed canonical ipv4 from network.sls and corrected node function

Harbormaster completed remote builds in B6535: Diff 10522.Mon, Mar 23, 18:42
Duranzed accepted this revision.Wed, Mar 25, 10:53
yousra accepted this revision.Wed, Mar 25, 15:46
yousra added a reviewer: yousra.
Duranzed added a comment.Wed, Mar 25, 15:48

Configuration deployed and running on router-002/router-003 and WindRiver

Duranzed updated this revision to Diff 10537.Mon, Mar 30, 12:44

repair branch

Harbormaster completed remote builds in B6545: Diff 10537.Mon, Mar 30, 12:44
dereckson added inline comments.Mon, Mar 30, 17:20
roles/core/strongswan/software.sls
9 ↗(On Diff #10537)
Duranzed updated this revision to Diff 10538.Mon, Mar 30, 17:52

removed white lline

Harbormaster completed remote builds in B6546: Diff 10538.Mon, Mar 30, 17:52

Revision Contents
Changeset List

PathSize
pillar/
nodes/
4 lines

Diff 10462

View Options

pillar/nodes/nodes.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator