Skip to content

orionhealth/puppet-strongswan

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

115 Commits
manifests
manifests
 
 
spec
spec
 
 
templates
templates
 
 
.fixtures.yml
.fixtures.yml
 
 
.travis.yml
.travis.yml
 
 
Gemfile
Gemfile
 
 
LICENSE
LICENSE
 
 
Modulefile
Modulefile
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 

Repository files navigation

puppet-strongswan

This Puppet module contains configurations for strongSwan.

Build status

Build Status

Example usage

strongSwan can be installed by simply doing:

include strongswan

Default configuration

conn %default configurations can be set as follows, please note that while this is a working example, the toppings should be adjusted for one's preference:

strongswan::conn { '%default':
  options => {
    "ike"         => "aes128gcm128-prfsha256-ecp256!",
    "esp"         => "aes128gcm128-ecp256!",
    "keyexchange" => "ikev2",
    "ikelifetime" => "60m",
    "lifetime"    => "20m",
    "margintime"  => "3m",
    "closeaction" => "restart",
    "dpdaction"   => "restart",
    "compress"    => "no",
  }
}

Peer configuration

Parameters for an IPsec peer:

strongswan::conn { 'peer':
  options => {
    "left"         => "10.0.1.1",
    "leftcert"     => 'peerCert.der',
    "leftfirewall" => 'no',
    "leftid"       => '"C=UK, CN=Peer 1"',
    "leftsubnet"   => "10.0.1.0/24",
    "right"        => '10.0.2.1',
    "rightauth"    => 'pubkey',
    "rightid"      => '"C=UK, CN=Peer 2"',
    "rightsubnet"  => '10.0.2.0/24',
    "auto"         => "start",
  }
}

strongswan::secrets { 'peer':
  options => {
    'ECDSA'        => 'peerKey.der',
  }
}

Gateway configuration

Parameters for an IPsec gateway server:

strongswan::conn { 'gateway':
  options => {
    "left"          => '%any',
    "leftcert"      => 'gwCert.der',
    "leftfirewall"  => "yes",
    "leftid"        => '"C=UK, CN=GW"',
    "leftsubnet"    => '10.0.0.0/24',
    "right"         => '%any',
    "rightauth"     => "pubkey",
    "rightsourceip" => '10.0.1.0/24',
    "auto"          => 'add',
  }
}

strongswan::secrets { 'peer':
  options => {
    'ECDSA'         => 'gwKey.der',
  }
}

Gateway charon configuration:

class { 'strongswan::charon':
  dns1                  => "10.0.0.5",
  initiator_only        => "no",
  integrity_test        => "yes",
  group                 => 'nogroup',
  user                  => 'strongswan',
}

Note: This module is solely intended to handle the strongSwan components of the system. Other parts of the infrastructure, such as iptables and sysctl, are to be managed by their respective modules. The following will enable packet forwarding on the gateway node, for instance:

sysctl { 'net.ipv4.ip_forward': value => '1' }

Roadwarrior configuration

Parameters for an IPsec roadwarrior connection:

strongswan::conn { 'roadwarrior':
  options => {
    "keyingtries"  => "%forever",
    "left"         => '%any',
    "leftcert"     => 'rwCert.der',
    "leftid"       => '"C=UK, CN=rw"',
    "right"        => '10.0.0.1',
    "rightid"      => '"C=UK, CN=GW"',
    "rightsubnet"  => '0.0.0.0/0',
    "auto"         => 'start',
  }
}

strongswan::secrets { 'roadwarrior':
  options => {
    'ECDSA'        => 'rwKey.der',
  }
}

charon daemon configuration can also be adjusted, for example, for a client configuration:

class { 'strongswan::charon':
  initiator_only        => "yes",
  integrity_test        => "yes",
  crypto_test_on_add    => "yes",
  crypto_test_on_create => "yes",
  crypto_test_required  => "yes",
}

Setup configuration

The IPsec 'config setup' section can be configured as follows:

class { 'strongswan::setup':
  options => {
    'strictcrlpolicy' => 'yes',
    'charondebug'     => '"ike 2, knl 3, cfg 0"'
  }
}

License

See LICENSE file.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages