- Description
- Setup - The basics of getting started with ipsec
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This puppet module is providing facility to install and configure ipsec settings. Currently using strongswan, it manages package installation, the contents of configuration files ipsec.secrets and ipsec.conf and controlling the service itself in order to reload configurations after changes. The module is designed to be fully configurable through parameter lookup, but it also allowes you to manage configuration artefacts via resource instances.
The very basic steps needed for a user to get the module up and running. This can include setup steps, if necessary, or it can be an example of the most basic use of the module.
To get startet with this module, simply include the module into your puppet manifest. Passing parameter values may happen by direct assignment or preferably via lookup.
include ipsec
The module will install strongswan on the affected nodes and care about the service to be enabled.
To add your secrets to the ipsec.secrets
file, there are two options. Passing the actual secrets to the module via ipsec::secrets
parameter or adding includes to the secrets file and file the secrets through other tools.
ipsec::secrets:
- selector: '@example.org'
secret:
type: PSK
passphrase: 'asdf1234'
- selector: 'rsa-a.example.org'
secret:
type: RSA
private_key_file: '/etc/ipsec.d/private/host-a.key'
prompt: true
- selector: 'rsa-b.example.org'
secret:
type: RSA
private_key_file: '/etc/ipsec.d/private/host-b.key'
passphrase: 'asdf1234'
- secret:
type: RSA
private_key_file: '/etc/ipsec.d/private/host-def.key'
- secret:
type: PIN
slotnr: 1
keyid: 50
pin: 1234
- secret:
type: PIN
slotnr: 1
module: opensc
keyid: 45
prompt: true
Note, that non of the above used secrets (passphrase or pin fields) are treated as sensitive content.
The other option is to use parameter ipsec::secret_includes
to include files.
ipsec::secret_includes:
- '/var/lib/strongswan/ipsec.secrets.inc'
- '/etc/ipsec.d/very.secret'
IPSec configuration is handled within ipsec.conf
file. This consists of sections of three types. All sections can be handled via ipsec::conf
parameter. The setup secion is a singleton section, therefore it is handled only via the conf parameter.
The hash passed in through ipsec::conf['setup']
is placed as key-value pairs into the setup section of the ipsec.conf
file.
The ipsec.conf
file may contain multiple ca sections each configuring a certification authority. These section may be created via ipsec::conf['authorities']
parameter.
ipsec::conf:
authorities:
myca:
auto: add
cacert: '/etc/ssl/certs/myca.pem'
crluri: 'file:///etc/ssl/crls/myca_crl.pem'
Alternatively, ca sections can be created by resource instances of type ipsec::conf::ca
.
ipsec::conf::ca { 'myca':
auto => 'add',
cacert => '/etc/ssl/certs/myca.pem',
crluri => 'file:///etc/ssl/crls/myca_crl.pem'
Connections sections are created similar to authority sections. Resource instances of ipsec::conf::conn
are created automatically from ipsec::conf['connections']
hash parameter, or may be created directly within your puppet code.
ipsec::conf:
connections:
test:
type: transport
left: %any
leftcert: hostcert.pem
right: 192.168.56.1
rightid: %any
auto: route
ipsec::conf::conn { 'test':
type => 'transport',
left => '%any'
leftcert => 'hostcert.pem',
right => '192.168.56.1',
rightid => '%any',
auto => 'route',
}
- Reference documentation is created by Puppet Strings code comments, and published as gh_pages at [https://rtib.github.io/puppet-ipsec/].
The module introduces some custom data types, which are not contained in the above reference.
Represents a time value as used in Strongswan configuration. Consisting eighter of an integer or one or more numerals followed by an optional suffix, which designate the dimensions of seconds (s), minutes (m), hours (h) or days (d).
type Ipsec::Time = Variant[Integer,Pattern[/^[0-9]+[smhd]?$/]]
The custom data structure to handle different types of secrets configuration for Strongswan is a bit more complex. It consists of an optional selector and a secret, which is a varian of some sub-types. The outer structure is defined as
type Ipsec::Secret = Struct[{
selector => Optional[Pattern[/[^:]*/]],
secret => Variant[
Ipsec::Secret::Privkey,
Ipsec::Secret::Shared,
Ipsec::Secret::Smartcard,
],
}]
Each sub-type does have a mandatory field named type, which may decide on the applicability of the particular type.
The custom type for shared secrets is handling types PSK
, EAP
and XAUTH
and storing the passphrase as string.
type Ipsec::Secret::Shared = Struct[{
type => Enum['PSK','EAP','XAUTH'],
passphrase => String,
}]
Note! The passphrase is not treated as sensitive data. Use this feature of the module with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret passphrase.
Private key type secrets has one of types RSA
, ECDSA
or P12
. All Privkey secrets does need a private_key_file pointing to the file path the secret key is found. It the private key needs to be unlocked, a passphrase may be filed or the prompt option enabled.
type Ipsec::Secret::Privkey = Struct[{
type => Enum['RSA','ECDSA','P12'],
private_key_file => String,
prompt => Optional[Boolean],
passphrase => Optional[String],
}]
Note! The passphrase is not treated as sensitive data. Use this feature with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret passphrase.
Smartcard based authentication is supported by a secret with type PIN
, which mandatory takes a keyid parameter, and optional the slotnr, module name. If the card needs to be unlocked, a pin may be filed or the prompt option enabled.
type Ipsec::Secret::Smartcard = Struct[{
type => Enum['PIN'],
slotnr => Optional[Integer],
module => Optional[String],
keyid => Integer,
pin => Optional[Integer],
prompt => Optional[Boolean],
}]
Note! The pin is not treated as sensitive data. Use this feature with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret pin.
The module is currently tested for a few OS distributions only and needs contribution to be ported and tested on others. There are features Strongswan is providing but cannot be configured with this module, e.g. NTLM based authentication. Feel free to contribute missing features.
Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. Please follow the usual guidelines when contributing changes.
- fork the repository on GitHub
- make your improvements, preferably to a feature branch
- rebase your changes to the head of the master branch
- squash your changes into a single commit
- file a pull request and check the result of Travis-CI tests