libreswan
: Installs and configures libreswan to provide IPSEC capabilities.
libreswan::config
: Configures ipsec.conf and necessary directories.
libreswan::config::firewall
: Ensures that the required firewall rules are defined
libreswan::config::pki
: Ensure that the simp/pki PKI certificates are loaded into the IPSEC NSS Database.
libreswan::config::pki::nsspki
: Ensure that the PKI certificates are loaded into the NSS Database used by the IPSEC process.
libreswan::install
: Installs the appropriate packages.
libreswan::service
: Ensure that the appropriate services are running.
libreswan::connection
: Create a connection file in the IPSEC configuration directory.
libreswan::nss::init_db
: Initializes the NSS database, sets the correct password, and configures FIPS if necessary.
libreswan::nss::loadcacerts
: Adds the CA certificates to the NSS trust store.
libreswan::nss::loadcerts
: Load a server certificate into the NSS database.
Libreswan::ConnAddr
: Valid libreswan connection addresses
Libreswan::IP::V4::VirtualPrivate
: Matches valid IPv4 CIDR Mask addresses. Base Regex taken from Ruby core's Resolv::IPv4::Regex. Reference: ruby/lib/resolv.rb Copyright 2010 T
Libreswan::IP::V6::VirtualPrivate
: Matches valid IPv6 CIDR Mask addresses. Base Regex taken from Ruby core's Resolv::IPv6::Regex. Reference: ruby/lib/resolv.rb Copyright 2010 T
Libreswan::Interfaces
: Valid libreswan interfaces
Libreswan::VirtualPrivate
: Valid virtual private addresses
It is very important you read the documentation that comes with libreswan before attempting to use this module.
This module is designed to install and configure system IPSEC capabilities using libreswan.
It will also configure and maintain the NSS database used by libreswan if you have chosen to let SIMP manage your PKI certificates.
To add and start tunnels that will be managed by libreswan see the manifest libreswan::add_connection.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default, and must be explicitly opted into by administrators. Please review items referring to simp_options::* for additional information.
- See the libreswan documentation https://libreswan.org/man/ipsec.conf.5.html for more information regarding these variables.
- Any variable set to undef will not appear in the configuration file and will default to the value set by libreswan. Those set will appear in the configuration file but can be overwritten using Hiera.
The following parameters are available in the libreswan class:
service_name
package_name
trusted_nets
firewall
fips
pki
haveged
nssdb_password
myid
protostack
interfaces
listen
ikeport
nflog_all
nat_ikeport
keep_alive
virtual_private
myvendorid
nhelpers
plutofork
crlcheckinterval
strictcrlpolicy
ocsp_enable
ocsp_strict
ocsp_timeout
ocsp_uri
ocsp_trustname
syslog
klipsdebug
plutodebug
uniqueids
plutorestartoncrash
logfile
logappend
logtime
ddos_mode
ddos_ike_treshold
dumpdir
statsbin
ipsecdir
secretsfile
perpeerlog
perpeerlogdir
fragicmp
hidetos
overridemtu
block_cidrs
clear_cidrs
clear_private_cidrs
private_cidrs
private_clear_cidrs
service_name
Data type: String
The name of the IPSEC service.

package_name
Data type: String
The name of the libreswan package.

trusted_nets
Data type: Simplib::Netlist
An allowed set of subnetworks (in CIDR notation) with permitted access explicitly for IPSEC communication
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })

firewall
Data type: Boolean
Whether to add appropriate rules to allow IPSEC traffic to the SIMP-controlled firewall
Default value: simplib::lookup('simp_options::firewall', {'default_value' => false })

fips
Data type: Boolean
Whether server is in FIPS mode.
- Affects cryptography allowed to be used by IPSEC.
Default value: simplib::lookup('simp_options::fips', {'default_value' => false })

pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include simp/pki and use pki::copy to manage application certs in /etc/pki/simp_apps/libreswan/x509
- If true, do not include simp/pki, but still use pki::copy to manage certs in /etc/pki/simp_apps/libreswan/x509
- If false, do not include simp/pki and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', {'default_value' => false })

haveged
Data type: Boolean
Whether to use haveged to ensure adequate entropy
Default value: simplib::lookup('simp_options::haveged', {'default_value' => false })

nssdb_password
Data type: String
Password for the NSS database used by ipsec
Default value: simplib::passgen('nssdb_password')

myid
Data type: Optional[String]
Default value: undef

protostack
Data type: Enum['netkey','klips','mast']
Default value: 'netkey'

interfaces
Data type: Optional[Libreswan::Interfaces]
Default value: undef

listen
Data type: Optional[Simplib::IP]
Default value: undef

ikeport
Data type: Simplib::Port
DEPRECATED
Default value: 500

nflog_all
Data type: Optional[Integer]
Default value: undef

nat_ikeport
Data type: Simplib::Port
DEPRECATED
Default value: 4500

keep_alive
Data type: Optional[Integer]
Default value: undef

virtual_private
Data type: Libreswan::VirtualPrivate
Default value: ['%v4:10.0.0.0/8','%v4:192.168.0.0/16','%v4:172.16.0.0/12']

myvendorid
Data type: Optional[String]
Default value: undef

nhelpers
Data type: Optional[Integer]
Default value: undef

plutofork
Data type: Optional[Enum['yes','no']]
Default value: undef

crlcheckinterval
Data type: Optional[Integer]
Default value: undef

strictcrlpolicy
Data type: Optional[Enum['yes','no']]
Default value: undef

ocsp_enable
Data type: Optional[Enum['yes','no']]
Default value: undef

ocsp_strict
Data type: Optional[Enum['yes','no']]
Default value: undef

ocsp_timeout
Data type: Optional[Integer]
Default value: undef

ocsp_uri
Data type: Optional[Simplib::Uri]
Default value: undef

ocsp_trustname
Data type: Optional[String]
Default value: undef

syslog
Data type: Optional[String]
Default value: undef

klipsdebug
Data type: String
DEPRECATED
Default value: 'none'

plutodebug
Data type: String
Default value: 'none'

uniqueids
Data type: Optional[Enum['yes','no']]
Default value: undef

plutorestartoncrash
Data type: Optional[Enum['yes','no']]
Default value: undef

logfile
Data type: Optional[Stdlib::Absolutepath]
Default value: undef

logappend
Data type: Optional[Enum['yes','no']]
Default value: undef

logtime
Data type: Optional[Enum['yes','no']]
Default value: undef

ddos_mode
Data type: Optional[Enum['busy', 'unlimited','auto']]
Default value: undef

ddos_ike_treshold
Data type: Optional[Integer]
Default value: undef

dumpdir
Data type: Stdlib::Absolutepath
Default value: '/var/run/pluto'

statsbin
Data type: Optional[String]
Default value: undef

ipsecdir
Data type: Stdlib::Absolutepath
The directory to store all ipsec configuration information.
Default value: '/etc/ipsec.d'

secretsfile
Data type: Stdlib::Absolutepath
Default value: '/etc/ipsec.secrets'

perpeerlog
Data type: Optional[Enum['yes','no']]
DEPRECATED
Default value: undef

perpeerlogdir
Data type: Stdlib::Absolutepath
DEPRECATED
Default value: '/var/log/pluto/peer'

fragicmp
Data type: Optional[Enum['yes','no']]
Default value: undef

hidetos
Data type: Optional[Enum['yes','no']]
Default value: undef

overridemtu
Data type: Optional[Integer]
Default value: undef

block_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should never be allowed
Default value: undef

clear_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should always be in the clear
Default value: undef

clear_private_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication will be in the clear, or, if the other side initiates IPSEC, use encryption
Default value: undef

private_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should always be private
Default value: undef

private_clear_cidrs
Data type: Array[Simplib::IP::V4::CIDR]
List of CIDRs to which communication should be private if possible but in the clear otherwise
Default value: ['0.0.0.0/0']
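As an added example (this is not code from the simp/libreswan module or its documentation), the following node manifest declares the libreswan class with several of the parameters listed above. The parameter names and allowed values are the ones documented in this reference; every address, CIDR and the log path are constructed for illustration.

```puppet
# Added example, not part of the simp/libreswan module.
# Addresses, CIDRs and the log path below are constructed values.
class { 'libreswan':
  # Only these networks are permitted to reach IKE/IPSEC on this host
  # when the SIMP-managed firewall rules are enabled.
  trusted_nets      => ['10.0.0.0/8'],
  firewall          => true,

  # 'simp' pulls in simp/pki and uses pki::copy to place the certs in
  # /etc/pki/simp_apps/libreswan/x509, then loads them into the NSS DB.
  pki               => 'simp',
  fips              => false,
  haveged           => true,

  # Each entry must match Libreswan::VirtualPrivate; a leading '!' after
  # the address-family tag excludes a range (constructed networks).
  virtual_private   => ['%v4:10.0.0.0/8', '%v4:!10.99.0.0/16', '%v6:fd00::/8'],

  # Traffic to this CIDR is never allowed; everything else falls under the
  # private_clear_cidrs default of 0.0.0.0/0 (private if possible).
  block_cidrs       => ['203.0.113.0/24'],

  # IKE DDoS protection; ddos_ike_treshold is the module's spelling of
  # the parameter, so it must be written exactly this way.
  ddos_mode         => 'auto',
  ddos_ike_treshold => 5000,

  # Logging: uniqueids/logtime take 'yes'/'no', logfile an absolute path.
  uniqueids         => 'yes',
  logtime           => 'yes',
  logfile           => '/var/log/pluto.log',

  # Every parameter not passed here stays undef, is left out of
  # ipsec.conf and therefore takes libreswan's own default.
}
```

With pki => 'simp' the certificate paths come from simp/pki; with pki => false the module does not manage the certs at all and the app_pki_* parameters of libreswan::config::pki (app_pki_dir, app_pki_key, app_pki_cert, app_pki_ca) have to be assigned instead, which in practice means setting them through Hiera.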
Configures ipsec.conf and necessary directories.
Ensures that the required firewall rules are defined
Ensure that the simp/pki PKI certificates are loaded into the IPSEC NSS Database.
The following parameters are available in the libreswan::config::pki class:
app_pki_external_source
Data type: String
- If $pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy.
- If $pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_dir
Data type: Stdlib::Absolutepath
Controls the base path of the other app_pki_* parameters.
Default value: '/etc/pki/simp_apps/libreswan/x509'

app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"

app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"

app_pki_ca
Data type: Stdlib::Absolutepath
Path and name of the CA.
Default value: "${app_pki_dir}/cacerts/cacerts.pem"
Called when the certificates change or when the database is initialized.
The following parameters are available in the libreswan::config::pki::nsspki class:
Data type: String[1]
The name of the certificate to be used
Default value: $facts['networking']['fqdn']
Installs the appropriate packages.
Ensure that the appropriate services are running.
You can set up defaults for all of your connections by using the name 'default'. This will create a file default.conf with a 'conn %default' header. Then, all settings in default.conf will be used as defaults for connections specified in other files.
Not all available, connection-related, libreswan settings are defined here. However, should you need a missing setting you can manually create a correctly-formatted, connection configuration file in the IPSEC configuration directory. This file must have a .conf suffix.
- Manually generated configuration files are not managed, or purged, by Puppet.
The following parameters correspond to libreswan settings for which the default values are different from the libreswan defaults. You can override the defaults by passing in different data in the definition parameters.
The rest of the parameters map one-to-one to libreswan settings and are undef.
Any undef parameter will not appear in the generated configuration file for the connection. See the libreswan documentation (https://libreswan.org/man/ipsec.conf.5.html, the CONN:SETTINGS section) for the setting defaults when omitted from a connection's configuration.
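As an added example (not the module's own code), the manifest below creates the shared 'default' connection described above and one certificate-authenticated site-to-site tunnel that inherits from it. Hostnames, addresses and subnets are constructed; the leftcert value relies on the libreswan::config::pki::nsspki default, which loads the node certificate into the NSS database under the node's FQDN.

```puppet
# Added example, not part of the simp/libreswan module.
# All names, addresses and subnets are constructed values.

# Written as /etc/ipsec.d/default.conf with a 'conn %default' header;
# every other connection file picks these up unless it overrides them.
libreswan::connection { 'default':
  # IKE proposal (libreswan syntax) and ESP proposal for phase 2.
  ike           => 'aes256-sha2_256;modp2048',
  phase2alg     => 'aes256-sha2_256',
  # Require IKEv2 and certificate (RSA signature) authentication.
  ikev2         => 'insist',
  authby        => 'rsasig',
  leftsendcert  => 'always',
  rightsendcert => 'always',
  # Dead peer detection: values must match the /\d+[smh]$/ pattern.
  dpddelay      => '30s',
  dpdtimeout    => '120s',
  dpdaction     => 'restart',
}

# Written as /etc/ipsec.d/to_branch.conf; only what differs from
# 'default' needs to be given here.
libreswan::connection { 'to_branch':
  left        => '192.0.2.10',
  leftsubnet  => '10.10.0.0/16',
  # NSS nickname of this node's certificate; libreswan::config::pki::nsspki
  # loads it under the FQDN by default.
  leftcert    => $facts['networking']['fqdn'],
  leftid      => '@gw1.example.com',
  right       => '198.51.100.20',
  rightsubnet => '10.20.0.0/16',
  rightid     => '@gw2.example.com',
  type        => 'tunnel',
  # Bring the tunnel up when the service starts.
  auto        => 'start',
}
```

Because every parameter left at undef is simply omitted from the generated file, the 'to_branch' connection gets its proposals, authentication and DPD settings from default.conf rather than from libreswan's built-in defaults, which is what makes the 'default' name useful for enforcing a common baseline across all tunnels on a host.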
The following parameters are available in the libreswan::connection defined type:
dir
keyingtries
ike
phase2alg
left
right
connaddrfamily
leftaddresspool
leftsubnet
leftsubnets
leftprotoport
leftsourceip
leftupdown
leftcert
leftrsasigkey
leftrsasigkey2
leftsendcert
leftnexthop
leftid
leftca
rightid
rightrsasigkey
rightrsasigkey2
rightca
rightaddresspool
rightsubnets
rightsubnet
rightprotoport
rightsourceip
rightupdown
rightcert
rightsendcert
rightnexthop
auto
authby
type
ikev2
mobike
phase2
ikepad
fragmentation
sha2_truncbug
narrowing
sareftrack
leftxauthserver
rightxauthserver
leftxauthusername
rightxauthusername
leftxauthclient
rightxauthclient
leftmodecfgserver
rightmodecfgserver
leftmodecfgclient
rightmodecfgclient
xauthby
xauthfail
modecfgpull
modecfgdns
modecfgdns1
modecfgdns2
modecfgdomain
modecfgdomains
modecfgbanner
nat_ikev1_method
dpddelay
dpdtimeout
dpdaction
dir
Data type: Stdlib::Absolutepath
The absolute path to the IPSEC configuration directory.
Default value: '/etc/ipsec.d'

keyingtries
Data type: Integer
The number of times a connection will try to reconnect before exiting.
Default value: 10

ike
Data type: String
The ciphers used in the connection.
Default value: 'aes-sha2'

phase2alg
Data type: String
The ciphers used in the second part of the connection.
Default value: 'aes-sha2'

left
Data type: Optional[Libreswan::ConnAddr]
Default value: undef

right
Data type: Optional[Libreswan::ConnAddr]
Default value: undef

connaddrfamily
Data type: Optional[Enum['ipv4','ipv6']]
Default value: undef

leftaddresspool
Data type: Optional[Array[Simplib::IP,2,2]]
Default value: undef

leftsubnet
Data type: Optional[Variant[Enum['%no','%priv'], Pattern['^vhost:*'], Pattern['^vnet:*'], Simplib::IP::CIDR]]
Default value: undef

leftsubnets
Data type: Optional[Array[Simplib::IP::CIDR]]
Default value: undef

leftprotoport
Data type: Optional[String]
Default value: undef

leftsourceip
Data type: Optional[Simplib::IP]
Default value: undef

leftupdown
Data type: Optional[String]
Default value: undef

leftcert
Data type: Optional[String]
Default value: undef

leftrsasigkey
Data type: Optional[String]
Default value: undef

leftrsasigkey2
Data type: Optional[String]
Default value: undef

leftsendcert
Data type: Optional[Enum['yes', 'no', 'never','always','sendifasked']]
Default value: undef

leftnexthop
Data type: Optional[Variant[Enum['%direct','%defaultroute'], Simplib::IP]]
Default value: undef

leftid
Data type: Optional[String]
Default value: undef

leftca
Data type: Optional[String]
Default value: undef

rightid
Data type: Optional[String]
Default value: undef

rightrsasigkey
Data type: Optional[String]
Default value: undef

rightrsasigkey2
Data type: Optional[String]
Default value: undef

rightca
Data type: Optional[String]
Default value: undef

rightaddresspool
Data type: Optional[Array[Simplib::IP,2,2]]
Default value: undef

rightsubnets
Data type: Optional[Array[Simplib::IP::CIDR]]
Default value: undef

rightsubnet
Data type: Optional[Variant[Enum['%no','%priv'], Pattern['^vhost:*'], Pattern['^vnet:*'], Simplib::IP::CIDR]]
Default value: undef

rightprotoport
Data type: Optional[String]
Default value: undef

rightsourceip
Data type: Optional[Simplib::IP]
Default value: undef

rightupdown
Data type: Optional[String]
Default value: undef

rightcert
Data type: Optional[String]
Default value: undef

rightsendcert
Data type: Optional[Enum['yes', 'no', 'never','always','sendifasked']]
Default value: undef

rightnexthop
Data type: Optional[Variant[Enum['%direct','%defaultroute'], Simplib::IP]]
Default value: undef

auto
Data type: Optional[Enum['add','start', 'ondemand', 'ignore']]
Default value: undef

authby
Data type: Optional[Enum['rsasig','secret', 'secret|rsasig', 'never', 'null']]
Default value: undef

type
Data type: Optional[Enum['tunnel','transport', 'passthough','reject','drop']]
Default value: undef

ikev2
Data type: Optional[Enum['insist','permit', 'propose','never','yes', 'no']]
Default value: undef

mobike
Data type: Optional[Enum['yes', 'no']]
Default value: undef

phase2
Data type: Optional[Enum['esp', 'ah']]
Default value: undef

ikepad
Data type: Optional[Enum['yes','no']]
Default value: undef

fragmentation
Data type: Optional[Enum['yes','no','force']]
Default value: undef

sha2_truncbug
Data type: Optional[Enum['yes','no']]
Default value: undef

narrowing
Data type: Optional[Enum['yes','no']]
Default value: undef

sareftrack
Data type: Optional[Enum['yes','no', 'conntrack']]
Default value: undef

leftxauthserver
Data type: Optional[Enum['yes','no']]
Default value: undef

rightxauthserver
Data type: Optional[Enum['yes','no']]
Default value: undef

leftxauthusername
Data type: Optional[String]
Default value: undef

rightxauthusername
Data type: Optional[String]
Default value: undef

leftxauthclient
Data type: Optional[Enum['yes','no']]
Default value: undef

rightxauthclient
Data type: Optional[Enum['yes','no']]
Default value: undef

leftmodecfgserver
Data type: Optional[Enum['yes','no']]
Default value: undef

rightmodecfgserver
Data type: Optional[Enum['yes','no']]
Default value: undef

leftmodecfgclient
Data type: Optional[Enum['yes','no']]
Default value: undef

rightmodecfgclient
Data type: Optional[Enum['yes','no']]
Default value: undef

xauthby
Data type: Optional[Enum['file','pam', 'alwaysok']]
Default value: undef

xauthfail
Data type: Optional[Enum['hard','soft']]
Default value: undef

modecfgpull
Data type: Optional[Enum['yes','no']]
Default value: undef

modecfgdns
Data type: Optional[Array[Simplib::IP]]
Support 3.23+ DNS configuration
Default value: undef

modecfgdns1
Data type: Optional[Simplib::IP]
Support <= 3.22 domain configuration
Default value: undef

modecfgdns2
Data type: Optional[Simplib::IP]
Support <= 3.22 domain configuration
Default value: undef

modecfgdomain
Data type: Optional[String]
Support <= 3.22 domain configuration
Default value: undef

modecfgdomains
Data type: Optional[Array[String]]
Support 3.23+ domains configuration
Default value: undef

modecfgbanner
Data type: Optional[String]
Default value: undef

nat_ikev1_method
Data type: Optional[Enum['drafts','rfc', 'both']]
Default value: undef

dpddelay
Data type: Optional[Pattern[/\d+[smh]$/]]
Default value: undef

dpdtimeout
Data type: Optional[Pattern[/\d+[smh]$/]]
Default value: undef

dpdaction
Data type: Optional[Enum['hold', 'clear', 'restart']]
Default value: undef
Initializes the NSS database, sets the correct password, and configures FIPS if necessary.
The following parameters are available in the libreswan::nss::init_db defined type:
Data type: Stdlib::Absolutepath
Directory where the NSS database will be created.
Data type: String
Password used to protect the database.
- Each NSS database is broken up into tokens used for different types of certificates: smart cards, FIPS compliant, non-FIPS. This util sets the FIPS and non-FIPS tokens to the same password. The tokens are defined by $libreswan::nsstoken. You can add tokens to the array if there are other parts of the database you want to protect.
Data type: Boolean
If true, it will remove the existing database before running the init command.
Default value: false
Data type: Boolean
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
Data type: String
Default value: 'NSS Certificate DB'
Data type: Stdlib::Absolutepath
Default value: "${dbdir}/nsspassword"
Data type: Optional[String[1]]
Command used to create the cert db.
Default value: simplib::lookup('libreswan::nss::init_db::init_command', { 'default_value' => undef })
Adds the CA certificates to the NSS trust store.
The following parameters are available in the libreswan::nss::loadcacerts defined type:
Data type: Stdlib::Absolutepath
The directory where the DB is located
Data type: Stdlib::Absolutepath
Default value: "${dbdir}/nsspassword"
Data type: Stdlib::Absolutepath
The absolute path to the public portion CA certificate.
Data type: String
Default value: 'NSS Certificate DB'
Data type: Enum['PEM','DER']
The format the certificate is in. PEM and DER are currently acceptable.
Default value: 'PEM'
Load a server certificate into the NSS database.
The following parameters are available in the libreswan::nss::loadcerts defined type:
Data type: Stdlib::Absolutepath
The directory where the NSS Database is located.
Data type: Stdlib::Absolutepath
The file which contains the password if there is one.
Default value: "${dbdir}/nsspassword"
Data type: Stdlib::Absolutepath
The absolute path to the public portion of the cert.
Data type: String
Default value: 'NSS Certificate DB'
Data type: Optional[Stdlib::Absolutepath]
The absolute path to the private portion of the cert.
Default value: undef
Data type: Enum['PEM','P12']
The format the certificate is in.
Default value: 'PEM'
Valid libreswan connection addresses
Alias of Variant[Enum['%any', '%defaultroute', '%opportunistic', '%opportunisticgroup', '%group'], Simplib::IP::V4, Simplib::IP::V6, Pattern['^%[a-zA-Z]+\d+$']]
Matches valid IPv4 CIDR Mask addresses. Base Regex taken from Ruby core's Resolv::IPv4::Regex.
Reference: ruby/lib/resolv.rb
Copyright 2010 Tanaka Akira kr@fsij.org Released under the guidance of the Ruby COPYING file section 2(a) Commit 4e3a98d383eb3c420df5208d83f9aba70b504e33
Alias of Pattern['^(?-mix:\A%v4:(!)?((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))/(3[012]|[12][0-9]|[0-9])\z)$']
Matches valid IPv6 CIDR Mask addresses. Base Regex taken from Ruby core's Resolv::IPv6::Regex.
Reference: ruby/lib/resolv.rb
Copyright 2010 Tanaka Akira kr@fsij.org Released under the guidance of the Ruby COPYING file section 2(a) Commit 4e3a98d383eb3c420df5208d83f9aba70b504e33
Alias of Pattern['^(?x-mi:(\A%v6:(!)?(?x-mi:(?:(?x-mi:(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}:){6,6})(\d+)\.(\d+)\.(\d+)\.(\d+)/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}:)*)(\d+)\.(\d+)\.(\d+)\.(\d+)/(12[0-8]|1[01][0-9]|[0-9]?[0-9]))))\z))$']
Valid libreswan interfaces
Alias of Array[Variant[Enum['%none','%defaultroute'], Pattern['(\w+=\w+)']]]
Valid virtual private addresses
Alias of Array[Variant[Libreswan::IP::V4::VirtualPrivate, Libreswan::IP::V6::VirtualPrivate]]