vpn: refs #8748 - Initial approche

2025-03-14 11:29:31 +01:00 · 2025-03-14 11:29:31 +01:00 · 00239750a2
parent b897482076
commit 00239750a2
10 changed files with 148 additions and 0 deletions
--- a/playbooks/vpn-ipsec.yml
+++ b/playbooks/vpn-ipsec.yml
@ -0,0 +1,6 @@
+- name: Configure DHCP
+  hosts: all
+  tasks:
+  - name: Configure services to install in the server
+    import_role:
+      name: ipsec
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@ -0,0 +1,10 @@
+strongswan_requeriments:
+  - strongswan
+  - libstrongswan-standard-plugins
+  - strongswan-pki
+  - tcpdump
+  - iperf
+  - conntrack
+certificates:
+  - { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' }
+  - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' }
--- a/roles/ipsec/files/vn.conf
+++ b/roles/ipsec/files/vn.conf
@ -0,0 +1,19 @@
+charon {
+	cisco_unity = yes
+
+	filelog {
+		log {
+			path = /var/log/strongswan/charon.log
+			append = yes
+			default = 1
+			flush_line = yes
+			ike_name = yes
+			time_format = %Y-%m-%d %H:%M:%S
+		}
+	}
+	syslog {
+		identifier = charon
+		daemon {
+		}
+	}
+}
--- a/roles/ipsec/handlers/main.yml
+++ b/roles/ipsec/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart-ipsec
+  systemd:
+    name: strongswan-starter.service
+    state: restarted
--- a/roles/ipsec/tasks/ipsec.yml
+++ b/roles/ipsec/tasks/ipsec.yml
@ -0,0 +1,43 @@
+- name: Update apt cache
+  apt:
+   update_cache: yes
+- name: Install VPN package requirements
+  apt:
+    name: "{{ strongswan_requeriments }}"
+    state: present
+    install_recommends: no
+- name: Insert certificates
+  no_log: true
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop: "{{ certificates }}"
+- name: Add private key
+  copy:
+    content: "{{ lookup(passbolt, 'ipsec_private_key', folder_parent_id=passbolt_folder).description }}"
+    dest: /etc/ipsec.d/private/key.pem
+    owner: root
+    group: root
+    mode: u=r,g=r,o=
+- name: Configure ipsec.conf and charon
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop:
+    - { src: 'ipsec.conf', dest: '/etc/ipsec.conf', mode: 'u=rw,g=r,o=r' }
+    - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' }
+    - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' }
+    - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' }
+- name: Copy Configure file
+  copy:
+    src: vn.conf
+    dest: /etc/strongswan.d/vn.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
--- a/roles/ipsec/tasks/main.yml
+++ b/roles/ipsec/tasks/main.yml
@ -0,0 +1,3 @@
+- import_tasks: ipsec.yml
+  tags: ipsec
+
--- a/roles/ipsec/templates/ipsec.conf
+++ b/roles/ipsec/templates/ipsec.conf
@ -0,0 +1,32 @@
+
+config setup
+  charondebug="ike 1, knl 1, cfg 0"
+  uniqueids=no
+
+conn %default
+  auto=add
+  compress=no
+  type=tunnel
+  keyexchange=ikev2
+  fragmentation=yes
+  forceencaps=yes
+  eap_identity=%identity
+
+  dpdaction=clear
+  dpddelay=300s
+  rekey=no
+
+  left=%any
+  leftid=@{{ leftid }}
+  leftcert=cert.pem
+  leftsendcert=always
+  leftsubnet={{ leftsubnet  }}
+
+  right=%any
+  rightid=%any
+  rightauth=eap-radius
+  rightdns={{ rightdns }}
+  rightsendcert=never
+
+{{ ipsec_groups }}
+
--- a/roles/ipsec/templates/ipsec.secrets
+++ b/roles/ipsec/templates/ipsec.secrets
@ -0,0 +1,2 @@
+{{ leftid }} : RSA "key.pem"
+admin %any% : EAP "{{ lookup(passbolt, 'eap', folder_parent_id=passbolt_folder).password }}"
--- a/roles/ipsec/templates/vn-attr.conf
+++ b/roles/ipsec/templates/vn-attr.conf
@ -0,0 +1,8 @@
+attr {
+	load = yes
+	dns = {{ rightdns }}
+	split-include = {{ leftsubnet }}
+	split-exclude = 0.0.0.0/0
+	28674 = {{ leftid }}
+	25 = {{ leftid }}
+}
--- a/roles/ipsec/templates/vn-eap-radius.conf
+++ b/roles/ipsec/templates/vn-eap-radius.conf
@ -0,0 +1,21 @@
+eap-radius {
+	load = yes
+	accounting = yes
+	class_group = yes
+	servers {
+		primary {
+			#address = radius1.verdnatura.es
+			address = {{ address_radiusA }}
+			auth_port = {{ auth_port }}
+			acct_port = {{ acct_port }}
+			secret = {{ lookup(passbolt, 'eap-radius', folder_parent_id=passbolt_folder).password }}
+		}
+		secondary {
+			#address = radius2.verdnatura.es
+			address = {{ address_radiusB }}
+			auth_port = {{ auth_port }}
+			acct_port = {{ acct_port }}
+			secret = {{ lookup(passbolt, 'eap-radius', folder_parent_id=passbolt_folder).password }}
+		}
+	}
+}