From 00239750a21688a8f0d68a05c9db5420235a5ee2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 11:29:31 +0100 Subject: [PATCH 1/6] vpn: refs #8748 - Initial approche --- playbooks/vpn-ipsec.yml | 6 ++++ roles/ipsec/defaults/main.yml | 10 ++++++ roles/ipsec/files/vn.conf | 19 +++++++++++ roles/ipsec/handlers/main.yml | 4 +++ roles/ipsec/tasks/ipsec.yml | 43 ++++++++++++++++++++++++ roles/ipsec/tasks/main.yml | 3 ++ roles/ipsec/templates/ipsec.conf | 32 ++++++++++++++++++ roles/ipsec/templates/ipsec.secrets | 2 ++ roles/ipsec/templates/vn-attr.conf | 8 +++++ roles/ipsec/templates/vn-eap-radius.conf | 21 ++++++++++++ 10 files changed, 148 insertions(+) create mode 100644 playbooks/vpn-ipsec.yml create mode 100644 roles/ipsec/defaults/main.yml create mode 100644 roles/ipsec/files/vn.conf create mode 100644 roles/ipsec/handlers/main.yml create mode 100644 roles/ipsec/tasks/ipsec.yml create mode 100644 roles/ipsec/tasks/main.yml create mode 100644 roles/ipsec/templates/ipsec.conf create mode 100644 roles/ipsec/templates/ipsec.secrets create mode 100644 roles/ipsec/templates/vn-attr.conf create mode 100644 roles/ipsec/templates/vn-eap-radius.conf diff --git a/playbooks/vpn-ipsec.yml b/playbooks/vpn-ipsec.yml new file mode 100644 index 0000000..c8f0979 --- /dev/null +++ b/playbooks/vpn-ipsec.yml @@ -0,0 +1,6 @@ +- name: Configure DHCP + hosts: all + tasks: + - name: Configure services to install in the server + import_role: + name: ipsec \ No newline at end of file diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml new file mode 100644 index 0000000..9113d34 --- /dev/null +++ b/roles/ipsec/defaults/main.yml 
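Review bot: `hosts: all` in playbooks/vpn-ipsec.yml applies the ipsec role — package installation, private-key deployment and, in later patches of this series, IP forwarding and firewall edits — to every host in the inventory rather than to the VPN gateway(s); target a dedicated group, e.g. `hosts: vpn_gateways`, or document that the playbook must always be run with `--limit`. The file also lacks a leading `---` and ends without a newline, which yamllint will flag on the first run.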
@@ -0,0 +1,10 @@ +strongswan_requeriments: + - strongswan + - libstrongswan-standard-plugins + - strongswan-pki + - tcpdump + - iperf + - conntrack +certificates: + - { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' } + - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' } \ No newline at end of file diff --git a/roles/ipsec/files/vn.conf b/roles/ipsec/files/vn.conf new file mode 100644 index 0000000..0b26373 --- /dev/null +++ b/roles/ipsec/files/vn.conf @@ -0,0 +1,19 @@ +charon { + cisco_unity = yes + + filelog { + log { + path = /var/log/strongswan/charon.log + append = yes + default = 1 + flush_line = yes + ike_name = yes + time_format = %Y-%m-%d %H:%M:%S + } + } + syslog { + identifier = charon + daemon { + } + } +} diff --git a/roles/ipsec/handlers/main.yml b/roles/ipsec/handlers/main.yml new file mode 100644 index 0000000..79978af --- /dev/null +++ b/roles/ipsec/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart-ipsec + systemd: + name: strongswan-starter.service + state: restarted diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml new file mode 100644 index 0000000..0b786ba --- /dev/null +++ b/roles/ipsec/tasks/ipsec.yml 
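Review bot: `strongswan_requeriments` in roles/ipsec/defaults/main.yml installs `tcpdump` and `iperf` on the VPN gateway alongside strongSwan; these are diagnostic tools rather than requirements of the role and add attack surface to an internet-facing host, so move them to an opt-in list such as `strongswan_debug_tools: []` or drop them. The key is also misspelled (`requirements`); if renamed, the reference in tasks/ipsec.yml must follow. The `mode` values are symbolic strings, so the `certificates` entries are not exposed to the octal-literal trap.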
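Review bot: `filelog` in roles/ipsec/files/vn.conf writes to `/var/log/strongswan/charon.log`, but nothing in this patch creates that directory, so charon cannot open the log until it exists (a task creating it arrives in patch 6 of this series). The empty `syslog { daemon { } }` section with `identifier = charon` appears to keep daemon-facility syslog logging active in addition to the file log, so IKE events are presumably recorded twice; if that is deliberate, a comment such as `# syslog kept for central log shipping; filelog is the local copy` would stop the next reader from removing one of them.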
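Review bot: `restart-ipsec` in roles/ipsec/handlers/main.yml uses `state: restarted`, which tears down every established tunnel whenever any managed file changes; strongSwan can re-read `ipsec.conf` and `ipsec.secrets` without dropping SAs (`ipsec reload`, `ipsec rereadsecrets`), so consider a second handler `reload-ipsec` with `state: reloaded` — provided strongswan-starter.service defines an ExecReload on the target release, which should be verified — and reserve the restart for `strongswan.d` changes. Nothing in this patch notifies the handler yet; the `notify` lines are added in patch 6.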
@@ -0,0 +1,43 @@ +- name: Update apt cache + apt: + update_cache: yes +- name: Install VPN package requirements + apt: + name: "{{ strongswan_requeriments }}" + state: present + install_recommends: no +- name: Insert certificates + no_log: true + copy: + content: "{{ item.content }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: "{{ item.mode }}" + loop: "{{ certificates }}" +- name: Add private key + copy: + content: "{{ lookup(passbolt, 'ipsec_private_key', folder_parent_id=passbolt_folder).description }}" + dest: /etc/ipsec.d/private/key.pem + owner: root + group: root + mode: u=r,g=r,o= +- name: Configure ipsec.conf and charon + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: "{{ item.mode }}" + loop: + - { src: 'ipsec.conf', dest: '/etc/ipsec.conf', mode: 'u=rw,g=r,o=r' } + - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' } + - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' } + - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' } +- name: Copy Configure file + copy: + src: vn.conf + dest: /etc/strongswan.d/vn.conf + owner: root + group: root + mode: u=rw,g=r,o=r \ No newline at end of file diff --git a/roles/ipsec/tasks/main.yml b/roles/ipsec/tasks/main.yml new file mode 100644 index 0000000..d3dd860 --- /dev/null +++ b/roles/ipsec/tasks/main.yml @@ -0,0 +1,3 @@ +- import_tasks: ipsec.yml + tags: ipsec + diff --git a/roles/ipsec/templates/ipsec.conf b/roles/ipsec/templates/ipsec.conf new file mode 100644 index 0000000..76d3627 --- /dev/null +++ b/roles/ipsec/templates/ipsec.conf 
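Review bot: The `Add private key` task in roles/ipsec/tasks/ipsec.yml writes the PEM from the passbolt lookup without `no_log: true`, so a run with `-v` or `--diff` prints the private key into the job output and logs, whereas the `Insert certificates` task just above it does set `no_log`; add `no_log: true` there and on the `Configure ipsec.conf and charon` template task, since `ipsec.secrets` and `vn-eap-radius.conf` render the EAP password and the RADIUS shared secret. The key file mode `u=r,g=r,o=` is group-readable for no stated reason; charon reads it as root, so `u=r,g=,o=` matches the mode already used for `ipsec.secrets`. `lookup(passbolt, …)` passes `passbolt` as a Jinja variable rather than the plugin name string — unless a `passbolt` variable is defined elsewhere in the inventory, this should read `lookup('passbolt', …)` (the same applies to both templates). `update_cache: yes` and `install_recommends: no` should be `true`/`false` per the truthy rule.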
@@ -0,0 +1,32 @@ + +config setup + charondebug="ike 1, knl 1, cfg 0" + uniqueids=no + +conn %default + auto=add + compress=no + type=tunnel + keyexchange=ikev2 + fragmentation=yes + forceencaps=yes + eap_identity=%identity + + dpdaction=clear + dpddelay=300s + rekey=no + + left=%any + leftid=@{{ leftid }} + leftcert=cert.pem + leftsendcert=always + leftsubnet={{ leftsubnet }} + + right=%any + rightid=%any + rightauth=eap-radius + rightdns={{ rightdns }} + rightsendcert=never + +{{ ipsec_groups }} + diff --git a/roles/ipsec/templates/ipsec.secrets b/roles/ipsec/templates/ipsec.secrets new file mode 100644 index 0000000..9956a00 --- /dev/null +++ b/roles/ipsec/templates/ipsec.secrets @@ -0,0 +1,2 @@ +{{ leftid }} : RSA "key.pem" +admin %any% : EAP "{{ lookup(passbolt, 'eap', folder_parent_id=passbolt_folder).password }}" diff --git a/roles/ipsec/templates/vn-attr.conf b/roles/ipsec/templates/vn-attr.conf new file mode 100644 index 0000000..94b2b2f --- /dev/null +++ b/roles/ipsec/templates/vn-attr.conf @@ -0,0 +1,8 @@ +attr { + load = yes + dns = {{ rightdns }} + split-include = {{ leftsubnet }} + split-exclude = 0.0.0.0/0 + 28674 = {{ leftid }} + 25 = {{ leftid }} +} diff --git a/roles/ipsec/templates/vn-eap-radius.conf b/roles/ipsec/templates/vn-eap-radius.conf new file mode 100644 index 0000000..de69c64 --- /dev/null +++ b/roles/ipsec/templates/vn-eap-radius.conf @@ -0,0 +1,21 @@ +eap-radius { + load = yes + accounting = yes + class_group = yes + servers { + primary { + #address = radius1.verdnatura.es + address = {{ address_radiusA }} + auth_port = {{ auth_port }} + acct_port = {{ acct_port }} + secret = {{ lookup(passbolt, 'eap-radius', folder_parent_id=passbolt_folder).password }} + } + secondary { + #address = radius2.verdnatura.es + address = {{ address_radiusB }} + auth_port = {{ auth_port }} + acct_port = {{ acct_port }} + secret = {{ lookup(passbolt, 'eap-radius', folder_parent_id=passbolt_folder).password }} + } + } +} \ No newline at end of file -- 2.40.1 
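Review bot: `conn %default` in roles/ipsec/templates/ipsec.conf sets no `ike=` or `esp=` proposals, so the accepted cipher suites are whatever the installed strongSwan's compiled-in defaults are and will change silently across package upgrades; pin them explicitly, for example `ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!` and `esp=aes256gcm16-ecp384,aes256-sha256!` (example proposals — adjust to what the RADIUS-authenticated clients support). `uniqueids=no` lets a single EAP identity hold any number of concurrent IKE SAs; if concurrent logins are not a requirement, `uniqueids=replace` limits credential sharing. `rekey=no` means the gateway never initiates rekeying and relies entirely on the clients to do so, which deserves a comment stating why. `{{ ipsec_groups }}` is rendered unquoted at the end of the file, so its value must be a complete `conn` block, not a list — worth saying in defaults/main.yml.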
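Review bot: `admin %any% : EAP "…"` in roles/ipsec/templates/ipsec.secrets defines a local EAP password while ipsec.conf uses `rightauth=eap-radius`, which delegates EAP to the RADIUS servers; a locally stored EAP secret is only consulted by the local EAP methods, so either this line is dead configuration that still carries a live password, or a connection in `ipsec_groups` relies on it — please state which in a comment above the line. The selector `%any%` is also unusual; strongSwan documentation uses `%any` (and `%any6`), so confirm the trailing `%` is intended rather than a typo.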
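Review bot: The commented-out `#address = radius1.verdnatura.es` and `#address = radius2.verdnatura.es` lines in roles/ipsec/templates/vn-eap-radius.conf are leftovers now that the address comes from `address_radiusA`/`address_radiusB`; remove them rather than ship internal hostnames in every rendered config. Both servers reuse the same `secret` lookup (`eap-radius`), which is fine if both RADIUS servers genuinely share one secret, but a comment saying so prevents someone "fixing" it later. RADIUS here runs over plain UDP protected only by that shared secret, and `class_group = yes` lets the RADIUS Class attribute select the connection group, so the path between this gateway and the RADIUS servers is part of the authorization trust boundary — worth recording in the role's README.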
From 9ac8501f148d597b3e6a9d4810c0eadd1ec6969b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 11:33:01 +0100 Subject: [PATCH 2/6] vpn: refs #8748 - Names fix --- playbooks/dhcp.yml | 2 +- roles/ipsec/tasks/ipsec.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/dhcp.yml b/playbooks/dhcp.yml index 9a89db8..ebfc0c5 100644 --- a/playbooks/dhcp.yml +++ b/playbooks/dhcp.yml @@ -1,4 +1,4 @@ -- name: Configure DHCP +- name: Configure IPsec StrongSwan hosts: all tasks: - name: Configure services to install in the server diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml index 0b786ba..ce822dd 100644 --- a/roles/ipsec/tasks/ipsec.yml +++ b/roles/ipsec/tasks/ipsec.yml @@ -22,7 +22,7 @@ owner: root group: root mode: u=r,g=r,o= -- name: Configure ipsec.conf and charon +- name: Configure ipsec and charon template: src: "{{ item.src }}" dest: "{{ item.dest }}" -- 2.40.1 From 8c168d4fa872861f0a9d7a872c2ebe459b38c4b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 11:34:21 +0100 Subject: [PATCH 3/6] vpn: refs #8748 - Names fix --- playbooks/dhcp.yml | 2 +- playbooks/vpn-ipsec.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/dhcp.yml b/playbooks/dhcp.yml index ebfc0c5..9a89db8 100644 --- a/playbooks/dhcp.yml +++ b/playbooks/dhcp.yml @@ -1,4 +1,4 @@ -- name: Configure IPsec StrongSwan +- name: Configure DHCP hosts: all tasks: - name: Configure services to install in the server diff --git a/playbooks/vpn-ipsec.yml b/playbooks/vpn-ipsec.yml index c8f0979..aa9b29a 100644 --- a/playbooks/vpn-ipsec.yml +++ b/playbooks/vpn-ipsec.yml @@ -1,4 +1,4 @@ -- name: Configure DHCP +- name: Configure IPsec StrongSwan hosts: all tasks: - name: Configure services to install in the server -- 2.40.1 From 0e393b49c8f76e25e2c055e247744bf8a73547ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 11:41:13 +0100 Subject: [PATCH 4/6] vpn: refs #8748 - Variables array --- roles/ipsec/defaults/main.yml | 7 ++++++- roles/ipsec/tasks/ipsec.yml | 6 +----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml index 9113d34..0553fc3 100644 --- a/roles/ipsec/defaults/main.yml +++ b/roles/ipsec/defaults/main.yml @@ -7,4 +7,9 @@ strongswan_requeriments: - conntrack certificates: - { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' } - - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' } \ No newline at end of file + - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' } +config_ipsec_files: + - { src: 'ipsec.conf', dest: '/etc/ipsec.conf', mode: 'u=rw,g=r,o=r' } + - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' } + - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' } + - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' } diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml index ce822dd..36ad57e 100644 --- a/roles/ipsec/tasks/ipsec.yml +++ b/roles/ipsec/tasks/ipsec.yml @@ -29,11 +29,7 @@ owner: root group: root mode: "{{ item.mode }}" - loop: - - { src: 'ipsec.conf', dest: '/etc/ipsec.conf', mode: 'u=rw,g=r,o=r' } - - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' } - - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' } - - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' } + loop: "{{ config_ipsec_files }}" - name: Copy Configure file copy: src: vn.conf -- 2.40.1 From c1074a90e51fbeb4804168c6238a8fb7ec37f95c Mon Sep 17 00:00:00 2001 
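Review bot: Moving the `config_ipsec_files` list into roles/ipsec/defaults/main.yml puts the destination paths and file modes of `ipsec.secrets` and `vn-eap-radius.conf` at the lowest variable precedence, where any inventory or group variable of the same name silently replaces them — including loosening `u=r,g=,o=` on the secrets file. These entries are role internals, not tunables; keep them in `roles/ipsec/vars/main.yml` and leave only genuinely overridable values in defaults. The same consideration applies to `certificates` from patch 1. The tasks/ipsec.yml hunk of this patch only swaps the inline loop for the variable and needs no further change.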
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 12:58:15 +0100 Subject: [PATCH 5/6] vpn: refs #8748 - Iptables approche - what to do --- roles/ipsec/defaults/main.yml | 1 + roles/ipsec/tasks/ipsec.yml | 26 +++++++++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml index 0553fc3..fedeaef 100644 --- a/roles/ipsec/defaults/main.yml +++ b/roles/ipsec/defaults/main.yml @@ -5,6 +5,7 @@ strongswan_requeriments: - tcpdump - iperf - conntrack + - iptables-persistent certificates: - { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' } - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' } diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml index 36ad57e..a1ed9cd 100644 --- a/roles/ipsec/tasks/ipsec.yml +++ b/roles/ipsec/tasks/ipsec.yml @@ -36,4 +36,28 @@ dest: /etc/strongswan.d/vn.conf owner: root group: root - mode: u=rw,g=r,o=r \ No newline at end of file + mode: u=rw,g=r,o=r +- name: IP forward as a router + sysctl: + name: net.ipv4.ip_forward + value: "1" + state: present + sysctl_set: yes + reload: yes +- name: Add iptables rules in rules.v4 file + blockinfile: + path: /etc/iptables/rules.v4 + marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN MANGED" + block: | + *mangle + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :FORWARD ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 + -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 + register: iptables +- name: Reload iptables rules + command: netfilter-persistent reload + when: iptables.changed \ No newline at end of file -- 2.40.1 
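Review bot: `IP forward as a router` sets `net.ipv4.ip_forward=1` while the only firewall rules added in roles/ipsec/tasks/ipsec.yml live in the `*mangle` table (MSS clamping); the `:FORWARD ACCEPT` there is a mangle-table policy and does not filter, so unless the existing `/etc/iptables/rules.v4` already restricts the filter table's FORWARD chain, the host will forward traffic between any of its interfaces, not just IPsec-policy-matched flows. Add, or confirm the presence of, filter rules such as `-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT` and `-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT` with a default DROP for the rest of FORWARD. The mangle block also lacks a closing `COMMIT`, without which `iptables-restore` rejects the file — this is fixed in patch 6 of the series. `Reload iptables rules` guarded by `when: iptables.changed` is better expressed as a handler notified by the blockinfile task, consistent with `restart-ipsec`.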
From aba7121907ea0307f829d8d9ee10de75c4fc1f86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 14 Mar 2025 14:33:53 +0100 Subject: [PATCH 6/6] vpn: refs #8748 - Final touch --- roles/ipsec/defaults/main.yml | 13 +++++++++ roles/ipsec/files/charon | 11 ++++++++ roles/ipsec/tasks/ipsec.yml | 50 +++++++++++++++++++++++++---------- 3 files changed, 60 insertions(+), 14 deletions(-) create mode 100644 roles/ipsec/files/charon diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml index fedeaef..c8b1cd0 100644 --- a/roles/ipsec/defaults/main.yml +++ b/roles/ipsec/defaults/main.yml @@ -14,3 +14,16 @@ config_ipsec_files: - { src: 'vn-attr.conf', dest: '/etc/strongswan.d/charon/vn-attr.conf', mode: 'u=rw,g=r,o=r' } - { src: 'vn-eap-radius.conf', dest: '/etc/strongswan.d/charon/vn-eap-radius.conf', mode: 'u=r,g=,o=' } - { src: 'ipsec.secrets', dest: '/etc/ipsec.secrets', mode: 'u=r,g=,o=' } +mangle_block: | + *mangle + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :FORWARD ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 + -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 + COMMIT +config_and_logrotate: + - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' } + - { src: charon, dest: '/etc/logrotate.d/charon' } diff --git a/roles/ipsec/files/charon b/roles/ipsec/files/charon new file mode 100644 index 0000000..9a05de0 --- /dev/null +++ b/roles/ipsec/files/charon @@ -0,0 +1,11 @@ +/var/log/strongswan/charon.log +{ + copytruncate + create 644 root root + rotate 10 + weekly + missingok + notifempty + compress + delaycompress +} diff --git a/roles/ipsec/tasks/ipsec.yml b/roles/ipsec/tasks/ipsec.yml index a1ed9cd..37f63ce 100644 --- a/roles/ipsec/tasks/ipsec.yml 
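Review bot: `mangle_block` in roles/ipsec/defaults/main.yml is appended to `/etc/iptables/rules.v4` as its own table section, and `iptables-restore` flushes a table each time it meets a `*mangle` line unless run with `--noflush`; if the target's rules.v4 already contains a mangle section, whichever block comes later wipes the other, so the MSS clamp or the pre-existing mangle rules are lost. Confirm the target file has no existing `*mangle` section, or manage the whole table in one place. As with `config_ipsec_files`, a firewall ruleset is not a tunable and belongs in `vars/main.yml`, where an inventory variable of the same name cannot replace it.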
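Review bot: `copytruncate` and `create 644 root root` in roles/ipsec/files/charon do not combine: logrotate leaves the original file in place when `copytruncate` is used and ignores `create`, so the `create` line is dead and the log keeps whatever mode charon created it with. Keep `copytruncate` — presumably chosen because charon holds the file open — and drop `create`, or, if the goal was to control who can read the IKE log, set the mode on the `/var/log/strongswan` directory created in tasks/ipsec.yml instead. A comment such as `# copytruncate: charon keeps the file open, so rotation must not rename it` records the choice.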
+++ b/roles/ipsec/tasks/ipsec.yml @@ -6,6 +6,13 @@ name: "{{ strongswan_requeriments }}" state: present install_recommends: no +- name: Create directory /var/log/strongswan + file: + path: /var/log/strongswan + state: directory + owner: root + group: root + mode: '0755' - name: Insert certificates no_log: true copy: @@ -30,13 +37,16 @@ group: root mode: "{{ item.mode }}" loop: "{{ config_ipsec_files }}" -- name: Copy Configure file + notify: restart-ipsec +- name: Copy Configure file and logrotate Charon copy: - src: vn.conf - dest: /etc/strongswan.d/vn.conf + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: root mode: u=rw,g=r,o=r + loop: "{{ config_and_logrotate }}" + notify: restart-ipsec - name: IP forward as a router sysctl: name: net.ipv4.ip_forward 
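Review bot: `notify: restart-ipsec` is added to the template and copy tasks in this hunk, but the `Insert certificates` and `Add private key` tasks (visible only as context here; their bodies lie outside the hunk) still notify nothing, so a renewed certificate or key is written under `/etc/ipsec.d` while charon keeps the old one loaded until something else triggers a restart; add `notify: restart-ipsec` to both. Conversely, `Copy Configure file and logrotate Charon` now restarts the VPN when only `/etc/logrotate.d/charon` changes, dropping every tunnel for a logrotate edit; give the logrotate file its own copy task without the notify. `/var/log/strongswan` is created with mode `'0755'`, leaving the IKE log charon writes there world-readable by default; `'0750'` is the more conservative choice.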
@@ -47,17 +57,29 @@ - name: Add iptables rules in rules.v4 file blockinfile: path: /etc/iptables/rules.v4 - marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN MANGED" - block: | - *mangle - :PREROUTING ACCEPT [0:0] - :INPUT ACCEPT [0:0] - :FORWARD ACCEPT [0:0] - :OUTPUT ACCEPT [0:0] - :POSTROUTING ACCEPT [0:0] - -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 - -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 + marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN" + block: "{{ mangle_block }}" register: iptables - name: Reload iptables rules command: netfilter-persistent reload - when: iptables.changed \ No newline at end of file + when: iptables.changed +- name: Get default IPv4 interface + command: ip -o -4 route show default + register: default_route +- name: Extract interface default name + set_fact: + active_interface: "{{ default_route.stdout.split()[-1] }}" +- name: Routing table for VPN + lineinfile: + path: /etc/iproute2/rt_tables + line: "10 vpn" + state: present + regexp: "vpn" +- name: Static routing rules to send VPN traffic directly to the firewall + lineinfile: + path: /etc/network/interfaces + insertafter: "dhcp" + line: "{{ item }}" + state: present + loop: "{{ static_routes }}" + \ No newline at end of file -- 2.40.1
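Review bot: `Extract interface default name` takes `default_route.stdout.split()[-1]`, but `ip -o -4 route show default` prints a line such as `default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.5 metric 100` (constructed example), so the last token is the metric or source address whenever those are present, not the interface. Unless the playbook disables fact gathering, both tasks collapse to `active_interface: "{{ ansible_default_ipv4.interface }}"`; if the `command` is kept it needs `changed_when: false` and should read the token following `dev`. `regexp: "vpn"` on `/etc/iproute2/rt_tables` matches any line containing `vpn` (an existing `openvpn` table, for instance) and would overwrite it; anchor it as `regexp: '^\d+\s+vpn$'`. `static_routes` is looped over in the last task but not defined in defaults/main.yml, so the role fails with an undefined variable unless the inventory supplies it — add `static_routes: []` to defaults. Editing `/etc/network/interfaces` with `insertafter: "dhcp"` only takes effect on the next ifup or reboot and nothing is notified, which a comment on the task should say.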