This module installs and manages strongSwan daemon on a host. For detailed information about strongSwan, please see its website and the wiki.
The initial setup of the module happens in the main strongswan puppet class. The defaults are relatively safe, but we allow you to overwrite as many settings as you wish, as long as you instantiate the main class before calling any of the resource definitions.
class { 'strongswan':
charon_options => <charon options>,
conn_conf_path => <path to store connections>,
ipsec_options => <ipsec options>,
secrets_conf_path => <path to store secrets>,
service_name => <ipsec service name>,
service_provider => <init system name>,
service_ensure => <ipsec service ensure>,
service_enable => <ipsec service enable bool>,
strongswan_package => <strongswan package name>,
strongswan_version => <strongswan version num>,
strongswan_plugins => <strongswan plugins list>,
}
A hash of custom options for the /etc/strongswan.d/charon.conf file (default: {})
Directory to store individual IPSec Connection configuration files in. (default: /etc/ipsec.d/conns)
A hash of settings for the 'config settings' section of the /etc/ipsec.conf file. (default: {})
Directory to store individual IPSec Connection secret files in. (default: /etc/ipsec.d/secrets)
Name of the StrongSwan service daemon. (default: strongswan)
Name of the init system to use e.g. 'upstart' or 'systemd'. (default: upstart)
Whether to ensure the service is running or not. (default: running)
Whether to enable the strongswan service on system startup. (default: true)
Name of the Strongswan package to install. (default: strongswan)
Version of the Strongswan packages to install. (default: installed)
(default: [ strongswan-plugin-unity, strongswan-plugin-xauth-pam ])
strongswan::conn { 'myconn':
params => <hash of custom connection parameters>
secrets => <array of hashes of secrets>
}
Or through Hiera:
strongswan::conns:
myconn:
params: {}
secrets: []
A hash that contains all of the key
=>value
parameters for your connection.
Expects that you know all of the parameters required, and it will fill them in
exactly as you've supplied.
{ 'keyexchange' => 'ikev2',
'auto' => 'start',
'esp' => 'aes128-sha1-modp1024',
'ikelifetime' => '28800s',
'keylife' => '3600s',
'rekey' => 'no',
'reauth' => 'no',
'authby' => 'secret',
'closeaction' => 'restart',
'dpddelay' => '10s',
'dpdtimeout' => '30s',
'dpdaction' => 'restart',
'rightsubnet' => $vpc_subnet,
'leftid' => $customer_gateway_ip,
'leftsubnet' => $customer_subnet,
'right' => $ipsec_1_vpg_ip,
'rightid' => $ipsec_1_vpg_ip
}
An array of hashes that list the secrets for the connection. Eg:
[ { 'left_id' => '10.0.0.1', 'right_id' => '%any',
'auth' => 'PSK', 'key' => 'xYsdfkjkasd' },
{ 'left_id' => '10.0.0.2', 'right_id' => '%any',
'auth' => 'PSK', 'key' => 'xYsdfkjkasd' },
]
Configures your server as a VPN endpoint for incoming Cisco IPSEC VPN clients (like iOS, Android, Mac OSX, etc). Uses simple local PAM for user authentication.
class { 'strongswan::presets::pam_authed_vpn':
client_source_ip => '0.0.0.0/0',
dns => [ '8.8.8.8', '8.8.4.4' ],
routed_ip_cidr => '10.0.0.0/8',
private_ip_cidr => '192.168.0.0/24',
private_ip => '192.168.0.1',
}
IP CIDR to accept VPN connection requests from. (default: 0.0.0.0/0)
A list of DNS servers to pass to the VPN clients. (default: [ 8.8.8.8, 8.8.4.4 ])
The IP range thats passed to the VPN clients as the 'routed' range. Defaults to 0.0.0.0/0, which means to pass all traffic through the VPN client. Narrowing this down to some other range (like 10.0.0.0/8) will cause split-tunneling, allowing the client to go directly to the internet for most traffic, but over the VPN for specific traffic. (default: 0.0.0.0/0)
Private IP CIDR range to hand addresses out to VPN clients. (default: 192.168.0.0/22)
Private IP that the VPN server will use for routing VPN client data. (default: 192.168.0.1/22)
Configures a VPN connection into an Amazon VPC following their Generic Customer Gateway without Border Gateway Protocol model. Creates two outbound, policy based VPN tunnels to the Amazon VPN endpoints. Only one tunnel can be used at any given moment, but automatic failover happens when one of the AWS endpoints shuts down.
strongswan::presets::aws_vpc { 'myVPC':
customer_gateway_ip => <your servers eIP>,
customer_subnet => <your servers CIDR block>,
ipsec_1_vpg_ip => <AWS VPC IPSec #1 Endpoint>,
ipsec_1_psk => <PSK for IPSec #1 Endpoint>,
ipsec_2_vpg_ip => <AWS VPC IPSec #2 Endpoint>,
ipsec_2_psk => <PSK for IPSec #2 Endpoint>,
vpc_subnet => <your VPC CIDR block>,
}
(Line 77 of the Generic VPC Configuration from Amazon)
The subnet on the 'left' (client) side of the tunnel. Can be as small as a /32, or as large as you want. Should match whatever static route you have configured in your VPN Connection endpoint in Amazon.
(Line 78 of the Generic VPC Configuration from Amazon)
(Line 25 of the Generic VPC Configuration from Amazon)
(Line 162 of the Generic VPC Configuration from Amazon)
(Line 109 of the Generic VPC Configuration from Amazon)
Configures an incoming VPN service for a Meraki MX-series router using IKEv1 per their documentation.
strongswan::presets::meraki_vpn { 'our-office':
meraki_public_ip => <your meraki/office public ip address>,
meraki_subnet => <your internal office subnet>,
swan_public_ip => <your strongswan server public address>,
swan_subnet => <your strongswan server private subnet>,
psk => <pre-shared-key>
masquerade => <whether or not to enable ip masquerading>
}
The Public IPv4 address that your Meraki has on the Internet. Used to configure inbound access through the Firewall to the network
The IP CIDR that your Meraki is hosting behind it. Likely matches the range described in the 'Local networks' section of the site-to-site VPN page.
The public IP address of the strongSwan server -- used to help handle NAT-Traversal issues.
The IP CIDR that you want your strongSwan server to provide access to your Merakis. Should exactly match the Private subnets configuration option in the Meraki site-to-site VPN page.
The pre-shared-key you've entered into your Meraki site-to-site VPN page.
Either present
or absent
: Whether or not to enable IP masquerading on the
strongSwan host.