From f400516745aee13ee55e59623717e82619818c10 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Wed, 19 Sep 2018 19:29:18 +0200
Subject: o Adding strongswan experiment.
---
 .../files/swanctl/CA/ca-cert.der | Bin 0 -> 834 bytes
 .../files/swanctl/CA/ca-key.der | Bin 0 -> 1191 bytes
 .../files/swanctl/arius/rsa/arius-key.der | Bin 0 -> 1190 bytes
 .../files/swanctl/arius/x509/arius-cert.der | Bin 0 -> 806 bytes
 .../roles/strongswan-rw/tasks/main.yml | 21 +++++++
 .../roles/strongswan-rw/templates/swanctl.conf | 34 +++++++++++
 ansible/strongswan-experiment/strongswan-rw.yml | 9 +++
 .../strongswan-experiment/strongswan-server.yml | 67 +++++++++++++++++++++
 ansible/strongswan-experiment/strongswan-vars.yml | 7 +++
 ansible/strongswan-experiment/strongswan.md | 18 ++++++
 10 files changed, 156 insertions(+)
 create mode 100644 ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der
 create mode 100644 ansible/strongswan-experiment/files/swanctl/CA/ca-key.der
 create mode 100644 ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der
 create mode 100644 ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der
 create mode 100644 ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml
 create mode 100644 ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf
 create mode 100644 ansible/strongswan-experiment/strongswan-rw.yml
 create mode 100644 ansible/strongswan-experiment/strongswan-server.yml
 create mode 100644 ansible/strongswan-experiment/strongswan-vars.yml
 create mode 100644 ansible/strongswan-experiment/strongswan.md
(limited to 'ansible')
diff --git a/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der b/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der
new file mode 100644
index 0000000..73e9b45
Binary files /dev/null and b/ansible/strongswan-experiment/files/swanctl/CA/ca-cert.der differ
diff --git a/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der b/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der
new file mode 100644
index 0000000..740545a
Binary files /dev/null and b/ansible/strongswan-experiment/files/swanctl/CA/ca-key.der differ
diff --git a/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der b/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der
new file mode 100644
index 0000000..5c988d9
Binary files /dev/null and b/ansible/strongswan-experiment/files/swanctl/arius/rsa/arius-key.der differ
diff --git a/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der b/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der
new file mode 100644
index 0000000..562c76b
Binary files /dev/null and b/ansible/strongswan-experiment/files/swanctl/arius/x509/arius-cert.der differ
diff --git a/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml b/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml
new file mode 100644
index 0000000..fb09476
--- /dev/null
+++ b/ansible/strongswan-experiment/roles/strongswan-rw/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - strongswan-swanctl
+- name: Install CA certificate
+ copy:
+ src=swanctl/CA/ca-cert.der
+ dest=/etc/swanctl/x509ca/ca-cert.der
+- name: Install key
+ copy:
+ src=swanctl/{{ inventory_hostname }}/rsa/{{ inventory_hostname }}-key.der
+ dest=/etc/swanctl/rsa/{{ inventory_hostname }}-key.der
+- name: Install certificate
+ copy:
+ src=swanctl/{{ inventory_hostname }}/x509/{{ inventory_hostname }}-cert.der
+ dest=/etc/swanctl/x509/{{ inventory_hostname }}-cert.der
+- template:
+ src: swanctl.conf
+ dest: /etc/swanctl/conf.d/trygvis.io.conf
diff --git a/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf b/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf
new file mode 100644
index 0000000..90d212b
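Review bot: The `Install key` task copies the host's private key to `/etc/swanctl/rsa/` without a `mode:`, so the file gets the copy module's default permissions (typically 0644) although only root needs to read it; add `mode: '0600'` and `owner: root` to that task. The key material itself is also a concern: the diffstat adds `ca-key.der` and `arius-key.der` as plain binary files under `files/swanctl/`, so the CA and peer private keys sit unencrypted in git history next to the playbook — generating keys on the target host, or encrypting these files with ansible-vault, keeps them out of the repository. Finally, the `template` task has no `notify`, unlike the server playbook which restarts strongswan, so the new `conf.d` file is not loaded until someone restarts the daemon or runs `swanctl --load-all`.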
--- /dev/null
+++ b/ansible/strongswan-experiment/roles/strongswan-rw/templates/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = {{ strongswan_rw[inventory_hostname].local_addrs }}
+ remote_addrs = {{ strongswan_home_addrs }}
+
+ local {
+ auth = pubkey
+ certs = {{ inventory_hostname }}-cert.der
+ id = {{ inventory_hostname }}.trygvis.io
+ }
+ remote {
+ auth = pubkey
+ id = {{ strongswan_remote_id }}
+ }
+ children {
+ home {
+ remote_ts = {{ strongswan_ts }}
+
+# updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = ca-cert.der
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/ansible/strongswan-experiment/strongswan-rw.yml b/ansible/strongswan-experiment/strongswan-rw.yml
new file mode 100644
index 0000000..136e9ad
--- /dev/null
+++ b/ansible/strongswan-experiment/strongswan-rw.yml
@@ -0,0 +1,9 @@
+- hosts:
+ - arius
+ vars_files:
+ - strongswan-vars.yml
+ tasks:
+ - name: strongswan-rw
+ import_role: name=strongswan-rw
+ tags: strongswan-rw
+ become: yes
diff --git a/ansible/strongswan-experiment/strongswan-server.yml b/ansible/strongswan-experiment/strongswan-server.yml
new file mode 100644
index 0000000..e555b90
--- /dev/null
+++ b/ansible/strongswan-experiment/strongswan-server.yml
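Review bot: `crl_uris` in the `strongswan` authority points at `http://ip6-winnetou.strongswan.org/strongswan.crl`, the public strongSwan test CA's CRL, while `cacert = ca-cert.der` is this repo's own CA; that CRL is not signed by this CA, so it cannot say anything about the peer certificates and revocation checking is effectively inoperative, while the client still fetches from a third-party host over plain HTTP. Either publish a CRL for the repo's CA and reference it here, or drop the line as the server playbook already does (`crl_uris =`). The commented `# updown` line is also the only one at column 0, which reads as an accident; if it is meant to stay, indenting it under `home` would match the rest of the template.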
@@ -0,0 +1,67 @@
+- hosts:
+ - knot
+ vars_files:
+ - strongswan-vars.yml
+ vars:
+ peers:
+ - arius
+ handlers:
+ - name: systemctl restart strongswan
+ become: true
+ systemd:
+ name: strongswan
+ state: restarted
+ tasks:
+ - become: true
+ block:
+ - name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - strongswan-swanctl
+ - name: install certs
+ with_items: "{{ peers }}"
+ copy:
+ src=swanctl/{{ item }}/rsa/{{ item }}-key.der
+ dest=/etc/swanctl/rsa/{{ item }}-key.der
+ - name: install swanctl.conf
+ notify: systemctl restart strongswan
+ copy:
+ dest: /etc/swanctl/conf.d/trygvis.io.conf
+ content: |
+ connections {
+
+ rw {
+ local_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = {{ strongswan_ts }}
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+ }
+
+ authorities {
+ strongswan {
+ #cacert = caCert.pem
+ #crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ cacert = ca-cert.der
+ crl_uris =
+ }
+ }
+
diff --git a/ansible/strongswan-experiment/strongswan-vars.yml b/ansible/strongswan-experiment/strongswan-vars.yml
new file mode 100644
index 0000000..e72b040
--- /dev/null
+++ b/ansible/strongswan-experiment/strongswan-vars.yml
@@ -0,0 +1,7 @@
+strongswan_rw:
+ arius:
+ local_addrs: fc00:0002::2
+
+strongswan_home_addrs: fc00:0001::1
+strongswan_ts: fc00:0001::0/32
+strongswan_remote_id: knot.trygvis.io
diff --git a/ansible/strongswan-experiment/strongswan.md b/ansible/strongswan-experiment/strongswan.md
new file mode 100644
index 0000000..4258037
--- /dev/null
+++ b/ansible/strongswan-experiment/strongswan.md
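Review bot: The server's `local` section still carries the strongSwan example values `certs = moonCert.pem` and `id = moon.strongswan.org`, but nothing in this playbook installs such a certificate and the client template expects the server to identify as `{{ strongswan_remote_id }}` (`knot.trygvis.io` in the vars), so the IKE_SA cannot authenticate as written. The `install certs` task also copies each peer's private key (`rsa/{{ item }}-key.der`) onto the server; with `auth = pubkey` and a trusted `cacert` the server needs only its own key and certificate, and distributing peer private keys widens what a server compromise exposes. Likely `certs`/`id` should reference the server's own certificate issued from `ca-cert.der`, and the task should copy `x509/{{ item }}-cert.der` (or nothing) instead, with `mode: '0600'` on any key it does install. Separately, `local_addrs = fec0::1` is in the deprecated site-local range and does not match `strongswan_home_addrs: fc00:0001::1`, which the client uses as `remote_addrs` — presumably one of the two is stale.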
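Review bot: `strongswan_ts: fc00:0001::0/32` selects all of `fc00:1::/32`, far wider than the single-subnet addresses used elsewhere in these vars (`fc00:0001::1`, `fc00:0002::2`); if the intent is the home network a `/64` is probably meant, and since this value becomes both `local_ts` on the server and `remote_ts` on the client it decides exactly which traffic is tunneled, so it is worth confirming. Note also that RFC 4193 designates `fd00::/8` for locally assigned unique-local addresses, whereas `fc00::/8` is reserved for a future centrally assigned scheme; `fd00:...` prefixes would avoid collisions with whatever that becomes.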
@@ -0,0 +1,18 @@
+# CA certificate
+
+ mkdir -p files/swanctl/CA
+ pki --gen > files/swanctl/CA/ca-key.der
+ pki --self \
+ --in files/swanctl/CA/ca-key.der \
+ --dn "C=NO, O=Trygvis IO AS, CN=Trygvis IO CA" \
+ --ca > files/swanctl/CA/ca-cert.der
+
+# Peer certificate
+
+ mkdir -p files/swanctl/$host/{rsa,x509}
+ pki --gen > files/swanctl/$host/rsa/$host-key.der
+ pki --pub --in files/swanctl/$host/rsa/$host-key.der | \
+ pki --issue \
+ --cakey files/swanctl/CA/ca-key.der \
+ --cacert files/swanctl/CA/ca-cert.der \
+ --dn "C=NO, O=Trygvis IO AS, CN=$host.trygvis.io" > files/swanctl/$host/x509/$host-cert.der
--
cgit v1.2.3