AETHER-1094 Update strongswan role
- Update VTI up/down script
- Make reauth option configurable
- Make auto option configurable
Change-Id: Ibeb65403387fe56445ce3f93f078418522ea60cf
diff --git a/README.md b/README.md
index 8d29aac..c92d35a 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,6 @@
vti:
local: 169.254.0.2/30
remote: 169.254.0.1/30
- mark: "100"
psk: secret
left: 10.0.0.3
leftid: 128.105.144.189
diff --git a/defaults/main.yml b/defaults/main.yml
index 5261e7a..617ebf6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -31,6 +31,13 @@
# NOTE: only psk is supported
strongswan_conf_auth_type: "psk"
+# What operation should be done automatically at IPsec startup
+# Acceptable values are add, start, or route
+strongswan_conf_auto: "add"
+
+# Whether rekeying of an IKE_SA should also reauthenticate the peer
+strongswan_conf_reauth: "no"
+
# Handle routes in strongSwan or not
# Set no if VPNs are route based
strongswan_conf_install_routes: false
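Review bot: The new `strongswan_conf_reauth: "no"` default deviates from strongSwan's documented default (`reauth=yes`), and the comment above it only restates what the option means, not why reauthentication on IKE_SA rekey is turned off in this role; a reader tuning the role cannot tell whether this is required by the VTI/DPD setup or is just a preference. Suggest extending the comment to something like `# strongSwan defaults to yes; "no" keeps the IKE_SA from being re-established on every rekey (TODO: confirm this is needed by the VTI updown flow; IKEv1 ignores this and always reauthenticates)`. The `strongswan_conf_auto` comment lists add/start/route but nothing in this change validates either variable, so a typo such as `strat` is only caught when strongSwan parses ipsec.conf; if the role has a pre-flight assert task, adding both variables to it would be cheap (the tasks are outside this hunk).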
diff --git a/files/ipsec-vti.sh b/files/ipsec-vti.sh
index 0d9022e..f6bb054 100644
--- a/files/ipsec-vti.sh
+++ b/files/ipsec-vti.sh
@@ -8,96 +8,47 @@
set -o nounset
set -o errexit
-echo "${PLUTO_VERB}" >> /tmp/yoyo
-while [[ $# -gt 1 ]]; do
- case ${1} in
- -ln|--link-name)
- TUNNEL_NAME="${2}"
- TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
- shift
- ;;
- -ll|--link-local)
- TUNNEL_LOCAL_ADDRESS="${2}"
- TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
- shift
- ;;
- -lr|--link-remote)
- TUNNEL_REMOTE_ADDRESS="${2}"
- TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
- shift
- ;;
- -m|--mark)
- TUNNEL_MARK="${2}"
- shift
- ;;
- -r|--static-route)
- TUNNEL_STATIC_ROUTE="${2}"
- shift
- ;;
- *)
- echo "${0}: Unknown argument \"${1}\"" >&2
- ;;
- esac
- shift
-done
+IP=$(which ip)
-command_exists() {
- type "$1" >&2 2>&2
-}
+PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
+PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })
-create_interface() {
- {
- echo "ip link add ${TUNNEL_NAME} type vti local ${TUNNEL_LOCAL_ENDPOINT} remote ${TUNNEL_REMOTE_ENDPOINT} key ${TUNNEL_MARK}"
- echo "ip addr add ${TUNNEL_LOCAL_ADDRESS} remote ${TUNNEL_REMOTE_ADDRESS} dev ${TUNNEL_NAME}"
- echo "ip link set ${TUNNEL_NAME} up mtu 1387"
- } >> /tmp/yoyo
- ip link add "${TUNNEL_NAME}" type vti local "${TUNNEL_LOCAL_ENDPOINT}" remote "${TUNNEL_REMOTE_ENDPOINT}" key "${TUNNEL_MARK}"
- ip addr add "${TUNNEL_LOCAL_ADDRESS}" remote "${TUNNEL_REMOTE_ADDRESS}" dev "${TUNNEL_NAME}"
- ip link set "${TUNNEL_NAME}" up mtu 1387
-}
+VTI_TUNNEL_ID=${1}
+VTI_REMOTE=${2}
+VTI_LOCAL=${3}
-configure_sysctl() {
- sysctl -w net.ipv4.ip_forward=1
- sysctl -w net.ipv4.conf."${TUNNEL_NAME}".rp_filter=2
- sysctl -w net.ipv4.conf."${TUNNEL_NAME}".disable_policy=1
- sysctl -w net.ipv4.conf."${TUNNEL_PHY_INTERFACE}".disable_xfrm=1
- sysctl -w net.ipv4.conf."${TUNNEL_PHY_INTERFACE}".disable_policy=1
-}
-
-add_route() {
- IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
- for i in "${route[@]}"; do
- ip route add "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
- done
-}
-
-cleanup() {
- IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
- for i in "${route[@]}"; do
- ip route del "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
- done
-}
-
-delete_interface() {
- ip link set "${TUNNEL_NAME}" down
- ip link del "${TUNNEL_NAME}"
-}
-
-# main execution starts here
-
-command_exists ip || echo "ERROR: ip command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
-command_exists iptables || echo "ERROR: iptables command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
-command_exists sysctl || echo "ERROR: sysctl command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
+LOCAL_IF="${PLUTO_INTERFACE}"
+VTI_IF="${VTI_TUNNEL_ID}"
+# GCP's MTU is 1460, so it's hardcoded
+GCP_MTU="1460"
+# ipsec overhead is 73 bytes, we need to compute new mtu.
+VTI_MTU=$((GCP_MTU-73))
case "${PLUTO_VERB}" in
- up-client)
- create_interface
- configure_sysctl
- add_route
- echo "A"
- ;;
- down-client)
- cleanup
- delete_interface
- ;;
+ up-client)
+ ${IP} link add ${VTI_IF} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
+ ${IP} addr add ${VTI_LOCAL} remote ${VTI_REMOTE} dev "${VTI_IF}"
+ ${IP} link set ${VTI_IF} up mtu ${VTI_MTU}
+
+ # Disable IPSEC Policy
+ sysctl -w net.ipv4.conf.${VTI_IF}.disable_policy=1
+
+ # Enable loosy source validation, if possible. Otherwise disable validation.
+ sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=0
+
+ # If you would like to use VTI for policy-based you shoud take care of routing by yourselv, e.x.
+ #if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
+ # ${IP} r add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
+ #fi
+ ;;
+ down-client)
+ ${IP} tunnel del "${VTI_IF}"
+ ;;
esac
+
+# Enable IPv4 forwarding
+sysctl -w net.ipv4.ip_forward=1
+
+# Disable IPSEC Encryption on local net
+sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1
+sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_policy=1
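Review bot: The `up-client` branch aborts under `set -o errexit` at the `ip link add` line when a link named `${VTI_IF}` already exists (`ip` refuses a duplicate link name), which can happen if a previous `down-client` never ran before the tunnel is re-established, and the SA then comes up with no VTI and no route; remove any stale link first, `${IP} link show "${VTI_IF}" >/dev/null 2>&1 && ${IP} tunnel del "${VTI_IF}"`. The `rp_filter=2 || rp_filter=0` line silently disables reverse-path filtering on the tunnel interface when loose mode cannot be set, which is an anti-spoofing downgrade; if the fallback is kept it should at least print a warning to stderr so operators can see which mode took effect. All expansions on the `ip` and `sysctl` lines (`${VTI_IF}`, `${PLUTO_ME}`, `${PLUTO_PEER}`, `${PLUTO_MARK_OUT_ARR[0]}`, `${LOCAL_IF}`) are unquoted, which ShellCheck flags as SC2086; quoting them is free, and `IP=$(which ip)` is better written `IP=$(command -v ip)`. The GCP-specific `GCP_MTU="1460"` is hard-coded in a script that otherwise takes everything from ipsec.conf; passing the MTU as a fourth argument from the template, defaulting to 1460, would keep the role usable outside GCP.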
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 7d3e9b6..a63ac89 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -7,13 +7,13 @@
- name: Converge
hosts: all
vars:
+ strongswan_conf_auto: "start"
strongswan_conf_connections:
- name: tunnel1
psk: secret
vti:
local: 169.254.0.2/30
remote: 169.254.0.1/30
- mark: "100"
left: 10.0.0.3
leftid: 128.105.144.189
left_subnets: 0.0.0.0/0
@@ -24,7 +24,6 @@
vti:
local: 169.254.0.6/30
remote: 169.254.0.5/30
- mark: "200"
left: 10.0.0.3
leftid: 128.105.144.189
left_subnets: 0.0.0.0/0
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
index f9e890b..c8b5be3 100644
--- a/tasks/Debian.yml
+++ b/tasks/Debian.yml
@@ -9,7 +9,6 @@
name: "{{ strongswan_package }}"
state: "present"
update_cache: true
- cache_valid_time: 3600
notify:
- start-strongswan
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 2410e59..3f191f9 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -19,12 +19,15 @@
ike={{ strongswan_conf_ike_cipher }}
esp={{ strongswan_conf_esp_cipher }}
authby={{ strongswan_conf_auth_type }}
+ auto={{ strongswan_conf_auto }}
+ reauth={{ strongswan_conf_reauth }}
+ type=tunnel
+ dpdaction=restart
{% for conn in strongswan_conf_connections %}
conn {{ conn.name }}
{% if conn.vti is defined %}
- leftupdown="/etc/ipsec.d/ipsec-vti.sh -ln {{ conn.name }} -ll {{ conn.vti.local }} -lr {{ conn.vti.remote }} -m {{ conn.vti.mark }}"
- mark={{ conn.vti.mark }}
+ leftupdown="/etc/ipsec.d/ipsec-vti.sh {{ conn.name }} {{ conn.vti.remote }} {{ conn.vti.local }}"
{% endif %}
left={{ conn.left }}
leftid={{ conn.leftid }}
@@ -33,8 +36,5 @@
right={{ conn.right }}
rightsubnet={{ conn.right_subnets }}
rightauth={{ strongswan_conf_auth_type }}
- auto=start
- type=tunnel
- dpdaction=restart
- closeaction=restart
+ mark=%unique
{% endfor %}
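Review bot: `closeaction=restart` is deleted from each conn in this hunk but, unlike `auto`, `type` and `dpdaction` in the earlier hunk, it is not moved into the shared section they were added to (presumably `conn %default`, whose header is outside the hunk), so a peer-initiated IKE_SA close will no longer be re-established, and the commit message only mentions the `reauth` and `auto` options; if the drop is intentional it should be called out, otherwise add `closeaction=restart` next to `dpdaction=restart`. Note also that with the new `strongswan_conf_auto` default of `add` (the removed hard-coded value was `start`), connections are loaded but not initiated unless the operator overrides the variable, as the molecule converge playbook does; a one-line note in the README would save a surprise. `mark=%unique` relies on the updown script reading `PLUTO_MARK_OUT`/`PLUTO_MARK_IN`, which the new `ipsec-vti.sh` does, so that part is consistent.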