[EDGEPOD-226] Add installing strongswan to router role

Also fixed ansible-lint failures

Change-Id: I78fbab0a9e2f45ea4f5989c255f09b47ef01bdcc
diff --git a/aether-playbook/roles/router/defaults/main.yml b/aether-playbook/roles/router/defaults/main.yml
index 6af6545..5987766 100644
--- a/aether-playbook/roles/router/defaults/main.yml
+++ b/aether-playbook/roles/router/defaults/main.yml
@@ -14,9 +14,18 @@
 
 ---
 router_type: linux
-netplan_config_file: /etc/netplan/sgi-s1u-gateway.yaml
 
-# Provide below to run the playbook
+router_enabled: false
+# Provide below when router_enabled is true
+#netplan_config_file: /etc/netplan/sgi-s1u-gateway.yaml
 #sgi_gateway_ip:
 #s1u_gateway_ip:
 #sgi_s1u_gateway_iface:
+
+vpn_enabled: false
+# Provide below when vpn_enabled is true
+#vpn_local_addr:
+#vpn_local_subnets:
+#vpn_remote_addr:
+#vpn_remote_subnets: 10.168.0.0/20,10.45.0.0/16,10.52.0.0/16
+#vpn_psk:
\ No newline at end of file
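Review bot: The new VPN section documents every input except `vpn_local_id`, which `templates/etc/ipsec.conf.j2` reads for `leftid`; a host that sets only the listed variables fails at template time with an undefined variable. Add `#vpn_local_id:` next to `#vpn_local_addr:` so the required set is complete. `vpn_psk` is an IKE pre-shared key, so the comment should say where it is expected to come from, e.g. `#vpn_psk:  # supply from an ansible-vault encrypted var file, never plaintext inventory`. The file also still ends without a trailing newline, which is one of the lint findings the commit message says it fixes.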
diff --git a/aether-playbook/roles/router/linux/handlers/main.yml b/aether-playbook/roles/router/linux/handlers/main.yml
index 6408d79..0796da0 100644
--- a/aether-playbook/roles/router/linux/handlers/main.yml
+++ b/aether-playbook/roles/router/linux/handlers/main.yml
@@ -18,3 +18,6 @@
 
 - name: netplan apply
   command: netplan apply
+
+- name: ipsec restart
+  command: ipsec restart
\ No newline at end of file
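Review bot: `ipsec restart` stops charon and tears down every established SA, so any re-render of ipsec.conf or ipsec.secrets drops the tunnel until it renegotiates. For changes to those two files `ipsec reload` followed by `ipsec rereadsecrets` re-reads both without taking the daemon down; a full restart is only needed when `config setup` options change. Since the `command` module does not interpret `&&`, either use `shell: ipsec reload && ipsec rereadsecrets` or split it into two handlers. The file still lacks a trailing newline.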
diff --git a/aether-playbook/roles/router/linux/tasks/interfaces.yml b/aether-playbook/roles/router/linux/tasks/interfaces.yml
new file mode 100644
index 0000000..a9406d8
--- /dev/null
+++ b/aether-playbook/roles/router/linux/tasks/interfaces.yml
@@ -0,0 +1,57 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Create netplan config file for SGI and S1U gateway interfaces
+  template:
+    src: etc/netplan/sgi-s1u-gateway.yaml.j2
+    dest: "{{ netplan_config_file }}"
+  notify:
+    - netplan generate
+    - netplan apply
+  tags: router
+
+- name: Install iptables-persistent
+  apt:
+    name: iptables-persistent
+    state: present
+    update_cache: yes
+  tags: router
+
+- name: Ensure ip_forward enabled
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+  tags: router
+
+- name: Set default forwarding policy to ACCEPT
+  iptables:
+    chain: FORWARD
+    policy: ACCEPT
+  tags: router
+
+- name: Add SNAT
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    out_interface: "{{ ansible_default_ipv4.interface }}"
+    jump: MASQUERADE
+  tags: router
+
+- name: Save iptables v4 rules
+  shell: iptables-save > /etc/iptables/rules.v4
+  changed_when: False
+  tags: router
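Review bot: `Set default forwarding policy to ACCEPT` together with the unscoped MASQUERADE rule makes the host an open NAT router: anything that reaches it on any interface is forwarded and source-translated out the default interface, not just traffic from the SGI/S1U gateway interface. Keep the FORWARD policy at DROP and accept only the intended direction plus established return traffic, assuming `sgi_s1u_gateway_iface` is the interface name the netplan template configures. When `vpn_enabled` is also set, traffic bound for `vpn_remote_subnets` leaves the same default interface and the MASQUERADE rule rewrites its source before IPsec policy processing, which would break the tunnel selectors unless an exclusion (`-m policy --dir out --pol ipsec -j ACCEPT`, or a `! -d` match on the remote subnets) precedes it; worth a comment at least.
```yaml
# … unchanged: netplan template, iptables-persistent, ip_forward …

- name: Forward traffic from the SGI/S1U gateway interface to the uplink
  iptables:
    chain: FORWARD
    in_interface: "{{ sgi_s1u_gateway_iface }}"
    out_interface: "{{ ansible_default_ipv4.interface }}"
    jump: ACCEPT
  tags: router

- name: Forward return traffic for established connections
  iptables:
    chain: FORWARD
    in_interface: "{{ ansible_default_ipv4.interface }}"
    out_interface: "{{ sgi_s1u_gateway_iface }}"
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
  tags: router

- name: Set default forwarding policy to DROP
  iptables:
    chain: FORWARD
    policy: DROP
  tags: router

# … unchanged: SNAT and iptables-save …
```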
diff --git a/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml b/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml
new file mode 100644
index 0000000..86e7c30
--- /dev/null
+++ b/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml
@@ -0,0 +1,45 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Run "apt update"
+  apt:
+    update_cache: yes
+  tags: vpn
+
+- name: Install strongSwan
+  apt:
+    name: strongswan
+    state: present
+  tags: vpn
+
+- name: Start strongSwan
+  service:
+    name: strongswan
+    state: started
+    enabled: yes
+  tags: vpn
+
+- name: Create ipsec config and secrets file
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: 0640
+  loop:
+    - { src: 'etc/ipsec.secrets.j2', dest: '/etc/ipsec.secrets' }
+    - { src: 'etc/ipsec.conf.j2', dest: '/etc/ipsec.conf' }
+  notify: ipsec restart
+  tags: vpn
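Review bot: The template task renders /etc/ipsec.secrets containing the PSK without `no_log`, so a `--diff` or verbose run prints the rendered secret to the console and to any CI log; add `no_log: true` to the task (or give the secrets file its own task with `no_log`). The mode should be `mode: "0600"` — quoted so the leading-zero literal is not read as an integer, and 0600 is what strongSwan expects for ipsec.secrets; root:root 0640 happens to be equivalent today but documents the wrong intent. `Start strongSwan` also runs before the config is rendered, so the first run starts the daemon on the distribution's default ipsec.conf and then the handler restarts it; ordering the service task after the templates avoids the extra start.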
diff --git a/aether-playbook/roles/router/linux/tasks/main.yml b/aether-playbook/roles/router/linux/tasks/main.yml
index c37bca1..6fb32aa 100644
--- a/aether-playbook/roles/router/linux/tasks/main.yml
+++ b/aether-playbook/roles/router/linux/tasks/main.yml
@@ -13,44 +13,10 @@
 # limitations under the License.
 
 ---
-- name: Create netplan config file for SGI network gateway
-  template:
-    src: etc/netplan/sgi-s1u-gateway.yaml.j2
-    dest: "{{ netplan_config_file }}"
-  notify:
-    - netplan generate
-    - netplan apply
+- include_tasks: interfaces.yml
+  when: router_enabled | bool
   tags: router
 
-- name: Install iptables-persistent
-  apt:
-    name: iptables-persistent
-    state: present
-    update_cache: yes
-  tags: router
-
-- name: Ensure ip_forward enabled
-  sysctl:
-    name: net.ipv4.ip_forward
-    value: '1'
-    sysctl_set: yes
-    state: present
-  tags: router
-
-- name: Set default forwarding policy to ACCEPT
-  iptables:
-    chain: FORWARD
-    policy: ACCEPT
-  tags: router
-
-- name: Add SNAT
-  iptables:
-    table: nat
-    chain: POSTROUTING
-    out_interface: "{{ ansible_default_ipv4.interface }}"
-    jump: MASQUERADE
-  tags: router
-
-- name: Save iptables v4 rules
-  shell: iptables-save > /etc/iptables/rules.v4
-  tags: router
+- include_tasks: ipsec-vpn.yml
+  when: vpn_enabled | bool
+  tags: vpn
diff --git a/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2 b/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..29acef9
--- /dev/null
+++ b/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2
@@ -0,0 +1,42 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# basic configuration
+config setup
+    # strictcrlpolicy=yes
+    # uniqueids = no
+
+conn %default
+    ikelifetime=600m # 36,000s
+    keylife=180m # 10,800s
+    rekeymargin=3m
+    keyingtries=3
+    keyexchange=ikev2
+    mobike=no
+    ike=aes256gcm16-sha512-modp2048
+    esp=aes256gcm16-sha512-modp8192
+    authby=psk
+
+conn peer-aether-gcp-vpn-gateway
+    left={{ vpn_local_addr }}
+    leftid={{ vpn_local_id }}
+    leftsubnet={{ vpn_local_subnets }}
+    leftauth=psk
+    right={{ vpn_remote_addr }}
+    rightsubnet={{ vpn_remote_subnets }}
+    rightauth=psk
+    auto=start
+    type=tunnel
+    dpdaction=restart
+    closeaction=restart
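Review bot: `leftid={{ vpn_local_id }}` uses a variable that `defaults/main.yml` neither declares nor documents, and the PSK selector in ipsec.secrets.j2 is keyed on `vpn_local_addr` rather than on this ID; strongSwan matches PSK selectors against the IKE identities, so when `vpn_local_id` differs from `vpn_local_addr` (typical behind NAT, where `left` is a private address) the lookup may miss and IKE_AUTH fail — use the same identity in both files or drop `leftid`. `esp=aes256gcm16-sha512-modp8192` pairs an AEAD cipher with an integrity algorithm, which has no meaning for ESP and is, depending on strongSwan version, ignored with a warning or rejected by the peer; `esp=aes256gcm16-modp8192` is the consistent form, and the PFS group differing from the IKE group (modp2048) deserves a comment if intentional. `keyingtries=3` with `auto=start` means that after three failed attempts the tunnel stays down until `dpdaction`/`closeaction` fires; `keyingtries=%forever` is the usual choice for an always-on site-to-site tunnel.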
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
similarity index 79%
copy from aether-playbook/roles/router/meta/main.yml
copy to aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
index 3c4fe58..b60cff9 100644
--- a/aether-playbook/roles/router/meta/main.yml
+++ b/aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
@@ -12,12 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
-dependencies:
-  - role: router/linux
-    when:
-      - router_type == 'linux'
-
-#  - role: router/vyos
-#    when:
-#      - router_type == 'vyos'
+{{ vpn_local_addr}} {{ vpn_remote_addr }} : PSK "{{ vpn_psk }}"
\ No newline at end of file
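Review bot: The selector keys the PSK on `vpn_local_addr`, while the connection in ipsec.conf.j2 authenticates as `leftid={{ vpn_local_id }}`; keeping the two consistent (`{{ vpn_local_id }} {{ vpn_remote_addr }} : PSK ...`) avoids a lookup that depends on the ID happening to equal the address. The secret is interpolated raw inside double quotes, so a PSK containing `"` or a backslash silently corrupts the file; strongSwan accepts base64-encoded secrets, so `: PSK 0s{{ vpn_psk | b64encode }}` is robust for any key value. Minor: `{{ vpn_local_addr}}` is missing the space before `}}`, and the file has no trailing newline.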
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/router/tasks/main.yml
similarity index 80%
rename from aether-playbook/roles/router/meta/main.yml
rename to aether-playbook/roles/router/tasks/main.yml
index 3c4fe58..a64cd53 100644
--- a/aether-playbook/roles/router/meta/main.yml
+++ b/aether-playbook/roles/router/tasks/main.yml
@@ -13,11 +13,18 @@
 # limitations under the License.
 
 ---
-dependencies:
-  - role: router/linux
+  - include_role:
+      name: router/linux
     when:
       - router_type == 'linux'
+    tags:
+      - router
+      - vpn
 
-#  - role: router/vyos
+#  - include_role:
+#      name: router/vyos
 #    when:
 #      - router_type == 'vyos'
+#    tags:
+#      - router
+#      - vpn