Puppet Class: libreswan

Defined in:
manifests/init.pp

Summary

Installs and configures libreswan to provide IPSEC capabilities.

Overview


> It is very important you read the documentation that comes with libreswan before attempting to use this module.



> This module is designed to install and configure system IPSEC capabilities using libreswan.

> It will also configure and maintain the NSS database used by libreswan if you have chosen to let SIMP manage your PKI certificates.

> To add and start tunnels that will be managed by libreswan, see the manifest `libreswan::add_connection`.


This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.

  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters that look up `simp_options::*` for additional information.

  • See the libreswan documentation libreswan.org/man/ipsec.conf.5.html for more information regarding these variables.

  • Any parameter left at `undef` is omitted from the configuration file, so libreswan's own default for that setting applies. Parameters with a value are written to the configuration file; any of them can be overridden through Hiera.

Parameters:

  • service_name (String)

    The name of the IPSEC service.

  • package_name (String)

    The name of the libreswan package.

  • trusted_nets (Simplib::Netlist) (defaults to: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] }))

    Subnets (in CIDR notation) that are explicitly permitted to communicate with this host over IPSEC

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', {'default_value' => false }))

    Whether to add appropriate rules to allow IPSEC traffic to the SIMP-controlled firewall

  • fips (Boolean) (defaults to: simplib::lookup('simp_options::fips', {'default_value' => false }))

    Whether server is in FIPS mode.

    • Restricts the cryptographic algorithms IPSEC is allowed to use to those permitted in FIPS mode.

  • pki (Variant[Boolean,Enum['simp']]) (defaults to: simplib::lookup('simp_options::pki', {'default_value' => false }))
    • If `'simp'`, include `simp/pki` and use `pki::copy` to manage application certs in `/etc/pki/simp_apps/libreswan/x509`

    • If `true`, do not include `simp/pki`, but still use `pki::copy` to manage certs in `/etc/pki/simp_apps/libreswan/x509`

    • If `false`, do not include `simp/pki` and do not use `pki::copy` to manage certs. You will need to appropriately assign a subset of:

      * app_pki_dir
      * app_pki_key
      * app_pki_cert
      * app_pki_ca
      * app_pki_ca_dir
      
  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', {'default_value' => false }))

    Whether to use haveged to ensure adequate entropy

  • nssdb_password (String) (defaults to: simplib::passgen('nssdb_password'))

    Password for the NSS database used by ipsec

  • myid (Optional[String]) (defaults to: undef)
  • protostack (Enum['netkey','klips','mast']) (defaults to: 'netkey')
  • interfaces (Optional[Libreswan::Interfaces]) (defaults to: undef)
  • listen (Optional[Simplib::IP]) (defaults to: undef)
  • ikeport (Simplib::Port) (defaults to: 500)
  • nflog_all (Optional[Integer]) (defaults to: undef)
  • nat_ikeport (Simplib::Port) (defaults to: 4500)
  • keep_alive (Optional[Integer]) (defaults to: undef)
  • virtual_private (Libreswan::VirtualPrivate) (defaults to: ['%v4:10.0.0.0/8','%v4:192.168.0.0/16','%v4:172.16.0.0/12'])
  • myvendorid (Optional[String]) (defaults to: undef)
  • nhelpers (Optional[Integer]) (defaults to: undef)
  • plutofork (Optional[Enum['yes','no']]) (defaults to: undef)
  • crlcheckinterval (Optional[Integer]) (defaults to: undef)
  • strictcrlpolicy (Optional[Enum['yes','no']]) (defaults to: undef)
  • ocsp_enable (Optional[Enum['yes','no']]) (defaults to: undef)
  • ocsp_strict (Optional[Enum['yes','no']]) (defaults to: undef)
  • ocsp_timeout (Optional[Integer]) (defaults to: undef)
  • ocsp_uri (Optional[Simplib::Uri]) (defaults to: undef)
  • ocsp_trustname (Optional[String]) (defaults to: undef)
  • syslog (Optional[String]) (defaults to: undef)
  • klipsdebug (String) (defaults to: 'none')
  • plutodebug (String) (defaults to: 'none')
  • uniqueids (Optional[Enum['yes','no']]) (defaults to: undef)
  • plutorestartoncrash (Optional[Enum['yes','no']]) (defaults to: undef)
  • logfile (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • logappend (Optional[Enum['yes','no']]) (defaults to: undef)
  • logtime (Optional[Enum['yes','no']]) (defaults to: undef)
  • ddos_mode (Optional[Enum['busy', 'unlimited','auto']]) (defaults to: undef)
  • ddos_ike_treshold (Optional[Integer]) (defaults to: undef)
  • dumpdir (Stdlib::Absolutepath) (defaults to: '/var/run/pluto')
  • statsbin (Optional[String]) (defaults to: undef)
  • ipsecdir (Stdlib::Absolutepath) (defaults to: '/etc/ipsec.d')

    The directory to store all ipsec configuration information.

  • secretsfile (Stdlib::Absolutepath) (defaults to: '/etc/ipsec.secrets')
  • perpeerlog (Optional[Enum['yes','no']]) (defaults to: undef)
  • perpeerlogdir (Stdlib::Absolutepath) (defaults to: '/var/log/pluto/peer')
  • fragicmp (Optional[Enum['yes','no']]) (defaults to: undef)
  • hidetos (Optional[Enum['yes','no']]) (defaults to: undef)
  • overridemtu (Optional[Integer]) (defaults to: undef)
  • block_cidrs (Optional[Array[Simplib::IP::V4::CIDR]]) (defaults to: undef)

    List of CIDRs to which communication should never be allowed

  • clear_cidrs (Optional[Array[Simplib::IP::V4::CIDR]]) (defaults to: undef)

    List of CIDRs to which communication should always be in the clear

  • clear_private_cidrs (Optional[Array[Simplib::IP::V4::CIDR]]) (defaults to: undef)

    List of CIDRs to which communication will be in the clear, or, if the other side initiates IPSEC, use encryption

  • private_cidrs (Optional[Array[Simplib::IP::V4::CIDR]]) (defaults to: undef)

    List of CIDRs to which communication should always be private

  • private_clear_cidrs (Optional[Array[Simplib::IP::V4::CIDR]]) (defaults to: ['0.0.0.0/0'])

    List of CIDRs to which communication should be private if possible but in the clear otherwise
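The manifest below is an added example and is not code from the libreswan module or its documentation. It declares the class on a host used outside the SIMP ecosystem, where the `simp_options::*` lookups fall back to `false` and each SIMP-managed subsystem has to be switched on explicitly, and it fills in the five policy lists described under `block_cidrs` through `private_clear_cidrs`. The service and package names, the subnets, the OCSP responder URL and the log path are assumptions chosen for illustration; the mapping of the five lists onto libreswan's opportunistic-encryption policy groups (`block`, `clear`, `clear-or-private`, `private`, `private-or-clear`) follows the parameter descriptions and libreswan's ipsec.conf(5) man page, not anything shown on this page.

```puppet
# Added example: declaring the libreswan class outside SIMP.
# Not part of the module's own documentation; names, subnets and URLs
# below are assumptions chosen for illustration.
class { 'libreswan':
  # The page lists no in-class defaults for these two; if your module data
  # does not supply them for the platform, set them here.
  service_name => 'ipsec',       # assumed service name
  package_name => 'libreswan',   # assumed package name

  # Outside SIMP every simp_options::* lookup falls back to false, so each
  # SIMP-managed subsystem is opted into explicitly.
  trusted_nets => ['10.10.0.0/16'],   # assumed management network
  firewall     => true,   # add rules for IPSEC traffic; only meaningful with the SIMP-controlled firewall
  pki          => true,   # manage certs with pki::copy without including simp/pki
  haveged      => true,   # ensure entropy is available before the service starts

  # Certificate validation. These are Optional[...] parameters: left at undef
  # they are omitted from ipsec.conf and libreswan's own defaults apply;
  # set here, each one is written into ipsec.conf.
  strictcrlpolicy  => 'yes',
  crlcheckinterval => 3600,
  ocsp_enable      => 'yes',
  ocsp_strict      => 'yes',
  ocsp_uri         => 'http://ocsp.example.internal/',   # assumed responder
  ocsp_timeout     => 5,

  # Opportunistic-encryption policy lists. Assumed mapping onto libreswan's
  # policy groups (see ipsec.conf(5), "policygroups"):
  #   block_cidrs         -> block            never communicate
  #   clear_cidrs         -> clear            always cleartext
  #   clear_private_cidrs -> clear-or-private cleartext unless the peer initiates IPSEC
  #   private_cidrs       -> private          IPSEC required, fail closed
  #   private_clear_cidrs -> private-or-clear try IPSEC, fall back to cleartext
  block_cidrs         => ['192.0.2.0/24'],     # assumed: quarantined range
  clear_cidrs         => ['10.10.255.0/24'],   # assumed: NTP/monitoring, must stay reachable
  private_cidrs       => ['10.20.0.0/16'],     # assumed: database tier, encryption mandatory
  private_clear_cidrs => ['0.0.0.0/0'],        # everything else: encrypt when possible

  # Logging: pluto output to its own file, timestamped and appended.
  logfile   => '/var/log/pluto.log',   # assumed path
  logtime   => 'yes',
  logappend => 'yes',
}
```

The point of the split between `private_cidrs` and `private_clear_cidrs` is fail-closed versus fail-open: a host in a `private` range that cannot negotiate IPSEC becomes unreachable, while a host in `private-or-clear` silently falls back to cleartext. Put anything whose confidentiality actually matters in `private_cidrs`, and keep the infrastructure you need even when IKE is broken (time, monitoring, the Puppet server itself) in `clear_cidrs` so a PKI or OCSP outage cannot lock the node out of management.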

See Also:

Author:



# File 'manifests/init.pp', line 136

class libreswan (
  String                                 $service_name,
  String                                 $package_name,
  Simplib::Netlist                       $trusted_nets        = simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] }),
  Boolean                                $firewall            = simplib::lookup('simp_options::firewall', {'default_value' => false }),
  Boolean                                $fips                = simplib::lookup('simp_options::fips', {'default_value' => false }),
  Variant[Boolean,Enum['simp']]          $pki                 = simplib::lookup('simp_options::pki', {'default_value' => false }),
  Boolean                                $haveged             = simplib::lookup('simp_options::haveged', {'default_value' => false }),
  String                                 $nssdb_password      = simplib::passgen('nssdb_password'),
  # Possible Values in ipsec.conf file
  Optional[String]                       $myid                = undef,
  Enum['netkey','klips','mast']          $protostack          = 'netkey',
  Optional[Libreswan::Interfaces]        $interfaces          = undef,
  Optional[Simplib::IP]                  $listen              = undef,
  Simplib::Port                          $ikeport             = 500,
  Optional[Integer]                      $nflog_all           = undef,
  Simplib::Port                          $nat_ikeport         = 4500,
  Optional[Integer]                      $keep_alive          = undef,
  Libreswan::VirtualPrivate              $virtual_private     = ['%v4:10.0.0.0/8','%v4:192.168.0.0/16','%v4:172.16.0.0/12'],
  Optional[String]                       $myvendorid          = undef,
  Optional[Integer]                      $nhelpers            = undef,
  Optional[Enum['yes','no']]             $plutofork           = undef,
  Optional[Integer]                      $crlcheckinterval    = undef,
  Optional[Enum['yes','no']]             $strictcrlpolicy     = undef,
  Optional[Enum['yes','no']]             $ocsp_enable         = undef,
  Optional[Enum['yes','no']]             $ocsp_strict         = undef,
  Optional[Integer]                      $ocsp_timeout        = undef,
  Optional[Simplib::Uri]                 $ocsp_uri            = undef,
  Optional[String]                       $ocsp_trustname      = undef,
  Optional[String]                       $syslog              = undef,
  String                                 $klipsdebug          = 'none',
  String                                 $plutodebug          = 'none',
  Optional[Enum['yes','no']]             $uniqueids           = undef,
  Optional[Enum['yes','no']]             $plutorestartoncrash = undef,
  Optional[Stdlib::Absolutepath]         $logfile             = undef,
  Optional[Enum['yes','no']]             $logappend           = undef,
  Optional[Enum['yes','no']]             $logtime             = undef,
  Optional[Enum['busy',
    'unlimited','auto']]                 $ddos_mode           = undef,
  Optional[Integer]                      $ddos_ike_treshold   = undef,  # incorrect spelling in libreswan 3.1.5 source code verified
  Stdlib::Absolutepath                   $dumpdir             = '/var/run/pluto',
  Optional[String]                       $statsbin            = undef,
  Stdlib::Absolutepath                   $ipsecdir            = '/etc/ipsec.d',
  Stdlib::Absolutepath                   $secretsfile         = '/etc/ipsec.secrets',
  Optional[Enum['yes','no']]             $perpeerlog          = undef,
  Stdlib::Absolutepath                   $perpeerlogdir       = '/var/log/pluto/peer',
  Optional[Enum['yes','no']]             $fragicmp            = undef,
  Optional[Enum['yes','no']]             $hidetos             = undef,
  Optional[Integer]                      $overridemtu         = undef,
  Optional[Array[Simplib::IP::V4::CIDR]] $block_cidrs         = undef,
  Optional[Array[Simplib::IP::V4::CIDR]] $clear_cidrs         = undef,
  Optional[Array[Simplib::IP::V4::CIDR]] $clear_private_cidrs = undef,
  Optional[Array[Simplib::IP::V4::CIDR]] $private_cidrs       = undef,
  Optional[Array[Simplib::IP::V4::CIDR]] $private_clear_cidrs = ['0.0.0.0/0']

) {

  simplib::assert_metadata($module_name)

  # Select the NSS database token; the FIPS token is used when either the
  # class parameter or the fips_enabled fact says the host is in FIPS mode.
  if $fips or $facts['fips_enabled'] {
    $token = 'NSS FIPS 140-2 Certificate DB'
  }
  else {
    $token = 'NSS Certificate DB'
  }

  if $haveged {
    include 'haveged'

    Class[ 'haveged' ] -> Class[ 'libreswan::service' ]
  }

  $nsspassword = "${ipsecdir}/nsspassword"

  contain 'libreswan::install'
  contain 'libreswan::config'
  contain 'libreswan::service'

  Class[ 'libreswan::install' ] -> Class[ 'libreswan::config'  ]
  Class[ 'libreswan::config'  ] ~> Class[ 'libreswan::service' ]

  if $firewall {
    contain 'libreswan::config::firewall'

    Class[ 'libreswan::config::firewall' ] ~> Class[ 'libreswan::service'  ]
  }

  if $pki {
    contain 'libreswan::config::pki'
    contain 'libreswan::config::pki::nsspki'

    Class[ 'libreswan::config::pki' ] ~> Class[ 'libreswan::config::pki::nsspki' ]
    Class[ 'libreswan::config::pki::nsspki' ] ~> Class[ 'libreswan::service' ]
  }
}