Skip to content

MinionsCloud/ansible-ipsec

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
group_vars
group_vars
 
 
templates
templates
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
inventory
inventory
 
 
manual.yml
manual.yml
 
 
racoon.yml
racoon.yml
 
 

Repository files navigation

Securing cloud servers with IPSec and Ansible

This set of Ansible templates is an example how IPSec suite of protocols can be used to simplify transport security in networks of Linux-based cloud servers. It's not ready to use, drop-in Ansible plugin, more of a template, but should be relatively easy to adapt to a network of any complexity.

The repository contains two git branches: master which only produces local configuration files with lots of debugging output (including plaintext secrets) without atually touching any of the remote servers listed in the example inventory. It's safe to run even in the local repo. The prod branch will actually install configuration files on remote servers, restart services etc and it won't work unmodified on your network.

My article Securing cloud servers with IPSec and Ansible discusses this setup in more details.

Quick start (Racoon)

  • Make sure you have Ansible installed (pip install ansible or your Linux distro's equivalent)
  • Checkout the repo:
    git checkout https://github.com/kravietz/ansible-ipsec.git
  • Run the racoon.yml playbook to generate Racoon configuration files for IKE-managed IPSec coniguration:
    cd ansible-ipsec
    ansible-playbook -i inventory racoon.yml

The files will generated into the output/racoon directory, just as if they would be placed in /etc. The following files will be produced:

    output/racoon/web1/racoon/racoon.conf
    output/racoon/web1/racoon/pks.txt
    output/racoon/web1/ipsec-tools.conf
    output/racoon/web2... etc

If you now switch to the prod branch (git checkout prod) and run the same play, it will actually deploy these files to /etc on servers listed in inventory. It won't work out of the box obviously, as the example inventory has hardcoded dummy IP addresses. The prod mode templates will install the configuration files in /etc as well as restart racoon and setkey services. It is also expected that the hostnames in inventory are working SSH aliases in production mode.

Quick start (manual keying)

Run the manual.yml playbook to generate manual-keyed IPSec configuration:

    ansible-playbook -i inventory manual.yml

The files will be found in output/manual directory:

    output/manual/web1/ipsec-tools.conf
    output/manual/web1/ipsec-tools.d/web2
    output/manual/web1/ipsec-tools.d/web3... etc
    output/manual/web2... etc

For manually-keyed configuration the templates will be saved in ipsec-tools.d subdirectory, one file for each remote server, to keep them small and more readable. The prod mode here works just as in the Racoon mode, except that Racoon configuration files and racoon service are not changed.

Production mode

If you now switch to the prod branch (git checkout prod) and run the same playfiles as above, it will actually deploy the generated files to /etc on servers listed in the inventory as well as restart racoon and setkey services (this will be the moment of truth). It is also expected that the hostnames in inventory are working SSH aliases in production mode. The templates will use default IPv4 addresses of each of the listed hosts.

About

IPSec configuration generator for Ansible

ipsec.pl/ipsec/2015/securing-cloud-servers-ipsec-and-ansible.html

Resources

Readme

License

GPL-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published