Forge Home


Setting IPSec up using Strongswan


7,116 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.4 (latest)
  • 0.1.3
  • 0.1.2
released Apr 4th 2018
This version is compatible with:
  • Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7.0 < 6.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'trepasi-ipsec', '0.1.4'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add trepasi-ipsec
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install trepasi-ipsec --version 0.1.4

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



trepasi/ipsec — version 0.1.4 Apr 4th 2018


GitHub: GitHub issues GitHub license GitHub tag

Travis-CI Build Status

Forge: Puppet Forge Puppet Forge Puppet Forge

Table of Contents

  1. Description
  2. Setup - The basics of getting started with ipsec
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


This puppet module is providing facility to install and configure ipsec settings. Currently using strongswan, it manages package installation, the contents of configuration files ipsec.secrets and ipsec.conf and controlling the service itself in order to reload configurations after changes. The module is designed to be fully configurable through parameter lookup, but it also allowes you to manage configuration artefacts via resource instances.


Beginning with ipsec

The very basic steps needed for a user to get the module up and running. This can include setup steps, if necessary, or it can be an example of the most basic use of the module.


To get startet with this module, simply include the module into your puppet manifest. Passing parameter values may happen by direct assignment or preferably via lookup.

include ipsec

The module will install strongswan on the affected nodes and care about the service to be enabled.

Defining secrets

To add your secrets to the ipsec.secrets file, there are two options. Passing the actual secrets to the module via ipsec::secrets parameter or adding includes to the secrets file and file the secrets through other tools.

  - selector: ''
      type: PSK
      passphrase: 'asdf1234'
  - selector: ''
      type: RSA
      private_key_file: '/etc/ipsec.d/private/host-a.key'
      prompt: true
  - selector: ''
      type: RSA
      private_key_file: '/etc/ipsec.d/private/host-b.key'
      passphrase: 'asdf1234'
  - secret:
      type: RSA
      private_key_file: '/etc/ipsec.d/private/host-def.key'
  - secret:
      type: PIN
      slotnr: 1
      keyid: 50
      pin: 1234
  - secret:
      type: PIN
      slotnr: 1
      module: opensc
      keyid: 45
      prompt: true

Note, that non of the above used secrets (passphrase or pin fields) are treated as sensitive content.

The other option is to use parameter ipsec::secret_includes to include files.

  - '/var/lib/strongswan/'
  - '/etc/ipsec.d/very.secret'

Creating configuration

IPSec configuration is handled within ipsec.conf file. This consists of sections of three types. All sections can be handled via ipsec::conf parameter. The setup secion is a singleton section, therefore it is handled only via the conf parameter.

Setup section

The hash passed in through ipsec::conf['setup'] is placed as key-value pairs into the setup section of the ipsec.conf file.

Authority sections

The ipsec.conf file may contain multiple ca sections each configuring a certification authority. These section may be created via ipsec::conf['authorities'] parameter.

      auto: add
      cacert: '/etc/ssl/certs/myca.pem'
      crluri: 'file:///etc/ssl/crls/myca_crl.pem'

Alternatively, ca sections can be created by resource instances of type ipsec::conf::ca.

ipsec::conf::ca { 'myca':
  auto   => 'add',
  cacert => '/etc/ssl/certs/myca.pem',
  crluri => 'file:///etc/ssl/crls/myca_crl.pem'

Connection sections

Connections sections are created similar to authority sections. Resource instances of ipsec::conf::conn are created automatically from ipsec::conf['connections'] hash parameter, or may be created directly within your puppet code.

      type: transport
      left: %any
      leftcert: hostcert.pem
      rightid: %any
      auto: route
ipsec::conf::conn { 'test':
  type     => 'transport',
  left     => '%any'
  leftcert => 'hostcert.pem',
  right    => '',
  rightid  => '%any',
  auto     => 'route',


  • Reference documentation is created by Puppet Strings code comments, and published as gh_pages at [].

Data types

The module introduces some custom data types, which are not contained in the above reference.


Represents a time value as used in Strongswan configuration. Consisting eighter of an integer or one or more numerals followed by an optional suffix, which designate the dimensions of seconds (s), minutes (m), hours (h) or days (d).

type Ipsec::Time = Variant[Integer,Pattern[/^[0-9]+[smhd]?$/]]


The custom data structure to handle different types of secrets configuration for Strongswan is a bit more complex. It consists of an optional selector and a secret, which is a varian of some sub-types. The outer structure is defined as

type Ipsec::Secret = Struct[{
  selector => Optional[Pattern[/[^:]*/]],
  secret   => Variant[

Each sub-type does have a mandatory field named type, which may decide on the applicability of the particular type.


The custom type for shared secrets is handling types PSK, EAP and XAUTH and storing the passphrase as string.

type Ipsec::Secret::Shared = Struct[{
  type       => Enum['PSK','EAP','XAUTH'],
  passphrase => String,

Note! The passphrase is not treated as sensitive data. Use this feature of the module with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret passphrase.


Private key type secrets has one of types RSA, ECDSA or P12. All Privkey secrets does need a private_key_file pointing to the file path the secret key is found. It the private key needs to be unlocked, a passphrase may be filed or the prompt option enabled.

type Ipsec::Secret::Privkey = Struct[{
  type             => Enum['RSA','ECDSA','P12'],
  private_key_file => String,
  prompt           => Optional[Boolean],
  passphrase       => Optional[String],

Note! The passphrase is not treated as sensitive data. Use this feature with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret passphrase.


Smartcard based authentication is supported by a secret with type PIN, which mandatory takes a keyid parameter, and optional the slotnr, module name. If the card needs to be unlocked, a pin may be filed or the prompt option enabled.

type Ipsec::Secret::Smartcard = Struct[{
  type   => Enum['PIN'],
  slotnr => Optional[Integer],
  module => Optional[String],
  keyid  => Integer,
  pin    => Optional[Integer],
  prompt => Optional[Boolean],

Note! The pin is not treated as sensitive data. Use this feature with care, only in the case no other solution is possible. The secrets_include parameter is providing feature to ipsec.secrets which may support other solutions for handling secret pin.


The module is currently tested for a few OS distributions only and needs contribution to be ported and tested on others. There are features Strongswan is providing but cannot be configured with this module, e.g. NTLM based authentication. Feel free to contribute missing features.


Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. Please follow the usual guidelines when contributing changes.

  1. fork the repository on GitHub
  2. make your improvements, preferably to a feature branch
  3. rebase your changes to the head of the master branch
  4. squash your changes into a single commit
  5. file a pull request and check the result of Travis-CI tests


If you like this project feel free to support via Bitcoin BitCoin Wallet 1GYq2ycFk3gXdQ2dn6V8YARFL52mVi3Wtj