Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-libreswan', '3.10.0'
Table of Contents
- Overview
- This is a SIMP module
- Module Description
- Beginning with ipsec
- Setup
- Reference
- Development
Overview
This module installs and configures Libreswan, an implementation of the IPSEC VPN protocols, including IKE.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please see the parameters mapped to simp_options::* items in init.pp for details.
Module Description
This module installs the libreswan IPSEC service. IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services.
This module installs the most recently RedHat approved version of libreswan, currently 3.15. It will configure the IPSEC daemon using the most up to date defaults and, if you are using SIMP, manage your certificates. Connections can be managed through the puppet modules or by hand.
Beginning with ipsec
Before installing pupmod-simp-libreswan, make sure you read the libreswan documentation thoroughly.
After reading the introduction, select the Main Wiki Page link to get to the user documentation.
- All ipsec.conf options can be found in ipsec.conf(5).
Setup
- Ensure the libreswan and NSS packages are available.
Defaults
- IPSEC configuration file: /etc/ipsec.conf
- Configuration directory: /etc/ipsec.d/
- NSS database (containing peer certs and the CA): /etc/ipsec.d/[key4.db,cert9.db,pkcs11.txt]
- Policy files (clear, private): /etc/ipsec.d/policies/
- Secrets files (secret or key used by ipsec): /etc/ipsec.d/*.secrets
- Connection files (tunnel configurations): /etc/ipsec.d/*.conf
- Log file: /var/log/secure
- Libreswan starts an "ipsec" service, but it is listed as "pluto" in the process list.
Configure the IPSEC service
Add the following to hiera:
---
simp_options::pki: true
simp_options::trusted_nets: <desired client nets>
classes:
- 'libreswan'
Make sure that you have all Certificate Authorities needed loaded into SIMP. If the side you are connecting to uses a different CA from yours, make sure you load their CA into your CA listing in PKI. (See the SIMP documentation to see how to do this.)
You can verify the contents of the NSS database with:
certutil -L -d sql:/etc/ipsec.d/
Setting up an IPSEC connection
To add a connection via puppet, create a definition file under the site manifest. A simple host-to-host VPN tunnel example is given here, named ipsec_tunnel.pp:
class site::ipsec_tunnel {
  include 'libreswan'

  # Connection-wide defaults, written to default.conf under a 'conn %default' header
  libreswan::connection { 'default':
    leftcert      => $facts['fqdn'],
    left          => $facts['ipaddress'],
    leftrsasigkey => '%cert',
    leftsendcert  => 'always',
    authby        => 'rsasig',
  }

  # The tunnel itself, written to outgoing.conf
  libreswan::connection { 'outgoing':
    right          => '<the IP Address of the client you are connecting to.>',
    rightrsasigkey => '%cert',
    notify         => Service['ipsec'],
    auto           => 'start',
  }
}
This will add two files to the ipsec directory, default.conf and outgoing.conf. These are the connection files that will be used by the libreswan daemon.
NOTE: If you delete a connection from the site manifest, it will not delete it from the directory automatically.
Reference
See REFERENCE.md
Development
Please read our Contribution Guide.
Unit tests
Unit tests, written in rspec-puppet, can be run by calling:
bundle exec rake spec
Acceptance tests
To run the system tests, you need Vagrant installed. Then, run:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the STU and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- libreswan: Installs and configures libreswan to provide IPSEC capabilities.
- libreswan::config: Configures ipsec.conf and necessary directories.
- libreswan::config::firewall: Ensures that the required firewall rules are defined.
- libreswan::config::pki: Ensures that the simp/pki PKI certificates are loaded into the IPSEC NSS database.
- libreswan::config::pki::nsspki: Ensures that the PKI certificates are loaded into the NSS database used by the IPSEC process.
- libreswan::install: Installs the appropriate packages.
- libreswan::service: Ensures that the appropriate services are running.
Defined types
- libreswan::connection: Creates a connection file in the IPSEC configuration directory.
- libreswan::nss::init_db: Initializes the NSS database, sets the correct password, and configures FIPS if necessary.
- libreswan::nss::loadcacerts: Adds the CA certificates to the NSS trust store.
- libreswan::nss::loadcerts: Loads a server certificate into the NSS database.
Data types
- Libreswan::ConnAddr: Valid libreswan connection addresses.
- Libreswan::IP::V4::VirtualPrivate: Matches valid IPv4 CIDR mask addresses (base regex taken from Ruby core's Resolv::IPv4::Regex).
- Libreswan::IP::V6::VirtualPrivate: Matches valid IPv6 CIDR mask addresses (base regex taken from Ruby core's Resolv::IPv6::Regex).
- Libreswan::Interfaces: Valid libreswan interfaces.
- Libreswan::VirtualPrivate: Valid virtual private addresses.
Classes
libreswan
It is very important you read the documentation that comes with libreswan before attempting to use this module.
This module is designed to install and configure system IPSEC capabilities using libreswan. It will also configure and maintain the NSS database used by libreswan if you have chosen to let SIMP manage your PKI certificates.
To add and start tunnels that will be managed by libreswan, see the libreswan::connection defined type.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default, and must be explicitly opted into by administrators. Please review items referring to simp_options::* for additional information.
- See the libreswan documentation https://libreswan.org/man/ipsec.conf.5.html for more information regarding these variables.
- Any variable set to undef will not appear in the configuration file and will default to the value set by libreswan. Those set will appear in the configuration file but can be overwritten using Hiera.
Parameters
The following parameters are available in the libreswan class:
service_name
package_name
trusted_nets
firewall
fips
pki
haveged
nssdb_password
myid
protostack
interfaces
listen
ikeport
nflog_all
nat_ikeport
keep_alive
virtual_private
myvendorid
nhelpers
plutofork
crlcheckinterval
strictcrlpolicy
ocsp_enable
ocsp_strict
ocsp_timeout
ocsp_uri
ocsp_trustname
syslog
klipsdebug
plutodebug
uniqueids
plutorestartoncrash
logfile
logappend
logtime
ddos_mode
ddos_ike_treshold
dumpdir
statsbin
ipsecdir
secretsfile
perpeerlog
perpeerlogdir
fragicmp
hidetos
overridemtu
block_cidrs
clear_cidrs
clear_private_cidrs
private_cidrs
private_clear_cidrs
service_name
Data type: String
The name of the IPSEC service.
package_name
Data type: String
The name of the libreswan package.
trusted_nets
Data type: Simplib::Netlist
An allowed set of subnetworks (in CIDR notation) with permitted access explicitly for IPSEC communication
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })
firewall
Data type: Boolean
Whether to add appropriate rules to allow IPSEC traffic to the SIMP-controlled firewall
Default value: simplib::lookup('simp_options::firewall', {'default_value' => false })
fips
Data type: Boolean
Whether server is in FIPS mode.
- Affects cryptography allowed to be used by IPSEC.
Default value: simplib::lookup('simp_options::fips', {'default_value' => false })
pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include simp/pki and use pki::copy to manage application certs in /etc/pki/simp_apps/libreswan/x509
- If true, do not include simp/pki, but still use pki::copy to manage certs in /etc/pki/simp_apps/libreswan/x509
- If false, do not include simp/pki and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', {'default_value' => false })
haveged
Data type: Boolean
Whether to use haveged to ensure adequate entropy
Default value: simplib::lookup('simp_options::haveged', {'default_value' => false })
nssdb_password
Data type: String
Password for the NSS database used by ipsec
Default value: simplib::passgen('nssdb_password')
myid
Data type: Optional[String]
Default value: undef
protostack
Data type: Enum['netkey','klips','mast']
Default value: 'netkey'
interfaces
Data type: Optional[Libreswan::Interfaces]
Default value: undef
listen
Data type: Optional[Simplib::IP]
Default value: undef
ikeport
Data type: Simplib::Port
DEPRECATED
Default value: 500
nflog_all
Data type: Optional[Integer]
Default value: undef
nat_ikeport
Data type: Simplib::Port
DEPRECATED
Default value: 4500
keep_alive
Data type: Optional[Integer]
Default value: undef
virtual_private
Data type: Libreswan::VirtualPrivate
Default value: ['%v4:10.0.0.0/8','%v4:192.168.0.0/16','%v4:172.16.0.0/12']
myvendorid
Data type: Optional[String]
Default value: undef
nhelpers
Data type: Optional[Integer]
Default value: undef
plutofork
Data type: Optional[Enum['yes','no']]
Default value: undef
crlcheckinterval
Data type: Optional[Integer]
Default value: undef
strictcrlpolicy
Data type: Optional[Enum['yes','no']]
Default value: undef
ocsp_enable
Data type: Optional[Enum['yes','no']]
Default value: undef
ocsp_strict
Data type: Optional[Enum['yes','no']]
Default value: undef
ocsp_timeout
Data type: Optional[Integer]
Default value: undef
ocsp_uri
Data type: Optional[Simplib::Uri]
Default value: undef
ocsp_trustname
Data type: Optional[String]
Default value: undef
syslog
Data type: Optional[String]
Default value: undef
klipsdebug
Data type: String
DEPRECATED
Default value: 'none'
plutodebug
Data type: String
Default value: 'none'
uniqueids
Data type: Optional[Enum['yes','no']]
Default value: undef
plutorestartoncrash
Data type: Optional[Enum['yes','no']]
Default value: undef
logfile
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
logappend
Data type: Optional[Enum['yes','no']]
Default value: undef
logtime
Data type: Optional[Enum['yes','no']]
Default value: undef
ddos_mode
Data type: Optional[Enum['busy','unlimited','auto']]
Default value: undef
ddos_ike_treshold
Data type: Optional[Integer]
Default value: undef
dumpdir
Data type: Stdlib::Absolutepath
Default value: '/var/run/pluto'
statsbin
Data type: Optional[String]
Default value: undef
ipsecdir
Data type: Stdlib::Absolutepath
The directory to store all ipsec configuration information.
Default value: '/etc/ipsec.d'
secretsfile
Data type: Stdlib::Absolutepath
Default value: '/etc/ipsec.secrets'
perpeerlog
Data type: Optional[Enum['yes','no']]
DEPRECATED
Default value: undef
perpeerlogdir
Data type: Stdlib::Absolutepath
DEPRECATED
Default value: '/var/log/pluto/peer'
fragicmp
Data type: Optional[Enum['yes','no']]
Default value: undef
hidetos
Data type: Optional[Enum['yes','no']]
Default value: undef
overridemtu
Data type: Optional[Integer]
Default value: undef
block_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should never be allowed
Default value: undef
clear_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should always be in the clear
Default value: undef
clear_private_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication will be in the clear, or, if the other side initiates IPSEC, use encryption
Default value: undef
private_cidrs
Data type: Optional[Array[Simplib::IP::V4::CIDR]]
List of CIDRs to which communication should always be private
Default value: undef
private_clear_cidrs
Data type: Array[Simplib::IP::V4::CIDR]
List of CIDRs to which communication should be private if possible but in the clear otherwise
Default value: ['0.0.0.0/0']
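As an added example that is not part of the module's own README or REFERENCE, the manifest below declares the libreswan class directly instead of through Hiera and sets the class parameters documented above: trusted networks, firewall management, the per-policy CIDR lists (which the Defaults section says end up under /etc/ipsec.d/policies/), and CRL enforcement. The class name site::ipsec_policy and every address in it are constructed placeholders; which parameters are worth pinning is a design choice, not something the reference prescribes.

```puppet
# Added example, not the module's own code. All CIDRs are constructed placeholders.
class site::ipsec_policy {
  class { 'libreswan':
    # Hosts allowed to talk IKE/ESP to this node (Simplib::Netlist)
    trusted_nets        => ['10.1.0.0/24', '10.2.0.0/24'],
    # Let the module manage the matching rules in the SIMP-controlled firewall
    firewall            => true,
    # Let simp/pki place the host cert and CA into /etc/pki/simp_apps/libreswan/x509
    pki                 => 'simp',

    # Opportunistic-encryption policy lists (see block_cidrs .. private_clear_cidrs above):
    private_cidrs       => ['10.2.0.0/24'],     # traffic here must be encrypted
    clear_cidrs         => ['10.1.0.53/32'],    # e.g. a local resolver, always in the clear
    block_cidrs         => ['198.51.100.0/24'], # never reachable at all
    private_clear_cidrs => ['0.0.0.0/0'],       # the documented default, restated for clarity

    # Revocation checking: refuse peers whose CRL cannot be evaluated, refresh hourly
    strictcrlpolicy     => 'yes',
    crlcheckinterval    => 3600,
    # Everything left undef stays out of ipsec.conf and falls back to libreswan's defaults
  }
}
```

Because the more specific private and clear lists win over the catch-all private_clear_cidrs entry, the result is "encrypt to the remote site, never encrypt to the resolver, drop the blocked range, and opportunistically encrypt everything else", which is a sensible baseline to review before adding per-connection files.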
libreswan::config
Configures ipsec.conf and necessary directories.
libreswan::config::firewall
Ensures that the required firewall rules are defined
libreswan::config::pki
Ensure that the simp/pki PKI certificates are loaded into the IPSEC NSS Database.
Parameters
The following parameters are available in the libreswan::config::pki class:
app_pki_external_source
Data type: String
- If $pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy.
- If $pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
Controls the base path of the other app_pki_* parameters.
Default value: '/etc/pki/simp_apps/libreswan/x509'
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"
app_pki_ca
Data type: Stdlib::Absolutepath
Path and name of the CA.
Default value: "${app_pki_dir}/cacerts/cacerts.pem"
libreswan::config::pki::nsspki
Called when the certificates change or when the database is initialized.
Parameters
The following parameters are available in the libreswan::config::pki::nsspki class:
certname
Data type: String[1]
The name of the certificate to be used
Default value: $facts['networking']['fqdn']
libreswan::install
Installs the appropriate packages.
libreswan::service
Ensure that the appropriate services are running.
Defined types
libreswan::connection
You can set up defaults for all of your connections by using the name 'default'. This will create a file default.conf with a 'conn %default' header. Then, all settings in default.conf will be used as defaults for connections specified in other files.
Not all available, connection-related, libreswan settings are defined here. However, should you need a missing setting you can manually create a correctly-formatted, connection configuration file in the IPSEC configuration directory. This file must have a .conf suffix.
- Manually generated configuration files are not managed, or purged, by Puppet.
The following parameters correspond to libreswan settings for which the default values are different from the libreswan defaults. You can override the defaults by passing in different data in the definition parameters.
The rest of the parameters map one-to-one to libreswan settings and are undef.
Any undef parameter will not appear in the generated configuration file for the connection. See the libreswan documentation for the setting defaults when omitted from a connection's configuration: https://libreswan.org/man/ipsec.conf.5.html, the CONN:SETTINGS section.
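The README's "Setting up an IPSEC connection" section shows a host-to-host tunnel; the following added example (not code from the module itself) builds on that and on the 'default' convention described above to declare a subnet-to-subnet tunnel that insists on IKEv2 and enables dead-peer detection, using only parameters listed for this defined type. The class name site::ipsec_site_to_site, the peer address 192.0.2.10 and both subnets are constructed placeholders, and $facts['networking']['ip'] is assumed to hold the local address.

```puppet
# Added example, not the module's own code. Addresses are constructed placeholders.
class site::ipsec_site_to_site {
  include 'libreswan'

  # Written to default.conf under a 'conn %default' header; every other
  # connection file inherits these unless it overrides them.
  libreswan::connection { 'default':
    leftcert       => $facts['networking']['fqdn'],
    left           => $facts['networking']['ip'],   # assumed local address fact
    leftrsasigkey  => '%cert',
    leftsendcert   => 'always',
    rightrsasigkey => '%cert',
    authby         => 'rsasig',
    ikev2          => 'insist',   # never negotiate IKEv1 with any peer
  }

  # Written to branch.conf. Only the parameters set here appear in the file;
  # anything left undef falls back to default.conf and then to libreswan.
  libreswan::connection { 'branch':
    right       => '192.0.2.10',    # constructed peer gateway address
    leftsubnet  => '10.1.0.0/24',   # constructed local network behind this host
    rightsubnet => '10.2.0.0/24',   # constructed network behind the peer
    type        => 'tunnel',
    # Dead-peer detection: probe every 30s, declare the peer dead after 120s,
    # then tear down and re-establish the SA rather than leaving it half-open.
    dpddelay    => '30s',
    dpdtimeout  => '120s',
    dpdaction   => 'restart',
    auto        => 'start',
    notify      => Service['ipsec'],
  }
}
```

Keeping the authentication settings in the 'default' connection and only the peer-specific addressing in each named connection keeps every tunnel on the same certificate-based, IKEv2-only footing; the dpd* values must match the Pattern[/\d+[smh]$/] constraint shown below, so a bare integer such as 30 would be rejected at catalog compilation.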
Parameters
The following parameters are available in the libreswan::connection defined type:
dir
keyingtries
ike
phase2alg
left
right
connaddrfamily
leftaddresspool
leftsubnet
leftsubnets
leftprotoport
leftsourceip
leftupdown
leftcert
leftrsasigkey
leftrsasigkey2
leftsendcert
leftnexthop
leftid
leftca
rightid
rightrsasigkey
rightrsasigkey2
rightca
rightaddresspool
rightsubnets
rightsubnet
rightprotoport
rightsourceip
rightupdown
rightcert
rightsendcert
rightnexthop
auto
authby
type
ikev2
mobike
phase2
ikepad
fragmentation
sha2_truncbug
narrowing
sareftrack
leftxauthserver
rightxauthserver
leftxauthusername
rightxauthusername
leftxauthclient
rightxauthclient
leftmodecfgserver
rightmodecfgserver
leftmodecfgclient
rightmodecfgclient
xauthby
xauthfail
modecfgpull
modecfgdns
modecfgdns1
modecfgdns2
modecfgdomain
modecfgdomains
modecfgbanner
nat_ikev1_method
dpddelay
dpdtimeout
dpdaction
dir
Data type: Stdlib::Absolutepath
The absolute path to the IPSEC configuration directory.
Default value: '/etc/ipsec.d'
keyingtries
Data type: Integer
The number of times a connection will try to reconnect before exiting.
Default value: 10
ike
Data type: String
The ciphers used in the connection.
Default value: 'aes-sha2'
phase2alg
Data type: String
The ciphers used in the second part of the connection.
Default value: 'aes-sha2'
left
Data type: Optional[Libreswan::ConnAddr]
Default value: undef
right
Data type: Optional[Libreswan::ConnAddr]
Default value: undef
connaddrfamily
Data type: Optional[Enum['ipv4','ipv6']]
Default value: undef
leftaddresspool
Data type: Optional[Array[Simplib::IP,2,2]]
Default value: undef
leftsubnet
Data type: Optional[Variant[Enum['%no','%priv'], Pattern['^vhost:*'], Pattern['^vnet:*'], Simplib::IP::CIDR]]
Default value: undef
leftsubnets
Data type: Optional[Array[Simplib::IP::CIDR]]
Default value: undef
leftprotoport
Data type: Optional[String]
Default value: undef
leftsourceip
Data type: Optional[Simplib::IP]
Default value: undef
leftupdown
Data type: Optional[String]
Default value: undef
leftcert
Data type: Optional[String]
Default value: undef
leftrsasigkey
Data type: Optional[String]
Default value: undef
leftrsasigkey2
Data type: Optional[String]
Default value: undef
leftsendcert
Data type: Optional[Enum['yes', 'no', 'never','always','sendifasked']]
Default value: undef
leftnexthop
Data type: Optional[Variant[Enum['%direct','%defaultroute'], Simplib::IP]]
Default value: undef
leftid
Data type: Optional[String]
Default value: undef
leftca
Data type: Optional[String]
Default value: undef
rightid
Data type: Optional[String]
Default value: undef
rightrsasigkey
Data type: Optional[String]
Default value: undef
rightrsasigkey2
Data type: Optional[String]
Default value: undef
rightca
Data type: Optional[String]
Default value: undef
rightaddresspool
Data type: Optional[Array[Simplib::IP,2,2]]
Default value: undef
rightsubnets
Data type: Optional[Array[Simplib::IP::CIDR]]
Default value: undef
rightsubnet
Data type: Optional[Variant[Enum['%no','%priv'], Pattern['^vhost:*'], Pattern['^vnet:*'], Simplib::IP::CIDR]]
Default value: undef
rightprotoport
Data type: Optional[String]
Default value: undef
rightsourceip
Data type: Optional[Simplib::IP]
Default value: undef
rightupdown
Data type: Optional[String]
Default value: undef
rightcert
Data type: Optional[String]
Default value: undef
rightsendcert
Data type: Optional[Enum['yes', 'no', 'never','always','sendifasked']]
Default value: undef
rightnexthop
Data type: Optional[Variant[Enum['%direct','%defaultroute'], Simplib::IP]]
Default value: undef
auto
Data type: Optional[Enum['add','start', 'ondemand', 'ignore']]
Default value: undef
authby
Data type: Optional[Enum['rsasig','secret', 'secret|rsasig', 'never', 'null']]
Default value: undef
type
Data type: Optional[Enum['tunnel','transport', 'passthough','reject','drop']]
Default value: undef
ikev2
Data type: Optional[Enum['insist','permit', 'propose','never','yes', 'no']]
Default value: undef
mobike
Data type: Optional[Enum['yes', 'no']]
Default value: undef
phase2
Data type: Optional[Enum['esp', 'ah']]
Default value: undef
ikepad
Data type: Optional[Enum['yes','no']]
Default value: undef
fragmentation
Data type: Optional[Enum['yes','no','force']]
Default value: undef
sha2_truncbug
Data type: Optional[Enum['yes','no']]
Default value: undef
narrowing
Data type: Optional[Enum['yes','no']]
Default value: undef
sareftrack
Data type: Optional[Enum['yes','no', 'conntrack']]
Default value: undef
leftxauthserver
Data type: Optional[Enum['yes','no']]
Default value: undef
rightxauthserver
Data type: Optional[Enum['yes','no']]
Default value: undef
leftxauthusername
Data type: Optional[String]
Default value: undef
rightxauthusername
Data type: Optional[String]
Default value: undef
leftxauthclient
Data type: Optional[Enum['yes','no']]
Default value: undef
rightxauthclient
Data type: Optional[Enum['yes','no']]
Default value: undef
leftmodecfgserver
Data type: Optional[Enum['yes','no']]
Default value: undef
rightmodecfgserver
Data type: Optional[Enum['yes','no']]
Default value: undef
leftmodecfgclient
Data type: Optional[Enum['yes','no']]
Default value: undef
rightmodecfgclient
Data type: Optional[Enum['yes','no']]
Default value: undef
xauthby
Data type: Optional[Enum['file','pam', 'alwaysok']]
Default value: undef
xauthfail
Data type: Optional[Enum['hard','soft']]
Default value: undef
modecfgpull
Data type: Optional[Enum['yes','no']]
Default value: undef
modecfgdns
Data type: Optional[Array[Simplib::IP]]
Support 3.23+ DNS configuration
Default value: undef
modecfgdns1
Data type: Optional[Simplib::IP]
Support <= 3.22 domain configuration
Default value: undef
modecfgdns2
Data type: Optional[Simplib::IP]
Support <= 3.22 domain configuration
Default value: undef
modecfgdomain
Data type: Optional[String]
Support <= 3.22 domain configuration
Default value: undef
modecfgdomains
Data type: Optional[Array[String]]
Support 3.23+ domains configuration
Default value: undef
modecfgbanner
Data type: Optional[String]
Default value: undef
nat_ikev1_method
Data type: Optional[Enum['drafts','rfc', 'both']]
Default value: undef
dpddelay
Data type: Optional[Pattern[/\d+[smh]$/]]
Default value: undef
dpdtimeout
Data type: Optional[Pattern[/\d+[smh]$/]]
Default value: undef
dpdaction
Data type: Optional[Enum['hold', 'clear', 'restart']]
Default value: undef
libreswan::nss::init_db
Initializes the NSS database, sets the correct password, and configures FIPS if necessary.
Parameters
The following parameters are available in the libreswan::nss::init_db defined type:
dbdir
Data type: Stdlib::Absolutepath
Directory where the NSS database will be created.
password
Data type: String
Password used to protect the database.
- Each NSS database is broken up into tokens used for different types of certificates: smart cards, FIPS compliant, non-FIPS. This util sets the FIPS and non-FIPS tokens to the same password. The tokens are defined by $libreswan::nsstoken. You can add tokens to the array if there are other parts of the database you want to protect.
destroyexisting
Data type: Boolean
If true, it will remove the existing database before running the init command.
Default value: false
fips
Data type: Boolean
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
token
Data type: String
Default value: 'NSS Certificate DB'
nsspassword
Data type: Stdlib::Absolutepath
Default value: "${dbdir}/nsspassword"
init_command
Data type: Optional[String[1]]
Command used to create the cert db.
Default value: simplib::lookup('libreswan::nss::init_db::init_command', { 'default_value' => undef })
libreswan::nss::loadcacerts
Adds the CA certificates to the NSS trust store.
Parameters
The following parameters are available in the libreswan::nss::loadcacerts defined type:
dbdir
Data type: Stdlib::Absolutepath
The directory where the DB is located
nsspwd_file
Data type: Stdlib::Absolutepath
Default value: "${dbdir}/nsspassword"
cert
Data type: Stdlib::Absolutepath
The absolute path to the public portion CA certificate.
token
Data type: String
Default value: 'NSS Certificate DB'
certtype
Data type: Enum['PEM','DER']
The format the certificate is in. PEM and DER are currently acceptable.
Default value: 'PEM'
libreswan::nss::loadcerts
Load a server certificate into the NSS database.
Parameters
The following parameters are available in the libreswan::nss::loadcerts defined type:
dbdir
Data type: Stdlib::Absolutepath
The directory where the NSS Database is located.
nsspwd_file
Data type: Stdlib::Absolutepath
The file which contains the password if there is one.
Default value: "${dbdir}/nsspassword"
cert
Data type: Stdlib::Absolutepath
The absolute path to the public portion of the cert.
token
Data type: String
Default value: 'NSS Certificate DB'
key
Data type: Optional[Stdlib::Absolutepath]
The absolute path to the private portion of the cert.
Default value: undef
certtype
Data type: Enum['PEM','P12']
The format the certificate is in.
Default value: 'PEM'
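The libreswan class's pki parameter (documented above) says that with pki set to false the module neither includes simp/pki nor copies certificates, so the NSS database has to be populated some other way. The following is an added example, not the module's own code, of doing that with the libreswan::nss::loadcacerts and libreswan::nss::loadcerts defined types just described. It assumes the NSS database in /etc/ipsec.d (the default ipsecdir) has already been initialised by the time the class has been applied, and the class name site::ipsec_external_pki and the /srv/pki paths are constructed placeholders.

```puppet
# Added example, not the module's own code. /srv/pki paths are constructed placeholders.
class site::ipsec_external_pki {
  # Keep SIMP's PKI handling out of the picture: certificates come from elsewhere
  class { 'libreswan':
    pki => false,
  }

  $nssdb = '/etc/ipsec.d'   # the module's default ipsecdir

  # Assumption: the NSS database under $nssdb already exists once the class has
  # been applied, so this only adds trust material to it. The password file
  # defaults to "${nssdb}/nsspassword" (the nsspwd_file default documented above).
  libreswan::nss::loadcacerts { 'site-ca':
    dbdir    => $nssdb,
    cert     => '/srv/pki/cacerts/site-ca.pem',   # public CA cert in PEM form
    certtype => 'PEM',
    require  => Class['libreswan'],
    notify   => Service['ipsec'],
  }

  # The host's own certificate and private key; the CA must be trusted first so
  # that the chain validates when pluto loads the cert by nickname.
  libreswan::nss::loadcerts { $facts['networking']['fqdn']:
    dbdir    => $nssdb,
    cert     => "/srv/pki/public/${facts['networking']['fqdn']}.pub",
    key      => "/srv/pki/private/${facts['networking']['fqdn']}.pem",
    certtype => 'PEM',
    require  => Libreswan::Nss::Loadcacerts['site-ca'],
    notify   => Service['ipsec'],
  }
}
```

After a run, the README's certutil -L -d sql:/etc/ipsec.d/ check should list the CA with a trust flag and the host certificate under its nickname; a host certificate that lists but has no matching key means the key file path or its permissions were wrong, which is worth checking before any connection is declared against it.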
Data types
Libreswan::ConnAddr
Valid libreswan connection addresses
Alias of
Variant[Enum[
'%any',
'%defaultroute',
'%opportunistic',
'%opportunisticgroup',
'%group'
], Simplib::IP::V4, Simplib::IP::V6, Pattern['^%[a-zA-Z]+\d+$']]
Libreswan::IP::V4::VirtualPrivate
Matches valid IPv4 CIDR Mask addresses Base Regex taken from Ruby core's Resolv::IPv4::Regex
Reference: ruby/lib/resolv.rb
Copyright 2010 Tanaka Akira kr@fsij.org Released under the guidance of the Ruby COPYING file section 2(a) Commit 4e3a98d383eb3c420df5208d83f9aba70b504e33
Alias of Pattern['^(?-mix:\A%v4:(!)?((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))\.((?x-mi:0|1(?:[0-9][0-9]?)?|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?))/(3[012]|[12][0-9]|[0-9])\z)$']
Libreswan::IP::V6::VirtualPrivate
Matches valid IPv6 CIDR Mask addresses Base Regex taken from Ruby core's Resolv::IPv6::Regex
Reference: ruby/lib/resolv.rb
Copyright 2010 Tanaka Akira kr@fsij.org Released under the guidance of the Ruby COPYING file section 2(a) Commit 4e3a98d383eb3c420df5208d83f9aba70b504e33
Alias of Pattern['^(?x-mi:(\A%v6:(!)?(?x-mi:(?:(?x-mi:(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}:){6,6})(\d+)\.(\d+)\.(\d+)\.(\d+)/(12[0-8]|1[01][0-9]|[0-9]?[0-9])\z))|(?:(?x-mi:((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}:)*)(\d+)\.(\d+)\.(\d+)\.(\d+)/(12[0-8]|1[01][0-9]|[0-9]?[0-9]))))\z))$']
Libreswan::Interfaces
Valid libreswan interfaces
Alias of
Array[Variant[
Enum['%none','%defaultroute'],
Pattern['(\w+=\w+)']
]]
Libreswan::VirtualPrivate
Valid virtual private addresses
Alias of
Array[Variant[
Libreswan::IP::V4::VirtualPrivate,
Libreswan::IP::V6::VirtualPrivate
]]
- Wed Sep 11 2024 Steven Pritchard steve@sicura.us - 3.10.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 3.9.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 3.8.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Wed Sep 06 2023 Steven Pritchard steve@sicura.us - 3.7.0
- Add AlmaLinux 8 support
- Move $init_command in libreswan::nss::init_db to a parameter and set the default in Hiera to avoid the hard-coded list of supported operating systems
- Clean up for puppet-lint in libreswan::nss::init_db
- Add support for Puppet 8 and stdlib 9
- Drop support for Puppet 6
- Update gem dependencies
- Clean up Gemfile for rubocop
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 3.6.0
- Add RockyLinux 8 support
- Tue Jun 22 2021 Trevor Vaughan tvaughan@onyxpoint.com - 3.5.0
- Removed obsolete configuration options whose presence prevents the ipsec service from starting on EL8. The corresponding deprecated parameters are as follows:
  - libreswan::ikeport
  - libreswan::nat_ikeport
  - libreswan::klipsdebug
  - libreswan::perpeerlog
  - libreswan::perpeerlogdir
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 3.5.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 3.4.2
- Removed EL6 support
- Tue Nov 03 2020 Trevor Vaughan tvaughan@onyxpoint.com - 3.4.1-0
- Updated/corrected documentation
- Added REFERENCE.md
- Removed the unused libreswan::use_certs parameter
- Converted libreswan::params to module data
- Hooked service notifications at the class levels
- Thu Oct 08 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 3.4.0-0
- Add support for IKEv2 Mobility (RFC-4555) and mobile client connections
- Add additional settings for DNS and Domains for libreswan v3.23+
- Mon Aug 03 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 3.3.0-0
- Add EL8 and firewalld support
- Thu Jul 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.2.1-0
- update the upper bound of simplib for SIMP 6.5 release
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 3.2.0-0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Tue Feb 12 2019 Liz Nemsick lnemsick.simp@gmail.com - 3.1.1-0
- Use simplib::passgen() in lieu of passgen(), a deprecated simplib Puppet 3 function.
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Mon Nov 05 2018 Liz Nemsick lnemsick-simp@gmail.com - 3.1.0-0
- Update badges and contribution guide URL in README.md
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 3.1.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Fri Jul 06 2018 Trevor Vaughan tvaughan@onyxpont.com - 3.1.0-0
- Added Puppet 5 and OEL support
- Fri Jun 15 2018 Nick Miller nick.miller@onyxpoint.com - 3.0.3-0
- Remove unneeded fixtures and update CI assets
- Thu Nov 09 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.0.2-0
- Bug fixes:
- Set up FIPS-compliant configuration, not just when simp_options::fips is true, but also when the server is already in FIPS mode.
- Insert token password into the NSS database after configuring the NSS database for FIPS.
- Updated the tests.
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.0.1-0
- Confine puppet version in metadata.json
- Fri Jan 13 2017 Nick Markowski nmarkowski@keywcorp.com - 3.0.0-0
- Updated pki scheme.
- Application certs now managed in /etc/pki/simp_apps/libreswan/x509
- Thu Dec 22 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.0.0-0
- Update Global Catalysts
- Strong type
- Tue Nov 22 2016 Liz Nemsick lnemsick.simp@gmail.com - 2.0.0-0
- Update version to reflect SIMP6 dependencies
- Update to SIMP6 dependencies
- Minor cleanup
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 1.0.1-0
- Minor cleanup
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 1.0.0-0
- Updated iptables dependency version
- Wed Oct 12 2016 Liz Nemsick lnemsick.simp@gmail.com - 1.0.0-0
- Added support for CentOS 6
- Fix several bugs in the following categories:
- Use of wrong variables (cut and paste errors or typos)
- Improper parameter validations
- Parameters not being used in erb files.
- OBE names of ipsec settings.
- Missing quotes/braces around settings that can contain whitespace
- Expose more ipsec settings.
- Allow IPv6 addresses
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 0.1.1-0
- Fix Forge haveged dependency name
- Thu Jun 30 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.1.0-0
- Initial release for CentOS 7 only
Dependencies
- simp/haveged (>= 0.4.5 < 1.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/iptables (>= 6.5.3 < 8.0.0)
- simp/pki (>= 6.2.0 < 7.0.0)
- simp/simp_firewalld (>= 0.1.3 < 1.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
ipsecl - Manages IPSec software libreswan
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.