[WIP] ipsec role

This commit is contained in:
Jérémy Lecour 2017-07-14 11:36:18 +02:00
parent a6db2c9428
commit 3669e473c2
4 changed files with 127 additions and 0 deletions


@ -0,0 +1,23 @@
#!/bin/sh
IPSECCTL="/sbin/ipsecctl -s sa"
STATUS=0
LINE1=`$IPSECCTL | grep "from $1 to $2" `
if [ $? -eq 1 ]; then
STATUS=2;
OUTPUT1="No VPN from $1 to $2 "
fi
LINE2=`$IPSECCTL | grep "from $2 to $1" `
if [ $? -eq 1 ]; then
STATUS=2;
OUTPUT2="No VPN from $2 to $1"
fi
if [ $STATUS -eq 0 ]; then
echo "VPN OK - $3 is up"
exit $STATUS
else
echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
exit $STATUS
fi
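Review bot: The peer addresses in the LINE1 and LINE2 assignments (`grep "from $1 to $2"`) are used as a regular expression, so each `.` matches any character and the match is not anchored — a flow from 10.0.0.1 to 10.0.0.20 satisfies a check for 10.0.0.1 to 10.0.0.2, and the VPN is reported up when it is not. Use a fixed-string, word-bounded match: `LINE1=$($IPSECCTL | grep -Fw -- "from $1 to $2")` and likewise for LINE2. Independently, `$3` should be quoted in both echo lines, and the script ought to refuse to run with fewer than three arguments (`[ $# -eq 3 ] || { echo "UNKNOWN - usage: $0 local_ip remote_ip name"; exit 3; }`) so a missing argument does not degrade into a pattern that matches any peer.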


@ -0,0 +1,29 @@
#!/bin/sh
CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
STATUS=0
VPN_KO=""
default_int=$(route -n show|grep default|awk '{ print $8 }')
default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
for vpn in $(ls /etc/ipsec/); do
vpn=$(basename $vpn .conf)
local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
ifconfig|grep -q $local_ip
[ $? -ne 0 ] && local_ip=$default_ip
remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
$CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
if [ $? -ne 0 ]; then
STATUS=2
VPN_KO="$VPN_KO $vpn"
fi
done
if [ $STATUS -eq 0 ]; then
echo "ALL VPN(s) UP(s)"
exit 0
else
echo "VPN(s) down(s) :$VPN_KO"
exit 2
fi
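Review bot: `for vpn in $(ls /etc/ipsec/)` iterates over every entry in the directory, not only `*.conf`, and word-splits the names; and when the `local_ip`/`remote_ip` extraction yields an empty string, the unquoted `$CHECK_IPSECCTL $local_ip $remote_ip "$vpn"` call shifts the remaining arguments into the wrong positions, so a broken config file is checked against a wrong peer pair instead of being reported as down. Iterate a glob, quote the variables, and treat an empty address as a failure for that VPN. The `ifconfig|grep -q $local_ip` line has the same unquoted-regex problem as check_ipsecctl.sh and currently only falls back to the default address because an empty pattern makes grep fail with a usage error; the rewrite below makes that fallback explicit. The status/summary block after the loop is unchanged.
```shell
for conf in /etc/ipsec/*.conf; do
  [ -e "$conf" ] || continue
  vpn=$(basename "$conf" .conf)
  local_ip=$(grep -E "local_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
  # fall back to the default-route address unless the configured one is bound locally
  [ -n "$local_ip" ] && ifconfig | grep -qFw -- "$local_ip" || local_ip=$default_ip
  remote_ip=$(grep -E "remote_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
  if [ -z "$local_ip" ] || [ -z "$remote_ip" ]; then
    STATUS=2
    VPN_KO="$VPN_KO $vpn"
    continue
  fi
  $CHECK_IPSECCTL "$local_ip" "$remote_ip" "$vpn" > /dev/null
  # … unchanged: exit-status check …
done
```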

ipsec/tasks/main.yml Normal file

@ -0,0 +1,65 @@
---
- name: Create /etc/ipsec dir
file:
path: /etc/ipsec
state: directory
mode: "0700"
owner: root
group: wheel
tags:
- ipsec
- name: Enable and start isakmpd service
service:
name: isakmpd
arguments: '-K'
state: started
enabled: yes
tags:
- ipsec
- name: Deploy nrpe scripts
copy:
src: "{{ item }}"
dest: /usr/local/libexec/nagios/
mode: "0755"
with_items:
- 'check_ipsecctl.sh'
- 'check_ipsecctl_multi.sh'
tags:
- ipsec
- name: Add sudo right to _nrpe for check ipsecctl
lineinfile:
dest: /etc/sudoers
line: "{{ item }}"
state: present
validate: "visudo -cf %s"
with_items:
- "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
- "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
tags:
- ipsec
- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
template:
src: ipsec.conf.j2
dest: "/etc/ipsec/{{ ipsec_name }}.conf"
mode: "0600"
owner: root
group: wheel
register: ipsec_conf
tags:
- ipsec
- name: "Check {{ ipsec_name }} config"
command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
changed_when: false
tags:
- ipsec
- name: "Reload ipsec {{ ipsec_name }}"
command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
when: ipsec_conf.changed
tags:
- ipsec
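Review bot: The two sudoers lines in the "Add sudo right to _nrpe for check ipsecctl" task let `_nrpe` run both scripts as root with arbitrary arguments, while `check_ipsecctl_multi.sh` takes none and `check_ipsecctl.sh` is only invoked from the multi script, which already runs as root. Unless `check_ipsecctl.sh` is meant to be called directly from NRPE, restricting the multi entry to an argument-less invocation and dropping the second line keeps the grant minimal: `- '_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh ""'` (an empty `""` after the command in sudoers means it may not be given arguments). The isakmpd service task passes `arguments: '-K'` without saying why; a comment such as `# -K: flows and SAs are loaded by ipsecctl(8), KeyNote policy checking is not used` would help the next reader — confirm the wording against isakmpd(8). The rendered page has lost the YAML indentation, so the nesting of these tasks is assumed here.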


@ -0,0 +1,10 @@
local_ip="{{ ipsec_local_ip }}"
local_network="{{ ipsec_local_network }}"
remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}"
remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}"
ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \
main auth hmac-sha2-512 enc aes group modp4096 \
quick auth hmac-sha2-512 enc aes group modp4096 \
psk "{{ ipsec_psk }}"
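Review bot: The macro names `remote_ip_{{ ipsec_name }}` and `remote_networks_{{ ipsec_name }}` embed the role variable in an ipsec.conf identifier, which per ipsec.conf(5) only parses when `ipsec_name` consists of letters, digits and underscores; a name containing a hyphen (common for a VPN named after a site) yields a file that the role's `ipsecctl -nf` check rejects. Since each generated file describes a single VPN the suffix carries no information; use plain names: `remote_ip="{{ ipsec_remote_ip }}"`, `remote_networks="{{ ipsec_remote_network }}"`, `ike esp from $local_network to $remote_networks peer $remote_ip \` — check_ipsecctl_multi.sh's `grep -E "remote_ip"` still matches. The pre-shared key is interpolated into a double-quoted value, so an `ipsec_psk` containing `"` or `\` would break the configuration; validate or constrain that variable (a long random string is what PSK authentication expects) and rely on the `-nf` check task as the guard.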