[WIP] ipsec role
This commit is contained in:
parent
a6db2c9428
commit
3669e473c2
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
IPSECCTL="/sbin/ipsecctl -s sa"
|
||||
STATUS=0
|
||||
|
||||
LINE1=`$IPSECCTL | grep "from $1 to $2" `
|
||||
if [ $? -eq 1 ]; then
|
||||
STATUS=2;
|
||||
OUTPUT1="No VPN from $1 to $2 "
|
||||
fi
|
||||
|
||||
LINE2=`$IPSECCTL | grep "from $2 to $1" `
|
||||
if [ $? -eq 1 ]; then
|
||||
STATUS=2;
|
||||
OUTPUT2="No VPN from $2 to $1"
|
||||
fi
|
||||
|
||||
if [ $STATUS -eq 0 ]; then
|
||||
echo "VPN OK - $3 is up"
|
||||
exit $STATUS
|
||||
else
|
||||
echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
|
||||
exit $STATUS
|
||||
fi
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/sh
|
||||
|
||||
CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
|
||||
STATUS=0
|
||||
VPN_KO=""
|
||||
|
||||
default_int=$(route -n show|grep default|awk '{ print $8 }')
|
||||
default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
|
||||
|
||||
for vpn in $(ls /etc/ipsec/); do
|
||||
vpn=$(basename $vpn .conf)
|
||||
local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
|
||||
ifconfig|grep -q $local_ip
|
||||
[ $? -ne 0 ] && local_ip=$default_ip
|
||||
remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
|
||||
$CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
STATUS=2
|
||||
VPN_KO="$VPN_KO $vpn"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $STATUS -eq 0 ]; then
|
||||
echo "ALL VPN(s) UP(s)"
|
||||
exit 0
|
||||
else
|
||||
echo "VPN(s) down(s) :$VPN_KO"
|
||||
exit 2
|
||||
fi
|
|
@ -0,0 +1,65 @@
|
|||
---
|
||||
- name: Create /etc/ipsec dir
|
||||
file:
|
||||
path: /etc/ipsec
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: wheel
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: Enable and start isakmpd service
|
||||
service:
|
||||
name: isakmpd
|
||||
arguments: '-K'
|
||||
state: started
|
||||
enabled: yes
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: Deploy nrpe scripts
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /usr/local/libexec/nagios/
|
||||
mode: "0755"
|
||||
with_items:
|
||||
- 'check_ipsecctl.sh'
|
||||
- 'check_ipsecctl_multi.sh'
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: Add sudo right to _nrpe for check ipsecctl
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
line: "{{ item }}"
|
||||
state: present
|
||||
validate: "visudo -cf %s"
|
||||
with_items:
|
||||
- "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
|
||||
- "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
|
||||
template:
|
||||
src: ipsec.conf.j2
|
||||
dest: "/etc/ipsec/{{ ipsec_name }}.conf"
|
||||
mode: "0600"
|
||||
owner: root
|
||||
group: wheel
|
||||
register: ipsec_conf
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: "Check {{ ipsec_name }} config"
|
||||
command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
|
||||
changed_when: false
|
||||
tags:
|
||||
- ipsec
|
||||
|
||||
- name: "Reload ipsec {{ ipsec_name }}"
|
||||
command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
|
||||
when: ipsec_conf.changed
|
||||
tags:
|
||||
- ipsec
|
|
@ -0,0 +1,10 @@
|
|||
local_ip="{{ ipsec_local_ip }}"
|
||||
local_network="{{ ipsec_local_network }}"
|
||||
|
||||
remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}"
|
||||
remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}"
|
||||
|
||||
ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \
|
||||
main auth hmac-sha2-512 enc aes group modp4096 \
|
||||
quick auth hmac-sha2-512 enc aes group modp4096 \
|
||||
psk "{{ ipsec_psk }}"
|
Loading…
Reference in New Issue