diff --git a/ipsec/files/check_ipsecctl.sh b/ipsec/files/check_ipsecctl.sh
new file mode 100644
index 00000000..4cdeaa94
--- /dev/null
+++ b/ipsec/files/check_ipsecctl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+IPSECCTL="/sbin/ipsecctl -s sa"
+STATUS=0
+
+LINE1=`$IPSECCTL | grep "from $1 to $2" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT1="No VPN from $1 to $2 "
+fi
+
+LINE2=`$IPSECCTL | grep "from $2 to $1" `
+if [ $? -eq 1 ]; then
+ STATUS=2;
+ OUTPUT2="No VPN from $2 to $1"
+fi
+
+if [ $STATUS -eq 0 ]; then
+ echo "VPN OK - $3 is up"
+ exit $STATUS
+else
+ echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
+ exit $STATUS
+fi
diff --git a/ipsec/files/check_ipsecctl_multi.sh b/ipsec/files/check_ipsecctl_multi.sh
new file mode 100644
index 00000000..09cf6aa2
--- /dev/null
+++ b/ipsec/files/check_ipsecctl_multi.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show|grep default|awk '{ print $8 }')
+default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
+
+for vpn in $(ls /etc/ipsec/); do
+ vpn=$(basename $vpn .conf)
+ local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+ ifconfig|grep -q $local_ip
+ [ $? -ne 0 ] && local_ip=$default_ip
+ remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+ $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+ if [ $? -ne 0 ]; then
+ STATUS=2
+ VPN_KO="$VPN_KO $vpn"
+ fi
+done
+
+if [ $STATUS -eq 0 ]; then
+ echo "ALL VPN(s) UP(s)"
+ exit 0
+else
+ echo "VPN(s) down(s) :$VPN_KO"
+ exit 2
+fi
diff --git a/ipsec/tasks/main.yml b/ipsec/tasks/main.yml
new file mode 100644
index 00000000..85d1b69a
--- /dev/null
+++ b/ipsec/tasks/main.yml
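Review bot: Both `if [ $? -eq 1 ]` tests in check_ipsecctl.sh only flag grep's "no match" status, so any other non-zero status (grep's 2 for a usage or pattern error, for instance when `$1` is empty or not a valid regex) falls through and the script reports "VPN OK"; `[ $? -ne 0 ]` is the safer comparison for a monitoring check that should fail closed. `LINE1` and `LINE2` are assigned but never read, and the unquoted addresses are interpreted as regexes where `.` matches any character, so `$IPSECCTL | grep -qF -- "from $1 to $2"` expresses the intent more precisely and drops the unused capture. The script also takes its three positional arguments without checking them and is invoked as root through the sudoers entries added in tasks/main.yml; a guard before the first grep such as `[ $# -eq 3 ] || { echo "VPN UNKNOWN - usage: $0 local_ip remote_ip name"; exit 3; }` would surface an argument mistake as UNKNOWN rather than as an up or down tunnel.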
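Review bot: In check_ipsecctl_multi.sh the `ifconfig|grep -q $local_ip` test is an unanchored regex match, so a configured local_ip of 10.0.0.1 is accepted when the host only carries 10.0.0.10 (or 110.0.0.1) and the `$default_ip` fallback never triggers, which then feeds a wrong address to check_ipsecctl.sh. The `for vpn in $(ls /etc/ipsec/)` loop also treats every directory entry as a `.conf` file, so a stray backup or non-conf file yields empty `local_ip`/`remote_ip` values, and because those expansions are unquoted on the `$CHECK_IPSECCTL` line an empty value shifts the remaining arguments into the wrong positions. Globbing `/etc/ipsec/*.conf`, quoting the expansions and matching the address as a fixed string addresses all three; the fence below assumes OpenBSD's `inet <addr> netmask …` ifconfig line format, which should be confirmed. The `grep inet` on the `default_ip` line would presumably also match `inet6` lines, so `grep -w inet` is worth considering there too.
```shell
for conf in /etc/ipsec/*.conf; do
  [ -e "$conf" ] || continue
  vpn=$(basename "$conf" .conf)
  local_ip=$(grep -E "local_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
  # Fixed-string match on the whole "inet <addr> " token so that 10.0.0.1 is not
  # accepted on an interface that only carries 10.0.0.10; an empty local_ip
  # falls back to the default-route address instead of being passed on.
  if [ -z "$local_ip" ] || ! ifconfig | grep -qF -- "inet $local_ip "; then
    local_ip=$default_ip
  fi
  remote_ip=$(grep -E "remote_ip" "$conf" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
  $CHECK_IPSECCTL "$local_ip" "$remote_ip" "$vpn" > /dev/null
  # … unchanged: STATUS / VPN_KO accumulation …
done
```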
@@ -0,0 +1,65 @@
+---
+- name: Create /etc/ipsec dir
+ file:
+ path: /etc/ipsec
+ state: directory
+ mode: "0700"
+ owner: root
+ group: wheel
+ tags:
+ - ipsec
+
+- name: Enable and start isakmpd service
+ service:
+ name: isakmpd
+ arguments: '-K'
+ state: started
+ enabled: yes
+ tags:
+ - ipsec
+
+- name: Deploy nrpe scripts
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/libexec/nagios/
+ mode: "0755"
+ with_items:
+ - 'check_ipsecctl.sh'
+ - 'check_ipsecctl_multi.sh'
+ tags:
+ - ipsec
+
+- name: Add sudo right to _nrpe for check ipsecctl
+ lineinfile:
+ dest: /etc/sudoers
+ line: "{{ item }}"
+ state: present
+ validate: "visudo -cf %s"
+ with_items:
+ - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
+ - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
+ tags:
+ - ipsec
+
+- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
+ template:
+ src: ipsec.conf.j2
+ dest: "/etc/ipsec/{{ ipsec_name }}.conf"
+ mode: "0600"
+ owner: root
+ group: wheel
+ register: ipsec_conf
+ tags:
+ - ipsec
+
+- name: "Check {{ ipsec_name }} config"
+ command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
+ changed_when: false
+ tags:
+ - ipsec
+
+- name: "Reload ipsec {{ ipsec_name }}"
+ command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
+ when: ipsec_conf.changed
+ tags:
+ - ipsec
diff --git a/ipsec/templates/ipsec.conf.j2 b/ipsec/templates/ipsec.conf.j2
new file mode 100644
index 00000000..862cf686
--- /dev/null
+++ b/ipsec/templates/ipsec.conf.j2
@@ -0,0 +1,10 @@
+local_ip="{{ ipsec_local_ip }}"
+local_network="{{ ipsec_local_network }}"
+
+remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}"
+remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}"
+
+ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \
+main auth hmac-sha2-512 enc aes group modp4096 \
+quick auth hmac-sha2-512 enc aes group modp4096 \
+psk "{{ ipsec_psk }}"
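Review bot: The `Deploy nrpe scripts` task sets `mode: "0755"` but no `owner`/`group`, while the following `lineinfile` task grants `_nrpe` passwordless root on exactly those two paths; whether the scripts end up root-owned and unwritable by `_nrpe` is left to whatever account runs the play, and a writable script behind a NOPASSWD sudoers line is a direct root escalation. Adding `owner: root` and `group: wheel` to that `copy` task makes it explicit and consistent with the `file` and `template` tasks in this file, which already set both. Separately, the `template` task renders `ipsec_psk` into the file, and in `--diff` runs Ansible prints the rendered content; `no_log: true` on that task keeps the pre-shared key out of controller logs and CI output.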
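Review bot: `local_ip` is defined on the first line of ipsec.conf.j2 but is never referenced by the `ike esp` rule; its only consumer is check_ipsecctl_multi.sh, which greps `local_ip` and `remote_ip` out of the rendered file, and nothing in the template says so. A comment above it, `# local_ip and remote_ip_* are parsed by check_ipsecctl_multi.sh; keep the key="value" form`, would stop a later cleanup from dropping or reshaping those lines and silently breaking the monitoring check. The macro names `remote_ip_{{ ipsec_name }}` and `remote_networks_{{ ipsec_name }}` also presume that `ipsec_name` contains only characters valid in an ipsec.conf macro name; the `ipsecctl -nf` task in tasks/main.yml would reject an invalid name, but it is worth documenting that constraint on the variable in the role's defaults or README.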