diff --git a/ipsec/files/check_ipsecctl.sh b/ipsec/files/check_ipsecctl.sh
deleted file mode 100644
index 4cdeaa94..00000000
--- a/ipsec/files/check_ipsecctl.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-IPSECCTL="/sbin/ipsecctl -s sa"
-STATUS=0
-
-LINE1=`$IPSECCTL | grep "from $1 to $2" `
-if [ $? -eq 1 ]; then
- STATUS=2;
- OUTPUT1="No VPN from $1 to $2 "
-fi
-
-LINE2=`$IPSECCTL | grep "from $2 to $1" `
-if [ $? -eq 1 ]; then
- STATUS=2;
- OUTPUT2="No VPN from $2 to $1"
-fi
-
-if [ $STATUS -eq 0 ]; then
- echo "VPN OK - $3 is up"
- exit $STATUS
-else
- echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)"
- exit $STATUS
-fi
diff --git a/ipsec/files/check_ipsecctl_multi.sh b/ipsec/files/check_ipsecctl_multi.sh
deleted file mode 100644
index 09cf6aa2..00000000
--- a/ipsec/files/check_ipsecctl_multi.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-
-CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
-STATUS=0
-VPN_KO=""
-
-default_int=$(route -n show|grep default|awk '{ print $8 }')
-default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }')
-
-for vpn in $(ls /etc/ipsec/); do
- vpn=$(basename $vpn .conf)
- local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
- ifconfig|grep -q $local_ip
- [ $? -ne 0 ] && local_ip=$default_ip
- remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
- $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
- if [ $? -ne 0 ]; then
- STATUS=2
- VPN_KO="$VPN_KO $vpn"
- fi
-done
-
-if [ $STATUS -eq 0 ]; then
- echo "ALL VPN(s) UP(s)"
- exit 0
-else
- echo "VPN(s) down(s) :$VPN_KO"
- exit 2
-fi
diff --git a/ipsec/tasks/main.yml b/ipsec/tasks/main.yml
deleted file mode 100644
index 85d1b69a..00000000
--- a/ipsec/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- name: Create /etc/ipsec dir
- file:
- path: /etc/ipsec
- state: directory
- mode: "0700"
- owner: root
- group: wheel
- tags:
- - ipsec
-
-- name: Enable and start isakmpd service
- service:
- name: isakmpd
- arguments: '-K'
- state: started
- enabled: yes
- tags:
- - ipsec
-
-- name: Deploy nrpe scripts
- copy:
- src: "{{ item }}"
- dest: /usr/local/libexec/nagios/
- mode: "0755"
- with_items:
- - 'check_ipsecctl.sh'
- - 'check_ipsecctl_multi.sh'
- tags:
- - ipsec
-
-- name: Add sudo right to _nrpe for check ipsecctl
- lineinfile:
- dest: /etc/sudoers
- line: "{{ item }}"
- state: present
- validate: "visudo -cf %s"
- with_items:
- - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
- - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
- tags:
- - ipsec
-
-- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
- template:
- src: ipsec.conf.j2
- dest: "/etc/ipsec/{{ ipsec_name }}.conf"
- mode: "0600"
- owner: root
- group: wheel
- register: ipsec_conf
- tags:
- - ipsec
-
-- name: "Check {{ ipsec_name }} config"
- command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
- changed_when: false
- tags:
- - ipsec
-
-- name: "Reload ipsec {{ ipsec_name }}"
- command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
- when: ipsec_conf.changed
- tags:
- - ipsec
diff --git a/ipsec/templates/ipsec.conf.j2 b/ipsec/templates/ipsec.conf.j2
deleted file mode 100644
index 862cf686..00000000
--- a/ipsec/templates/ipsec.conf.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-local_ip="{{ ipsec_local_ip }}"
-local_network="{{ ipsec_local_network }}"
-
-remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}"
-remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}"
-
-ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \
-main auth hmac-sha2-512 enc aes group modp4096 \
-quick auth hmac-sha2-512 enc aes group modp4096 \
-psk "{{ ipsec_psk }}"