Nextdoor strongSwan Management Module


121,382 latest version

3.1 quality score


Version information

  • 0.0.2 (latest)
  • 0.0.1
released Jan 13th 2015
This version is compatible with:
  • Puppet 3.x

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'Nextdoor-strongswan', '0.0.2'

Add this module to your Bolt project:

bolt module add Nextdoor-strongswan

Manually install this module globally with Puppet module tool:

puppet module install Nextdoor-strongswan --version 0.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



Nextdoor/strongswan — version 0.0.2 Jan 13th 2015

Table of Contents

  1. Overview
  2. Module Description
  3. Usage
  4. Pre-defined Tunnel Types


This module installs and manages the strongSwan daemon on a host. For detailed information about strongSwan, please see its website and the wiki.


The initial setup of the module happens in the main strongswan Puppet class. The defaults are relatively safe, but you may override as many settings as you wish, as long as you instantiate the main class before calling any of the resource definitions.


Class: strongswan

class { 'strongswan':
  charon_options     => <charon options>,
  conn_conf_path     => <path to store connections>,
  ipsec_options      => <ipsec options>,
  secrets_conf_path  => <path to store secrets>,
  service_name       => <ipsec service name>,
  service_ensure     => <ipsec service ensure>,
  service_enable     => <ipsec service enable bool>,
  strongswan_package => <strongswan package name>,
  strongswan_version => <strongswan version num>,
  strongswan_plugins => <strongswan plugins list>,
}


charon_options: A hash of custom options for the /etc/strongswan.d/charon.conf file. (default: {})

conn_conf_path: Directory to store individual IPsec connection configuration files in. (default: /etc/ipsec.d/conns)

ipsec_options: A hash of settings for the 'config setup' section of the /etc/ipsec.conf file. (default: {})

secrets_conf_path: Directory to store individual IPsec connection secret files in. (default: /etc/ipsec.d/secrets)

service_name: Name of the strongSwan service daemon. (default: strongswan)

service_ensure: Whether to ensure the service is running or not. (default: running)

service_enable: Whether to enable the strongswan service on system startup. (default: true)

strongswan_package: Name of the strongSwan package to install. (default: strongswan)

strongswan_version: Version of the strongSwan package to install. (default: installed)

strongswan_plugins: List of strongSwan plugin packages to install. (default: [ strongswan-plugin-unity, strongswan-plugin-xauth-pam ])

Definition: strongswan::conn

strongswan::conn { 'myconn':
  params  => <hash of custom connection parameters>,
  secrets => <array of hashes of secrets>,
}


params: A hash that contains all of the key => value parameters for your connection. The module expects that you know all of the parameters required, and it writes them out exactly as you've supplied them. Eg:

{ 'keyexchange' => 'ikev2',
  'auto'        => 'start',
  'esp'         => 'aes128-sha1-modp1024',
  'ikelifetime' => '28800s',
  'keylife'     => '3600s',
  'rekey'       => 'no',
  'reauth'      => 'no',
  'authby'      => 'secret',
  'closeaction' => 'restart',
  'dpddelay'    => '10s',
  'dpdtimeout'  => '30s',
  'dpdaction'   => 'restart',
  'rightsubnet' => $vpc_subnet,
  'leftid'      => $customer_gateway_ip,
  'leftsubnet'  => $customer_subnet,
  'right'       => $ipsec_1_vpg_ip,
  'rightid'     => $ipsec_1_vpg_ip,
}


secrets: An array of hashes that list the secrets for the connection. Eg:

[ { 'left_id' => '', 'right_id' => '%any',
    'auth'    => 'PSK', 'key' => 'xYsdfkjkasd' },
  { 'left_id' => '', 'right_id' => '%any',
    'auth'    => 'PSK', 'key' => 'xYsdfkjkasd' },
]


Class: strongswan::presets::pam_authed_vpn

Configures your server as a VPN endpoint for incoming Cisco IPsec VPN clients (iOS, Android, Mac OS X, etc.). Uses simple local PAM for user authentication.

class { 'strongswan::presets::pam_authed_vpn':
  client_source_ip => '',
  dns              => [ '', '' ],
  routed_ip_cidr   => '',
  private_ip_cidr  => '',
  private_ip       => '',
}


client_source_ip: IP CIDR to accept VPN connection requests from. (default:


dns: A list of DNS servers to pass to the VPN clients. (default: [, ])


routed_ip_cidr: The IP range that's passed to the VPN clients as the 'routed' range. Defaults to, which means to pass all traffic through the VPN client. Narrowing this down to some other range (like will cause split-tunneling, allowing the client to go directly to the internet for most traffic, but over the VPN for specific traffic. (default:


private_ip_cidr: Private IP CIDR range to hand addresses out to VPN clients from. (default:


private_ip: Private IP that the VPN server will use for routing VPN client data. (default:

Definition: strongswan::presets::aws_vpc

Configures a VPN connection into an Amazon VPC following their "Generic Customer Gateway without Border Gateway Protocol" model. Creates two outbound, policy-based VPN tunnels to the Amazon VPN endpoints. Only one tunnel can be used at any given moment, but automatic failover happens when one of the AWS endpoints shuts down.

strongswan::presets::aws_vpc { 'myVPC':
  customer_gateway_ip => <your servers eIP>,
  customer_subnet     => <your servers CIDR block>,
  ipsec_1_vpg_ip      => <AWS VPC IPSec #1 Endpoint>,
  ipsec_1_psk         => <PSK for IPSec #1 Endpoint>,
  ipsec_2_vpg_ip      => <AWS VPC IPSec #2 Endpoint>,
  ipsec_2_psk         => <PSK for IPSec #2 Endpoint>,
  vpc_subnet          => <your VPC CIDR block>,
}


customer_gateway_ip: (Line 77 of the Generic VPC Configuration from Amazon)


customer_subnet: The subnet on the 'left' (client) side of the tunnel. Can be as small as a /32, or as large as you want. Should match whatever static route you have configured in your VPN Connection endpoint in Amazon.


ipsec_1_vpg_ip: (Line 78 of the Generic VPC Configuration from Amazon)


ipsec_1_psk: (Line 25 of the Generic VPC Configuration from Amazon)


ipsec_2_vpg_ip: (Line 162 of the Generic VPC Configuration from Amazon)


ipsec_2_psk: (Line 109 of the Generic VPC Configuration from Amazon)

Definition: strongswan::presets::meraki_vpn

Configures an incoming VPN service for a Meraki MX-series router using IKEv1 per their documentation.

strongswan::presets::meraki_vpn { 'our-office':
  meraki_public_ip => <your meraki/office public ip address>,
  meraki_subnet    => <your internal office subnet>,
  swan_public_ip   => <your strongswan server public address>,
  swan_subnet      => <your strongswan server private subnet>,
  psk              => <pre-shared-key>,
  masquerade       => <whether or not to enable ip masquerading>,
}


meraki_public_ip: The public IPv4 address that your Meraki has on the Internet. Used to configure inbound access through the firewall to the network.


meraki_subnet: The IP CIDR that your Meraki is hosting behind it. Likely matches the range described in the 'Local networks' section of the site-to-site VPN page.


swan_public_ip: The public IP address of the strongSwan server. Used to help handle NAT-Traversal issues.


swan_subnet: The IP CIDR that you want your strongSwan server to expose to your Meraki. Should exactly match the 'Private subnets' configuration option in the Meraki site-to-site VPN page.


psk: The pre-shared key you've entered into your Meraki site-to-site VPN page.


masquerade: Either present or absent. Whether or not to enable IP masquerading on the strongSwan host.