Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.8 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppet-strongswan', '1.0.0'
This Puppet module contains configurations for Strongswan.
Example usage
StrongSwan default config:
include strongswan
Strongswan self-signed CA:
include strongswan::pki::ca
Strongswan certificates management:
strongswan::pki::certificate {'server':
common_name => 'myvpn.local',
san => ['@strongswan-1','strongswan-1','192.168.33.42', '@192.168.33.42'],
}
strongswan::pki::certificate {'John Smith':
common_name => 'John Smith',
p12_password => 'mySuperStrongPass',
}
Example configuration ipsec.conf:
strongswan::conn { '%default':
options => {
"ike" => "aes128gcm128-prfsha256-ecp256!",
"esp" => "aes128gcm128-ecp256!",
"keyexchange" => "ikev2",
"ikelifetime" => "60m",
"lifetime" => "20m",
"margintime" => "3m",
"closeaction" => "restart",
"dpdaction" => "restart",
}
}
strongswan::conn { 'IPsec-IKEv2':
options => {
"rekey" => "no",
"left" => "%any",
"leftsubnet" => "0.0.0.0/0",
"leftcert" => "vpnHostCert.der",
"right" => "%any",
"rightdns" => "8.8.8.8,8.8.4.4",
"rightsourceip" => "10.10.10.0/24",
"auto" => "add",
}
}
strongswan::conn { 'IKEv2-EAP':
options => {
"also" => "IPsec-IKEv2",
"leftauth" => "pubkey",
"leftsendcert" => "always",
"rightauth" => "eap-mschapv2",
"rightsendcert" => "never",
"eap_identity" => "%any",
}
}
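As an added check, not part of the puppet-strongswan module: the option hashes from the conn examples above rendered into ipsec.conf syntax, with a lookup that flags an `also` reference whose target conn is not defined (conn names are matched exactly, so a case difference such as `IPSec` versus `IPsec` breaks the include). The layout assumes the plain `conn NAME` / indented `key=value` form of ipsec.conf, not the module's own template.

```python
# Constructed input mirroring the strongswan::conn resources on this page
# (names and values copied from the README examples, not a live config).
CONNS = {
    "%default": {
        "ike": "aes128gcm128-prfsha256-ecp256!",
        "esp": "aes128gcm128-ecp256!",
        "keyexchange": "ikev2",
        "ikelifetime": "60m",
        "lifetime": "20m",
        "margintime": "3m",
        "closeaction": "restart",
        "dpdaction": "restart",
    },
    "IPsec-IKEv2": {
        "rekey": "no",
        "left": "%any",
        "leftsubnet": "0.0.0.0/0",
        "leftcert": "vpnHostCert.der",
        "right": "%any",
        "rightdns": "8.8.8.8,8.8.4.4",
        "rightsourceip": "10.10.10.0/24",
        "auto": "add",
    },
    "IKEv2-EAP": {
        "also": "IPsec-IKEv2",
        "leftauth": "pubkey",
        "leftsendcert": "always",
        "rightauth": "eap-mschapv2",
        "rightsendcert": "never",
        "eap_identity": "%any",
    },
}


def render_ipsec_conf(conns):
    """Render one 'conn NAME' section per entry with indented key=value lines."""
    blocks = []
    for name, options in conns.items():
        lines = [f"conn {name}"] + [f"    {k}={v}" for k, v in options.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def dangling_also(conns):
    """Names of conns whose also= target is not defined (exact, case-sensitive match)."""
    return sorted(name for name, opts in conns.items()
                  if "also" in opts and opts["also"] not in conns)


if __name__ == "__main__":
    print(render_ipsec_conf(CONNS), "dangling also:", dangling_also(CONNS))
```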
Example configuration ipsec.secrets:
strongswan::secrets { '%any':
options => {
'RSA' => 'vpnHostKey.der keypass'
}
}
strongswan::secrets { 'John':
options => {
'EAP' => 'SuperSecretPass'
}
}
charon daemon configuration example:
strongswan::charon { 'dns':
options => {
'dns1' => '8.8.8.8',
'dns2' => '8.8.4.4'
}
}
charon logging configuration example:
strongswan::charon { '/var/log/vpn.log':
options => {
'filelog' => {
'/var/log/vpn.log' => {
'time_format' => '%b %e %T',
'ike_name' => 'yes',
'append' => 'no',
'default' => '1',
'flush_line' => 'yes',
},
'stderr' => {
'ike' => '2',
'knl' => '2',
}
}
}
}
Setup configuration
The IPsec 'config setup' section in ipsec.conf:
class { 'strongswan::setup':
options => {
'charondebug' => '"ike 2, knl 2, cfg 2"'
}
}
Compatibility
Supports:
- RedHat
- Debian/Ubuntu
License
MIT License
Reference
Table of Contents
Classes
Public Classes
strongswan: Installs and manages strongSwan
strongswan::pki::ca: This class manages the Strongswan CA
strongswan::setup: Manages the Strongswan 'setup' section in ipsec.conf
Private Classes
strongswan::config: Manages Strongswan basic configuration
strongswan::package: This class manages Strongswan package installation
strongswan::params: Operating system specific default parameters
strongswan::service: This class manages the Strongswan service
Defined types
strongswan::charon: Manage strongswan charon config files
strongswan::charon::plugin: Configure charon plugin
strongswan::conn: Configure a strongSwan connection configuration.
strongswan::pki::certificate: Manage strongswan certificates
strongswan::secrets: strongSwan secrets configuration.
Classes
strongswan
Installs and manages strongSwan
Parameters
The following parameters are available in the strongswan
class.
package_name
Data type: Any
The strongswan package name.
Default value: 'strongswan'
package_ensure
Data type: Any
The desired package state. Can be used to install latest
or a specific version etc.
Default value: 'installed'
service_name
Data type: Any
The strongswan service name.
Default value: 'strongswan'
service_ensure
Data type: Any
The desired ensure
state for the service.
Default value: running
service_enable
Data type: Any
The desired enable
state for the service.
Default value: true
ipsec_d_dir
Data type: Any
The directory for the ipsec configuration files. The default is operating system specific and you should not need to override this setting.
Default value: $strongswan::params::ipsec_d_dir
ipsec_conf
Data type: Any
The location of the ipsec.conf
file. The default is operating system specific and you should not need to override this setting.
Default value: $strongswan::params::ipsec_conf
ipsec_secrets
Data type: Any
The location of the ipsec.secrets
file. The default is operating system specific and you should not need to override this setting.
Default value: $strongswan::params::ipsec_secrets
charon_conf
Data type: Any
The location of the main charon.conf
config file. WARNING, this option is not currently used.
Default value: $strongswan::params::charon_conf
strongswan::pki::ca
This class manages the Strongswan CA
Examples
Default CA configuration
include strongswan::pki::ca
Configure the CA with custom options
class {'strongswan::pki::ca':
common_name => 'myVPN',
country_code => 'XX',
organization => 'myOrg',
}
Parameters
The following parameters are available in the strongswan::pki::ca
class.
common_name
Data type: String[1]
The Certificate Authority Common Name (CN)
Default value: 'strongswanCA'
country_code
Data type: String[2]
The Certificate Authority Country Code (C)
Default value: 'GB'
organization
Data type: String[1]
The Certificate Authority Organization (O)
Default value: 'Strongswan'
strongswan::setup
Manages the Strongswan 'setup' section in ipsec.conf
Examples
Sample Usage
class { 'strongswan::setup':
options => {
'strictcrlpolicy' => 'yes',
'uniqueids' => 'never',
}
}
Parameters
The following parameters are available in the strongswan::setup
class.
options
Data type: Hash
The hash of options to configure
Default value: {}
Defined types
strongswan::charon
Manage strongswan charon config files
Examples
Define file loggers in charon_log.conf file
strongswan::charon { 'log':
options => {
'filelog' => {
'/var/log/strongswan.log' => {
'time_format' => '%b %e %T',
'ike_name' => 'yes',
'append' => 'no',
'default' => '1',
'flush_line' => 'yes',
},
'stderr' => {
'ike' => '2',
'knl' => '2',
},
},
},
}
Parameters
The following parameters are available in the strongswan::charon
defined type.
options
Data type: Hash
charon options hash
Default value: {}
strongswan::charon::plugin
Configure charon plugin
Examples
enable plugin
strongswan::charon::plugin { 'eap-radius':
options => {
'load' => 'yes',
'secret' => '$ecRet',
}
}
disable plugin
strongswan::charon::plugin { 'revocation':
options => {
'load' => 'no',
}
}
Parameters
The following parameters are available in the strongswan::charon::plugin
defined type.
options
Data type: Hash
plugin configuration options
Default value: {}
strongswan::conn
Configure a strongSwan connection configuration.
Examples
Configure IPsec-IKEv2 connection
strongswan::conn { 'IPsec-IKEv2':
options => {
'rekey' => 'no',
'left' => '%any',
'leftsubnet' => '0.0.0.0/0',
'leftcert' => 'vpnHostCert.der',
'right' => '%any',
'rightdns' => '8.8.8.8,8.8.4.4',
'rightsourceip' => '10.10.10.0/24',
'auto' => 'add',
}
}
Configure IKEv2-EAP connection
strongswan::conn { 'IKEv2-EAP':
options => {
'also' => 'IPsec-IKEv2',
'leftauth' => 'pubkey',
'leftsendcert' => 'always',
'rightauth' => 'eap-mschapv2',
'rightsendcert' => 'never',
'eap_identity' => '%any',
}
}
Configure defaults for other connections
strongswan::conn { '%default':
options => {
'ike' => 'aes128gcm128-prfsha256-ecp256!',
'esp' => 'aes128gcm128-ecp256!',
'keyexchange' => 'ikev2',
'ikelifetime' => '60m',
'lifetime' => '20m',
'margintime' => '3m',
'closeaction' => 'restart',
'dpdaction' => 'restart',
}
}
Parameters
The following parameters are available in the strongswan::conn
defined type.
conn_name
Data type: String[1]
The name of the connection.
Default value: $title
options
Data type: Hash
A hash of configuration options for the connection.
Default value: {}
strongswan::pki::certificate
Manage strongswan certificates
Examples
Add a certificate
strongswan::pki::certificate {'server':
common_name => 'myvpn.local',
san => ['@strongswan-1','strongswan-1','192.168.33.42', '@192.168.33.42']
}
Parameters
The following parameters are available in the strongswan::pki::certificate
defined type.
common_name
Data type: String[1]
The certificate Common Name (CN)
Default value: fact('fqdn')
country_code
Data type: String[2]
The certificate Country Code (C)
Default value: 'GB'
organization
Data type: String[1]
The certificate Organization (O)
Default value: 'Strongswan'
san
Data type: Array[String[1]]
An Array of Subject Alternative Names
Default value: ['localhost']
p12_password
Data type: Optional[String[1]]
An optional PKCS#12
password for the certificate
Default value: undef
strongswan::secrets
strongSwan secrets configuration.
Examples
Example 1
strongswan::secrets { '%any':
options => {
'RSA' => 'vpnHostKey.der keypass'
}
}
Example 2
strongswan::secrets { 'John':
options => {
'EAP' => 'SuperSecretPass'
}
}
Parameters
The following parameters are available in the strongswan::secrets
defined type.
selectors
Data type: Array[String[1]]
List of selectors for current secret
Default value: [$title]
options
Data type: Hash
A hash of options to use with the secret
Default value: {}
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v1.0.0 (2020-03-13)
Breaking changes:
- drop Ubuntu 14.04 support #29 (bastelfreak)
- modulesync 2.7.0 and drop puppet 4 #23 (bastelfreak)
Implemented enhancements:
- Enable acceptance tests #37
- support for charon plugins configuration #35 (ihpu)
- strongswan::secrets support selectors #34 (ihpu)
- Allow specifying of package version and service variables #26 (kuldazbraslav)
- Don't show diffs from strongSwan secrets file. #21 (jared-gs)
Fixed bugs:
- strongswan::pki::ca and strongswan::pki::certificate aren't working on Debian #39
- Allow puppetlabs/concat 6.x, puppetlabs/stdlib 6.x #24 (dhoppe)
Closed issues:
- Not able to configure ensure for service #16
Merged pull requests:
- Refactor and document with puppet-strings #36 (alexjfisher)
v0.4.0 (2018-10-14)
Closed issues:
- Migrate strongswan module to Vox Pupuli #2
Merged pull requests:
- modulesync 2.2.0 and allow puppet 6.x #18 (bastelfreak)
- allow puppetlabs/concat 5.x #17 (bastelfreak)
- allow puppetlabs/stdlib 5.x #13 (bastelfreak)
v0.3.0 (2018-06-01)
Merged pull requests:
- add secret #9 (bastelfreak)
- Remove docker nodesets #8 (bastelfreak)
- drop EOL OSs; fix puppet version range #7 (bastelfreak)
- modulesync 1.6.0-14-g7ec1f6b #3 (CommanderK5)
v.0.2.0 (2018-01-03)
Merged pull requests:
- Readded Debian support #1 (grzegorzgr)
v0.1.0 (2016-03-15)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs-concat (>= 4.1.0 < 7.0.0)
- puppetlabs-stdlib (>= 4.25.0 < 7.0.0)
The MIT License (MIT)
Copyright © 2015 Lukasz Rohde
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.