class Construqt::Flavour::Ubuntu::Ipsec
Public Class Methods
header(host)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 10 def self.header(host) #binding.pry addrs = {} ifaces = {} host.ipsecs.each do |ipsec| [ipsec.left, ipsec.right].each do |iface| next if iface.host != host ifaces[iface.remote.interface.name] = iface.remote.interface if iface.remote.first_ipv4 addrs[iface.remote.first_ipv4.to_s] = "isakmp #{iface.remote.first_ipv4.to_s} [500];" end if iface.remote.first_ipv6 addrs[iface.remote.first_ipv6.to_s] = "isakmp #{iface.remote.first_ipv6.to_s} [500];" end end end return if addrs.empty? host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "default", "racoon") # do not edit generated file # # this a a evil hack to avoid a raise condition on starting the # OS racoon in the same moment like our if [ "$STARTED_BY_CONSTRUQT" = "" ] then exit 0 fi HEADER host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf") # do not edit generated file path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; log info; listen { #{Util.indent(addrs.keys.sort.map{|k| addrs[k] }.join("\n"), " ")} strict_address; } HEADER end
new(cfg)
click to toggle source
Calls superclass method
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 6 def initialize(cfg) super(cfg) end
Public Instance Methods
build_config(unused, unused2)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 143 def build_config(unused, unused2) # build_gre_config() if self.cfg.transport_family == Construqt::Addresses::IPV6 throw "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6 throw "we need a local ipv6 address #{self.cfg.name}" unless self.remote.first_ipv6 build_racoon_config(self.other.remote.first_ipv6.to_s) host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg), Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt") build_policy(self.cfg.transport_family, self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my) else throw "we need a remote ipv4 address #{self.cfg.name}" unless self.other.remote.first_ipv4 throw "we need a local ipv4 address #{self.cfg.name}" unless self.remote.first_ipv4 build_racoon_config(self.other.remote.first_ipv4.to_s) host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg), Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt") build_policy(self.cfg.transport_family, self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my) end end
build_policy(family, remote_my, remote_other, my, other)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 115 def build_policy(family, remote_my, remote_other, my, other) #binding.pry my.ips.each do |my_ip| other.ips.each do |other_ip| next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) || (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)) from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip) from_to_sainfo(my_ip, other_ip) end end other.ips.each do |other_ip| my.ips.each do |my_ip| next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) || (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)) from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip) from_to_sainfo(other_ip, my_ip) end end end
build_racoon_config(remote_ip)
click to toggle source
def build_gre_config() iname = Util.clean_if("gt", self.other.host.name) writer = self.host.result.delegate.etc_network_interfaces.get(self.interface) writer.lines.add(<<UP)
up ip -6 tunnel add #{iname} mode ip6gre local #{self.my.first_ipv6} remote #{self.other.my.first_ipv6} up ip -6 addr add #{self.my.first_ipv6.to_string} dev #{iname} up ip -6 link set dev #{iname} up UP
writer.lines.add(<<DOWN)
down ip -6 tunnel del #{iname} DOWN
end
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 63 def build_racoon_config(remote_ip) #binding.pry self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf") # #{self.cfg.name} remote #{remote_ip} { exchange_mode main; lifetime time 24 hour; proposal_check strict; dpd_delay 30; ike_frag on; # use IKE fragmentation proposal { encryption_algorithm aes256; hash_algorithm sha1; authentication_method pre_shared_key; dh_group modp1536; } } RACOON end
from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 104 def from_to_ipsec_conf(dir, remote_my, remote_other, my, other) host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf") if my.network.to_s == other.network.to_s spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;" else spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;" end host.result.add(self, spdadd, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf") end
from_to_sainfo(my_ip, other_ip)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 84 def from_to_sainfo(my_ip, other_ip) if my_ip.network.to_s == other_ip.network.to_s my_ip_str = my_ip.to_s other_ip_str = other_ip.to_s else my_ip_str = my_ip.to_string other_ip_str = other_ip.to_string end self.host.result.add(self, <<RACOON, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf") sainfo address #{my_ip_str} any address #{other_ip_str} any { pfs_group 5; encryption_algorithm aes256; authentication_algorithm hmac_sha1; compression_algorithm deflate; lifetime time 1 hour; } RACOON end
psk(ip, cfg)
click to toggle source
# File lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb, line 136 def psk(ip, cfg) [ "# #{cfg.name}", "#{ip} #{Util.password(cfg.password)}" ].join("\n") end