## Table of Contents

### Classes

* `strongswan`: Installs and manages strongSwan
* `strongswan::pki::ca`: This class manages the Strongswan CA
* `strongswan::setup`: Manages the Strongswan 'setup' section in ipsec.conf
* `strongswan::config`: Manages Strongswan basic configuration
* `strongswan::package`: This class manages Strongswan package installation
* `strongswan::params`: Operating system specific default parameters
* `strongswan::service`: This class manages the Strongswan service

### Defined types

* `strongswan::charon`: Manage strongswan charon config files
* `strongswan::charon::plugin`: Configure charon plugins
* `strongswan::conn`: Configure a strongSwan connection configuration.
* `strongswan::pki::certificate`: Manage strongswan certificates
* `strongswan::secrets`: strongSwan secrets configuration.
## Classes

### `strongswan`

Installs and manages strongSwan

#### Parameters

The following parameters are available in the `strongswan` class:

* `package_name`
* `package_ensure`
* `service_name`
* `service_ensure`
* `service_enable`
* `ipsec_d_dir`
* `ipsec_conf`
* `ipsec_secrets`
* `charon_conf`

##### `package_name`

Data type: `Any`

The strongswan package name.

Default value: `'strongswan'`

##### `package_ensure`

Data type: `Any`

The desired package state. Can be used to install the latest or a specific version.

Default value: `'installed'`

##### `service_name`

Data type: `Any`

The strongswan service name.

Default value: `$strongswan::params::service_name`

##### `service_ensure`

Data type: `Any`

The desired ensure state for the service.

Default value: `running`

##### `service_enable`

Data type: `Any`

The desired enable state for the service.

Default value: `true`

##### `ipsec_d_dir`

Data type: `Any`

The directory for the ipsec configuration files. The default is operating system specific and you should not need to override this setting.

Default value: `$strongswan::params::ipsec_d_dir`

##### `ipsec_conf`

Data type: `Any`

The location of the ipsec.conf file. The default is operating system specific and you should not need to override this setting.

Default value: `$strongswan::params::ipsec_conf`

##### `ipsec_secrets`

Data type: `Any`

The location of the ipsec.secrets file. The default is operating system specific and you should not need to override this setting.

Default value: `$strongswan::params::ipsec_secrets`

##### `charon_conf`

Data type: `Any`

The location of the main charon.conf config file. WARNING, this option is not currently used.

Default value: `$strongswan::params::charon_conf`
### `strongswan::pki::ca`

This class manages the Strongswan CA

#### Examples

```puppet
include strongswan::pki::ca
```

```puppet
# Resource-like declaration: parameter names are given without a leading '$'
class { 'strongswan::pki::ca':
  common_name  => 'myVPN',
  country_code => 'XX',
  organization => 'myOrg',
}
```

#### Parameters

The following parameters are available in the `strongswan::pki::ca` class:

##### `common_name`

Data type: `String[1]`

The Certificate Authority Common Name (CN)

Default value: `'strongswanCA'`

##### `country_code`

Data type: `String[2]`

The Certificate Authority Country Code (C)

Default value: `'GB'`

##### `organization`

Data type: `String[1]`

The Certificate Authority Organization (O)

Default value: `'Strongswan'`
### `strongswan::setup`

Manages the Strongswan 'setup' section in ipsec.conf

#### Examples

```puppet
class { 'strongswan::setup':
  options => {
    'strictcrlpolicy' => 'yes',
    'uniqueids'       => 'never',
  },
}
```

#### Parameters

The following parameters are available in the `strongswan::setup` class:

##### `options`

Data type: `Hash`

The hash of options to configure

Default value: `{}`
## Defined types

### `strongswan::charon`

Manage strongswan charon config files

#### Examples

```puppet
strongswan::charon { 'log':
  options => {
    'filelog' => {
      '/var/log/strongswan.log' => {
        'time_format' => '%b %e %T',
        'ike_name'    => 'yes',
        'append'      => 'no',
        'default'     => '1',
        'flush_line'  => 'yes',
      },
      'stderr' => {
        'ike' => '2',
        'knl' => '2',
      },
    },
  },
}
```

#### Parameters

The following parameters are available in the `strongswan::charon` defined type:

##### `options`

Data type: `Hash`

charon options hash

Default value: `{}`
### `strongswan::charon::plugin`

Configure charon plugins

#### Examples

```puppet
strongswan::charon::plugin { 'eap-radius':
  options => {
    'load'   => 'yes',
    'secret' => '$ecRet',
  },
}

strongswan::charon::plugin { 'revocation':
  options => {
    'load' => 'no',
  },
}
```

#### Parameters

The following parameters are available in the `strongswan::charon::plugin` defined type:

##### `options`

Data type: `Hash`

plugin configuration options

Default value: `{}`
### `strongswan::conn`

Configure a strongSwan connection configuration.

#### Examples

##### Configure IPsec-IKEv2 connection.

```puppet
strongswan::conn { 'IPsec-IKEv2':
  options => {
    'rekey'         => 'no',
    'left'          => '%any',
    'leftsubnet'    => '0.0.0.0/0',
    'leftcert'      => 'vpnHostCert.der',
    'right'         => '%any',
    'rightdns'      => '8.8.8.8,8.8.4.4',
    'rightsourceip' => '10.10.10.0/24',
    'auto'          => 'add',
  },
}
```

##### Configure IKEv2-EAP connection.

```puppet
# 'also' must name an existing conn exactly; it inherits the IPsec-IKEv2 options above
strongswan::conn { 'IKEv2-EAP':
  options => {
    'also'         => 'IPsec-IKEv2',
    'leftauth'     => 'pubkey',
    'leftsendcert' => 'always',
    'rightauth'    => 'eap-mschapv2',
    'rightsendcert' => 'never',
    'eap_identity' => '%any',
  },
}
```

##### Configure the `%default` connection.

```puppet
# Settings in '%default' apply to every conn unless overridden there
strongswan::conn { '%default':
  options => {
    'ike'         => 'aes128gcm128-prfsha256-ecp256!',
    'esp'         => 'aes128gcm128-ecp256!',
    'keyexchange' => 'ikev2',
    'ikelifetime' => '60m',
    'lifetime'    => '20m',
    'margintime'  => '3m',
    'closeaction' => 'restart',
    'dpdaction'   => 'restart',
  },
}
```

#### Parameters

The following parameters are available in the `strongswan::conn` defined type:

Data type: `String[1]`

The name of the connection.

Default value: `$title`

##### `options`

Data type: `Hash`

A hash of configuration options for the connection.

Default value: `{}`
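As an added illustration (not code from the module or this page), the Python below lays out the `%default` and `IPsec-IKEv2` option hashes above in ipsec.conf syntax and lints the effective settings of each connection for weak choices; the `conn <name>` header with indented `key=value` lines is the standard strongSwan file layout, and the assumption is that the module's template writes the hash the same way.

```python
from typing import Dict, List

# Constructed input (added illustration, not module code): the %default and
# IPsec-IKEv2 hashes from this page plus a deliberately weak 'legacy' conn.
CONNS: Dict[str, Dict[str, str]] = {
    "%default": {
        "ike": "aes128gcm128-prfsha256-ecp256!",
        "esp": "aes128gcm128-ecp256!",
        "keyexchange": "ikev2",
        "ikelifetime": "60m",
        "lifetime": "20m",
    },
    "IPsec-IKEv2": {"rekey": "no", "left": "%any", "right": "%any", "auto": "add"},
    "legacy": {"keyexchange": "ikev1", "ike": "aes128-sha1-modp1024", "auto": "add"},
}

def render_ipsec_conf(conns: Dict[str, Dict[str, str]]) -> str:
    """Write each hash as 'conn <name>' plus indented key=value lines, the
    section layout strongSwan parses (assumed to match the module's template)."""
    blocks = []
    for name, opts in conns.items():
        lines = [f"conn {name}"] + [f"    {k}={v}" for k, v in opts.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def effective_options(conns: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Settings a conn actually gets: %default first, its own keys on top."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged

def lint_conn(conns: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Flag weak effective settings. Without a trailing '!' a proposal is not
    strict: strongSwan appends its own default proposals, so the peer can pick
    one the operator never listed. keyexchange other than ikev2 means IKEv1."""
    opts = effective_options(conns, name)
    findings = []
    if opts.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        proposal = opts.get(key)
        if proposal is None:
            findings.append(f"{key} proposal unset; daemon defaults apply")
        elif not proposal.endswith("!"):
            findings.append(f"{key} proposal is not strict (no trailing '!')")
    return findings

if __name__ == "__main__":
    print(render_ipsec_conf(CONNS))
```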
### `strongswan::pki::certificate`

Manage strongswan certificates

#### Examples

```puppet
strongswan::pki::certificate { 'server':
  common_name => 'myvpn.local',
  san         => ['@strongswan-1', 'strongswan-1', '192.168.33.42', '@192.168.33.42'],
}
```

#### Parameters

The following parameters are available in the `strongswan::pki::certificate` defined type:

##### `common_name`

Data type: `String[1]`

The certificate Common Name (CN)

Default value: `$facts['networking']['fqdn']`

Data type: `String[2]`

The certificate Country Code (C)

Default value: `'GB'`

Data type: `String[1]`

The certificate Organization (O)

Default value: `'Strongswan'`

##### `san`

Data type: `Array[String[1]]`

An Array of Subject Alternative Names

Default value: `['localhost']`

Data type: `Optional[String[1]]`

An optional PKCS#12 password for the certificate

Default value: `undef`
### `strongswan::secrets`

strongSwan secrets configuration.

#### Examples

```puppet
strongswan::secrets { '%any':
  options => {
    'RSA' => 'vpnHostKey.der keypass',
  },
}

strongswan::secrets { 'John':
  options => {
    'EAP' => 'SuperSecretPass',
  },
}
```

#### Parameters

The following parameters are available in the `strongswan::secrets` defined type:

Data type: `Array[String[1]]`

List of selectors for the current secret

Default value: `[$title]`

##### `options`

Data type: `Hash`

A hash of options to use with the secret

Default value: `{}`