Class: Construqt::Flavour::Ubuntu::Ipsec

Inherits:

OpenStruct

Object
OpenStruct
Construqt::Flavour::Ubuntu::Ipsec

show all

Defined in:: lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb

Class Method Summary collapse

.header(host) ⇒ Object

Instance Method Summary collapse

#build_config(unused, unused2) ⇒ Object
#build_policy(remote_my, remote_other, my, other) ⇒ Object
#build_racoon_config(remote_ip) ⇒ Object

def build_gre_config() iname = Util.clean_if(“gt”, self.other.host.name) writer = self.host.result.delegate.etc_network_interfaces.get(self.interface) writer.lines.add(<<UP) up ip -6 tunnel add #iname mode ip6gre local #selfself.myself.my.first_ipv6 remote #selfself.otherself.other.myself.other.my.first_ipv6 up ip -6 addr add #selfself.myself.my.first_ipv6self.my.first_ipv6.to_string dev #iname up ip -6 link set dev #iname up UP writer.lines.add(<<DOWN) down ip -6 tunnel del #iname DOWN end.
#from_to_ipsec_conf(dir, remote_my, remote_other, my, other) ⇒ Object
#from_to_sainfo(my_ip, other_ip) ⇒ Object
#initialize(cfg) ⇒ Ipsec constructor

A new instance of Ipsec.
#psk(ip, cfg) ⇒ Object

Constructor Details

#initialize(cfg) ⇒ `Ipsec`

Returns a new instance of Ipsec.



6
7
8

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 6

def initialize(cfg)
  super(cfg)
end

Class Method Details

.header(host) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 10

def self.header(host)
  #binding.pry
  addrs = {}
  host.interfaces.values.each do |iface|
    iface = iface.delegate
    next unless iface.cfg
    next unless iface.cfg.kind_of? Construqt::Ipsec
    if iface.remote.first_ipv4
      addrs[iface.remote.first_ipv4.to_s] = "isakmp #{self.remote.first_ipv4.to_s} [500];"
    end
    if iface.remote.first_ipv6
      addrs[iface.remote.first_ipv6.to_s] = "isakmp #{self.remote.first_ipv6.to_s} [500];"
    end
  end
  return if addrs.empty?
  self.host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
# do not edit generated filed #{path}
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;
listen {
#{Util.indent(addrs.keys.sort.map{|k| addrs[k] }.join("\n"), " ")}
  strict_address;
}
HEADER
end

Instance Method Details

#build_config(unused, unused2) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 128

def build_config(unused, unused2)
  #      build_gre_config()
  #binding.pry
  if self.other.remote.first_ipv6
    build_racoon_config(self.other.remote.first_ipv6.to_s)
    host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg),
                    Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
    build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
  elsif self.other.remote.first_ipv4
    build_racoon_config(self.other.remote.first_ipv4.to_s)
    host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg),
                    Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
    build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
  else
    throw "ipsec need a remote address"
  end
end

#build_policy(remote_my, remote_other, my, other) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 102

def build_policy(remote_my, remote_other, my, other)
  #binding.pry
  my.ips.each do |my_ip|
    other.ips.each do |other_ip|
      next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
      from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
      from_to_sainfo(my_ip, other_ip)
    end
  end

  other.ips.each do |other_ip|
    my.ips.each do |my_ip|
      next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
      from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
      from_to_sainfo(other_ip, my_ip)
    end
  end
end

#build_racoon_config(remote_ip) ⇒ `Object`

def build_gre_config()

iname = Util.clean_if("gt", self.other.host.name)
writer = self.host.result.delegate.etc_network_interfaces.get(self.interface)
writer.lines.add(<<UP)

up ip -6 tunnel add #iname mode ip6gre local #Construqt::Flavour::Ubuntu::Ipsec.selfself.myself.my.first_ipv6 remote #Construqt::Flavour::Ubuntu::Ipsec.selfself.otherself.other.myself.other.my.first_ipv6 up ip -6 addr add #Construqt::Flavour::Ubuntu::Ipsec.selfself.myself.my.first_ipv6self.my.first_ipv6.to_string dev #iname up ip -6 link set dev #iname up UP

writer.lines.add(<<DOWN)

down ip -6 tunnel del #iname DOWN

end

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 50

def build_racoon_config(remote_ip)
  #binding.pry
  self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
# #{self.cfg.name}
remote #{remote_ip} {
  exchange_mode main;
  lifetime time 24 hour;

  proposal_check strict;
  dpd_delay 30;
  ike_frag on;                    # use IKE fragmentation
  proposal {
    encryption_algorithm aes256;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group modp1536;
  }
}
RACOON
end

#from_to_ipsec_conf(dir, remote_my, remote_other, my, other) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 91

def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
  host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
  if my.network.to_s == other.network.to_s
    spdadd = "spdadd #{my.to_s} #{other.to_s}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
  else
    spdadd = "spdadd #{my.to_string} #{other.to_string}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
  end

  host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
end

#from_to_sainfo(my_ip, other_ip) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 71

def from_to_sainfo(my_ip, other_ip)
  if my_ip.network.to_s == other_ip.network.to_s
    my_ip_str = my_ip.to_s
    other_ip_str = other_ip.to_s
  else
    my_ip_str = my_ip.to_string
    other_ip_str = other_ip.to_string
  end

  self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
sainfo address #{my_ip_str} any address #{other_ip_str} any {
pfs_group 5;
encryption_algorithm aes256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 1 hour;
}
RACOON
end

#psk(ip, cfg) ⇒ `Object`

# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb', line 121

def psk(ip, cfg)
  [
    "# #{cfg.name}",
    "#{ip} #{Util.password(cfg.password)}"
  ].join("\n")
end

Class: Construqt::Flavour::Ubuntu::Ipsec

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(cfg) ⇒ Ipsec

Class Method Details

.header(host) ⇒ Object

Instance Method Details

#build_config(unused, unused2) ⇒ Object

#build_policy(remote_my, remote_other, my, other) ⇒ Object

#build_racoon_config(remote_ip) ⇒ Object

#from_to_ipsec_conf(dir, remote_my, remote_other, my, other) ⇒ Object

#from_to_sainfo(my_ip, other_ip) ⇒ Object

#psk(ip, cfg) ⇒ Object