1 # basic ipsec configuration
3 # this configures all packages and required kernel modules, but
4 # doesn't configure any host; see `ipsec::network` for that.
6 # when first loaded, this will register a list of kernel modules to load,
7 # but they will only be loaded at the next reboot.
11 'libstrongswan-standard-plugins'
22 content => template('ipsec/ipsec.conf.erb'),
23 notify => Service['ipsec'];
26 content => template('ipsec/ipsec.secrets.erb'),
27 notify => Service['ipsec'];
29 ensure => 'directory',
34 '/etc/ipsec.secrets.d':
35 ensure => 'directory',
40 '/etc/ipsec.conf.d/00-default.conf':
41 content => template('ipsec/ipsec.conf-00-default.conf.erb'),
42 notify => Service['ipsec'];
43 '/etc/strongswan.d/charon-logging.conf':
44 content => template('ipsec/strongswan-charon-logging.conf'),
45 notify => Service['ipsec'];
50 description => 'ipsec protocols are allowed from the ipsec peers',
52 chain => 'ipsec-peers',
56 description => 'ipsec protocols are allowed from the ipsec peers',
59 proto udp dport (isakmp 4500) jump ipsec-peers;
60 proto esp jump ipsec-peers
# Module loading is disabled once the system is up, so every module the
# IPsec stack may need has to be pulled in at boot; this list is that set.
# NOTE(review): macvlan, macvtap, vhost and vhost_net are not IPsec/XFRM
# modules — confirm they are actually required here, since each module
# preloaded this way stays resident while module loading is locked down.
$modules = [
  'af_alg', 'af_key', 'ah4', 'algif_skcipher', 'ansi_cprng', 'authenc',
  'drbg', 'echainiv', 'esp4', 'ipcomp', 'macvlan', 'macvtap', 'tunnel4',
  'vhost', 'vhost_net', 'xfrm4_mode_tunnel', 'xfrm4_tunnel',
  'xfrm6_mode_tunnel', 'xfrm_algo', 'xfrm_ipcomp', 'xfrm_user',
]
base::linux_module { $modules: }