1 # an ipsec peer, another node to connect to
14 $network_name = 'ipsec',
16 $leftsubnet = $local_networks ? {
18 default => "leftsubnet = ${$local_networks.join(', ')}"
20 $rightsubnet = $peer_networks ? {
22 default => "rightsubnet = ${$peer_networks.join(', ')}"
24 concat::fragment { "${network_name}::${ipsec_conf_file}::${name}":
25 target => $ipsec_conf_file,
28 conn ${network_name}::${peer_name}
29 # left is us (local, ${local_name})
30 left = ${local_ipaddress}
33 # right is our peer (remote, ${peer_name})
34 right = ${peer_ipaddress}
41 # create the data portion for the key derivation function
43 # It must be identical on both ends of a connection, so that the corresponding
44 # secrets entry at the peer derives the same PSK. We achieve this by putting
45 # the peer's info and our info in an arbitrary but canonical order by sorting.
46 # Only the secret file contributes entropy here: names and addresses are not
   # secret inputs, so the derived PSK is only as secret as that file.
47 $ipsec_psk_data = ("${local_name}(${local_ipaddress})" < "${peer_name}(${peer_ipaddress})") ? {
48 true => "ipsec-peer-psk-${network_name}-${local_name}(${local_ipaddress})-${peer_name}(${peer_ipaddress})",
49 false => "ipsec-peer-psk-${network_name}-${peer_name}(${peer_ipaddress})-${local_name}(${local_ipaddress})"
51 $ipsec_psk = hkdf('/etc/puppet/secret', $ipsec_psk_data)
52 concat::fragment { "${network_name}::${ipsec_secrets_file}::${name}":
53 target => $ipsec_secrets_file,
56 ${peer_ipaddress} : PSK "${ipsec_psk}"
60 ferm::rule { "${network_name}-${name}":
61 description => "allow ipsec protocols for peer ${peer_name}",
63 chain => 'ipsec-peers',
64 rule => "saddr ${peer_ipaddress} ACCEPT",