OpenIKED deployment on OpenBSD
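---
# Stand up an OpenIKED (IKEv2) road-warrior gateway on the OpenBSD hosts in the
# "vpn_servers" inventory group: kernel IPsec knobs, the enc0 interface, a
# default-deny pf ruleset, and iked itself.
- hosts: vpn_servers
  gather_facts: false
  vars:
    # Pre-shared key handed to iked.conf below. Stored as ansible-vault
    # ciphertext so the secret never sits in plaintext in the repository;
    # the blob here is the gist author's own and only decrypts with their key.
    iked_psk: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32623230623235316330323235303137656139383262336333663335633833306266663066396265
      6233636636323232353262613131343538623136623433620a313662653034663933353535383335
      37306332653639323963333166366561393665633033303930323034366566633932393363623330
      3766663035313862310a663430356363366533653031376132666638303664393132313266316464
      36643564383061653364383437306438653864613633303438366462323239386266
  handlers:
    - name: Reload pf configuration
      # No shell features are needed, so `command` avoids spawning /bin/sh.
      command: pfctl -f /etc/pf.conf
    - name: Reload iked service
      service:
        name: iked
        state: reloaded
    - name: Reload network configuration
      # Re-runs all of /etc/netstart, i.e. every hostname.if, not only enc0.
      command: sh /etc/netstart
  tasks:
    - block:
        - name: Ensure sysctl params are set
          # ip.forwarding lets the box route between enc0 and its uplinks;
          # esp/ah/ipcomp enable the kernel IPsec transforms that iked.conf
          # below negotiates (esp with ipcomp).
          # NOTE(review): on OpenBSD this module persists to /etc/sysctl.conf;
          # confirm the values are also applied live on hosts that are not
          # rebooted after the run.
          sysctl:
            name: net.inet.{{ item }}
            value: 1
          with_items:
            - ip.forwarding
            - esp.enable
            - ah.enable
            - ipcomp.enable
        - name: Ensure /etc/badguys exists
          # Backing file for the <badguys> pf table. force: false means the
          # file is only written when absent, so entries an operator appends
          # by hand survive later runs instead of being truncated.
          copy:
            dest: /etc/badguys
            owner: root
            group: wheel
            mode: "0640"
            force: false
            content: ""
        - name: Ensure the enc0 interface is configured
          # Gateway address of the VPN client pool; matches the
          # "config address 10.0.1.0/24" handed out by iked below.
          copy:
            dest: /etc/hostname.enc0
            owner: root
            group: wheel
            mode: "0640"
            content: |
              inet 10.0.1.1 255.255.255.0 10.0.1.255
              up
          notify: Reload network configuration
        - name: Ensure pf is configured
          copy:
            dest: /etc/pf.conf
            owner: root
            group: wheel
            mode: "0644"
            # Parse the candidate ruleset before it replaces the live file, so a
            # syntax error never leaves the host with an unloadable pf.conf.
            validate: pfctl -nf %s
            content: |
              # $intra is presumably the inside/LAN interface; $vpn is defined
              # but not referenced by any rule below.
              intra = "vio0"
              vpn = "enc0"
              set reassemble yes
              set block-policy return
              set loginterface egress
              # Nothing is filtered on lo or the enc group: decrypted tunnel
              # traffic is only filtered once it is routed out via egress or $intra.
              set skip on { lo, enc }
              match in all scrub (no-df random-id max-mss 1440)
              # <ossec_fwtable> is presumably populated by OSSEC active response;
              # <badguys> is seeded from /etc/badguys and fed by the SSH rule below.
              table <ossec_fwtable> persist
              table <badguys> persist file "/etc/badguys"
              block in quick on egress from <badguys> label "bad"
              block out quick on egress to <badguys> label "bad"
              block in quick on egress from <ossec_fwtable> label "bad"
              block out quick on egress to <ossec_fwtable> label "bad"
              block in quick from urpf-failed label uRPF
              # Default deny (logged); everything after this is an explicit exception.
              block return log
              pass out all modulate state
              # IKEv2 control traffic (isakmp/500, NAT-T/4500) and the IPsec transports.
              pass in on egress proto { ah, esp }
              pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t }
              # NAT the VPN client pool on the way out, both to the internet and the LAN.
              pass out on egress from 10.0.1.0/24 to any nat-to (egress)
              pass out on $intra from 10.0.1.0/24 to $intra:network nat-to ($intra)
              pass in quick inet proto icmp icmp-type { echoreq, unreach }
              # SSH brute-force throttle: a source exceeding the limits is added to
              # <badguys> and all of its existing states are flushed.
              pass in on egress proto tcp from any to (egress) port 22 keep state (max-src-conn 40, max-src-conn-rate 10/30, overload <badguys> flush global)
              pass in on $intra proto { udp tcp } from any to ($intra) port 53
          notify: Reload pf configuration
        - name: Ensure iked is configured
          # 0600: the rendered file contains the decrypted PSK.
          copy:
            dest: /etc/iked.conf
            owner: root
            group: wheel
            mode: "0600"
            # Config-test the rendered file before it replaces the live one.
            validate: iked -nf %s
            content: |
              # Responder-only (passive) IKEv2 with PSK authentication; peers are
              # assigned an address from 10.0.1.0/24 and pushed a 0.0.0.0/0
              # protected subnet (full tunnel).
              ikev2 "inet" passive ipcomp esp \
                from 0.0.0.0/0 to 10.0.1.0/24 \
                from 10.0.0.0/24 to 10.0.1.0/24 \
                local egress peer any \
                psk "{{iked_psk}}" \
                config protected-subnet 0.0.0.0/0 \
                config address 10.0.1.0/24 \
                config name-server 10.19.3.1 \
                tag "IKED" tap enc0
          notify: Reload iked service
        - name: Ensure iked service is running/enabled
          service:
            name: iked
            state: started
            enabled: true
      tags: vpn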