Cert auth

.gitignore

@@ -1,2 +1 @@
 *.retry
-inventory

config.cfg

@@ -0,0 +1,21 @@
+---
+
+# IKEv2 currently supports only the following three curves:
+#  prime256v1
+#  secp384r1
+#  secp521r1
+easyrsa_dir: /opt/easy-rsa-ipsec
+easyrsa_curve: secp384r1
+easyrsa_ca_expire: 3650
+easyrsa_cert_expire: 3650
+easyrsa_key_size: 2048
+
+# if True re-init all existing certificates. Boolean
+easyrsa_reinit_existent: True
+
+# Domain or ip
+server_name: "{{ ansible_ssh_host }}"
+
+users:
+  - mr.smith
+  - mrs.smith

templates/easy-rsa.vars.j2

@@ -0,0 +1,198 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades don't wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows  *MUST* use forward slashes, or optionally double-esscaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DON'T EDIT THIS SECTION
+# 
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+    echo "This is no longer necessary and is disallowed. See the section called" >&2
+    echo "'How to use this file' near the top comments for more details." >&2
+    return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable should point to the top level of the easy-rsa tree. By default,
+# this is taken to be the directory you are currently in.
+
+set_var EASYRSA    "{{ easyrsa_dir }}/easyrsa3/"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL    "openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL    "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory.
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+set_var EASYRSA_PKI        "$EASYRSA/pki"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below aren't used.
+#
+# Choices are:
+#   cn_only  - use just a CN value
+#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+set_var EASYRSA_DN "cn_only"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate.  Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+#set_var EASYRSA_REQ_COUNTRY    "US"
+#set_var EASYRSA_REQ_PROVINCE   "California"
+#set_var EASYRSA_REQ_CITY   "San Francisco"
+#set_var EASYRSA_REQ_ORG    "Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL  "me@example.net"
+#set_var EASYRSA_REQ_OU     "My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+set_var EASYRSA_KEY_SIZE   {{ easyrsa_key_size }}
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+
+set_var EASYRSA_ALGO       ec
+
+# Define the named curve, used in ec mode only:
+
+set_var EASYRSA_CURVE      {{ easyrsa_curve }}
+
+# In how many days should the root CA key expire?
+
+set_var EASYRSA_CA_EXPIRE  {{ easyrsa_ca_expire }}
+
+# In how many days should certificates expire?
+
+set_var EASYRSA_CERT_EXPIRE    {{ easyrsa_cert_expire }}
+
+# How many days until the next CRL publish date?  Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+
+#set_var EASYRSA_CRL_DAYS   180
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature.  If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no".  When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT "no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE  "$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command.  The symptom will be
+# some form of a 'command not found' error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you're doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named 'COMMON' is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR    "$EASYRSA/x509-types"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+#set_var EASYRSA_SSL_CONF   "$EASYRSA/openssl-1.0.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+set_var EASYRSA_REQ_CN     "{{ server_name }}"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST     "sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+set_var EASYRSA_BATCH      "{{ server_name }}"

templates/ipsec.conf.j2

@@ -1,19 +1,52 @@
+#config setup
+	#uniqueids = never # allow multiple connections per user
+
+#conn %default
+    #dpdaction=clear
+    #dpddelay=35s
+    #dpdtimeout=300s
+    #rekey=no
+	#keyexchange=ikev2
+    #ike=aes256-sha1-modp1024!
+    #esp=aes256-sha1!
+	#compress=yes
+	#fragmentation=yes
+	
+    #left=%any
+    #leftauth=pubkey
+    #leftid={{ server_name }}
+    #leftcert={{ server_name }}.crt
+    #leftsendcert=always
+    #leftsubnet=0.0.0.0/0,::/0
+
+    #right=%any
+    ##rightauth=pubkey
+    #rightsourceip=10.0.0.0/24
+    #rightdns=8.8.8.8,8.8.4.4
+
+#conn ikev2-pubkey
+    #auto=add
+
+    
+    
 config setup
-	uniqueids = never # allow multiple connections per user
 
 conn %default
-	keyexchange=ikev2
+        ikelifetime=60m
-	ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+        keylife=20m
-	esp=aes128gcm16-sha2_256-ecp256!
+        rekeymargin=3m
-	compress=yes
+        keyingtries=1
-	fragmentation=yes
 
-conn psk	
+conn common
-	authby=psk
+        left=%any         # Ip of the host
-	left=%any
+        leftcert={{ server_name }}.crt # the cert we just created and copied
-	leftsubnet=0.0.0.0/0
+        leftid={{ server_name }}  # the Alt name in the Cert we just created
+        leftsubnet=172.16.31.0/24      # The internal subnet the remote user wants to access
         right=%any
-	rightdns=8.8.8.8,8.8.4.4
+        rightid=%any # Connections can come from anywhere
-	rightsourceip=10.0.0.0/24
+        rightsourceip=192.168.1.0/24   # Use this pool of IPs to assign to these inbound connections
         auto=add
 
+conn ikev2
+        keyexchange=ikev2 
+        also=common

templates/ipsec.secrets.j2

@@ -1 +1 @@
-dan : PSK "{{ ipsec_psk.stdout }}"
+: ECDSA {{ server_name }}.key

vpn.yml

@@ -4,38 +4,134 @@
   hosts: vpn-host
   gather_facts: false
   remote_user: root
+  vars_files:
+    - config.cfg    
   
   tasks:
   - name: Wait for port 22 to become available
     local_action: "wait_for port=22 host={{ inventory_hostname }}"
 
-  - name: Updating apt-get
+  #- name: Updating apt-get
-    raw: apt-get update -qq
+    #raw: apt-get update -qq
+    
+  #- name: Install python2.7 for Ansible
+    #raw: apt-get install -qq -y python2.7
+
+  #- name: Install StrongSwan
+    #apt: name=strongswan state=latest update_cache=yes
+
+  #- name: Enable strongswan
+    #service: name=strongswan enabled=yes
+
+  #- name: Enable packet forwarding for IPv4
+    #sysctl: name=net.ipv4.ip_forward value=1
+
+  #- name: Do not accept ICMP redirects (prevent MITM attacks)
+    #sysctl: name=net.ipv4.conf.all.accept_redirects value=0
+
+  #- name: Do not send ICMP redirects (we are not a router)
+    #sysctl: name=net.ipv4.conf.all.send_redirects value=0
+
+  #- name: Configure iptables so IPSec traffic can traverse the tunnel
+    #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+
+  #- name: Setup the ipsec.conf file from our template
+    #template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
+    #notify:
+    #- restart strongswan    
+
+  #- name: Setup the ipsec.secrets file with users and passwords
+    #template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
+    #notify:
+    #- restart strongswan    
+ 
+  #- name: Install git
+    #apt: name=git state=latest      
+    
+  - name: Fetch easy-rsa-ipsec repo
+    git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
+
+  - name: Setup the vars file from our template
+    template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
+    
+  - name: Ensure the pki directory is not exist
+    file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent
+    when: easyrsa_reinit_existent == True
+    
+  - name: Build the pki enviroments
+    shell: |
+      ./easyrsa init-pki
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'    
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
+
+  - name: Build the CA pair 
+    shell: |
+      ./easyrsa build-ca nopass
+      touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized'
+    notify:
+    - restart strongswan  
+    
+  - name: Build the server pair
+    shell: |
+      ./easyrsa build-server-full {{ server_name }} nopass
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
+    notify:
+    - restart strongswan        
+
+  - name: Build the client's pair
+    shell: |
+      ./easyrsa build-client-full {{ item }} nopass
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    with_items: "{{ users }}"
+
+  - name: Build the client's p12 
+    shell: |
+      ./easyrsa export-p12 {{ item }} nopass
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    with_items: "{{ users }}"
+  
+  - name: Make the CA cert to the strongswan directory
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
+    notify:
+    - restart strongswan
+
+  - name: Make the server cert to the strongswan directory
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
+    notify:
+    - restart strongswan      
+    
+  - name: Make the server key to the strongswan directory
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
+    notify:
+    - restart strongswan    
+   
+  - name: restart strongswan
+    service: name=strongswan state=restarted
+    
+  handlers:
+    - name: restart strongswan
+      service: name=strongswan state=restarted
+      
       
-  - name: Install python2.7 for Ansible
-    raw: apt-get install -qq -y python2.7
       
-  - name: Install StrongSwan
-    apt: name=strongswan state=latest update_cache=yes
       
-  - name: Enable packet forwarding for IPv4
-    sysctl: name=net.ipv4.ip_forward value=1
     
-  - name: Do not accept ICMP redirects (prevent MITM attacks)
-    sysctl: name=net.ipv4.conf.all.accept_redirects value=0
     
-  - name: Do not send ICMP redirects (we are not a router)
-    sysctl: name=net.ipv4.conf.all.send_redirects value=0
     
-  - name: Configure iptables so IPSec traffic can traverse the tunnel
-    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
     
-  - name: Setup the ipsec.conf file from our template
-    template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
     
-  - name: Generate a random IPsec pre-shared key (16 bytes)
-    shell: openssl rand -base64 16
-    register: ipsec_psk
     
-  - name: Setup the ipsec.secrets file with users and passwords
-    template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600