nl2go/ansible-role-network-encryption

Ansible Role: Network Encryption

An Ansible Role that manages network encryption between inventory hosts based on IPsec / strongSwan.

Requirements

Name Type Version Location
ansible-filter Python package 1.0.0 Control node

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

network_encryption_charon_port: 500

UDP port used locally. If set to 0, a random port will be allocated (see strongswan.conf).

network_encryption_port_nat_t: 4500

UDP port used locally in case of NAT-T. If set to 0, a random port will be allocated. It has to be different from charon.port, otherwise a random port will be allocated (see strongswan.conf).

network_encryption_configs:
  - name: default
    psk: secret

Configuration sets are defined using the network_encryption_configs variable. The name of a configuration set is mandatory and is used for identification. The pre-shared key can be specified using psk.

network_encryption_host_configs:
  - name: default

Hosts are attached to a configuration set using the network_encryption_host_configs variable; configuration sets are referenced by name.

network_encryption_host_configs:
  - name: default
    state: absent

A host can be detached from the configuration set using state: absent.

network_encryption_configs:
  - name: default
    interface: eth0
    psk: secret

The interface can be specified using the interface variable. If not specified, it defaults to ansible_default_ipv4.interface.

network_encryption_configs:
  - name: default
    psk: secret
    params:
        lifetime: 8h

General connection parameters such as lifetime may be set within the params section (see ipsec.conf for the full parameter description).

network_encryption_default_config_params:
  ike: aes256gcm16-prfsha384-modp4096,aes256gcm16-prfsha384-ecp384!
  esp: aes256gcm16-modp4096,aes256gcm16-ecp384!
  keyingtries: 0
  ikelifetime: 1h
  lifetime: 8h
  dpddelay: 30
  dpdtimeout: 120
  dpdaction: clear
  authby: secret
  keyexchange: ikev2
  type: tunnel

The params within network_encryption_configs extend or override the default connection parameters listed above.
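The following is an added example, not code from the role itself, that makes the variable semantics above concrete: per-configuration params are laid over the role defaults (a plain key-by-key override), hosts are attached to a set by name and detached with state: absent, and the merged parameters end up in an ipsec.conf conn block per peer. The inventory, addresses and PSK are constructed sample data; the exact conn rendering (the conn naming, left/right and auto=route) is an assumption for illustration and not necessarily what the role's template produces. The PSK is deliberately not rendered here, since with authby=secret it belongs in ipsec.secrets, not in the conn definition.

```python
"""Added example (not the nl2go.network_encryption role's own code).

Shows how per-config ``params`` override the role defaults, how
``state: absent`` detaches a host from a configuration set, and how the
merged parameters could be rendered into ipsec.conf conn blocks. The
rendering layout is an assumption for illustration only.
"""
from copy import deepcopy

# Defaults exactly as listed in the README (network_encryption_default_config_params).
NETWORK_ENCRYPTION_DEFAULT_CONFIG_PARAMS = {
    "ike": "aes256gcm16-prfsha384-modp4096,aes256gcm16-prfsha384-ecp384!",
    "esp": "aes256gcm16-modp4096,aes256gcm16-ecp384!",
    "keyingtries": 0,
    "ikelifetime": "1h",
    "lifetime": "8h",
    "dpddelay": 30,
    "dpdtimeout": 120,
    "dpdaction": "clear",
    "authby": "secret",
    "keyexchange": "ikev2",
    "type": "tunnel",
}

# Constructed inventory: host name -> address and its network_encryption_host_configs.
# db1 is detached from the "default" set via state: absent.
INVENTORY = {
    "web1": {"addr": "10.0.0.11", "host_configs": [{"name": "default"}]},
    "web2": {"addr": "10.0.0.12", "host_configs": [{"name": "default"}]},
    "db1": {"addr": "10.0.0.21", "host_configs": [{"name": "default", "state": "absent"}]},
}

# Constructed network_encryption_configs: one set overriding only the SA lifetime.
NETWORK_ENCRYPTION_CONFIGS = [
    {"name": "default", "psk": "secret", "params": {"lifetime": "4h"}},
]


def merge_params(defaults, overrides):
    """Per-config params extend/override the defaults key by key."""
    merged = deepcopy(defaults)
    merged.update(overrides or {})
    return merged


def attached_hosts(inventory, config_name):
    """Hosts referencing config_name whose state is not 'absent' (default: present)."""
    members = []
    for host, data in inventory.items():
        for hc in data.get("host_configs", []):
            if hc.get("name") == config_name and hc.get("state", "present") != "absent":
                members.append(host)
    return sorted(members)


def is_strict_proposal(proposal):
    """strongSwan treats a trailing '!' as a strict proposal list (no fallback)."""
    return proposal.rstrip().endswith("!")


def render_conns(local_host, config, inventory, defaults):
    """Render one conn block per attached peer (assumed layout, not the role's)."""
    params = merge_params(defaults, config.get("params"))
    local_addr = inventory[local_host]["addr"]
    blocks = []
    for peer in attached_hosts(inventory, config["name"]):
        if peer == local_host:
            continue
        lines = [f"conn {config['name']}-{peer}"]
        lines += [f"    {k}={v}" for k, v in params.items()]
        # left/right and auto=route are illustrative assumptions.
        lines += [f"    left={local_addr}", f"    right={inventory[peer]['addr']}", "    auto=route"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    cfg = NETWORK_ENCRYPTION_CONFIGS[0]
    for key in ("ike", "esp"):
        if not is_strict_proposal(NETWORK_ENCRYPTION_DEFAULT_CONFIG_PARAMS[key]):
            print(f"warning: {key} proposal is not strict")
    print(render_conns("web1", cfg, INVENTORY, NETWORK_ENCRYPTION_DEFAULT_CONFIG_PARAMS))
```

Running the script from web1 prints a single conn for web2 with lifetime=4h and every other parameter taken from the defaults; db1 gets no conn because its host config carries state: absent. The is_strict_proposal check is a useful sanity test when overriding ike or esp in params: dropping the trailing ! would let the peers negotiate down to any proposal the other side offers.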

network_encryption_config_dir: "/etc/ipsec.d/{{ role_name }}"

Defines the custom IPsec configuration directory for isolation purposes.

Tags

Tags can be used to limit the role execution to a particular task module. The following tags are available:

  • network_encryption: Covers the full role lifecycle.
  • network_encryption_install, install: Installs required packages.
  • network_encryption_config, config: Configures required packages.

Dependencies

None.

Example Playbook

- hosts: all
  roles:
     - nl2go.network_encryption

Development

Use docker-molecule following its instructions to run Molecule, or install Molecule locally (not recommended, as version conflicts might appear).

Use the following to run tests:

molecule test --all

Maintainers

License

See the LICENSE.md file for details.

Author Information

This role was created in 2019 by Newsletter2Go GmbH.