kravietz / ansible-ipsec
IPSec configuration generator for Ansible
Home Page: https://ipsec.pl/ipsec/2015/securing-cloud-servers-ipsec-and-ansible.html
License: GNU General Public License v2.0
If some servers are inside EC2 and some are outside EC2, the configuration generated by this Ansible role does not work. I think it is because EC2 servers are sitting inside a NAT-ed environment.
If you can tell me how to set this up, I can raise a PR to implement this.
Since the ipsec-tools project has been discontinued and, as a result, the tools have been removed from Debian and Ubuntu, this project requires substantial design changes.
One option is libreswan, which is still supported but seems to be designed primarily for VPN tunnels (it does support transport mode).
The functionality of setkey can be replaced by ip xfrm in terms of creating manually-keyed IPSec SAs.
Another option is switching to Wireguard.
Cc @saurabhnanda @domhaas @piotron @o-sole @NielsKSchjoedt
Hi,
I have quite a few dedicated servers residing in different datacenters. I need to be able to connect them in a private network, so e.g. my web servers can communicate securely with memcached, postgresql etc. on different servers. Currently I'm using tinc for this, but I have seen something that looks like network overhead in this setup: https://stackoverflow.com/questions/47350951/tinc-shh-ipsec-tuning-for-high-throughput
As part of renewing the servers I'm considering switching to use IPsec provisioned using this ansible role instead. Do you have any thoughts on the performance or experience you care to share? :-)
I have the following config:
- hosts: all
  roles:
    - name: ansible-ipsec
      vars:
        ipsec_secret: "REDACTED"
        ipsec_inet:
          - ansible_default_ipv4
        ipsec_policy: require
        ipsec_mode: ike
        ipsec_open_ssh: true
        ipsec_open_icmp: true
        ipsec_forward: false
        ipsec_compress: true
But, I can see the following snippets in /etc/ipsec-tools.conf:
### SPD entries for storefront/2a01:4f9:c010:8d7::1 <-> dataserver/2a01:4f9:2b:3cc::2
# storefront -> dataserver
spdadd 2a01:4f9:c010:8d7::1 2a01:4f9:2b:3cc::2 any -P out ipsec ipcomp/transport//use esp/transport//require;
# dataserver -> storefront
spdadd 2a01:4f9:2b:3cc::2 2a01:4f9:c010:8d7::1 any -P in ipsec ipcomp/transport//use esp/transport//require;
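As an added example (not code from the role or from either post above): the maintainer's issue above notes that setkey can be replaced by ip xfrm, and this post shows the SPD entries setkey would load. The script below translates those two spdadd lines into the equivalent `ip xfrm policy add` commands; the parser covers only the subset of the setkey grammar the role emits (ipsec policies, esp/ah/ipcomp, require/use levels) and the sample input is constructed from the lines quoted here.

```python
import ipaddress
import shlex

# Constructed sample input: the two spdadd lines quoted in the post above.
SAMPLE_SPD = """\
spdadd 2a01:4f9:c010:8d7::1 2a01:4f9:2b:3cc::2 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 2a01:4f9:2b:3cc::2 2a01:4f9:c010:8d7::1 any -P in ipsec ipcomp/transport//use esp/transport//require;
"""

# setkey spellings -> ip xfrm spellings (xfrm has no 'default' level, so it is rejected)
XFRM_PROTO = {"esp": "esp", "ah": "ah", "ipcomp": "comp"}
XFRM_LEVEL = {"require": "required", "use": "use"}


def parse_spdadd(line):
    """Parse 'spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/[SRC-DST]/LEVEL ...;'."""
    tokens = shlex.split(line.strip().rstrip(";"))
    if len(tokens) < 8 or tokens[0] != "spdadd" or tokens[4] != "-P" or tokens[6] != "ipsec":
        raise ValueError(f"unsupported SPD line: {line!r}")
    rules = []
    for rule in tokens[7:]:
        proto, mode, endpoints, level = rule.split("/")
        rules.append((XFRM_PROTO[proto], mode, endpoints, XFRM_LEVEL[level]))
    return {"src": tokens[1], "dst": tokens[2], "upper": tokens[3],
            "dir": tokens[5], "rules": rules}


def with_prefix(addr):
    """setkey treats a bare address as a single host; give ip xfrm the prefix explicitly."""
    net = ipaddress.ip_network(addr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def to_xfrm_policy(spd):
    """Build the command; selector tokens and each tmpl's ID tokens (src/dst/proto) stay contiguous."""
    parts = ["ip", "xfrm", "policy", "add", "src", with_prefix(spd["src"]), "dst", with_prefix(spd["dst"])]
    if spd["upper"] != "any":
        parts += ["proto", spd["upper"]]
    parts += ["dir", spd["dir"]]
    for proto, mode, endpoints, level in spd["rules"]:  # template order is kept: comp first, then esp
        parts.append("tmpl")
        if endpoints:  # tunnel mode carries the outer endpoints as SRC-DST
            tsrc, tdst = endpoints.split("-")
            parts += ["src", tsrc, "dst", tdst]
        parts += ["proto", proto, "mode", mode, "level", level]
    return " ".join(parts)


def spd_to_xfrm(text):
    """Translate every spdadd line of a setkey config fragment; other lines are skipped."""
    return [to_xfrm_policy(parse_spdadd(l)) for l in text.splitlines() if l.strip().startswith("spdadd")]


if __name__ == "__main__":
    for cmd in spd_to_xfrm(SAMPLE_SPD):
        print(cmd)
```

The generated commands only install policies; manually keyed SAs still have to be added with `ip xfrm state add`, and `setkey -D`/`ip xfrm state` on both hosts is the place to check that the SPD and SAD actually match.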
Hi, after your recent changes we started to have issues with this playbook.
Step "ipsec-tools configuration" returns:
{
"msg": "AnsibleUndefinedVariable: 'dict object' has no attribute 'address'",
"_ansible_notify": [
"setkey restart"
],
"changed": false,
"_ansible_no_log": false
}
Everything works up to 2a344d9; after that we're getting the message above.
Our servers are running on Ubuntu, some may not have ipv6 interfaces.
Are the instructions given at https://github.com/kravietz/ansible-ipsec/blob/fb98a4ff5219dcc709aa411f68d00665142069de/README.md#firewall applicable to both modes, ike and setkey, or only the former?
If one is using setkey, is iptables -A INPUT -p esp -j ACCEPT still required?
Use-case: setting up an NFS v4 server without kerberos such that ALL traffic to the NFS server is always encrypted irrespective of the client's IP. This will prevent misconfigurations where one server is left out of the ipsec "ring" and is still able to access NFS without using ipsec.