kravietz / ansible-ipsec Goto Github PK

If some servers are inside EC2 and some are outside EC2, the configuration generated by this Ansible role does not work. I think it is because EC2 servers are sitting inside a NAT-ed environment.

If you can tell me how to set this up, I can raise a PR to implement this.

Since the ipsec-tools project has been discontinued and as result the tools have been removed from Debian and Ubuntu, this project requires a substantial design changes.

One option is libreswan which is still supported but seems to be designed for VPN tunnels primarily (but it supports transport mode).

The functionality of setkey can be replaced by ip xfrm in terms of creating manually-keyed IPSec SAs.

Another option is switching to Wireguard.

Cc @saurabhnanda @domhaas @piotron @o-sole @NielsKSchjoedt

Hi,

I have quite a few dedicated servers residing in different datacenters. I need to be able to connect them in a private network, so e.g. my web servers can communicate securely with memcached, postgresql etc. on different servers. Currently I'm using tinc for this, but I have seen something that looks like network overhead in this setup: https://stackoverflow.com/questions/47350951/tinc-shh-ipsec-tuning-for-high-throughput

As part of renewing the servers I'm considering switching to use IPsec provisioned using this ansible role instead. Do you have any thoughts on the performance or experience you care to share? :-)

I have the following config:

- hosts: all
  roles:
    - name: ansible-ipsec
      vars:
        ipsec_secret: "REDACTED"
        ipsec_inet:
          - ansible_default_ipv4
        ipsec_policy: require
        ipsec_mode: ike
        ipsec_open_ssh: true
        ipsec_open_icmp: true
        ipsec_forward: false
        ipsec_compress: true

But, I can see the following snippets in /etc/ipsec-tools.conf:

### SPD entries for storefront/2a01:4f9:c010:8d7::1 <-> dataserver/2a01:4f9:2b:3cc::2

# storefront -> dataserver
spdadd 2a01:4f9:c010:8d7::1 2a01:4f9:2b:3cc::2 any -P out ipsec ipcomp/transport//use esp/transport//require;
# dataserver -> storefront
spdadd 2a01:4f9:2b:3cc::2 2a01:4f9:c010:8d7::1 any -P in  ipsec ipcomp/transport//use esp/transport//require;

Hi, after your recent changes we started to have issues with this playbook.
step ipse-tools configuration returns

{
    "msg": "AnsibleUndefinedVariable: 'dict object' has no attribute 'address'",
    "_ansible_notify": [
        "setkey restart"
    ],
    "changed": false,
    "_ansible_no_log": false
}

Everything works to 2a344d9 after that we're getting message above.
Our servers are running on Ubuntu, some may not have ipv6 interfaces.

Are the instructions given at https://github.com/kravietz/ansible-ipsec/blob/fb98a4ff5219dcc709aa411f68d00665142069de/README.md#firewall applicable to both modes, ike and setkey, or only the former?

If one is using setkey is iptables -A INPUT -p esp -j ACCEPT still required?

Use-case: setting up an NFS v4 server without kerberos such that ALL traffic to the NFS server is always encrypted irrespective of the client's IP. This will prevent misconfigurations where one server is left out of the ipsec "ring" and is still able to access NFS without using ipsec.