Premier commit

roles/vpn/files/sysctl.conf

@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#

roles/vpn/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+  - name: restart racoon
+    service: name=racoon state=restarted
+
+  - name: restart setkey
+    service: name=setkey state=restarted

roles/vpn/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+  - name: Installation Racoon
+    apt: name=racoon state=present update_cache=yes
+
+  - name: install ipsec-tools
+    apt: name=ipsec-tools state=present update_cache=yes
+
+  - name: install tcpdump
+    apt: name=tcpdump state=present update_cache=yes
+
+  - name: generation racoon.conf
+    template: src=racoon.conf.j2 dest=/etc/racoon/racoon.conf
+
+  - name: generation ipsec-tools.conf
+    template: src=ipsec-tools.conf.j2 dest=/etc/ipsec-tools.conf
+    notify: restart setkey
+
+  - name: generation psk.txt
+    template: src=psk.txt.j2 dest=/etc/racoon/psk.txt
+    notify: restart racoon
+
+  - name: activation du routage
+    copy: src=sysctl.conf dest=/etc/sysctl.conf

roles/vpn/templates/ipsec-tools.conf.j2

@@ -0,0 +1,9 @@
+flush;
+spdflush;
+
+spdadd {{ mynet }}/24 {{ remnet }}/24 any -P out ipsec
+           esp/tunnel/{{ ip1 }}-{{ remip }}/require;
+
+spdadd {{ remnet }}/24 {{ mynet }}/24 any -P in ipsec
+           esp/tunnel/{{ remip }}-{{ ip1 }}/require;
+

roles/vpn/templates/psk.txt.j2

@@ -0,0 +1,2 @@
+{{ remip }} secret
+

roles/vpn/templates/racoon.conf.j2

@@ -0,0 +1,19 @@
+path pre_shared_key "/etc/racoon/psk.txt";
+
+remote {{ remip }} {
+        exchange_mode main,aggressive;
+        proposal {
+                encryption_algorithm 3des;
+                hash_algorithm sha1;
+                authentication_method pre_shared_key;
+                dh_group 2;
+        }
+}
+
+sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any {
+        pfs_group 2;
+        lifetime time 1 hour ;
+        encryption_algorithm 3des, blowfish 448, rijndael ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}