Premier commit

2021-01-04 22:49:46 +01:00
parent da1100578d
commit 65b2a3eaf3
538 changed files with 52570 additions and 0 deletions
--- a/roles/x509-r/files/generate.sh
+++ b/roles/x509-r/files/generate.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+cd /etc/ipsec.d  
+
+ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem  
+
+ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=GSB, CN=Root CA" --outform pem > cacerts/strongswanCert.pem
+
+ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp1Key.pem 
+
+chmod 600 private/r-vp1Key.pem 
+
+ipsec pki --pub --in private/r-vp1Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp1" --san r-vp1 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp1Cert.pem    
+
+ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp2Key.pem
+
+chmod 600 private/r-vp2Key.pem
+
+ipsec pki --pub --in private/r-vp2Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp2" --san r-vp2 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp2Cert.pem
--- a/roles/x509-r/files/ipsec.conf
+++ b/roles/x509-r/files/ipsec.conf
@@ -0,0 +1,25 @@
+config setup
+        charondebug="all"
+        uniqueids=yes
+        strictcrlpolicy=no
+conn %default
+conn tunnel #
+        left=192.168.0.51
+        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        right=192.168.0.52
+        rightsubnet=172.16.128.0/24
+        ike=aes256-sha2_256-modp1024!
+        esp=aes256-sha2_256!
+        keyingtries=0
+        ikelifetime=1h
+        lifetime=8h
+        dpddelay=30
+        dpdtimeout=120
+        dpdaction=restart
+        #authby=secret
+        auto=start
+        keyexchange=ikev2
+        type=tunnel
+	leftcert=r-vp1Cert.pem
+        leftid="C=CH, O=GSB, CN=r-vp1"
+        rightid="C=CH, O=GSB, CN=r-vp2"
--- a/roles/x509-r/files/ipsec.secrets
+++ b/roles/x509-r/files/ipsec.secrets
@@ -0,0 +1,9 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+#include /var/lib/strongswan/ipsec.secrets.inc
+#192.168.0.51 192.168.0.52 : PSK 'root'
+: RSA r-vp1Key.pem
--- a/roles/x509-r/files/recupKey.sh
+++ b/roles/x509-r/files/recupKey.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+REMH=192.168.0.52
+
+cd /etc/ipsec.d  
+
+scp cacerts/strongswanCert.pem root@$REMH:/etc/ipsec.d/cacerts
+
+scp certs/r-vp2Cert.pem root@$REMH:/etc/ipsec.d/certs
+
+scp certs/r-vp1Cert.pem root@$REMH:/etc/ipsec.d/certs
+
+scp private/r-vp2Key.pem root@$REMH:/etc/ipsec.d/private
+
+scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private
+
--- a/roles/x509-r/files/sysctl.conf
+++ b/roles/x509-r/files/sysctl.conf
@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#