Merge branch 'master' of github.com:JNPRAutomate/JNPRAutomateDemo-Stu…

…dent
JNPRAutomate · Mar 27, 2015 · 9e1b705 · 9e1b705
2 parents 106d4b4 + 9c04f68
commit 9e1b705
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 4 deletions.
diff --git a/Vagrantfile b/Vagrantfile
@@ -31,7 +31,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         # add this to the shell
         # export ANSIBLE_LIBRARY=/etc/ansible/roles/
         # set routes for 10.10.0.0/24 and 192.168.10.0/24 to 172.16.0.1
-      s.path = "scripts/ifbounce.sh"
+      s.path = "scripts/ndo-setup.sh"
     end
   end
 

diff --git a/ansible/playbooks/templates/interfaces.set.j2 b/ansible/playbooks/templates/interfaces.set.j2
@@ -1,5 +1,5 @@
 {% for i in interfaces %}
-    {% if i.addr_type is "dhcp" %}
+    {% if i.addr_type == "dhcp" %}
 set interfaces {{ i.interface }} unit {{ i.unit }} family {{ i.family }} dhcp
     {% else %}
 set interfaces {{ i.interface }} unit {{ i.unit }} family {{ i.family }} {{ i.addr_type }} {{ i.addr }}

diff --git a/ansible/playbooks/templates/interfaces_zone.set.j2 b/ansible/playbooks/templates/interfaces_zone.set.j2
@@ -1,3 +1,9 @@
-{% for item in zone_interface %}
-set security zones security-zone {{ item.zone }} interfaces {{ item.interface }}
+{% for i in interfaces %}
+	{% if i.zone is defined%}
+set security zones security-zone {{ i.zone }} interfaces {{ i.interface -}}.{{ i.unit -}}
+	{% endif %}
+
+	{% if i.inbound_type %}
+set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }}  host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }}
+	{% endif %}
 {% endfor %}
diff --git a/ansible/playbooks/templates/sec_flow_tcp_mss.set.j2 b/ansible/playbooks/templates/sec_flow_tcp_mss.set.j2
@@ -0,0 +1,3 @@
+{% for i in mss_entries %}
+set security flow tcp-mss {{i.protocol}} mss {{i.mss}}
+{% endfor %}
diff --git a/ansible/playbooks/templates/vpn_ike.set.j2 b/ansible/playbooks/templates/vpn_ike.set.j2
@@ -0,0 +1,11 @@
+{% for i in ike %}
+
+set security ike gateway {{ i.ike_name }} address {{ i.gateway_ip }}
+set security ike gateway {{ i.ike_name }} external-interface {{ i.ext_interface }}
+set security ike gateway {{ i.ike_name }} ike-policy {{ i.ike_policy_name }}
+
+set security ike policy {{ i.ike_policy_name }} mode {{ i.ike_policy_mode }}
+set security ike policy {{ i.ike_policy_name }} proposal-set {{ i.ike_policy_proposal }}
+set security ike policy {{ i.ike_policy_name }} pre-shared-key ascii-text "{{ i.shared_secret }}"
+
+{% endfor %}
diff --git a/ansible/playbooks/templates/vpn_ipsec.set.j2 b/ansible/playbooks/templates/vpn_ipsec.set.j2
@@ -0,0 +1,6 @@
+{% for i in ipsec %}
+set security ipsec policy {{ i.ipsec_policy_name }} proposal-set {{ i.ipsec_policy_mode }}
+set security ipsec vpn {{ i.ipsec_vpn_name }} ike gateway {{ i.ike_gateway }}
+set security ipsec vpn {{ i.ipsec_vpn_name }} ike ipsec-policy {{ i.ipsec_policy_name }} 
+set security ipsec vpn {{ i.ipsec_vpn_name }} bind-interface {{ i.tunnel_int }}
+{% endfor %}
diff --git a/ansible/playbooks/vpn_config.yml b/ansible/playbooks/vpn_config.yml
@@ -0,0 +1,52 @@
+---
+- name: Configure student vpn to headend
+  hosts: mysrx
+  connection: local
+  gather_facts: no
+  vars:
+    junos_user: "root"
+    junos_password: "Juniper"
+    build_dir: "/tmp/"
+    address_entries: [ {'name':'LocalNet','prefix':'172.16.0.0/24'},{'name':'PrivateNet','prefix':'192.168.10.0/24'},{'name':'PublicNet','prefix':'10.10.0.0/24'} ]
+    fw_policy_info: [ {'policy_name':'Allow_Policy','src_zone':'trust','dst_zone':'untrust','src_ips':['LocalNet'],'dst_ips':['PrivateNet'],'action':'permit','apps':['any']}]
+    mss_entries: [ {'protocol': 'ipsec-vpn', 'mss': '1350'} ]
+    interfaces: [ {'interface': 'st0', 'unit': '1', 'family': 'inet', 'addr_type': 'address', 'addr': '10.255.1.2/30', 'zone':'vpn', 'inbound_type': 'system-services', 'system_service': 'ping'} ]
+    ike: [ {'ike_name': 'ike-vpn', 'gateway_ip': '10.10.0.10', 'ext_interface': 'ge-0/0/2.0', 'ike_policy_name': 'ike-policy1', 'ike_policy_mode': 'main', 'ike_policy_proposal': 'standard', 'shared_secret': 'AwesomePassword123'} ]
+    ipsec: [ {'ipsec_policy_name': 'vpn-policy1', 'ipsec_policy_mode': 'standard', 'ipsec_vpn_name': 'ipsec-vpn', 'ike_gateway': 'ike-vpn', 'tunnel_int': 'st0.1'} ]
+
+
+  tasks:
+    - name: set flow tcp-mss
+      template: src=templates/sec_flow_tcp_mss.set.j2 dest={{build_dir}}/sec_flow_tcp_mss.set
+      with_items: mss_entries
+
+    - name: Apply flow tcp-mss
+      junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/sec_flow_tcp_mss.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
+
+    - name: Build vpn tunnel interface
+      template: src=templates/interfaces.set.j2 dest={{build_dir}}/interfaces.set
+      with_items: interfaces
+
+    - name: Apply vpn tunnel interface
+      junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/interfaces.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
+
+    - name: Build vpn zone 
+      template: src=templates/interfaces_zone.set.j2 dest={{build_dir}}/interfaces_zone.set
+      with_items: interfaces
+
+    - name: Apply vpn zone
+      junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/interfaces_zone.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
+
+    - name: Build VPN Phase 1 
+      template: src=templates/vpn_ike.set.j2 dest={{build_dir}}/vpn_ike.set
+      with_items: ike
+
+    - name: Apply VPN Phase 1
+      junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/vpn_ike.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
+
+    - name: Build VPN Phase 2
+      template: src=templates/vpn_ipsec.set.j2 dest={{build_dir}}/vpn_ipsec.set
+      with_items: ipsec
+
+    - name: Apply VPN Phase 2
+      junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/vpn_ipsec.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
diff --git a/scripts/ndo-setup.sh b/scripts/ndo-setup.sh
@@ -0,0 +1,7 @@
+export ANSIBLE_LIBRARY=/etc/ansible/roles/
+echo "export ANSIBLE_LIBRARY=/etc/ansible/roles/" >> /home/vagrant/.bashrc
+
+/sbin/route add -net 10.10.0.0 netmask 255.255.255.0 gw 172.16.0.1 dev eth1
+/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 172.16.0.1 dev eth1
+echo "up route add -net 10.10.0.0/24 gw 172.16.0.1 dev eth1" >> /etc/network/interfaces
+echo "up route add -net 192.168.10.0/24 gw 172.16.0.1 dev eth1" >> /etc/network/interfaces