From 9a4569eddfedd7e02fb9356801d05c1977b1aeff Mon Sep 17 00:00:00 2001 From: Kurt Bales Date: Thu, 26 Mar 2015 23:27:43 -0700 Subject: [PATCH 1/3] Add VPN configuration Playbooks. STILL NEEDS TESTING --- .../templates/interfaces_zone.set.j2 | 10 +++- .../templates/sec_flow_tcp_mss.set.j2 | 3 ++ ansible/playbooks/templates/vpn_ike.set.j2 | 11 ++++ ansible/playbooks/templates/vpn_ipsec.set.j2 | 6 +++ ansible/playbooks/vpn_config.yml | 52 +++++++++++++++++++ 5 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 ansible/playbooks/templates/sec_flow_tcp_mss.set.j2 create mode 100644 ansible/playbooks/templates/vpn_ike.set.j2 create mode 100644 ansible/playbooks/templates/vpn_ipsec.set.j2 diff --git a/ansible/playbooks/templates/interfaces_zone.set.j2 b/ansible/playbooks/templates/interfaces_zone.set.j2 index ef8be7a..67c684e 100644 --- a/ansible/playbooks/templates/interfaces_zone.set.j2 +++ b/ansible/playbooks/templates/interfaces_zone.set.j2 @@ -1,3 +1,9 @@ -{% for item in zone_interface %} -set security zones security-zone {{ item.zone }} interfaces {{ item.interface }} +{% for i in interfaces %} + {% if i.zone is defined%} +set security zones security-zone {{ i.zone }} interfaces {{ i.interface }} + {% endif %} + + {% if i.inbound_type %} +set security zones security-zone {{ i.zone }} interfaces {{ i.interface }} host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }} + {% endif %} {% endfor %} diff --git a/ansible/playbooks/templates/sec_flow_tcp_mss.set.j2 b/ansible/playbooks/templates/sec_flow_tcp_mss.set.j2 new file mode 100644 index 0000000..1e44e07 --- /dev/null +++ b/ansible/playbooks/templates/sec_flow_tcp_mss.set.j2 @@ -0,0 +1,3 @@ +{% for i in mss_entries %} +set security flow tcp-mss {{i.protocol}} mss {{i.mss}} +{% endfor %} \ No newline at end of file diff --git a/ansible/playbooks/templates/vpn_ike.set.j2 b/ansible/playbooks/templates/vpn_ike.set.j2 new file mode 100644 index 0000000..4463ffe --- /dev/null 
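Review bot: The second conditional, `{% if i.inbound_type %}`, emits `{{ i.zone }}` without the `is defined` guard that protects the first stanza, so an `interfaces` entry that carries `inbound_type` but no `zone` renders `security-zone  interfaces ...` with an empty zone name, and an entry with neither attribute depends on how Ansible's template environment evaluates an undefined attribute in a boolean test (it may raise rather than render nothing — worth confirming). Give both stanzas the same explicit guard: `{% if i.zone is defined and i.inbound_type is defined %}`. The loop variable also changed from `zone_interface` to `interfaces`, so any other playbook still passing `zone_interface` to this template will now render an empty file; I cannot see other callers from here. Minor: `defined%}` is missing the space before `%}`.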
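Review bot: The new template writes `{{i.protocol}}` and `{{i.mss}}` without the inner spaces used by every other template in this series and omits the trailing newline (`\ No newline at end of file`), so the rendered `.set` file ends without one too. For consistency write `set security flow tcp-mss {{ i.protocol }} mss {{ i.mss }}` and end the file with a newline. Since the template already loops over `mss_entries`, the task in vpn_config.yml that renders it does not need `with_items`.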
+++ b/ansible/playbooks/templates/vpn_ike.set.j2
@@ -0,0 +1,11 @@
+{% for i in ike %}
+
+set security ike gateway {{ i.ike_name }} address {{ i.gateway_ip }}
+set security ike gateway {{ i.ike_name }} external-interface {{ i.ext_interface }}
+set security ike gateway {{ i.ike_name }} ike-policy {{ i.ike_policy_name }}
+
+set security ike policy {{ i.ike_policy_name }} mode {{ i.ike_policy_mode }}
+set security ike policy {{ i.ike_policy_name }} proposal-set {{ i.ike_policy_proposal }}
+set security ike policy {{ i.ike_policy_name }} pre-shared-key ascii-text "{{ i.shared_secret }}"
+
+{% endfor %}
\ No newline at end of file
diff --git a/ansible/playbooks/templates/vpn_ipsec.set.j2 b/ansible/playbooks/templates/vpn_ipsec.set.j2
new file mode 100644
index 0000000..b4597bb
--- /dev/null
+++ b/ansible/playbooks/templates/vpn_ipsec.set.j2
@@ -0,0 +1,6 @@
+{% for i in ipsec %}
+set security ipsec policy {{ i.ipsec_policy_name }} proposal-set {{ i.ipsec_policy_mode }}
+set security ipsec vpn {{ i.ipsec_vpn_name }} ike gateway {{ i.ike_gateway }}
+set security ipsec vpn {{ i.ipsec_vpn_name }} ike ipsec-policy {{ i.ipsec_policy_name }}
+set security ipsec vpn {{ i.ipsec_vpn_name }} bind-interface {{ vpn.tunnel_int }}
+{% endfor %}
diff --git a/ansible/playbooks/vpn_config.yml b/ansible/playbooks/vpn_config.yml
index e69de29..3ed190b 100644
--- a/ansible/playbooks/vpn_config.yml
+++ b/ansible/playbooks/vpn_config.yml
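Review bot: The `pre-shared-key ascii-text "{{ i.shared_secret }}"` line renders the IKE PSK in clear text into the `.set` file, and vpn_config.yml in this patch writes that file to `build_dir` (`/tmp/`) with whatever mode the template module's umask yields and never removes it after `junos_install_config`, so the secret lingers on the control host where other local users may read it. In the matching task in vpn_config.yml add `mode=0600` to the template call, add a `file: path={{ build_dir }}/vpn_ike.set state=absent` step after the apply, and source `shared_secret` from an ansible-vault encrypted vars file rather than the inline `ike` literal. A secret containing a double quote would also break the quoted `ascii-text` argument; documenting that constraint on the `ike` var, or escaping the value, avoids a confusing commit failure on the device.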
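Review bot: `ipsec_policy_mode` is used as the argument to `proposal-set`, while the sibling template vpn_ike.set.j2 names the same concept `ike_policy_proposal` and reserves `ike_policy_mode` for the IKE `mode` keyword, so a reader of the `ipsec` var will assume `'standard'` is a mode. Rename it to `ipsec_policy_proposal` here and in the `ipsec` var in vpn_config.yml so both templates follow one naming scheme.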
@@ -0,0 +1,52 @@ +--- +- name: Configure student vpn to headend + hosts: mysrx + connection: local + gather_facts: no + vars: + junos_user: "root" + junos_password: "Juniper" + build_dir: "/tmp/" + address_entries: [ {'name':'LocalNet','prefix':'172.16.0.0/24'},{'name':'PrivateNet','prefix':'192.168.10.0/24'},{'name':'PublicNet','prefix':'10.10.0.0/24'} ] + fw_policy_info: [ {'policy_name':'Allow_Policy','src_zone':'trust','dst_zone':'untrust','src_ips':['LocalNet'],'dst_ips':['PrivateNet'],'action':'permit','apps':['any']}] + mss_entries: [ {'protocol': 'ipsec-vpn', 'mss': '1350'} ] + interfaces: [ {'interface': 'st0', 'unit': '1', 'family': 'inet', 'addr_type': 'address', 'addr': '10.255.1.2/30', 'zone':'vpn', 'inbound_type': 'system-services', 'system_service': 'ping'} ] + ike: [ {'ike_name': 'ike-vpn', 'gateway_ip': '10.10.0.10', 'ext_interface': 'ge-0/0/2', 'ike_policy_name': 'ike-policy1', 'ike_policy_mode': 'mode', 'ike_policy_proposal': 'stanard', 'shared_secret': 'AwesomePassword123'} ] + ipsec: [ {'ipsec_policy_name': 'vpn-policy1', 'ipsec_policy_mode': 'standard', 'ipsec_vpn_name': 'ipsec-vpn', 'ike_gateway': 'ike-vpn', 'tunnel_int': 'st0.1'} ] + + + tasks: + - name: set flow tcp-mss + template: src=templates/sec_flow_tcp_mss.set.j2 dest={{build_dir}}/sec_flow_tcp_mss.set + with_items: mss_entries + + - name: Apply flow tcp-mss + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/sec_flow_tcp_mss.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + + - name: Build vpn tunnel interface + template: src=templates/interfaces.set.j2 dest={{build_dir}}/interfaces.set + with_items: interfaces + + - name: Apply tunnel interface + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/interfaces.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + + - name: Build vpn zone + template: 
src=templates/interfaces_zone.set.j2 dest={{build_dir}}/interfaces_zone.set + with_items: interfaces + + - name: Apply vpn zone + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/interfaces_zone.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + + - name: Build VPN Phase 1 + template: src=templates/vpn_ike.set.j2 dest={{build_dir}}/vpn_ike.set + with_items: ike + + - name: Apply VPN Phase 1 + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/vpn_ike.set overwrite=no logfile=logs/{{ inventory_hostname }}.log + + - name: Build VPN Phase 2 + template: src=templates/vpn_ipsec.set.j2 dest={{build_dir}}/vpn_ipsec.set + with_items: ipsec + + - name: Apply VPN Phase 2 + junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/vpn_ipsec.set overwrite=no logfile=logs/{{ inventory_hostname }}.log From 2edcb9b6f6df4712697460d3ad0bc53612689db2 Mon Sep 17 00:00:00 2001 From: Kurt Bales Date: Thu, 26 Mar 2015 23:52:52 -0700 Subject: [PATCH 2/3] Create new NDO setup script and add to Vagrantfile --- Vagrantfile | 2 +- scripts/ndo-setup.sh | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 scripts/ndo-setup.sh diff --git a/Vagrantfile b/Vagrantfile index a629a7b..34dde6b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -31,7 +31,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # add this to the shell # export ANSIBLE_LIBRARY=/etc/ansible/roles/ # set routes for 10.10.0.0/24 and 192.168.10.0/24 to 172.16.0.1 - s.path = "scripts/ifbounce.sh" + s.path = "scripts/ndo-setup.sh" end end diff --git a/scripts/ndo-setup.sh b/scripts/ndo-setup.sh new file mode 100644 index 0000000..c9a703b --- /dev/null +++ b/scripts/ndo-setup.sh 
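Review bot: The play hard-codes the device root credentials, `junos_user: "root"` and `junos_password: "Juniper"`, together with the IKE PSK in `vars:`, so they are committed to the repository alongside the playbook; keep them out of the file with `vars_prompt` or an ansible-vault encrypted vars file and reference them by name. Each `template` task also carries `with_items:` (e.g. `with_items: mss_entries`) although the templates iterate over the whole list themselves, so the same file is rendered once per entry; drop the `with_items` lines. `address_entries` and `fw_policy_info` are defined but no task in this play uses them, which looks like a leftover from another playbook. The rendered `.set` files, one of which contains the PSK, are written to `/tmp/` and left in place after applying; `mode=0600` on the template tasks and a cleanup step after each `junos_install_config` would limit that exposure.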
@@ -0,0 +1,7 @@ +export ANSIBLE_LIBRARY=/etc/ansible/roles/ +echo "export ANSIBLE_LIBRARY=/etc/ansible/roles/" >> /home/vagrant/.bashrc + +/sbin/route add -net 10.10.0.0 netmask 255.255.255.0 gw 172.16.0.1 dev eth1 +/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 172.16.0.1 dev eth1 +echo "up route add -net 10.10.0.0/24 gw 172.16.0.1 dev eth1" >> /etc/network/interfaces +echo "up route add -net 192.168.10.0/24 gw 172.16.0.1 dev eth1" >> /etc/network/interfaces From 9c04f68b69975d3cf64a6e8deccfef1273b4800a Mon Sep 17 00:00:00 2001 From: Kurt Bales Date: Fri, 27 Mar 2015 00:14:22 -0700 Subject: [PATCH 3/3] Fix VPN deployment playbook and test --- ansible/playbooks/templates/interfaces.set.j2 | 2 +- ansible/playbooks/templates/interfaces_zone.set.j2 | 4 ++-- ansible/playbooks/templates/vpn_ipsec.set.j2 | 2 +- ansible/playbooks/vpn_config.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ansible/playbooks/templates/interfaces.set.j2 b/ansible/playbooks/templates/interfaces.set.j2 index 07c2bb0..f09b6df 100644 --- a/ansible/playbooks/templates/interfaces.set.j2 +++ b/ansible/playbooks/templates/interfaces.set.j2 @@ -1,5 +1,5 @@ {% for i in interfaces %} - {% if i.addr_type is "dhcp" %} + {% if i.addr_type == "dhcp" %} set interfaces {{ i.interface }} unit {{ i.unit }} family {{ i.family }} dhcp {% else %} set interfaces {{ i.interface }} unit {{ i.unit }} family {{ i.family }} {{ i.addr_type }} {{ i.addr }} diff --git a/ansible/playbooks/templates/interfaces_zone.set.j2 b/ansible/playbooks/templates/interfaces_zone.set.j2 index 67c684e..c8eab89 100644 --- a/ansible/playbooks/templates/interfaces_zone.set.j2 +++ b/ansible/playbooks/templates/interfaces_zone.set.j2 
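Review bot: The script appends to `/home/vagrant/.bashrc` and `/etc/network/interfaces` unconditionally, so every `vagrant provision` run adds duplicate `export` and `up route` lines, and with no shebang and no exit-status handling a failed `route add` goes unnoticed while provisioning reports success. Guard each append so it runs once, and treat the route commands explicitly (a bare `set -e` would abort the second run when the route already exists, so check before adding or tolerate that case). The `up route` lines are also appended after whatever `iface` stanza happens to be last in `/etc/network/interfaces`, which is only correct if that stanza is `eth1` — worth confirming on the base box.
```shell
#!/bin/sh
set -u

append_once() {  # $1 = line, $2 = file
  grep -qxF -- "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

export ANSIBLE_LIBRARY=/etc/ansible/roles/
append_once 'export ANSIBLE_LIBRARY=/etc/ansible/roles/' /home/vagrant/.bashrc

# … unchanged: the two /sbin/route add lines …

append_once 'up route add -net 10.10.0.0/24 gw 172.16.0.1 dev eth1' /etc/network/interfaces
append_once 'up route add -net 192.168.10.0/24 gw 172.16.0.1 dev eth1' /etc/network/interfaces
```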
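Review bot: With the comparison now `{% if i.addr_type == "dhcp" %}`, an `interfaces` entry that omits `addr_type` reaches the comparison with an undefined attribute, and I cannot tell from here whether Ansible's template environment treats that as false or raises; the `{% else %}` branch then emits `{{ i.addr_type }} {{ i.addr }}` regardless. If entries without an address are meant to be valid, guard explicitly with `{% if i.addr_type is defined and i.addr_type == "dhcp" %}` and skip the `set interfaces` line when neither attribute is defined. The `{% endif %}` and `{% endfor %}` that close this block lie outside the hunk.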
@@ -1,9 +1,9 @@ {% for i in interfaces %} {% if i.zone is defined%} -set security zones security-zone {{ i.zone }} interfaces {{ i.interface }} +set security zones security-zone {{ i.zone }} interfaces {{ i.interface -}}.{{ i.unit -}} {% endif %} {% if i.inbound_type %} -set security zones security-zone {{ i.zone }} interfaces {{ i.interface }} host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }} +set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }} host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }} {% endif %} {% endfor %} diff --git a/ansible/playbooks/templates/vpn_ipsec.set.j2 b/ansible/playbooks/templates/vpn_ipsec.set.j2 index b4597bb..b122bae 100644 --- a/ansible/playbooks/templates/vpn_ipsec.set.j2 +++ b/ansible/playbooks/templates/vpn_ipsec.set.j2 @@ -2,5 +2,5 @@ set security ipsec policy {{ i.ipsec_policy_name }} proposal-set {{ i.ipsec_policy_mode }} set security ipsec vpn {{ i.ipsec_vpn_name }} ike gateway {{ i.ike_gateway }} set security ipsec vpn {{ i.ipsec_vpn_name }} ike ipsec-policy {{ i.ipsec_policy_name }} -set security ipsec vpn {{ i.ipsec_vpn_name }} bind-interface {{ vpn.tunnel_int }} +set security ipsec vpn {{ i.ipsec_vpn_name }} bind-interface {{ i.tunnel_int }} {% endfor %} diff --git a/ansible/playbooks/vpn_config.yml b/ansible/playbooks/vpn_config.yml index 3ed190b..0c0fd4b 100644 --- a/ansible/playbooks/vpn_config.yml +++ b/ansible/playbooks/vpn_config.yml 
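Review bot: The two rewritten lines differ in whitespace control: the zone line uses `{{ i.interface -}}.{{ i.unit -}}`, where the first `-}}` strips nothing (a `.` follows immediately) and the second strips the line break before `{% endif %}`, while the `host-inbound-traffic` line uses plain `{{ i.interface }}.{{ i.unit }}`. Write the zone line the same way, `set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }}`, so the rendered `.set` file stays one statement per line regardless of the environment's trim settings. Both lines now require `unit` on every entry that has a zone; an entry without it would render a dangling `.` or fail on the undefined attribute, which I cannot confirm without seeing how `interfaces` is populated elsewhere.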
@@ -11,7 +11,7 @@ fw_policy_info: [ {'policy_name':'Allow_Policy','src_zone':'trust','dst_zone':'untrust','src_ips':['LocalNet'],'dst_ips':['PrivateNet'],'action':'permit','apps':['any']}] mss_entries: [ {'protocol': 'ipsec-vpn', 'mss': '1350'} ] interfaces: [ {'interface': 'st0', 'unit': '1', 'family': 'inet', 'addr_type': 'address', 'addr': '10.255.1.2/30', 'zone':'vpn', 'inbound_type': 'system-services', 'system_service': 'ping'} ] - ike: [ {'ike_name': 'ike-vpn', 'gateway_ip': '10.10.0.10', 'ext_interface': 'ge-0/0/2', 'ike_policy_name': 'ike-policy1', 'ike_policy_mode': 'mode', 'ike_policy_proposal': 'stanard', 'shared_secret': 'AwesomePassword123'} ] + ike: [ {'ike_name': 'ike-vpn', 'gateway_ip': '10.10.0.10', 'ext_interface': 'ge-0/0/2.0', 'ike_policy_name': 'ike-policy1', 'ike_policy_mode': 'main', 'ike_policy_proposal': 'standard', 'shared_secret': 'AwesomePassword123'} ] ipsec: [ {'ipsec_policy_name': 'vpn-policy1', 'ipsec_policy_mode': 'standard', 'ipsec_vpn_name': 'ipsec-vpn', 'ike_gateway': 'ike-vpn', 'tunnel_int': 'st0.1'} ] @@ -27,7 +27,7 @@ template: src=templates/interfaces.set.j2 dest={{build_dir}}/interfaces.set with_items: interfaces - - name: Apply tunnel interface + - name: Apply vpn tunnel interface junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/interfaces.set overwrite=no logfile=logs/{{ inventory_hostname }}.log - name: Build vpn zone
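Review bot: The corrected `ike:` entry is still a single flow-style mapping of roughly 250 characters with single-quoted keys, which is why the fixes in this hunk (`'mode'` to `'main'`, `'stanard'` to `'standard'`, `'ge-0/0/2'` to `'ge-0/0/2.0'`) are hard to spot in the diff; the `interfaces`, `ipsec` and `mss_entries` context lines have the same shape. Block style gives one key per line, diffs cleanly, and makes it natural to replace the literal `shared_secret` with a reference to a vaulted variable instead of a value committed to the repository; the excerpt below assumes `ike:` sits under `vars:` at the indentation the hunk implies.
```yaml
    # … unchanged: other vars …
    ike:
      - ike_name: ike-vpn
        gateway_ip: 10.10.0.10
        ext_interface: ge-0/0/2.0
        ike_policy_name: ike-policy1
        ike_policy_mode: main
        ike_policy_proposal: standard
        shared_secret: "<PSK supplied from a vaulted vars file>"  # placeholder, not a real value
```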