# manage a strongswan
#
# Declares the monkeysphere and certtool classes, selects the
# OS-specific strongswan subclass, optionally exports/collects
# peer definitions via exported resources, and optionally manages
# shorewall rules for IPsec.
#
# Parameters:
#   $manage_shorewall          - when true, declare shorewall::rules::ipsec
#                                (and ipsec_nat when $ipsec_nat is set).
#   $shorewall_source          - title (source zone) of the
#                                shorewall::rules::ipsec resource.
#   $monkeysphere_publish_key  - passed straight through as publish_key to
#                                class monkeysphere.
#   $ipsec_nat                 - when true (and $manage_shorewall), include
#                                shorewall::rules::ipsec_nat.
#   $default_left_ip_address   - defaults to the ipaddress fact; used as
#                                right_ip_address in the exported host.
#   $default_left_subnet       - defaults to the comma-separated
#                                strongswan_ips fact with the ipaddress
#                                fact removed; used as right_subnet in the
#                                exported host.
#   $additional_options        - not referenced in this class body;
#                                presumably consumed by templates in the
#                                subclasses — verify before changing.
#   $auto_remote_host          - when true, export this node as a
#                                strongswan::remote_host and collect all
#                                others tagged 'strongswan_auto'.
class strongswan(
  $manage_shorewall = false,
  $shorewall_source = 'net',
  $monkeysphere_publish_key = false,
  $ipsec_nat = false,
  $default_left_ip_address = $::ipaddress,
  $default_left_subnet = reject(split($::strongswan_ips,','),$::ipaddress),
  $additional_options = '',
  $auto_remote_host = false
) {
  # monkeysphere must be applied before certtool (chaining arrow).
  class{'monkeysphere':
    publish_key => $monkeysphere_publish_key
  } -> class{'certtool': }

  # OS-specific paths and subclass. $config_dir, $cert_dir and $binary are
  # assigned before the subclass is declared and are not used in this body;
  # presumably the subclasses read them as $strongswan::config_dir etc. —
  # keep the assignment-before-declaration order.
  case $::operatingsystem {
    centos: {
      case $::lsbmajdistrelease {
        '5': {
          $config_dir = '/etc/ipsec.d'
          $cert_dir = '/etc/ipsec.d'
          $binary = '/usr/sbin/ipsec'
          class{'strongswan::centos::five':
            require => Class['monkeysphere'],
          }
        }
        # every other CentOS release uses the strongswan-prefixed layout
        default: {
          $config_dir = '/etc/strongswan'
          $cert_dir = '/etc/strongswan/ipsec.d'
          $binary = '/usr/sbin/strongswan'
          class{'strongswan::centos::six':
            require => Class['monkeysphere'],
          }
        }
      }
    }
    default: {
      $config_dir = '/etc/ipsec.d'
      $cert_dir = '/etc/ipsec.d'
      $binary = '/usr/sbin/ipsec'
      class{'strongswan::base':
        require => Class['monkeysphere'],
      }
    }
  }

  # Only export when the strongswan_cert fact carries a real value
  # (facts are strings, so 'false' and '' both mean "no cert yet").
  if $auto_remote_host and ($::strongswan_cert != 'false') and ($::strongswan_cert != '') {
    # export myself
    # NOTE(review): $::fqdn, $::strongswan_cert and the ipaddress-derived
    # defaults are agent-reported facts, so each node publishes whatever it
    # reports about itself and every collector below trusts it by tag alone.
    @@strongswan::remote_host{$::fqdn:
      right_cert_content => $::strongswan_cert,
      right_ip_address => $strongswan::default_left_ip_address,
      right_subnet => $strongswan::default_left_subnet,
      tag => 'strongswan_auto'
    }
    # collect all other auto exported
    # myself is excluded in the template
    Strongswan::Remote_Host<<| tag == 'strongswan_auto' |>>
  }

  if $manage_shorewall {
    shorewall::rules::ipsec{
      $strongswan::shorewall_source:
    }
    # NAT traversal rules are only meaningful alongside the ipsec rules
    if $ipsec_nat {
      include shorewall::rules::ipsec_nat
    }
  }
}