Implement PSK authentication for node-to-node tunnels

The new node-to-node tunnels that use the dynamic inventory had null auth.
Now they can use PSK for authentication.
This commit is contained in:
Juan Antonio Osorio Robles 2017-11-30 06:38:01 +00:00
parent 8b12243e34
commit 67e7142a94
4 changed files with 29 additions and 15 deletions


@ -56,15 +56,6 @@
notify:
- Restart ipsec
- name: Write ipsec tunnel configuration for the {{ network }} network
template:
src: ipsec-{{ type }}-{{ policy }}.conf.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
mode: '0640'
when: other_ips != []
notify:
- Restart ipsec
- name: Write ipsec tunnel policy for the {{ network }} network
template:
src: policy.j2
@ -76,6 +67,26 @@
notify:
- Restart ipsec
- name: Write ipsec tunnel secrets for the {{ network }} network
template:
src: ipsec-{{ type }}-tunnels.secrets.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-tunnels.secrets
mode: '0600'
when:
- other_ips != []
- type != 'opportunistic'
notify:
- Restart ipsec
- name: Write ipsec tunnel configuration for the {{ network }} network
template:
src: ipsec-{{ type }}-{{ policy }}.conf.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
mode: '0640'
when: other_ips != []
notify:
- Restart ipsec
- name: Write VIP ipsec secrets file for the {{ network }} network
template:
src: ipsec-vip-tunnels.secrets.j2
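Review bot: The new "Write ipsec tunnel secrets" task renders `{{ ipsec_psk }}` into the `.secrets` file without `no_log`, so a run with `--diff` or verbose output prints the rendered secret in the task result; add `no_log: true` to that task. Nothing in the hunk guards against `ipsec_psk` being empty — an undefined variable fails the template, but an empty string renders `PSK ""` and is written as a valid-looking secrets file; consider a preceding `assert` with `that: ipsec_psk | length > 0` before the secrets task. `mode: '0600'` is right for the secrets file, but owner/group are left to the connecting user — confirm the play runs as root or set `owner: root` explicitly. The task list this hunk edits begins before the hunk.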


@ -8,10 +8,10 @@
conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
type=tunnel
authby=null
leftid=%null
rightid=%null
authby=secret
leftid={{ current_ip }}
left={{ current_ip }}
rightid={{ other_ip }}
right={{ other_ip }}
failureshunt=passthrough
ikev2=insist
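Review bot: Switching this conn from `authby=null` to `authby=secret` while keeping `failureshunt=passthrough` means a PSK mismatch between two nodes (a stale secrets file, or a node provisioned with a different `ipsec_psk`) no longer produces an error — IKE fails and traffic between those nodes silently flows in the clear. With null auth that failure mode was mostly hypothetical; with PSK it is an operational one that a rotation or partial re-deploy can trigger. If passthrough is intended for this policy, document it in the template, e.g. `{# passthrough: an IKE/PSK failure falls back to cleartext; watch pluto logs for authentication failures #}`, and consider alerting on it. The conn block presumably continues past the hunk.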


@ -6,10 +6,10 @@
conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
type=tunnel
authby=null
leftid=%null
rightid=%null
authby=secret
leftid={{ current_ip }}
left={{ current_ip }}
rightid={{ other_ip }}
right={{ other_ip }}
failureshunt=drop
ikev2=insist
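Review bot: `leftid={{ current_ip }}` / `rightid={{ other_ip }}` now carry the identities that the PSK lookup in the new secrets template is keyed on, and nothing in the template records that coupling; changing either side (for example switching ids to FQDNs, or changing the secrets template's key format) would silently break PSK lookup. Add `{# leftid/rightid must match the "<current_ip> <other_ip> : PSK" entries in the secrets template #}` above the conn. When `left=`/`right=` are plain IP addresses libreswan defaults the id to that address, so the explicit id lines are redundant but harmless — worth a comment if they are kept deliberately. The same applies to the passthrough variant in the previous file.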


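--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+{% for other_ip in other_ips %}
+{{ current_ip }} {{ other_ip }} : PSK "{{ ipsec_psk }}"
+{% endfor %}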
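Review bot: Every peer pair gets the same `{{ ipsec_psk }}` (presumably one cluster-wide variable — confirm in the vars), so this is a group PSK: any node, or anyone holding the inventory/vars, can impersonate any other node, and rotating the key means re-rendering and restarting ipsec on every node at once. That may be acceptable for an overcloud, but the template should say so, e.g. `{# single cluster-wide PSK: per-pair keys or certificate auth would limit the blast radius of one compromised node #}`. The value is also emitted inside double quotes with no escaping, so a generated PSK containing `"` produces a malformed secrets file; either constrain the generator or document the restriction next to the line.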