Implement PSK authentication for node-to-node tunnels
The new node-to-node tunnels that use the dynamic inventory used null authentication; they can now authenticate with a PSK.
This commit is contained in:
parent
8b12243e34
commit
67e7142a94
|
@ -56,15 +56,6 @@
|
|||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-{{ type }}-{{ policy }}.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
|
||||
mode: '0640'
|
||||
when: other_ips != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write ipsec tunnel policy for the {{ network }} network
|
||||
template:
|
||||
src: policy.j2
|
||||
|
@ -76,6 +67,26 @@
|
|||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write ipsec tunnel secrets for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-{{ type }}-tunnels.secrets.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-tunnels.secrets
|
||||
mode: '0600'
|
||||
when:
|
||||
- other_ips != []
|
||||
- type != 'opportunistic'
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-{{ type }}-{{ policy }}.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
|
||||
mode: '0640'
|
||||
when: other_ips != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write VIP ipsec secrets file for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-vip-tunnels.secrets.j2
|
||||
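Review bot: The new task `Write ipsec tunnel secrets for the {{ network }} network` renders a file that contains the PSK but carries no `no_log: true` (or `diff: false`), so a run with `--diff` prints the rendered `overcloud-{{ network }}-{{ type }}-tunnels.secrets` content, key included, into the console and any log collector. Adding `no_log: true` next to `mode: '0600'` keeps the secret out of job output; the VIP secrets task further down looks pre-existing from the hunk counts and may have the same exposure. The task also sets `mode: '0600'` without `owner`/`group`, so ownership falls to whatever user the play connects as — fine if that is root, but worth confirming. The task list continues outside this hunk.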
@ -8,10 +8,10 @@
|
|||
|
||||
conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
|
||||
type=tunnel
|
||||
authby=null
|
||||
leftid=%null
|
||||
rightid=%null
|
||||
authby=secret
|
||||
leftid={{ current_ip }}
|
||||
left={{ current_ip }}
|
||||
rightid={{ other_ip }}
|
||||
right={{ other_ip }}
|
||||
failureshunt=passthrough
|
||||
ikev2=insist
|
||||
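Review bot: With `authby=null` an authentication failure on this conn was not possible; now that it is `authby=secret`, a missing or mismatched `ipsec_psk` on either peer makes IKE fail, and `failureshunt=passthrough` in this template then lets the node-to-node traffic flow unencrypted instead of surfacing the misconfiguration. That fail-open policy predates the commit, but the PSK change is what makes it reachable, so it deserves a line above the conn: `# failureshunt=passthrough: a PSK mismatch silently degrades to cleartext; keep ipsec_psk identical on all nodes`. The sibling hunk at `@ -6,10 +6,10 @@` makes the same authby/id change with `failureshunt=drop`, which fails closed and needs no such note. `leftid`/`rightid` duplicate `left`/`right`; libreswan, which these keywords suggest, defaults the ID to the address, so the explicit lines are redundant but harmless and they do match the selector columns of the new secrets template.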
@ -6,10 +6,10 @@
|
|||
|
||||
conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
|
||||
type=tunnel
|
||||
authby=null
|
||||
leftid=%null
|
||||
rightid=%null
|
||||
authby=secret
|
||||
leftid={{ current_ip }}
|
||||
left={{ current_ip }}
|
||||
rightid={{ other_ip }}
|
||||
right={{ other_ip }}
|
||||
failureshunt=drop
|
||||
ikev2=insist
|
||||
@ -0,0 +1,3 @@
|
|||
{% for other_ip in other_ips %}
|
||||
{{ current_ip }} {{ other_ip }} : PSK "{{ ipsec_psk }}"
|
||||
{% endfor %}
|
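Review bot: `{{ ipsec_psk }}` is written into a double-quoted PSK string with no escaping, so a value containing `"` yields an unparsable secrets file, and nothing in the commit checks that the variable is defined and reasonably long before it lands on disk. A fail-fast `assert` task in the playbook (`that: ipsec_psk is defined and ipsec_psk | length >= 32`), or rendering the key in the hex form (`PSK 0x…`) that libreswan's secrets syntax accepts, avoids both. Every node pair shares this one secret, so any node that holds it can authenticate as any other node; that is a deliberate simplification worth stating in the template, `{# one cluster-wide PSK from inventory (ipsec_psk): rotate it on all nodes together #}`.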