Juniper · Attil · Dec 21, 2017
diff --git a/scripts/vpnaas/ansible/.gitignore b/scripts/vpnaas/ansible/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/scripts/vpnaas/ansible/README.md b/scripts/vpnaas/ansible/README.md
@@ -0,0 +1 @@
+# contrail_vpnaas_ansible
diff --git a/scripts/vpnaas/ansible/inventory.yaml b/scripts/vpnaas/ansible/inventory.yaml
@@ -0,0 +1,19 @@
+#[vrouters]
+#10.10.3.83
+#[ipsec_mesh]
+#10.10.3.83
+#10.10.3.84
+vrouters:
+  hosts:
+    10.84.24.32:
+      id: 1
+      vm_mac: 00:11:22:33:44:32
+      tunnel_mac: 00:25:90:c9:2b:7e
+      tunnel_ip: 10.255.0.32
+      swan: libreswan
+    10.84.24.33:
+      id: 3
+      vm_mac: 00:11:22:33:44:33
+      tunnel_mac: 00:25:90:c9:29:10
+      tunnel_ip: 10.255.0.33
+      swan: libreswan
diff --git a/scripts/vpnaas/ansible/playbook.yml b/scripts/vpnaas/ansible/playbook.yml
@@ -0,0 +1,13 @@
+---
+- hosts: vrouters
+  remote_user: root
+  roles:
+    - setup
+    - common
+    - swan
+    - gre_tunnel
+    - contrail_tunnels
+    - psk_tunnels
+  tasks:
+    - debug:
+        msg: "Done!"
diff --git a/scripts/vpnaas/ansible/psk_mesh.yaml b/scripts/vpnaas/ansible/psk_mesh.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: ipsec_mesh
+  remote_user: root
+  roles:
+    - strongswan
+    - psk_tunnels
+
diff --git a/scripts/vpnaas/ansible/resources/utils/dropstats b/scripts/vpnaas/ansible/resources/utils/dropstats
diff --git a/scripts/vpnaas/ansible/resources/utils/flow b/scripts/vpnaas/ansible/resources/utils/flow
diff --git a/scripts/vpnaas/ansible/resources/utils/mirror b/scripts/vpnaas/ansible/resources/utils/mirror
diff --git a/scripts/vpnaas/ansible/resources/utils/mpls b/scripts/vpnaas/ansible/resources/utils/mpls
diff --git a/scripts/vpnaas/ansible/resources/utils/nh b/scripts/vpnaas/ansible/resources/utils/nh
diff --git a/scripts/vpnaas/ansible/resources/utils/qosmap b/scripts/vpnaas/ansible/resources/utils/qosmap
diff --git a/scripts/vpnaas/ansible/resources/utils/rt b/scripts/vpnaas/ansible/resources/utils/rt
diff --git a/scripts/vpnaas/ansible/resources/utils/vif b/scripts/vpnaas/ansible/resources/utils/vif
diff --git a/scripts/vpnaas/ansible/resources/utils/vrfstats b/scripts/vpnaas/ansible/resources/utils/vrfstats
diff --git a/scripts/vpnaas/ansible/resources/utils/vrmemstats b/scripts/vpnaas/ansible/resources/utils/vrmemstats
diff --git a/scripts/vpnaas/ansible/resources/utils/vrouter b/scripts/vpnaas/ansible/resources/utils/vrouter
diff --git a/scripts/vpnaas/ansible/resources/utils/vxlan b/scripts/vpnaas/ansible/resources/utils/vxlan
diff --git a/scripts/vpnaas/ansible/resources/vhost.sh b/scripts/vpnaas/ansible/resources/vhost.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+vif --create vhost0 --mac {{ mac_address }}
+ip link set vhost0 up
+vif --add {{ interface }} --mac {{ mac_address }} --vrf 0 --type physical --vhost-phys
+vif --add vhost0 --mac {{ mac_address }} --vrf 0 --type vhost --xconnect {{ interface }}
+dhclient -r
+ip addr flush dev {{ interface }}
+dhclient vhost0
diff --git a/scripts/vpnaas/ansible/resources/vrouter_CentOS_Core.ko b/scripts/vpnaas/ansible/resources/vrouter_CentOS_Core.ko
diff --git a/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_trusty.ko b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_trusty.ko
diff --git a/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_xenial.ko b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_xenial.ko
diff --git a/scripts/vpnaas/ansible/roles/common/tasks/main.yaml b/scripts/vpnaas/ansible/roles/common/tasks/main.yaml
@@ -0,0 +1,31 @@
+---
+  - name: Reload dependencies
+    shell: depmod -a
+  - name: Load vRouter module
+    modprobe:
+      name: vrouter
+  - set_fact:
+      mac_address: "{{ ansible_default_ipv4.macaddress }}"
+      ip_address: "{{ ansible_default_ipv4.address }}"
+      mask: "{{ ansible_default_ipv4.netmask }}"
+      interface: "{{ ansible_default_ipv4.interface }}"
+  - file:
+      path: /opt/contrail/vpnaas/
+      state: directory
+      mode: 0755
+  - template:
+      src: resources/vhost.sh
+      dest: /opt/contrail/vpnaas/vhost.sh
+      mode: 0700
+  - name: Checking if vhost0 is already configured
+    shell: ip link show dev vhost0
+    register: vhost0
+    ignore_errors: yes
+  - name: Set up vhost
+    shell: /opt/contrail/vpnaas/vhost.sh
+    when: vhost0.rc != 0
+  - name: Interface settings
+    import_tasks: tasks/settings.yaml
+    vars:
+      interface_name: vhost0
+    when: vhost0.rc != 0
diff --git a/scripts/vpnaas/ansible/roles/contrail_tunnels/tasks/main.yaml b/scripts/vpnaas/ansible/roles/contrail_tunnels/tasks/main.yaml
@@ -0,0 +1,15 @@
+---
+  - name: Checking if gw0 is already configured
+    shell: ip link show dev gw0
+    register: gw0
+    ignore_errors: yes
+  - import_tasks: tasks/create_gateway.yaml
+    vars:
+      nh: 200
+      interface_name: "gw0"
+    when: gw0.rc != 0
+  - include_tasks: tasks/loop_hosts_regular.yaml task=tasks/create_tunnel.yaml
+    when: gw0.rc != 0
+  - include_role:
+      name: psk_tunnels
+    when: gw0.rc != 0
diff --git a/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/main.yaml b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+  - name: Ensure package bridge-utils is present
+    apt:
+      name: bridge-utils
+      state: present
+    when: ansible_distribution == 'Ubuntu'
+  - name: Setting up tun0
+    import_tasks: tun0.yaml
diff --git a/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/tun0.yaml b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/tun0.yaml
@@ -0,0 +1,23 @@
+---
+  - name: Checking if tun0 is already configured
+    shell: ip link show dev tun0
+    register: tun0
+    ignore_errors: yes
+  - shell: "ip link add tun0 type gretap local {{ inventory_hostname }} remote 10.84.24.41"
+    when: tun0.rc != 0
+  - shell: ip link set dev tun0 up
+    when: tun0.rc != 0
+  - name: Adding tun0 to vRouter
+    shell: vif --add tun0 --vrf 1 --type virtual --mac 00:11:22:33:44:55
+    when: tun0.rc != 0
+  - name: Creating an Encap nh for tun0
+    import_tasks: tasks/create_encap.yaml
+    vars:
+      interface_name: tun0
+      vrf: 1
+      nh: 100
+      mpls_label: 32
+  - import_tasks: tasks/settings.yaml
+    vars:
+      interface_name: tun0
+    when: tun0.rc != 0
diff --git a/scripts/vpnaas/ansible/roles/libreswan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/libreswan/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+  - name: restart ipsec
+    shell: |
+      "{{ swan_command }}" stop
+      ip xfrm policy flush
+      ip xfrm state flush
+      "{{ swan_command }}" start
diff --git a/scripts/vpnaas/ansible/roles/libreswan/tasks/main.yaml b/scripts/vpnaas/ansible/roles/libreswan/tasks/main.yaml
@@ -0,0 +1,85 @@
+---
+  - name: Install dependencies for LibreSWAN
+    apt:
+      name: "{{ item }}"
+      state: present
+    when: ansible_distribution == 'Ubuntu'
+    with_items:
+      - libnss3-dev
+      - libnspr4-dev
+      - pkg-config
+      - libpam-dev
+      - libcap-ng-dev
+      - libcap-ng-utils
+      - libselinux-dev
+      - libcurl3-nss-dev
+      - flex
+      - bison
+      - gcc
+      - make
+      - libldns-dev
+      - libunbound-dev
+      - libnss3-tools
+      - libevent-dev
+      - xmlto
+      - git
+  - apt:
+      name: libsystemd-dev
+      state: present
+    when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial'
+  - name: Install EPEL Repository
+    yum:
+      name: epel-release
+      state: present
+    when: ansible_distribution == 'CentOS'
+  - name: Install dependencies for LibreSWAN
+    yum:
+      name: "{{ item }}"
+      state: present
+    when: ansible_distribution == 'CentOS'
+    with_items:
+      - audit-libs-devel
+      - bison
+      - curl-devel
+      - fipscheck-devel
+      - flex
+      - gcc
+      - ldns-devel
+      - libcap-ng-devel
+      - libevent-devel
+      - libseccomp-devel
+      - libselinux-devel
+      - make
+      - nspr-devel
+      - nss-devel
+      - pam-devel
+      - pkgconfig
+      - systemd-devel
+      - unbound-devel
+      - xmlto
+      - git
+  - name: Download LibreSWAN
+    git:
+      repo: 'https://github.com/libreswan/libreswan.git'
+      dest: /tmp/libreswan/
+    when: ansible_distribution == 'Ubuntu'
+  - name: Install LibreSWAN
+    make:
+      chdir: /tmp/libreswan/
+      target: "{{ item }}"
+    with_items:
+      - all
+      - install
+    environment:
+      USE_DNSSEC: false
+  #   when: ansible_distribution == 'Ubuntu'
+  # - name: Install LibreSWAN
+  #   yum:
+  #     name: libreswan
+  #     state: present
+  #   when: ansible_distribution == 'CentOS'
+  - template:
+      src: ipsec.conf
+      dest: "{{ swan_path }}/ipsec.conf"
+    notify:
+      - restart ipsec
diff --git a/scripts/vpnaas/ansible/roles/libreswan/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/libreswan/templates/ipsec.conf
@@ -0,0 +1,14 @@
+config setup
+
+conn default_setup
+    ikelifetime=60m
+    keylife=20m
+    rekeymargin=3m
+    keyingtries=1
+    ikev2=insist
+    ike=aes_gcm256-sha512-ecp_256
+    esp=aes_gcm256-none-ecp_256
+    type=tunnel
+    encapsulation=yes 
+
+include {{ swan_path }}/ipsec.d/conns/*.conf
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/files/ipsec.secrets b/scripts/vpnaas/ansible/roles/psk_tunnels/files/ipsec.secrets
@@ -0,0 +1 @@
+: PSK "ASGHFASGHFKAHKSFdgshkudgskdgfdgfbdvfdgfdgfbdgfdgfedgfsdghkdgfyh54ojgrt"
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/tasks/main.yaml b/scripts/vpnaas/ansible/roles/psk_tunnels/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+  - include_tasks: tasks/loop_hosts.yaml task=tasks/add_ipsec_conf.yaml
+  - copy:
+      src: ipsec.secrets
+      dest: "{{ swan_path }}/ipsec.secrets"
+    notify:
+      - restart ipsec
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/psk_tunnels/templates/ipsec.conf
@@ -0,0 +1,10 @@
+# Connection number {{ idx }}
+conn tunnel{{ idx }}
+        also=default_setup
+        left={{ real_host1 }}
+        leftsubnet={{ host1 }}/32
+        right={{ real_host2 }}
+        rightsubnet={{ host2 }}/32
+        authby=secret
+        auto=start
+        mark=42/0xffffffff
diff --git a/scripts/vpnaas/ansible/roles/setup/tasks/main.yaml b/scripts/vpnaas/ansible/roles/setup/tasks/main.yaml
@@ -0,0 +1,15 @@
+---
+  - name: Install utilities
+    copy:
+      src: resources/utils/
+      dest: /usr/bin/
+      mode: 0700
+  - name: Check Linux version
+    shell: uname -r
+    register: uname_output
+  - set_fact:
+      linux_version: "{{ uname_output.stdout }}"
+  - name: Copy vRouter
+    copy:
+      src: resources/vrouter_{{ ansible_distribution }}_{{ ansible_distribution_release }}.ko
+      dest: "/lib/modules/{{ linux_version }}/vrouter.ko"
diff --git a/scripts/vpnaas/ansible/roles/setup_ips/tasks/ip_add.yaml b/scripts/vpnaas/ansible/roles/setup_ips/tasks/ip_add.yaml
@@ -0,0 +1,3 @@
+---
+  - shell: |
+      ip addr add "{{ ip_addr }}"/16 dev ens3 || /bin/true
diff --git a/scripts/vpnaas/ansible/roles/setup_ips/tasks/main.yaml b/scripts/vpnaas/ansible/roles/setup_ips/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+  - include_tasks: tasks/loop_ips.yaml task=roles/setup_ips/tasks/ip_add.yaml
+    when: skip_ip_add is not defined
diff --git a/scripts/vpnaas/ansible/roles/strongswan/files/strongswan.conf b/scripts/vpnaas/ansible/roles/strongswan/files/strongswan.conf
@@ -0,0 +1,11 @@
+include strongswan.d/*.conf
+
+charon {
+        load_modular = yes
+        plugins {
+                include strongswan.d/charon/*.conf
+        }
+        block_threshold = 2000
+        half_open_timeout = 30
+}
+
diff --git a/scripts/vpnaas/ansible/roles/strongswan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/strongswan/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+  - name: restart ipsec
+    shell: |
+      "{{ swan_command }}" stop
+      ip xfrm policy flush
+      ip xfrm state flush
+      "{{ swan_command }}" start
diff --git a/scripts/vpnaas/ansible/roles/strongswan/tasks/main.yaml b/scripts/vpnaas/ansible/roles/strongswan/tasks/main.yaml
@@ -0,0 +1,24 @@
+---
+  - name: Install StrongSWAN
+    apt:
+      name: strongswan
+      state: present
+    when: ansible_distribution == 'Ubuntu'
+  - name: Install EPEL Repository
+    yum:
+      name: epel-release
+      state: present
+    when: ansible_distribution == 'CentOS'
+  - name: Install StrongSWAN
+    yum:
+      name: strongswan
+      state: present
+    when: ansible_distribution == 'CentOS'
+  - copy:
+      src: strongswan.conf
+      dest: "{{ swan_path }}/strongswan.conf"
+  - template:
+      src: ipsec.conf
+      dest: "{{ swan_path }}/ipsec.conf"
+    notify:
+      - restart ipsec
diff --git a/scripts/vpnaas/ansible/roles/strongswan/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/strongswan/templates/ipsec.conf
@@ -0,0 +1,15 @@
+config setup
+
+conn default_setup
+    ikelifetime=60m
+    keylife=20m
+    rekeymargin=3m
+    keyingtries=1
+    keyexchange=ikev2
+    mobike=no
+    ike=aes256gcm128-sha512-ecp256!
+    esp=aes256gcm128-ecp256!
+    type=tunnel
+    forceencaps=yes    
+
+include {{ swan_path }}/ipsec.d/conns/*.conf
diff --git a/scripts/vpnaas/ansible/roles/swan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/swan/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+  - name: restart ipsec
+    shell: |
+      "{{ swan_command }}" stop
+      ip xfrm policy flush
+      ip xfrm state flush
+      "{{ swan_command }}" start