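#cloud-config
# Cloud-init user-data for a CentOS 7 VPN/BGP gateway instance:
#   - installs strongSwan + Quagga, writes their configs, hardens sysctl,
#   - registers the salt-minion id and re-baselines AIDE.
# `${hostname}` / `${fqdn}` look like template-engine substitutions (Terraform
# templatefile-style); `TODO_*` / `TODO-*` / `{NAME}` tokens are placeholders
# that are NOT templated here and must be filled in before use.
#
# Fixes vs. the previous revision:
#   - write_files entries used `mode:`, which is not a cloud-init write_files
#     key (the key is `permissions:`); with `mode:` ignored, ipsec.secrets and
#     the updown script would have been written with the default 0644.
#   - bgpd.conf had stray `}` left over from an earlier `${...}` substitution.

preserve_hostname: false
hostname: "${hostname}"
fqdn: "${fqdn}"

# A lot of this could be done via salt. But for simplicity, i'm presently keeping it out.
yum_repos:
  epel-release:
    # NOTE(review): the repo and its signing key are both fetched over plain
    # http; gpgcheck only protects packages once the key has been trusted, so
    # prefer the https form of these URLs if the mirror network offers it.
    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
    enabled: true
    failovermethod: priority
    gpgcheck: true
    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
    name: Extra Packages for Enterprise Linux 7 - Release

packages:
  - strongswan
  - quagga
  - ntp
  - vim

package_update: true  # Always patch

growpart:
  mode: auto
  devices: ['/']
  ignore_growroot_disabled: false

write_files:
  # strongSwan daemon config: modular plugin loading plus a dedicated
  # charon log at /var/log/charon.log.
  # NOTE(review): the updown script's header asks for `install_routes = no`
  # in charon.conf; it is not set here, so the script relies on flushing
  # routing table 220 instead — confirm that is the intended behaviour.
  - path: /etc/strongswan/strongswan.conf
    content: |
      # strongswan.conf - strongSwan configuration file
      #
      # Refer to the strongswan.conf(5) manpage for details
      #
      # Configuration changes should be made in the included files

      charon {
        plugins {
          include strongswan.d/charon/*.conf
        }
        load_modular = yes
        filelog {
          charon {
            path = /var/log/charon.log
            time_format = %b %e %T
            ike_name = yes
            append = yes
          }
        }
      }
    owner: root
    group: root
    permissions: '0600'

  # Two IKEv1 PSK tunnels to the AWS VGW, each tagged with its own mark so the
  # updown script can map it to a VTI interface.
  # NOTE(review): the ike/esp proposal lists include a sha1/modp1024 fallback;
  # keep it only while the peer genuinely requires it.
  # NOTE(review): placeholders here are spelled `TODO-pTunnel…` (hyphen) while
  # ipsec.secrets uses `TODO_pTunnel…` (underscore) — a single substitution
  # pattern will miss one of the two; pick one spelling.
  - path: /etc/strongswan/ipsec.conf
    content: |
      conn %default
        leftauth=psk
        rightauth=psk
        ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
        ikelifetime=28800s
        aggressive=no
        esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
        lifetime=3600s
        type=tunnel
        dpddelay=10s
        dpdtimeout=30s
        keyexchange=ikev1
        rekey=yes
        reauth=no
        dpdaction=restart
        closeaction=restart
        left=%defaultroute
        leftsubnet=0.0.0.0/0,::/0
        rightsubnet=0.0.0.0/0,::/0
        leftupdown=/etc/strongswan/ipsec-vti.sh
        installpolicy=yes
        compress=no
        mobike=no

      conn AWS-VPC-TUNNEL-1
        left=%any
        right=TODO-pTunnel1VgwOutsideIpAddress
        auto=start
        mark=100

      conn AWS-VPC-TUNNEL-2
        left=%any
        right=TODO-pTunnel2VgwOutsideIpAddress
        auto=start
        mark=200
    owner: root
    group: root
    permissions: '0600'

  # strongSwan updown hook: creates/destroys a VTI per tunnel, clamps MSS and
  # marks inbound ESP so policy routing works.
  # NOTE(review): the script uses `$${!VAR}` — `$$` looks like an escape for
  # the outer template engine, but the remaining `${!VAR}` is bash *indirect*
  # expansion, which fails with "bad substitution" unless a second pass strips
  # the `!`. Verify the rendered script on a host before relying on it.
  - path: /etc/strongswan/ipsec-vti.sh
    content: |
      #!/bin/bash
      #@ /etc/strongswan/ipsec-vti.sh (Centos) or /etc/strongswan.d/ipsec-vti.sh (Ubuntu)
      # AWS VPC Hardware VPN Strongswan updown Script
      # Usage Instructions:
      # Add "install_routes = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
      # Add "install_virtual_ip = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
      # For Ubuntu: Add "leftupdown=/etc/strongswan.d/ipsec-vti.sh" to /etc/ipsec.conf
      # For RHEL/Centos: Add "leftupdown=/etc/strongswan/ipsec-vti.sh" to /etc/strongswan/ipsec.conf
      # For RHEL/Centos 6 and below: git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git && cd iproute2 && make && cp ./ip/ip /usr/local/sbin/ip
      # Adjust the below according to the Generic Gateway Configuration file provided to you by AWS.
      # Sample: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html

      IP=$(which ip)
      IPTABLES=$(which iptables)

      PLUTO_MARK_OUT_ARR=($${!PLUTO_MARK_OUT//// })
      PLUTO_MARK_IN_ARR=($${!PLUTO_MARK_IN//// })
      case "$PLUTO_CONNECTION" in
        AWS-VPC-TUNNEL-1)
          VTI_INTERFACE=vti1
          VTI_LOCALADDR=TODO_pTunnel1CgwInsideCidr
          VTI_REMOTEADDR=TODO_pTunnel1VgwInsideCidr
          ;;
        AWS-VPC-TUNNEL-2)
          VTI_INTERFACE=vti2
          VTI_LOCALADDR=TODO_pTunnel2CgwInsideCidr
          VTI_REMOTEADDR=TODO_pTunnel2VgwInsideCidr
          ;;
      esac

      case "$${!PLUTO_VERB}" in
        up-client)
          #$IP tunnel add $${!VTI_INTERFACE} mode vti local $${!PLUTO_ME} remote $${!PLUTO_PEER} okey $${!PLUTO_MARK_OUT_ARR[0]} ikey $${!PLUTO_MARK_IN_ARR[0]}
          $IP link add $${!VTI_INTERFACE} type vti local $${!PLUTO_ME} remote $${!PLUTO_PEER} okey $${!PLUTO_MARK_OUT_ARR[0]} ikey $${!PLUTO_MARK_IN_ARR[0]}
          sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.disable_policy=1
          sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.rp_filter=0
          $IP addr add $${!VTI_LOCALADDR} remote $${!VTI_REMOTEADDR} dev $${!VTI_INTERFACE}
          $IP link set $${!VTI_INTERFACE} up mtu 1436
          $IPTABLES -t mangle -I FORWARD -o $${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
          $IPTABLES -t mangle -I INPUT -p esp -s $${!PLUTO_PEER} -d $${!PLUTO_ME} -j MARK --set-xmark $${!PLUTO_MARK_IN}
          $IP route flush table 220
          #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
          ;;
        down-client)
          #$IP tunnel del $${!VTI_INTERFACE}
          $IP link del $${!VTI_INTERFACE}
          $IPTABLES -t mangle -D FORWARD -o $${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
          $IPTABLES -t mangle -D INPUT -p esp -s $${!PLUTO_PEER} -d $${!PLUTO_ME} -j MARK --set-xmark $${!PLUTO_MARK_IN}
          ;;
      esac
    owner: root
    group: root
    permissions: '0700'

  # IKE pre-shared keys, one per VGW outside address. Must be root-only (0600).
  # NOTE(review): anything in user-data is readable from the instance metadata
  # service by any local process, so the PSKs are exposed beyond this file;
  # consider delivering them out-of-band (secret store / parameter store).
  # NOTE(review): the second placeholder is `TODO_Tunnel2Psk` while the first
  # is `TODO_pTunnel1Psk` — confirm the intended name before substituting.
  - path: /etc/strongswan/ipsec.secrets
    content: |
      TODO_pTunnel1VgwOutsideIpAddress : PSK "TODO_pTunnel1Psk"
      TODO_pTunnel2VgwOutsideIpAddress : PSK "TODO_Tunnel2Psk"
    owner: root
    group: root
    permissions: '0600'

  # Quagga zebra: rewrite the source address of BGP-learned routes.
  # `{HOSTNAME}` / `{PRIVATE_IP}` use a third placeholder style — presumably a
  # later sed/format step; verify it runs before quagga starts.
  # NOTE(review): `password zebra` / `enable password zebra` are the
  # well-known defaults; the vty is local by default but the value should
  # still be changed (or vty access restricted) on a gateway host.
  - path: /etc/quagga/zebra.conf
    content: |
      hostname {HOSTNAME}
      password zebra
      enable password zebra
      !
      log file /var/log/quagga/zebra.log
      !
      ! Configure interfaces
      interface lo
      ! Change preferred source ip address of received routes
      route-map RM_SET_SRC permit 10
        set src {PRIVATE_IP}
      ip protocol bgp route-map RM_SET_SRC
      !
      line vty
    owner: root
    group: root
    permissions: '0644'

  # Quagga bgpd: peer with both tunnel endpoints, AS-path-prepend on tunnel 2
  # so tunnel 1 is preferred. Stray `}` after the TODO placeholders removed
  # (they were left over from an earlier `${...}` substitution).
  - path: /etc/quagga/bgpd.conf
    content: |
      hostname bgpd
      password zebra
      enable password zebra
      !
      log file /var/log/quagga/bgpd.log
      !
      debug bgp events
      debug bgp filters
      debug bgp fsm
      debug bgp keepalives
      debug bgp updates
      !
      router bgp TODO_pLocalBgpAsn
        bgp router-id {PRIVATE_IP}
        network TODO_pVpcCidr
        neighbor TODO_pTunnel1BgpNeighborIpAddress remote-as TODO_pTunnel1BgpAsn
        neighbor TODO_pTunnel2BgpNeighborIpAddress remote-as TODO_pTunnel2BgpAsn
        neighbor TODO_pTunnel2BgpNeighborIpAddress route-map RM_LOWER_PRIORITY out
      !
      route-map RM_LOWER_PRIORITY permit 10
        set as-path prepend TODO_pLocalBgpAsn TODO_pLocalBgpAsn TODO_pLocalBgpAsn
      !
      line vty
    owner: root
    group: root
    permissions: '0644'

  # Kernel hardening for a forwarding host: ip_forward on, redirects and
  # source routing off, martian logging, syncookies, strict rp_filter.
  # (The updown script relaxes rp_filter per-VTI; the global default stays 1.)
  - path: /etc/sysctl.conf
    content: |
      # sysctl settings are defined through files in
      # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
      #
      # Vendors settings live in /usr/lib/sysctl.d/.
      # To override a whole file, create a new file with the same in
      # /etc/sysctl.d/ and put new settings there. To override
      # only specific settings, add a file with a lexically later
      # name in /etc/sysctl.d/ and put new settings there.
      #
      # For more information, see sysctl.conf(5) and sysctl.d(5).

      net.ipv4.ip_forward = 1
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.default.send_redirects = 0
      net.ipv4.tcp_max_syn_backlog = 1280
      net.ipv4.icmp_echo_ignore_broadcasts = 1
      net.ipv4.conf.all.accept_source_route = 0
      net.ipv4.conf.all.accept_redirects = 0
      net.ipv4.conf.all.secure_redirects = 0
      net.ipv4.conf.all.log_martians = 1
      net.ipv4.conf.default.accept_source_route = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.conf.default.secure_redirects = 0
      net.ipv4.icmp_echo_ignore_broadcasts = 1
      net.ipv4.icmp_ignore_bogus_error_responses = 1
      net.ipv4.tcp_syncookies = 1
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.tcp_mtu_probing = 1
    owner: root
    group: root
    permissions: '0600'

runcmd:
  # salt-minion and amazon-ssm-agent are not in `packages`, so they are
  # presumably baked into the image — confirm, or these units will not exist.
  - echo "${fqdn}" > /etc/salt/minion_id
  - /bin/systemctl restart salt-minion
  - /bin/systemctl enable salt-minion
  - /bin/systemctl start amazon-ssm-agent
  - /bin/systemctl enable amazon-ssm-agent
  # Re-baseline AIDE after all files above are in place so the freshly written
  # configs are part of the integrity database rather than flagged as changes.
  - /usr/sbin/aide --update --verbose=0
  - /bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Since we reboot, either final message or power state, but probably not both
#final_message: "The system is up after $UPTIME seconds"
#power_state:
#  delay: "+30"
#  mode: reboot
#  message: "System configured after $UPTIME seconds"
#  timeout: 300
#  condition: true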