diff --git a/scripts/vpnaas/ansible/.gitignore b/scripts/vpnaas/ansible/.gitignore
new file mode 100644
index 000000000..a8b42eb6e
--- /dev/null
+++ b/scripts/vpnaas/ansible/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/scripts/vpnaas/ansible/README.md b/scripts/vpnaas/ansible/README.md
new file mode 100644
index 000000000..bd7c2d275
--- /dev/null
+++ b/scripts/vpnaas/ansible/README.md
@@ -0,0 +1 @@
+# contrail_vpnaas_ansible
diff --git a/scripts/vpnaas/ansible/inventory.yaml b/scripts/vpnaas/ansible/inventory.yaml
new file mode 100644
index 000000000..3f13e4a19
--- /dev/null
+++ b/scripts/vpnaas/ansible/inventory.yaml
@@ -0,0 +1,19 @@
+#[vrouters]
+#10.10.3.83
+#[ipsec_mesh]
+#10.10.3.83
+#10.10.3.84
+vrouters:
+ hosts:
+ 10.84.24.32:
+ id: 1
+ vm_mac: 00:11:22:33:44:32
+ tunnel_mac: 00:25:90:c9:2b:7e
+ tunnel_ip: 10.255.0.32
+ swan: libreswan
+ 10.84.24.33:
+ id: 3
+ vm_mac: 00:11:22:33:44:33
+ tunnel_mac: 00:25:90:c9:29:10
+ tunnel_ip: 10.255.0.33
+ swan: libreswan
diff --git a/scripts/vpnaas/ansible/playbook.yml b/scripts/vpnaas/ansible/playbook.yml
new file mode 100644
index 000000000..227c5d00c
--- /dev/null
+++ b/scripts/vpnaas/ansible/playbook.yml
@@ -0,0 +1,13 @@
+---
+- hosts: vrouters
+ remote_user: root
+ roles:
+ - setup
+ - common
+ - swan
+ - gre_tunnel
+ - contrail_tunnels
+ - psk_tunnels
+ tasks:
+ - debug:
+ msg: "Done!"
\ No newline at end of file
diff --git a/scripts/vpnaas/ansible/psk_mesh.yaml b/scripts/vpnaas/ansible/psk_mesh.yaml
new file mode 100644
index 000000000..e0533821f
--- /dev/null
+++ b/scripts/vpnaas/ansible/psk_mesh.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: ipsec_mesh
+ remote_user: root
+ roles:
+ - strongswan
+ - psk_tunnels
+
diff --git a/scripts/vpnaas/ansible/resources/utils/dropstats b/scripts/vpnaas/ansible/resources/utils/dropstats
new file mode 100755
index 000000000..9e8214a0c
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/dropstats differ
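Review bot: The per-host MAC values in inventory.yaml are written as plain scalars, and `vm_mac: 00:11:22:33:44:32` is a colon-separated all-digit string of the kind YAML 1.1 loaders can retype; this exact value survives PyYAML's sexagesimal rules only because it starts with `0`, which is fragile. Quote every MAC and IP, e.g. `vm_mac: "00:11:22:33:44:32"` and `tunnel_mac: "00:25:90:c9:2b:7e"`, so the values reach the `vif`/`nh` commands unchanged. The commented-out INI block at the top (`#[ipsec_mesh]`) should either become a real `ipsec_mesh` group, which psk_mesh.yaml targets, or be removed.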
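Review bot: playbook.yml connects with `remote_user: root`, which requires root SSH login to stay enabled on every vrouter; prefer an unprivileged deploy user plus `become: true` so `PermitRootLogin` can be turned off. The `psk_tunnels` role is also listed here even though roles/contrail_tunnels already does `include_role: name: psk_tunnels`, so on a fresh host the connection templates are rendered and the `restart ipsec` handler is notified twice in one play; drop one of the two. Quote `- debug:` task output as `msg: "Done!"` is fine, but the file lacks a trailing newline.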
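Review bot: psk_mesh.yaml targets the `ipsec_mesh` group, which does not exist in the new inventory.yaml (it appears there only as commented INI lines), so this play selects no hosts. It also applies the `strongswan` role directly, but that role writes to `{{ swan_path }}` and its handler runs `{{ swan_command }}`, and both facts are set only by the `swan` role; run standalone it fails with an undefined variable on the first `copy`. Use `- swan` (with `swan: strongswan` in the inventory) in place of `- strongswan`, and declare the group.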
diff --git a/scripts/vpnaas/ansible/resources/utils/flow b/scripts/vpnaas/ansible/resources/utils/flow
new file mode 100755
index 000000000..8d0dc091f
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/flow differ
diff --git a/scripts/vpnaas/ansible/resources/utils/mirror b/scripts/vpnaas/ansible/resources/utils/mirror
new file mode 100755
index 000000000..7a3b21a00
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/mirror differ
diff --git a/scripts/vpnaas/ansible/resources/utils/mpls b/scripts/vpnaas/ansible/resources/utils/mpls
new file mode 100755
index 000000000..f87c114b5
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/mpls differ
diff --git a/scripts/vpnaas/ansible/resources/utils/nh b/scripts/vpnaas/ansible/resources/utils/nh
new file mode 100755
index 000000000..246e04d92
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/nh differ
diff --git a/scripts/vpnaas/ansible/resources/utils/qosmap b/scripts/vpnaas/ansible/resources/utils/qosmap
new file mode 100755
index 000000000..0004dbe52
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/qosmap differ
diff --git a/scripts/vpnaas/ansible/resources/utils/rt b/scripts/vpnaas/ansible/resources/utils/rt
new file mode 100755
index 000000000..d184a47d3
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/rt differ
diff --git a/scripts/vpnaas/ansible/resources/utils/vif b/scripts/vpnaas/ansible/resources/utils/vif
new file mode 100755
index 000000000..b984823ca
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/vif differ
diff --git a/scripts/vpnaas/ansible/resources/utils/vrfstats b/scripts/vpnaas/ansible/resources/utils/vrfstats
new file mode 100755
index 000000000..ef70ea5be
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/vrfstats differ
diff --git a/scripts/vpnaas/ansible/resources/utils/vrmemstats b/scripts/vpnaas/ansible/resources/utils/vrmemstats
new file mode 100755
index 000000000..206a38c49
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/vrmemstats differ
diff --git a/scripts/vpnaas/ansible/resources/utils/vrouter b/scripts/vpnaas/ansible/resources/utils/vrouter
new file mode 100755
index 000000000..c60927adf
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/vrouter differ
diff --git a/scripts/vpnaas/ansible/resources/utils/vxlan b/scripts/vpnaas/ansible/resources/utils/vxlan
new file mode 100755
index 000000000..4b6dc967a
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/utils/vxlan differ
diff --git a/scripts/vpnaas/ansible/resources/vhost.sh b/scripts/vpnaas/ansible/resources/vhost.sh
new file mode 100644
index 000000000..c7206df18
--- /dev/null
+++ b/scripts/vpnaas/ansible/resources/vhost.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+vif --create vhost0 --mac {{ mac_address }}
+ip link set vhost0 up
+vif --add {{ interface }} --mac {{ mac_address }} --vrf 0 --type physical --vhost-phys
+vif --add vhost0 --mac {{ mac_address }} --vrf 0 --type vhost --xconnect {{ interface }}
+dhclient -r
+ip addr flush dev {{ interface }}
+dhclient vhost0
diff --git a/scripts/vpnaas/ansible/resources/vrouter_CentOS_Core.ko b/scripts/vpnaas/ansible/resources/vrouter_CentOS_Core.ko
new file mode 100644
index 000000000..cc6532adf
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/vrouter_CentOS_Core.ko differ
diff --git a/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_trusty.ko b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_trusty.ko
new file mode 100644
index 000000000..d336f9b57
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_trusty.ko differ
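Review bot: vhost.sh releases the DHCP lease and flushes the address of `{{ interface }}` — the interface Ansible is connected through, per the `ansible_default_ipv4` facts in roles/common — before `dhclient vhost0` has obtained a replacement, and nothing stops the script if an earlier `vif` call fails, so a partial run leaves the host unreachable with no way for the play to recover. Add `set -eu` after the shebang so the script aborts before the flush when `vif --create`/`vif --add` fail, and add a header comment warning that the management address moves from `{{ interface }}` to vhost0 and that the play's connection may drop during that window. Consider `dhclient -1 vhost0` so a failed lease is reported rather than retried silently in the background.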
diff --git a/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_xenial.ko b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_xenial.ko
new file mode 100644
index 000000000..8375dba8e
Binary files /dev/null and b/scripts/vpnaas/ansible/resources/vrouter_Ubuntu_xenial.ko differ
diff --git a/scripts/vpnaas/ansible/roles/common/tasks/main.yaml b/scripts/vpnaas/ansible/roles/common/tasks/main.yaml
new file mode 100644
index 000000000..f360fd256
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/common/tasks/main.yaml
@@ -0,0 +1,31 @@
+---
+ - name: Reload dependencies
+ shell: depmod -a
+ - name: Load vRouter module
+ modprobe:
+ name: vrouter
+ - set_fact:
+ mac_address: "{{ ansible_default_ipv4.macaddress }}"
+ ip_address: "{{ ansible_default_ipv4.address }}"
+ mask: "{{ ansible_default_ipv4.netmask }}"
+ interface: "{{ ansible_default_ipv4.interface }}"
+ - file:
+ path: /opt/contrail/vpnaas/
+ state: directory
+ mode: 0755
+ - template:
+ src: resources/vhost.sh
+ dest: /opt/contrail/vpnaas/vhost.sh
+ mode: 0700
+ - name: Checking if vhost0 is already configured
+ shell: ip link show dev vhost0
+ register: vhost0
+ ignore_errors: yes
+ - name: Set up vhost
+ shell: /opt/contrail/vpnaas/vhost.sh
+ when: vhost0.rc != 0
+ - name: Interface settings
+ import_tasks: tasks/settings.yaml
+ vars:
+ interface_name: vhost0
+ when: vhost0.rc != 0
\ No newline at end of file
diff --git a/scripts/vpnaas/ansible/roles/contrail_tunnels/tasks/main.yaml b/scripts/vpnaas/ansible/roles/contrail_tunnels/tasks/main.yaml
new file mode 100644
index 000000000..b91278cf1
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/contrail_tunnels/tasks/main.yaml
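Review bot: The vhost0 probe in roles/common uses `ignore_errors: yes`, which records the failure in the play recap and marks the task red on every host where vhost0 does not exist yet; what is meant is a non-failing probe, `failed_when: false` together with `changed_when: false` (and `true`/`false` rather than `yes`). The `modprobe: name: vrouter` task loads the out-of-tree module that the setup role copied into `/lib/modules/...` from the repository, i.e. unreviewed binary kernel code, and a one-line comment saying so (`# loads the prebuilt vrouter.ko staged by roles/setup`) would help whoever audits this later. Quote the file modes (`mode: "0755"`, `mode: "0700"`) and make `shell: depmod -a` `changed_when: false` so it stops reporting a change on every run.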
@@ -0,0 +1,15 @@
+---
+ - name: Checking if gw0 is already configured
+ shell: ip link show dev gw0
+ register: gw0
+ ignore_errors: yes
+ - import_tasks: tasks/create_gateway.yaml
+ vars:
+ nh: 200
+ interface_name: "gw0"
+ when: gw0.rc != 0
+ - include_tasks: tasks/loop_hosts_regular.yaml task=tasks/create_tunnel.yaml
+ when: gw0.rc != 0
+ - include_role:
+ name: psk_tunnels
+ when: gw0.rc != 0
\ No newline at end of file
diff --git a/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/main.yaml b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/main.yaml
new file mode 100644
index 000000000..174dc5aa6
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+ - name: Ensure package bridge-utils is present
+ apt:
+ name: bridge-utils
+ state: present
+ when: ansible_distribution == 'Ubuntu'
+ - name: Setting up tun0
+ import_tasks: tun0.yaml
diff --git a/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/tun0.yaml b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/tun0.yaml
new file mode 100644
index 000000000..537d12dfc
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/gre_tunnel/tasks/tun0.yaml
@@ -0,0 +1,23 @@
+---
+ - name: Checking if tun0 is already configured
+ shell: ip link show dev tun0
+ register: tun0
+ ignore_errors: yes
+ - shell: "ip link add tun0 type gretap local {{ inventory_hostname }} remote 10.84.24.41"
+ when: tun0.rc != 0
+ - shell: ip link set dev tun0 up
+ when: tun0.rc != 0
+ - name: Adding tun0 to vRouter
+ shell: vif --add tun0 --vrf 1 --type virtual --mac 00:11:22:33:44:55
+ when: tun0.rc != 0
+ - name: Creating an Encap nh for tun0
+ import_tasks: tasks/create_encap.yaml
+ vars:
+ interface_name: tun0
+ vrf: 1
+ nh: 100
+ mpls_label: 32
+ - import_tasks: tasks/settings.yaml
+ vars:
+ interface_name: tun0
+ when: tun0.rc != 0
\ No newline at end of file
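Review bot: Every task in roles/contrail_tunnels is gated on `gw0.rc != 0`, so the per-peer tunnels (`loop_hosts_regular` → `create_tunnel`) and the IPsec connections (`include_role: psk_tunnels`) are only ever built on the run that first creates gw0; adding a vrouter to the inventory later and re-running the play leaves the existing hosts without a tunnel or conn to the new peer. Gate only the gateway creation on the probe and let the loop and the role run unconditionally, relying on idempotent commands inside them, or document the limitation at the top of the file: `# NOTE: tunnels are created once, when gw0 is first set up; re-run after deleting gw0 to add peers`. The `include_tasks: ... task=...` key=value form should be native YAML (`vars: task: tasks/create_tunnel.yaml`).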
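Review bot: tun0.yaml builds a `gretap` tunnel to the hard-coded remote `10.84.24.41`, and nothing in this change protects that traffic: the IPsec conns rendered by psk_tunnels cover only `tunnel_ip/32` pairs between inventory vrouters with `mark=42`, so unless 10.84.24.41 is covered by a policy elsewhere the GRE payload crosses the underlay in cleartext. Move the remote into inventory (e.g. `gre_remote`) and comment whether it is meant to be encrypted. Separately, the `import_tasks: tasks/create_encap.yaml` block has no `when: tun0.rc != 0` while every neighbouring task does, so `nh --create 100` and `mpls --create 32` are re-issued on every run; add the same `when` there.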
diff --git a/scripts/vpnaas/ansible/roles/libreswan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/libreswan/handlers/main.yaml
new file mode 100644
index 000000000..e0a547621
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/libreswan/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+ - name: restart ipsec
+ shell: |
+ "{{ swan_command }}" stop
+ ip xfrm policy flush
+ ip xfrm state flush
+ "{{ swan_command }}" start
diff --git a/scripts/vpnaas/ansible/roles/libreswan/tasks/main.yaml b/scripts/vpnaas/ansible/roles/libreswan/tasks/main.yaml
new file mode 100644
index 000000000..e8f5dd954
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/libreswan/tasks/main.yaml
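Review bot: The `restart ipsec` handler runs `ip xfrm policy flush` and `ip xfrm state flush`, which discard every IPsec policy and SA on the host, not only the tunnels this playbook manages, and because the block is a plain `shell: |` without `set -e` the flush still happens when `"{{ swan_command }}" stop` fails. Either drop the flushes and let the daemon restart tear down its own SAs (`ipsec restart`, or the `service` module), or start the script with `set -e` and a comment explaining why a global flush is acceptable on these hosts. The same seven lines are duplicated byte-for-byte in roles/strongswan and roles/swan; keep one copy in the `swan` role, which is the one that sets `swan_command`.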
@@ -0,0 +1,85 @@
+---
+ - name: Install dependencies for LibreSWAN
+ apt:
+ name: "{{ item }}"
+ state: present
+ when: ansible_distribution == 'Ubuntu'
+ with_items:
+ - libnss3-dev
+ - libnspr4-dev
+ - pkg-config
+ - libpam-dev
+ - libcap-ng-dev
+ - libcap-ng-utils
+ - libselinux-dev
+ - libcurl3-nss-dev
+ - flex
+ - bison
+ - gcc
+ - make
+ - libldns-dev
+ - libunbound-dev
+ - libnss3-tools
+ - libevent-dev
+ - xmlto
+ - git
+ - apt:
+ name: libsystemd-dev
+ state: present
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial'
+ - name: Install EPEL Repository
+ yum:
+ name: epel-release
+ state: present
+ when: ansible_distribution == 'CentOS'
+ - name: Install dependencies for LibreSWAN
+ yum:
+ name: "{{ item }}"
+ state: present
+ when: ansible_distribution == 'CentOS'
+ with_items:
+ - audit-libs-devel
+ - bison
+ - curl-devel
+ - fipscheck-devel
+ - flex
+ - gcc
+ - ldns-devel
+ - libcap-ng-devel
+ - libevent-devel
+ - libseccomp-devel
+ - libselinux-devel
+ - make
+ - nspr-devel
+ - nss-devel
+ - pam-devel
+ - pkgconfig
+ - systemd-devel
+ - unbound-devel
+ - xmlto
+ - git
+ - name: Download LibreSWAN
+ git:
+ repo: 'https://github.com/libreswan/libreswan.git'
+ dest: /tmp/libreswan/
+ when: ansible_distribution == 'Ubuntu'
+ - name: Install LibreSWAN
+ make:
+ chdir: /tmp/libreswan/
+ target: "{{ item }}"
+ with_items:
+ - all
+ - install
+ environment:
+ USE_DNSSEC: false
+ # when: ansible_distribution == 'Ubuntu'
+ # - name: Install LibreSWAN
+ # yum:
+ # name: libreswan
+ # state: present
+ # when: ansible_distribution == 'CentOS'
+ - template:
+ src: ipsec.conf
+ dest: "{{ swan_path }}/ipsec.conf"
+ notify:
+ - restart ipsec
diff --git a/scripts/vpnaas/ansible/roles/libreswan/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/libreswan/templates/ipsec.conf
new file mode 100644
index 000000000..74c989c05
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/libreswan/templates/ipsec.conf
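Review bot: The `Download LibreSWAN` task clones `https://github.com/libreswan/libreswan.git` with no `version:`, so each run builds and `make install`s, as root, whatever the upstream default branch holds at that moment; the IPsec daemon that protects the whole mesh is therefore unpinned and unverified. Pin `version:` to a specific release tag and record the expected commit, and build somewhere other than the world-writable `/tmp/libreswan/` (a pre-existing directory there is picked up by the git module as the checkout). The `when: ansible_distribution == 'Ubuntu'` on the make task is commented out while the clone is Ubuntu-only, so CentOS hosts run `make` in a directory that was never created; restore it or restore the commented `yum: name: libreswan` branch. `USE_DNSSEC: false` is a YAML boolean and is exported to make as the string `False`; write it as `USE_DNSSEC: "false"` if the Makefile compares against the lowercase word.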
@@ -0,0 +1,14 @@
+config setup
+
+conn default_setup
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ ikev2=insist
+ ike=aes_gcm256-sha512-ecp_256
+ esp=aes_gcm256-none-ecp_256
+ type=tunnel
+ encapsulation=yes
+
+include {{ swan_path }}/ipsec.d/conns/*.conf
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/files/ipsec.secrets b/scripts/vpnaas/ansible/roles/psk_tunnels/files/ipsec.secrets
new file mode 100644
index 000000000..2bf845744
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/psk_tunnels/files/ipsec.secrets
@@ -0,0 +1 @@
+: PSK "ASGHFASGHFKAHKSFdgshkudgskdgfdgfbdvfdgfdgfbdgfdgfedgfsdghkdgfyh54ojgrt"
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/tasks/main.yaml b/scripts/vpnaas/ansible/roles/psk_tunnels/tasks/main.yaml
new file mode 100644
index 000000000..5f6bbc483
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/psk_tunnels/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+ - include_tasks: tasks/loop_hosts.yaml task=tasks/add_ipsec_conf.yaml
+ - copy:
+ src: ipsec.secrets
+ dest: "{{ swan_path }}/ipsec.secrets"
+ notify:
+ - restart ipsec
diff --git a/scripts/vpnaas/ansible/roles/psk_tunnels/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/psk_tunnels/templates/ipsec.conf
new file mode 100644
index 000000000..ae77a8bf2
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/psk_tunnels/templates/ipsec.conf
@@ -0,0 +1,10 @@
+# Connection number {{ idx }}
+conn tunnel{{ idx }}
+ also=default_setup
+ left={{ real_host1 }}
+ leftsubnet={{ host1 }}/32
+ right={{ real_host2 }}
+ rightsubnet={{ host2 }}/32
+ authby=secret
+ auto=start
+ mark=42/0xffffffff
diff --git a/scripts/vpnaas/ansible/roles/setup/tasks/main.yaml b/scripts/vpnaas/ansible/roles/setup/tasks/main.yaml
new file mode 100644
index 000000000..03be85309
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/setup/tasks/main.yaml
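Review bot: `keyingtries=1` in `default_setup`, combined with `auto=start` in the per-peer conns and no `dpddelay`/`dpdaction`, means a tunnel whose first IKE exchange fails — the normal case when the remote vrouter is provisioned later in the same play — is never retried until something restarts pluto, and a tunnel whose peer reboots is not re-established either. Use `keyingtries=%forever` and add `dpddelay=30` / `dpdaction=restart` so the mesh self-heals; the strongswan template carries the same `keyingtries=1`. The proposal set itself (AES-256-GCM, SHA-512 PRF, ECP-256, IKEv2 insisted) is sound and deserves a one-line comment saying it was chosen deliberately and must match the strongswan template.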
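Review bot: ipsec.secrets commits a literal pre-shared key to the repository, and the leading `:` makes it a wildcard secret used for every peer, so anyone with read access to this tree can authenticate to any vrouter in the mesh, and any single compromised vrouter can impersonate all the others. Treat this value as burned: rotate it, remove the file, and render the secret from an `ansible-vault`-encrypted variable with a template such as `: PSK "{{ ipsec_psk }}"` under `no_log: true`; better still, generate one PSK per host pair (the `loop_hosts` include already visits each pair) or move to certificate authentication. Add a `# never commit real secrets here` header if a placeholder file must remain.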
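Review bot: The `copy:` of ipsec.secrets in roles/psk_tunnels sets no `mode`, `owner` or `group`, so the PSK lands on the vrouter with whatever the default umask yields — typically world-readable — under `{{ swan_path }}`. Add `mode: "0600"`, `owner: root`, `group: root` to that task. The `include_tasks: tasks/loop_hosts.yaml task=...` line should use native YAML `vars:` rather than the key=value string form.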
@@ -0,0 +1,15 @@
+---
+ - name: Install utilities
+ copy:
+ src: resources/utils/
+ dest: /usr/bin/
+ mode: 0700
+ - name: Check Linux version
+ shell: uname -r
+ register: uname_output
+ - set_fact:
+ linux_version: "{{ uname_output.stdout }}"
+ - name: Copy vRouter
+ copy:
+ src: resources/vrouter_{{ ansible_distribution }}_{{ ansible_distribution_release }}.ko
+ dest: "/lib/modules/{{ linux_version }}/vrouter.ko"
diff --git a/scripts/vpnaas/ansible/roles/setup_ips/tasks/ip_add.yaml b/scripts/vpnaas/ansible/roles/setup_ips/tasks/ip_add.yaml
new file mode 100644
index 000000000..e6b8d3147
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/setup_ips/tasks/ip_add.yaml
@@ -0,0 +1,3 @@
+---
+ - shell: |
+ ip addr add "{{ ip_addr }}"/16 dev ens3 || /bin/true
diff --git a/scripts/vpnaas/ansible/roles/setup_ips/tasks/main.yaml b/scripts/vpnaas/ansible/roles/setup_ips/tasks/main.yaml
new file mode 100644
index 000000000..72ca811c2
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/setup_ips/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+ - include_tasks: tasks/loop_ips.yaml task=roles/setup_ips/tasks/ip_add.yaml
+ when: skip_ip_add is not defined
diff --git a/scripts/vpnaas/ansible/roles/strongswan/files/strongswan.conf b/scripts/vpnaas/ansible/roles/strongswan/files/strongswan.conf
new file mode 100644
index 000000000..a864d12fd
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/strongswan/files/strongswan.conf
@@ -0,0 +1,11 @@
+include strongswan.d/*.conf
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+ block_threshold = 2000
+ half_open_timeout = 30
+}
+
diff --git a/scripts/vpnaas/ansible/roles/strongswan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/strongswan/handlers/main.yaml
new file mode 100644
index 000000000..e0a547621
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/strongswan/handlers/main.yaml
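Review bot: roles/setup installs prebuilt binaries from `resources/utils/` into `/usr/bin/` and a prebuilt `vrouter_*.ko` into `/lib/modules/` with no `checksum:` on either `copy`, so nothing ties what gets loaded into the kernel to what was reviewed; record the sha256 of each blob and pass it as `checksum: "sha256:<hash>"`, and note in a comment where the blobs were built from. The module path is chosen by `ansible_distribution`/`ansible_distribution_release` but a `.ko` only matches one kernel ABI, so also add a guard that the running kernel is the one the blob was built for, or at least a comment naming that kernel. Replace `shell: uname -r` + `set_fact` with the existing `ansible_kernel` fact: `dest: "/lib/modules/{{ ansible_kernel }}/vrouter.ko"`.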
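Review bot: ip_add.yaml appends `|| /bin/true` to `ip addr add`, which hides every failure (bad address, missing device, permission) rather than only the "already exists" case it is presumably there for, and hard-codes `ens3` while the rest of the tree derives the interface from facts. Use the idempotent form and a variable, `ip addr replace "{{ ip_addr }}"/16 dev {{ ip_dev | default(ansible_default_ipv4.interface) }}`, and drop the `|| /bin/true`.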
@@ -0,0 +1,7 @@
+---
+ - name: restart ipsec
+ shell: |
+ "{{ swan_command }}" stop
+ ip xfrm policy flush
+ ip xfrm state flush
+ "{{ swan_command }}" start
diff --git a/scripts/vpnaas/ansible/roles/strongswan/tasks/main.yaml b/scripts/vpnaas/ansible/roles/strongswan/tasks/main.yaml
new file mode 100644
index 000000000..301f576c2
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/strongswan/tasks/main.yaml
@@ -0,0 +1,24 @@
+---
+ - name: Install StrongSWAN
+ apt:
+ name: strongswan
+ state: present
+ when: ansible_distribution == 'Ubuntu'
+ - name: Install EPEL Repository
+ yum:
+ name: epel-release
+ state: present
+ when: ansible_distribution == 'CentOS'
+ - name: Install StrongSWAN
+ yum:
+ name: strongswan
+ state: present
+ when: ansible_distribution == 'CentOS'
+ - copy:
+ src: strongswan.conf
+ dest: "{{ swan_path }}/strongswan.conf"
+ - template:
+ src: ipsec.conf
+ dest: "{{ swan_path }}/ipsec.conf"
+ notify:
+ - restart ipsec
\ No newline at end of file
diff --git a/scripts/vpnaas/ansible/roles/strongswan/templates/ipsec.conf b/scripts/vpnaas/ansible/roles/strongswan/templates/ipsec.conf
new file mode 100644
index 000000000..ae1b86b96
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/strongswan/templates/ipsec.conf
@@ -0,0 +1,15 @@
+config setup
+
+conn default_setup
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+ ike=aes256gcm128-sha512-ecp256!
+ esp=aes256gcm128-ecp256!
+ type=tunnel
+ forceencaps=yes
+
+include {{ swan_path }}/ipsec.d/conns/*.conf
diff --git a/scripts/vpnaas/ansible/roles/swan/handlers/main.yaml b/scripts/vpnaas/ansible/roles/swan/handlers/main.yaml
new file mode 100644
index 000000000..e0a547621
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/swan/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+ - name: restart ipsec
+ shell: |
+ "{{ swan_command }}" stop
+ ip xfrm policy flush
+ ip xfrm state flush
+ "{{ swan_command }}" start
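Review bot: In roles/strongswan the `copy:` of strongswan.conf carries no `notify`, while the `template:` of ipsec.conf right below it does, so a change to the charon settings (`block_threshold`, `half_open_timeout`) is written to disk but never picked up until something else restarts the daemon. Add `notify: - restart ipsec` to the copy task. The role also consumes `swan_path` without defining it, which only works when it is imported from the `swan` role; a `defaults/main.yaml` with `swan_path: /etc` and `swan_command: ipsec` would make setup_strongswan.yaml and psk_mesh.yaml runnable on their own.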
diff --git a/scripts/vpnaas/ansible/roles/swan/tasks/main.yaml b/scripts/vpnaas/ansible/roles/swan/tasks/main.yaml
new file mode 100644
index 000000000..1ec9ceb8e
--- /dev/null
+++ b/scripts/vpnaas/ansible/roles/swan/tasks/main.yaml
@@ -0,0 +1,37 @@
+---
+ - set_fact:
+ swan_path: /etc
+ swan_command: ipsec
+ when: ansible_distribution == 'Ubuntu'
+ - set_fact:
+ swan_path: /etc/strongswan
+ swan_command: strongswan
+ when: ansible_distribution == 'CentOS' and swan == 'strongswan'
+ - set_fact:
+ swan_path: /etc
+ swan_command: ipsec
+ when: ansible_distribution == 'CentOS' and swan == 'libreswan'
+ - import_role:
+ name: strongswan
+ when: swan == 'strongswan'
+ - import_role:
+ name: libreswan
+ when: swan == 'libreswan'
+ - file:
+ path: "{{ swan_path }}/ipsec.d/conns"
+ state: absent
+ - file:
+ path: "{{ swan_path }}/ipsec.d/conns"
+ state: directory
+ notify:
+ - restart ipsec
+ - name: Add APT repository for IProute2
+ apt_repository:
+ repo: ppa:hyperair/iproute2-backports
+ state: present
+ update_cache: yes
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty'
+ - apt:
+ name: iproute2
+ state: latest
+ when: ansible_distribution == 'Ubuntu'
diff --git a/scripts/vpnaas/ansible/setup_strongswan.yaml b/scripts/vpnaas/ansible/setup_strongswan.yaml
new file mode 100644
index 000000000..b1ffda114
--- /dev/null
+++ b/scripts/vpnaas/ansible/setup_strongswan.yaml
@@ -0,0 +1,5 @@
+---
+- hosts: vrouters
+ remote_user: root
+ roles:
+ - strongswan
diff --git a/scripts/vpnaas/ansible/tasks/add_ipsec_conf.yaml b/scripts/vpnaas/ansible/tasks/add_ipsec_conf.yaml
new file mode 100644
index 000000000..2c2081629
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/add_ipsec_conf.yaml
@@ -0,0 +1,6 @@
+---
+ - template:
+ src: ipsec.conf
+ dest: "{{ swan_path }}/ipsec.d/conns/tunnel{{ idx }}.conf"
+ notify:
+ - restart ipsec
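Review bot: roles/swan deletes `{{ swan_path }}/ipsec.d/conns` and immediately recreates it, so the `state: directory` task reports changed on every run and the `restart ipsec` handler — which flushes all xfrm state — fires on every play, dropping every live tunnel even when no configuration changed. If the intent is to purge stale conn files, replace the absent/directory pair with `find` on `*.conf` plus `file: state: absent` for entries not matching the current peer list, and notify only from that. `state: latest` on `iproute2` upgrades a core networking package on every run, and on trusty it comes from the third-party `ppa:hyperair/iproute2-backports`; pin a version with `state: present` and note in a comment which `ip` feature (presumably `vti`/`gretap` support) requires the backport.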
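Review bot: setup_strongswan.yaml applies the `strongswan` role without the `swan` role, and `strongswan` reads `swan_path` in its `copy`/`template` tasks and `swan_command` in its handler; neither is defined anywhere this play can see, so the play fails on the first `copy`. Use `roles: - swan` with `swan: strongswan` set in the inventory, or give the strongswan role defaults for both variables.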
diff --git a/scripts/vpnaas/ansible/tasks/create_encap.yaml b/scripts/vpnaas/ansible/tasks/create_encap.yaml
new file mode 100644
index 000000000..bf0e725c9
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/create_encap.yaml
@@ -0,0 +1,7 @@
+---
+ - shell: vif --list | grep {{ interface_name }} | awk {'print $1'} | sed 's/vif0\///'
+ register: interface_id
+ - name: Adding an Encap NextHop
+ shell: nh --create {{ nh }} --type 2 --el2 --oif {{ interface_id.stdout }} --vrf {{ vrf }}
+ - name: Adding a MPLS lable pointing to the Encap NextHop
+ shell: mpls --create {{ mpls_label }} --nh {{ nh }}
diff --git a/scripts/vpnaas/ansible/tasks/create_gateway.yaml b/scripts/vpnaas/ansible/tasks/create_gateway.yaml
new file mode 100644
index 000000000..85346e68b
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/create_gateway.yaml
@@ -0,0 +1,15 @@
+---
+ - import_tasks: tasks/create_interface.yaml
+ vars:
+ mac: "{{ tunnel_mac }}"
+ vrf: 0
+ type: gateway
+ transport: virtual
+ - shell: vif --list | grep {{ interface_name }} | awk {'print $1'} | sed 's/vif0\///'
+ register: interface_id
+ - shell: nh --create {{ nh }} --type 1 --oif {{ interface_id.stdout }} --vrf 0
+ - debug:
+ msg: "nh --create {{ nh }} --type 1 --oif {{ interface_id.stdout }} --vrf 0"
+ - shell: rt -c -v 0 -f 0 -p {{ tunnel_ip }} -l 32 -n {{ nh }} -x 0x0f
+ - shell: ip r a {{ tunnel_ip }}/32 dev gw0
+ - import_tasks: tasks/settings.yaml
diff --git a/scripts/vpnaas/ansible/tasks/create_interface.yaml b/scripts/vpnaas/ansible/tasks/create_interface.yaml
new file mode 100644
index 000000000..d39cdea7e
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/create_interface.yaml
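Review bot: create_encap.yaml looks up the vif index with `grep {{ interface_name }}`, a substring match, so `tun0` also matches a future `tun01` and the pipeline returns several ids; and because `shell` has no `pipefail` and the result is not checked, an empty `interface_id.stdout` produces `nh --create 100 ... --oif  --vrf 1`, which either errors or binds the nexthop to the wrong interface. Anchor the match and fail early: `vif --list | awk -v ifn="{{ interface_name }}" '$0 ~ "[[:space:]]" ifn "$" {print $1}' | sed 's/vif0\///'` with `failed_when: interface_id.stdout == ""`. The same line exists in create_gateway.yaml and tasks/get_id.yaml; all three callers should include get_id.yaml instead of repeating it.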
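Review bot: In create_gateway.yaml the `ip r a {{ tunnel_ip }}/32 dev gw0` task is not idempotent — `ip route add` exits non-zero with "File exists" when the route is already present — so the whole file depends on the caller's `when: gw0.rc != 0` guard and cannot be re-run to repair a partially configured host. Use `ip route replace {{ tunnel_ip }}/32 dev gw0`, and give the `nh --create` / `rt -c` tasks names so a failure is attributable in the play output; the bare `debug:` echoing the nh command can go once they are named.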
@@ -0,0 +1,9 @@
+---
+ - shell: vif --create {{ interface_name }} --mac {{ mac }}
+ - shell: sysctl -w net.ipv4.conf.vhost0.rp_filter=0
+ - shell: sysctl -w net.ipv4.conf.vhost0.forwarding=1
+ - shell: vif --add {{ interface_name }} --mac {{ mac }} --vrf {{ vrf }} --type {{ type }}
+ when: transport is undefined
+ - shell: vif --add {{ interface_name }} --mac {{ mac }} --vrf {{ vrf }} --type {{ type }} --transport {{ transport }}
+ when: transport is defined
+ - shell: ip link set {{ interface_name }} up
diff --git a/scripts/vpnaas/ansible/tasks/create_tunnel.yaml b/scripts/vpnaas/ansible/tasks/create_tunnel.yaml
new file mode 100644
index 000000000..94ad7734d
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/create_tunnel.yaml
@@ -0,0 +1,22 @@
+---
+ - debug:
+ msg: "nh --create {{ 300 + idx|int }} --type 3 --vrf 0 --root --oif {{ interface_id.stdout }} --sip {{ host1 }} --dip {{ host2 }} --smac {{ host1_mac }} --dmac {{ host2_mac }} --udp"
+ - include_tasks: tasks/get_id.yaml
+ vars:
+ interface: gw0
+ - debug:
+ msg: "nh --create {{ 300 + idx|int }} --type 3 --vrf 0 --root --oif {{ interface_id.stdout }} --sip {{ host1 }} --dip {{ host2 }} --smac {{ host1_mac }} --dmac {{ host2_mac }} --udp"
+ - shell: nh --create {{ 300 + idx|int }} --type 3 --vrf 0 --root --oif {{ interface_id.stdout }} --sip {{ host1 }} --dip {{ host2 }} --smac {{ host1_mac }} --dmac {{ host2_mac }} --udp
+ - shell: rt -c -n {{ 300 + idx|int }} -t 32 -f 1 -v 1 -e {{ mac }} -x 0x7
+ - name: "Checking if vti{{ idx }} is already configured"
+ shell: "ip link show dev vti{{ idx }}"
+ register: vti
+ ignore_errors: yes
+ - shell: "ip t a vti{{ idx }} local {{ real_host1 }} remote {{ real_host2 }} mode vti key 42"
+ when: vti.rc != 0
+ - include_tasks: tasks/settings.yaml
+ vars:
+ interface_name: "vti{{ idx }}"
+ - shell: "ip link set vti{{ idx }} up"
+ when: "vti.rc != 0"
+ - shell: "ip r a {{ host2 }}/32 dev vti{{ idx }}"
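Review bot: create_interface.yaml is parameterised on `{{ interface_name }}` but its two sysctl lines hard-code `vhost0` (`net.ipv4.conf.vhost0.rp_filter=0`, `net.ipv4.conf.vhost0.forwarding=1`), so they never touch the interface being created and instead re-apply vhost0 settings that tasks/settings.yaml already manages; this looks like a copy-paste leftover. Either delete both lines (create_gateway.yaml imports settings.yaml afterwards anyway) or make them `net.ipv4.conf.{{ interface_name }}.rp_filter=0` — though that would run before `ip link set ... up` and before the interface exists in `/proc/sys`, so deleting is the safer fix. Give each `shell:` task a `name:` so failures are readable.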
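Review bot: In create_tunnel.yaml the `nh --create`, `rt -c` and the final `ip r a {{ host2 }}/32 dev vti{{ idx }}` tasks run unconditionally while only the `ip t a` / `ip link set up` tasks are guarded by `vti.rc != 0`, so a second pass over a host with an existing vti fails at `ip route add` with "File exists" and re-issues the vrouter nexthop/route. Guard the route with `when: vti.rc != 0` or switch it to `ip route replace {{ host2 }}/32 dev vti{{ idx }}`, and gate the `nh`/`rt` pair the same way or make them check for an existing entry first. The first `debug:` is evaluated before `get_id.yaml` has set `interface_id` and duplicates the second; drop it.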
diff --git a/scripts/vpnaas/ansible/tasks/get_id.yaml b/scripts/vpnaas/ansible/tasks/get_id.yaml
new file mode 100644
index 000000000..32f3efc3b
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/get_id.yaml
@@ -0,0 +1,3 @@
+---
+ - shell: vif --list | grep {{ interface }} | awk {'print $1'} | sed 's/vif0\///'
+ register: interface_id
\ No newline at end of file
diff --git a/scripts/vpnaas/ansible/tasks/loop_hosts.yaml b/scripts/vpnaas/ansible/tasks/loop_hosts.yaml
new file mode 100644
index 000000000..778aec23e
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/loop_hosts.yaml
@@ -0,0 +1,23 @@
+---
+ - include_tasks: "{{ task }}"
+ vars:
+ real_host1: "{{ inventory_hostname }}"
+ real_host2: "{{ item }}"
+ host1: "{{ hostvars[inventory_hostname]['tunnel_ip'] }}"
+ host2: "{{ hostvars[item]['tunnel_ip'] }}"
+ host1_mac: "00:00:5e:00:01:00"
+ host2_mac: "{{ tunnel_mac }}"
+ mac: "{{ hostvars[item]['vm_mac'] }}"
+ idx: "{{ hostvars[item]['id'] }}"
+ with_items: "{{ ansible_play_batch[:ansible_play_batch.index(inventory_hostname)] }}"
+ - include_tasks: "{{ task }}"
+ vars:
+ real_host2: "{{ inventory_hostname }}"
+ real_host1: "{{ item }}"
+ host2: "{{ hostvars[inventory_hostname]['tunnel_ip'] }}"
+ host1: "{{ hostvars[item]['tunnel_ip'] }}"
+ host2_mac: "00:00:5e:00:01:00"
+ host1_mac: "{{ tunnel_mac }}"
+ mac: "{{ hostvars[item]['vm_mac'] }}"
+ idx: "{{ hostvars[item]['id'] }}"
+ with_items: "{{ ansible_play_batch[ansible_play_batch.index(inventory_hostname)+1:] }}"
diff --git a/scripts/vpnaas/ansible/tasks/loop_hosts_regular.yaml b/scripts/vpnaas/ansible/tasks/loop_hosts_regular.yaml
new file mode 100644
index 000000000..9e4e4153b
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/loop_hosts_regular.yaml
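Review bot: loop_hosts.yaml iterates over `ansible_play_batch`, which is the set of hosts in the current batch, so a run with `--limit` or a play with `serial:` silently renders IPsec conns only for the peers that happen to be in that batch and the mesh ends up partial with no error. Iterate over the inventory group instead, `with_items: "{{ groups['vrouters'] | difference([inventory_hostname]) }}"`, and use the position in that list for the slicing. The two branches appear to exist so that both ends of a pair render the same `left`/`right` orientation (peers earlier in the list are always `right`); that is non-obvious and deserves a header comment, as does the fact that `host1_mac`/`host2_mac`/`mac` are unused by add_ipsec_conf.yaml and only matter for create_tunnel.yaml via loop_hosts_regular.yaml.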
@@ -0,0 +1,23 @@
+---
+ - include_tasks: "{{ task }}"
+ vars:
+ real_host1: "{{ inventory_hostname }}"
+ real_host2: "{{ item }}"
+ host1: "{{ hostvars[inventory_hostname]['tunnel_ip'] }}"
+ host2: "{{ hostvars[item]['tunnel_ip'] }}"
+ host1_mac: "00:00:5e:00:01:00"
+ host2_mac: "{{ tunnel_mac }}"
+ mac: "{{ hostvars[item]['vm_mac'] }}"
+ idx: "{{ hostvars[item]['id'] }}"
+ with_items: "{{ ansible_play_batch[:ansible_play_batch.index(inventory_hostname)] }}"
+ - include_tasks: "{{ task }}"
+ vars:
+ real_host1: "{{ inventory_hostname }}"
+ real_host2: "{{ item }}"
+ host1: "{{ hostvars[inventory_hostname]['tunnel_ip'] }}"
+ host2: "{{ hostvars[item]['tunnel_ip'] }}"
+ host1_mac: "00:00:5e:00:01:00"
+ host2_mac: "{{ tunnel_mac }}"
+ mac: "{{ hostvars[item]['vm_mac'] }}"
+ idx: "{{ hostvars[item]['id'] }}"
+ with_items: "{{ ansible_play_batch[ansible_play_batch.index(inventory_hostname)+1:] }}"
diff --git a/scripts/vpnaas/ansible/tasks/loop_ips.yaml b/scripts/vpnaas/ansible/tasks/loop_ips.yaml
new file mode 100644
index 000000000..2428a3a74
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/loop_ips.yaml
@@ -0,0 +1,5 @@
+---
+ - include_tasks: "{{ task }}"
+ vars:
+ ip_addr: "10.0.{{ 100 + ((item|int) // 100) }}.{{ 100 + ((item|int) % 100) }}"
+ with_sequence: start=0 end={{ ip_count }}
diff --git a/scripts/vpnaas/ansible/tasks/settings.yaml b/scripts/vpnaas/ansible/tasks/settings.yaml
new file mode 100644
index 000000000..690777bbe
--- /dev/null
+++ b/scripts/vpnaas/ansible/tasks/settings.yaml
@@ -0,0 +1,5 @@
+---
+ - name: Disable RP filter
+ shell: "sysctl -w net.ipv4.conf.{{ interface_name }}.rp_filter=0"
+ - name: Enable forwarding
+ shell: "sysctl -w net.ipv4.conf.{{ interface_name }}.forwarding=1"
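Review bot: The two `include_tasks` blocks in loop_hosts_regular.yaml are identical except for the `ansible_play_batch` slice, so they collapse into one task iterating `with_items: "{{ ansible_play_batch | difference([inventory_hostname]) }}"` (or, to survive `--limit`/`serial` runs without building a partial mesh, `groups['vrouters'] | difference([inventory_hostname])`). `host2_mac: "{{ tunnel_mac }}"` resolves to the *local* host's `tunnel_mac` even though `host2` is the remote peer; if that is intended (the nexthop is built on the local gw0), a one-line comment should say so, otherwise it should be `hostvars[item]['tunnel_mac']`.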
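Review bot: settings.yaml disables reverse-path filtering on every interface this playbook creates (vhost0, gw0, tun0, each vti), which is a deliberate weakening of the kernel's anti-spoofing check and should be stated as such rather than left as a bare `sysctl -w`: `# rp_filter=0: vrouter forwards asymmetrically across these interfaces; do not apply to the underlay NIC`. Use the `sysctl` module (`name: "net.ipv4.conf.{{ interface_name }}.rp_filter"`, `value: "0"`, `sysctl_set: true`, `reload: false`) so the task is idempotent and reports changes correctly; note that `sysctl -w` is runtime-only and these values are lost on reboot along with the interfaces themselves.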