Menu Close

Chapter 12. Configuring VPN connections with IPsec by using the VPN RHEL System Role

With the VPN System Role, you can configure VPN connections on RHEL systems by using Red Hat Ansible Automation Platform. You can use it to set up host-to-host, network-to-network, VPN Remote Access Server, and mesh configurations.

For host-to-host connections, the role sets up a VPN tunnel between each pair of hosts in the list of vpn_connections using the default parameters, including generating keys as needed. Alternatively, you can configure it to create an opportunistic mesh configuration between all hosts listed. The role assumes that the names of the hosts under hosts are the same as the names of the hosts used in the Ansible inventory, and that you can use those names to configure the tunnels.

Note

The VPN RHEL System Role currently supports only Libreswan, which is an IPsec implementation, as the VPN provider.

12.1. Creating a host-to-host VPN with IPsec using the VPN System Role

You can use the VPN System Role to configure host-to-host connections by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.

Prerequisites

  • Access and permissions to one or more managed nodes, which are systems you want to configure with the VPN System Role.
  • Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.

    On the control node:

    • The ansible-core and rhel-system-roles packages are installed.
Important

RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible, ansible-playbook, connectors such as docker and podman, and many plugins and modules. For information on how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.

RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.

  • An inventory file which lists the managed nodes.

Procedure

  1. Create a new playbook.yml file with the following content:

    - name: Host to host VPN
      hosts: managed_node1, managed_node2
      roles:
        - rhel-system-roles.vpn
      vars:
        vpn_connections:
          - hosts:
              managed_node1:
              managed_node2:

    This playbook configures the connection managed_node1-to-managed_node2 using pre-shared key authentication with keys auto-generated by the system role.

  2. Optional: Configure connections from managed hosts to external hosts that are not listed in the inventory file by adding the following section to the vpn_connections list of hosts:

        vpn_connections:
          - hosts:
              managed_node1:
              managed_node2:
              external_node:
                hostname: 192.0.2.2

    This configures two additional connections: managed_node1-to-external_node and managed_node2-to-external_node.

Note

The connections are configured only on the managed nodes and not on the external node.

  1. Optional: You can specify multiple VPN connections for the managed nodes by using additional sections within vpn_connections, for example a control plane and a data plane:

    - name: Multiple VPN
      hosts: managed_node1, managed_node2
      roles:
        - rhel-system-roles.vpn
      vars:
        vpn_connections:
          - name: control_plane_vpn
            hosts:
              managed_node1:
                hostname: 192.0.2.0 # IP for the control plane
              managed_node2:
                hostname: 192.0.2.1
          - name: data_plane_vpn
            hosts:
              managed_node1:
                hostname: 10.0.0.1 # IP for the data plane
              managed_node2:
                hostname: 10.0.0.2
  2. Optional: You can modify the variables according to your preferences. For more details, see the /usr/share/doc/rhel-system-roles/vpn/README.md file.
  3. Optional: Verify playbook syntax.

    # ansible-playbook --syntax-check /path/to/file/playbook.yml -i /path/to/file/inventory_file
  4. Run the playbook on your inventory file:

    # ansible-playbook -i /path/to/file/inventory_file /path/to/file/playbook.yml

Verification

  1. On the managed nodes, confirm that the connection is successfully loaded:

    # ipsec status | grep connection.name

    Replace connection.name with the name of the connection from this node, for example managed_node1-to-managed_node2.

Note

By default, the role generates a descriptive name for each connection it creates from the perspective of each system. For example, when creating a connection between managed_node1 and managed_node2, the descriptive name of this connection on managed_node1 is managed_node1-to-managed_node2 but on managed_node2 the connection is named managed_node2-to-managed_node1.

  1. On the managed nodes, confirm that the connection is successfully started:

    # ipsec trafficstatus | grep connection.name
  2. Optional: If a connection did not successfully load, manually add the connection by entering the following command. This will provide more specific information indicating why the connection failed to establish:

    # ipsec auto --add connection.name
    Note

    Any errors that may have occurred during the process of loading and starting the connection are reported in the logs, which can be found in /var/log/pluto.log. Because these logs are hard to parse, try to manually add the connection to obtain log messages from the standard output instead.

12.2. Creating an opportunistic mesh VPN connection with IPsec by using the VPN System Role

You can use the VPN System Role to configure an opportunistic mesh VPN connection that uses certificates for authentication by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.

Authentication with certificates is configured by defining the auth_method: cert parameter in the playbook. The VPN System Role assumes that the IPsec Network Security Services (NSS) crypto library, which is defined in the /etc/ipsec.d directory, contains the necessary certificates. By default, the node name is used as the certificate nickname. In this example, this is managed_node1. You can define different certificate names by using the cert_name attribute in your inventory.

In the following example procedure, the control node, which is the system from which you will run the Ansible playbook, shares the same classless inter-domain routing (CIDR) number as both of the managed nodes (192.0.2.0/24) and has the IP address 192.0.2.7. Therefore, the control node falls under the private policy which is automatically created for CIDR 192.0.2.0/24.

To prevent SSH connection loss during the play, a clear policy for the control node is included in the list of policies. Note that there is also an item in the policies list where the CIDR is equal to default. This is because this playbook overrides the rule from the default policy to make it private instead of private-or-clear.

Prerequisites

  • Access and permissions to one or more managed nodes, which are systems you want to configure with the VPN System Role.

    • On all the managed nodes, the NSS database in the /etc/ipsec.d directory contains all the certificates necessary for peer authentication. By default, the node name is used as the certificate nickname.
  • Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.

    On the control node:

    • The ansible-core and rhel-system-roles packages are installed.
Important

RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible, ansible-playbook, connectors such as docker and podman, and many plugins and modules. For information on how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.

RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.

  • An inventory file which lists the managed nodes.

Procedure

  1. Create a new playbook.yml file with the following content:

    - name: Mesh VPN
      hosts: managed_node1, managed_node2, managed_node3
      roles:
        - rhel-system-roles.vpn
      vars:
        vpn_connections:
          - opportunistic: true
            auth_method: cert
            policies:
              - policy: private
                cidr: default
              - policy: private-or-clear
                cidr: 198.51.100.0/24
              - policy: private
                cidr: 192.0.2.0/24
              - policy: clear
                cidr: 192.0.2.7/32
  2. Optional: You can modify the variables according to your preferences. For more details, see the /usr/share/doc/rhel-system-roles/vpn/README.md file.
  3. Optional: Verify playbook syntax.

    # ansible-playbook --syntax-check playbook.yml
  4. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file /path/to/file/playbook.yml

12.3. Additional resources

  • For details about the parameters used in the VPN System Role and additional information about the role, see the /usr/share/doc/rhel-system-roles/vpn/README.md file.
  • For details about the ansible-playbook command, see the ansible-playbook(1) man page.