Chapter 7. Configuring VPN connections with IPsec by using the vpn RHEL System Role
With the vpn System Role, you can configure VPN connections on RHEL systems by using Red Hat Ansible Automation Platform. You can use it to set up host-to-host, network-to-network, VPN Remote Access Server, and mesh configurations.
For host-to-host connections, the role sets up a VPN tunnel between each pair of hosts in the list of vpn_connections using the default parameters, including generating keys as needed. Alternatively, you can configure it to create an opportunistic mesh configuration between all hosts listed. The role assumes that the names of the hosts under hosts are the same as the names of the hosts used in the Ansible inventory, and that you can use those names to configure the tunnels.
The vpn RHEL System Role currently supports only Libreswan, which is an IPsec implementation, as the VPN provider.
7.1. Creating a host-to-host VPN with IPsec using the vpn System Role
You can use the vpn System Role to configure host-to-host connections by running an Ansible playbook on the control node, which configures all managed nodes listed in an inventory file.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/vpn-playbook.yml, with the following content:- name: Host to host VPN hosts: <managed_node1>, <managed_node2> roles: - rhel-system-roles.vpn vars: vpn_connections: - hosts: <managed_node1>: <managed_node2>: vpn_manage_firewall: true vpn_manage_selinux: true
This playbook configures the connection
<managed_node1>-to-<managed_node2>using pre-shared key authentication with keys auto-generated by the system role. Becausevpn_manage_firewallandvpn_manage_selinuxare both set totrue, thevpnrole uses thefirewallandselinuxroles to manage the ports used by thevpnrole.Optional: Configure connections from managed hosts to external hosts that are not listed in the inventory file by adding the following section to the
vpn_connectionslist of hosts:vpn_connections: - hosts: <managed_node1>: <managed_node2>: <external_node>: hostname: <192.0.2.2>This configures two additional connections:
<managed_node1>-to-<external_node>and<managed_node2>-to-<external_node>.NoteThe connections are configured only on the managed nodes and not on the external node.
Optional: You can specify multiple VPN connections for the managed nodes by using additional sections within
vpn_connections, for example, a control plane and a data plane:- name: Multiple VPN hosts: <managed_node1>, <managed_node2> roles: - rhel-system-roles.vpn vars: vpn_connections: - name: control_plane_vpn hosts: <managed_node1>: hostname: 192.0.2.0 # IP for the control plane <managed_node2>: hostname: 192.0.2.1 - name: data_plane_vpn hosts: <managed_node1>: hostname: 10.0.0.1 # IP for the data plane <managed_node2>: hostname: 10.0.0.2
-
Optional: You can modify the variables according to your preferences. For more details, see the
/usr/share/doc/rhel-system-roles/vpn/README.mdfile. Validate the playbook syntax:
# ansible-playbook ~/vpn-playbook.yml --syntax-checkNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
# ansible-playbook ~/vpn-playbook.yml
Verification
On the managed nodes, confirm that the connection is successfully loaded:
# ipsec status | grep <connection_name>Replace <connection_name> with the name of the connection from this node, for example
managed_node1-to-managed_node2.NoteBy default, the role generates a descriptive name for each connection it creates from the perspective of each system. For example, when creating a connection between
managed_node1andmanaged_node2, the descriptive name of this connection onmanaged_node1ismanaged_node1-to-managed_node2but onmanaged_node2the connection is namedmanaged_node2-to-managed_node1.On the managed nodes, confirm that the connection is successfully started:
# ipsec trafficstatus | grep <connection_name>Optional: If a connection does not successfully load, manually add the connection by entering the following command. This provides more specific information indicating why the connection failed to establish:
# ipsec auto --add <connection_name>NoteAny errors that may occur during the process of loading and starting the connection are reported in the
/var/log/pluto.logfile. Because these logs are hard to parse, manually add the connection to obtain log messages from the standard output instead.
7.2. Creating an opportunistic mesh VPN connection with IPsec by using the vpn System Role
You can use the vpn System Role to configure an opportunistic mesh VPN connection that uses certificates for authentication by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.
Authentication with certificates is configured by defining the auth_method: cert parameter in the playbook. The vpn System Role assumes that the IPsec Network Security Services (NSS) crypto library, which is defined in the /etc/ipsec.d directory, contains the necessary certificates. By default, the node name is used as the certificate nickname. In this example, this is managed_node1. You can define different certificate names by using the cert_name attribute in your inventory.
In the following example procedure, the control node, which is the system from which you will run the Ansible playbook, shares the same classless inter-domain routing (CIDR) number as both of the managed nodes (192.0.2.0/24) and has the IP address 192.0.2.7. Therefore, the control node falls under the private policy which is automatically created for CIDR 192.0.2.0/24.
To prevent SSH connection loss during the play, a clear policy for the control node is included in the list of policies. Note that there is also an item in the policies list where the CIDR is equal to default. This is because this playbook overrides the rule from the default policy to make it private instead of private-or-clear.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/mesh-vpn-playbook.yml, with the following content:- name: Mesh VPN hosts: managed_node1, managed_node2, managed_node3 roles: - rhel-system-roles.vpn vars: vpn_connections: - opportunistic: true auth_method: cert policies: - policy: private cidr: default - policy: private-or-clear cidr: 198.51.100.0/24 - policy: private cidr: 192.0.2.0/24 - policy: clear cidr: 192.0.2.7/32 vpn_manage_firewall: true vpn_manage_selinux: trueNoteBecause
vpn_manage_firewallandvpn_manage_selinuxare both set totrue, thevpnrole uses thefirewallandselinuxroles to manage the ports used by thevpnrole.-
Optional: You can modify the variables according to your preferences. For more details, see the
/usr/share/doc/rhel-system-roles/vpn/README.mdfile. Validate the playbook syntax:
# ansible-playbook ~/mesh-vpn-playbook.yml --syntax-checkNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
# ansible-playbook ~/mesh-vpn-playbook.yml
7.3. Additional resources
-
For details about the parameters used in the
vpnSystem Role and additional information about the role, see the/usr/share/doc/rhel-system-roles/vpn/README.mdfile. -
For details about the
ansible-playbookcommand, see theansible-playbook(1)man page.
