Chapter 15. Configuring VPN connections with IPsec by using the vpn RHEL System Role
With the vpn
System Role, you can configure VPN connections on RHEL systems by using Red Hat Ansible Automation Platform. You can use it to set up host-to-host, network-to-network, VPN Remote Access Server, and mesh configurations.
For host-to-host connections, the role sets up a VPN tunnel between each pair of hosts in the list of vpn_connections
using the default parameters, including generating keys as needed. Alternatively, you can configure it to create an opportunistic mesh configuration between all hosts listed. The role assumes that the names of the hosts under hosts
are the same as the names of the hosts used in the Ansible inventory, and that you can use those names to configure the tunnels.
The vpn
RHEL System Role currently supports only Libreswan, which is an IPsec implementation, as the VPN provider.
15.1. Creating a host-to-host VPN with IPsec using the vpn
System Role
You can use the vpn
System Role to configure host-to-host connections by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.
Prerequisites
-
Access and permissions to one or more managed nodes, which are systems you want to configure with the
vpn
System Role. Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.
On the control node:
-
The
ansible-core
andrhel-system-roles
packages are installed.
-
The
RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible
, ansible-playbook
, connectors such as docker
and podman
, and many plugins and modules. For information about how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.
RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core
package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.
- An inventory file which lists the managed nodes.
Procedure
Create a new
playbook.yml
file with the following content:- name: Host to host VPN hosts: managed_node1, managed_node2 roles: - rhel-system-roles.vpn vars: vpn_connections: - hosts: managed_node1: managed_node2: vpn_manage_firewall: true vpn_manage_selinux: true
This playbook configures the connection
managed_node1-to-managed_node2
using pre-shared key authentication with keys auto-generated by the system role. Sincevpn_manage_firewall
andvpn_manage_selinux
are both set to true, thevpn
role will use thefirewall
andselinux
roles to manage the ports used by thevpn
role.Optional: Configure connections from managed hosts to external hosts that are not listed in the inventory file by adding the following section to the
vpn_connections
list of hosts:vpn_connections: - hosts: managed_node1: managed_node2: external_node: hostname: 192.0.2.2
This configures two additional connections:
managed_node1-to-external_node
andmanaged_node2-to-external_node
.
The connections are configured only on the managed nodes and not on the external node.
Optional: You can specify multiple VPN connections for the managed nodes by using additional sections within
vpn_connections
, for example a control plane and a data plane:- name: Multiple VPN hosts: managed_node1, managed_node2 roles: - rhel-system-roles.vpn vars: vpn_connections: - name: control_plane_vpn hosts: managed_node1: hostname: 192.0.2.0 # IP for the control plane managed_node2: hostname: 192.0.2.1 - name: data_plane_vpn hosts: managed_node1: hostname: 10.0.0.1 # IP for the data plane managed_node2: hostname: 10.0.0.2
-
Optional: You can modify the variables according to your preferences. For more details, see the
/usr/share/doc/rhel-system-roles/vpn/README.md
file. Optional: Verify playbook syntax.
# ansible-playbook --syntax-check /path/to/file/playbook.yml -i /path/to/file/inventory_file
Run the playbook on your inventory file:
# ansible-playbook -i /path/to/file/inventory_file /path/to/file/playbook.yml
Verification
On the managed nodes, confirm that the connection is successfully loaded:
# ipsec status | grep connection.name
Replace connection.name with the name of the connection from this node, for example
managed_node1-to-managed_node2
.
By default, the role generates a descriptive name for each connection it creates from the perspective of each system. For example, when creating a connection between managed_node1
and managed_node2
, the descriptive name of this connection on managed_node1
is managed_node1-to-managed_node2
but on managed_node2
the connection is named managed_node2-to-managed_node1
.
On the managed nodes, confirm that the connection is successfully started:
# ipsec trafficstatus | grep connection.name
Optional: If a connection did not successfully load, manually add the connection by entering the following command. This will provide more specific information indicating why the connection failed to establish:
# ipsec auto --add connection.name
NoteAny errors that may have occurred during the process of loading and starting the connection are reported in the logs, which can be found in
/var/log/pluto.log
. Because these logs are hard to parse, try to manually add the connection to obtain log messages from the standard output instead.
15.2. Creating an opportunistic mesh VPN connection with IPsec by using the vpn
System Role
You can use the vpn
System Role to configure an opportunistic mesh VPN connection that uses certificates for authentication by running an Ansible playbook on the control node, which will configure all the managed nodes listed in an inventory file.
Authentication with certificates is configured by defining the auth_method: cert
parameter in the playbook. The vpn
System Role assumes that the IPsec Network Security Services (NSS) crypto library, which is defined in the /etc/ipsec.d
directory, contains the necessary certificates. By default, the node name is used as the certificate nickname. In this example, this is managed_node1
. You can define different certificate names by using the cert_name
attribute in your inventory.
In the following example procedure, the control node, which is the system from which you will run the Ansible playbook, shares the same classless inter-domain routing (CIDR) number as both of the managed nodes (192.0.2.0/24) and has the IP address 192.0.2.7. Therefore, the control node falls under the private policy which is automatically created for CIDR 192.0.2.0/24.
To prevent SSH connection loss during the play, a clear policy for the control node is included in the list of policies. Note that there is also an item in the policies list where the CIDR is equal to default. This is because this playbook overrides the rule from the default policy to make it private instead of private-or-clear.
Prerequisites
Access and permissions to one or more managed nodes, which are systems you want to configure with the
vpn
System Role.-
On all the managed nodes, the NSS database in the
/etc/ipsec.d
directory contains all the certificates necessary for peer authentication. By default, the node name is used as the certificate nickname.
-
On all the managed nodes, the NSS database in the
Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.
On the control node:
-
The
ansible-core
andrhel-system-roles
packages are installed.
-
The
RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible
, ansible-playbook
, connectors such as docker
and podman
, and many plugins and modules. For information about how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.
RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core
package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.
- An inventory file which lists the managed nodes.
Procedure
Create a new
playbook.yml
file with the following content:- name: Mesh VPN hosts: managed_node1, managed_node2, managed_node3 roles: - rhel-system-roles.vpn vars: vpn_connections: - opportunistic: true auth_method: cert policies: - policy: private cidr: default - policy: private-or-clear cidr: 198.51.100.0/24 - policy: private cidr: 192.0.2.0/24 - policy: clear cidr: 192.0.2.7/32 vpn_manage_firewall: true vpn_manage_selinux: true
NoteSince
vpn_manage_firewall
andvpn_manage_selinux
are both set to true, thevpn
role will use thefirewall
andselinux
roles to manage the ports used by thevpn
role.-
Optional: You can modify the variables according to your preferences. For more details, see the
/usr/share/doc/rhel-system-roles/vpn/README.md
file. Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.yml
Run the playbook on your inventory file:
# ansible-playbook -i inventory_file /path/to/file/playbook.yml
15.3. Additional resources
-
For details about the parameters used in the
vpn
System Role and additional information about the role, see the/usr/share/doc/rhel-system-roles/vpn/README.md
file. -
For details about the
ansible-playbook
command, see theansible-playbook(1)
man page.