From dd6a4b49ee93bea5174b5165cf6d077f0397d0ea Mon Sep 17 00:00:00 2001
From: Kurt Bales
Date: Fri, 27 Mar 2015 10:19:57 -0700
Subject: [PATCH] Updated VPN Template to support lists of Host Inbound Protocols and Services
---
 Vagrantfile | 2 ++
 ansible/playbooks/templates/interfaces_zone.set.j2 | 13 +++++++++++--
 ansible/playbooks/vpn_config.yml | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index cbe0c06..dc018d0 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -46,6 +46,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 srx.vm.synced_folder "", "/vagrant", disabled: true
+ srx.ssh.insert_key = false
+ srx.vm.provision "file", source: "scripts/srx-setup.sh", destination: "/tmp/srx-setup.sh"
 srx.vm.provision :host_shell do |host_shell|
 host_shell.inline = 'vagrant ssh srx -c "/usr/sbin/cli -f /tmp/srx-setup.sh"'
diff --git a/ansible/playbooks/templates/interfaces_zone.set.j2 b/ansible/playbooks/templates/interfaces_zone.set.j2
index c8eab89..e0030f0 100644
--- a/ansible/playbooks/templates/interfaces_zone.set.j2
+++ b/ansible/playbooks/templates/interfaces_zone.set.j2
@@ -3,7 +3,16 @@ set security zones security-zone {{ i.zone }} interfaces {{ i.interface -}}.{{ i.unit -}}
 {% endif %}
- {% if i.inbound_type %}
-set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }} host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }}
+ {% if i.hit_protocols %}
+ {% for protocol in i.hit_protocols %}
+set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }} host-inbound-traffic protocols {{ protocol }}
+ {% endfor %}
 {% endif %}
+
+ {% if i.hit_services %}
+ {% for service in i.hit_services %}
+set security zones security-zone {{ i.zone }} interfaces {{ i.interface }}.{{ i.unit }} host-inbound-traffic system-services {{ service }}
+ {% endfor %}
+ {% endif %}
+
 {% endfor %}
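Review bot: `srx.ssh.insert_key = false` is added without a comment, and its effect is that Vagrant keeps its default, publicly known insecure SSH key as the credential for the srx box instead of replacing it with a per-machine key on first boot. Presumably this is what lets the `vagrant ssh srx -c "..."` host_shell provisioner a few lines later keep logging in, but a reader of the Vagrantfile cannot tell that from the line itself, so state the trade-off where it is made: `# Keep Vagrant's well-known default insecure key (no per-machine key swap); the 'vagrant ssh srx -c ...' provisioner below is assumed to depend on it. Lab use only.` The enclosing `config.vm.define` block for srx starts and ends outside the hunk.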
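Review bot: The new `hit_protocols`/`hit_services` loops replace the `inbound_type`/`system_service` branch outright, so an interface entry that still uses the old keys now renders no `host-inbound-traffic` line at all and nothing fails loudly; on an SRX, where host-inbound traffic is denied unless explicitly allowed, that silently closes services that used to be permitted. Either keep the old branch for one release next to the new blocks (`{% if i.inbound_type %}`, the removed `set ... host-inbound-traffic {{ i.inbound_type }} {{ i.system_service }}` line, `{% endif %}`) or put a header comment on the template naming the rename, e.g. `{# per-interface host-inbound-traffic: i.hit_protocols / i.hit_services are lists of Junos protocol and system-service names; the old inbound_type/system_service keys are no longer read #}`. As a point of style, the indented `{% if %}`/`{% for %}` control lines leave stray leading whitespace in the generated set file unless block trimming is on, so I would start them in column 0 like the `set` lines. The enclosing `{% for %}` over interfaces starts outside the hunk.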
diff --git a/ansible/playbooks/vpn_config.yml b/ansible/playbooks/vpn_config.yml
index 0c0fd4b..c652bc8 100644
--- a/ansible/playbooks/vpn_config.yml
+++ b/ansible/playbooks/vpn_config.yml
@@ -10,7 +10,7 @@ address_entries: [ {'name':'LocalNet','prefix':'172.16.0.0/24'},{'name':'PrivateNet','prefix':'192.168.10.0/24'},{'name':'PublicNet','prefix':'10.10.0.0/24'} ]
 fw_policy_info: [ {'policy_name':'Allow_Policy','src_zone':'trust','dst_zone':'untrust','src_ips':['LocalNet'],'dst_ips':['PrivateNet'],'action':'permit','apps':['any']}]
 mss_entries: [ {'protocol': 'ipsec-vpn', 'mss': '1350'} ]
- interfaces: [ {'interface': 'st0', 'unit': '1', 'family': 'inet', 'addr_type': 'address', 'addr': '10.255.1.2/30', 'zone':'vpn', 'inbound_type': 'system-services', 'system_service': 'ping'} ]
+ interfaces: [ {'interface': 'st0', 'unit': '1', 'family': 'inet', 'addr_type': 'address', 'addr': '10.255.1.2/30', 'zone':'vpn', 'hit_protocols': ['ospf', 'bgp'], 'hit_services': ['ping', 'traceroute']} ]
 ike: [ {'ike_name': 'ike-vpn', 'gateway_ip': '10.10.0.10', 'ext_interface': 'ge-0/0/2.0', 'ike_policy_name': 'ike-policy1', 'ike_policy_mode': 'main', 'ike_policy_proposal': 'standard', 'shared_secret': 'AwesomePassword123'} ]
 ipsec: [ {'ipsec_policy_name': 'vpn-policy1', 'ipsec_policy_mode': 'standard', 'ipsec_vpn_name': 'ipsec-vpn', 'ike_gateway': 'ike-vpn', 'tunnel_int': 'st0.1'} ]
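Review bot: The sample `interfaces` entry now allows `ospf` and `bgp` as host-inbound protocols on st0.1, yet nothing else visible in this vars block (address_entries, fw_policy_info, mss_entries, ike, ipsec) configures a routing protocol over the tunnel, so the example opens the SRX control plane on that interface to two protocols it may not be running. If the rest of the playbook does not set up OSPF or BGP, ship the example as `'hit_protocols': [], 'hit_services': ['ping', 'traceroute']` and say why in a comment on the line above, e.g. `# hit_protocols / hit_services: Junos host-inbound-traffic lists for this interface; list only what the tunnel actually needs`. The `vars:` block these keys belong to starts outside the hunk.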