diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 719d19d..d718d94 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,7 +19,7 @@ jobs:
- name: install requirements
run: |
python -m pip install --upgrade pip
- pip install ansible==9.2.0 ansible-core==2.16.3 lxml cryptography
+ pip install ansible==9.2.0 ansible-core==2.16.3 lxml==5.1.0 cryptography
- name: run ansible test
working-directory: ./test
run: |
diff --git a/tasks/ipsecphase2.yml b/tasks/ipsecphase2.yml
index a08499c..9dc6bed 100644
--- a/tasks/ipsecphase2.yml
+++ b/tasks/ipsecphase2.yml
@@ -57,6 +57,39 @@
count: true
register: eao_count
+- name: debug eao_count
+ ansible.builtin.debug:
+ var: eao_count
+ verbosity: 1
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined encryption-algorithm-options for ikeid {{ ikeid }} from xml"
+ delegate_to: localhost
+ community.general.xml:
+ path: "{{ local_config_path }}"
+ xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option/name"
+ content: text
+ register: eao_matches
+ when: eao_count.count > 0
+
+- name: debug eao_matches
+ ansible.builtin.debug:
+ var: eao_matches
+ verbosity: 1
+ when: eao_matches is defined
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined list of encryption-algorithm-options for ikeid {{ ikeid }}"
+ ansible.builtin.set_fact:
+ eao_list: "{{ eao_matches.matches | list | map(attribute='name') | list | flatten }}"
+ when:
+ - eao_matches is defined
+ - eao_matches.matches is defined
+
+- name: debug eao_list
+ ansible.builtin.debug:
+ var: eao_list
+ verbosity: 1
+ when: eao_list is defined
+
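Review bot: The `eao_list` fact set by the last `set_fact` task in this hunk is not consumed by anything visible here, and its filter chain is longer than it needs to be: `eao_matches.matches | map(attribute='name') | list` yields the same list of option names as `eao_matches.matches | list | map(attribute='name') | list | flatten`, since `map` already returns one scalar per match. If a later task compares this list against `ipsecphasevar2[uniqid]['encryption-algorithm-options']`, note that the desired side is a list of mappings (`- name: aes192` in the test vars) while `eao_list` is a list of strings, so the desired side would need `map(attribute='name')` as well before comparing. The `debug eao_matches` task's `when: eao_matches is defined` also prints the skipped-task result when `eao_count.count` is 0, because a variable registered on a skipped task is still defined; `when: eao_matches.matches is defined` is the tighter guard and matches the condition the `set_fact` already uses.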
- name: "IPSec ike phase2 {{ uniqid }} get encryption-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
community.general.xml:
@@ -74,12 +107,13 @@
verbosity: 1
when: encalgopt is defined
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (1)"
ansible.builtin.set_fact:
encalgopt_reset: true
when:
- - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options']|length)
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+ - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options'] | length)
+
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (2)"
ansible.builtin.set_fact:
encalgopt_reset: true
when:
@@ -93,16 +127,16 @@
verbosity: 1
when: encalgopt_reset is defined
-- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }} ..."
delegate_to: localhost
+ # debugger: on_failed
community.general.xml:
path: "{{ local_config_path }}"
xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option"
state: absent
pretty_print: true
- with_items:
- - "{{ ipsecphasevar2[uniqid]['encryption-algorithm-options'] | default([]) }}"
- when: encalgopt_reset | default(false)
+ when:
+ - encalgopt_reset | default(false)
- name: "IPSec ike phase2 {{ uniqid }} create encryption-algorithm-options for ikeid {{ ikeid }}" # noqa jinja[spacing]
delegate_to: localhost
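Review bot: The commented-out `# debugger: on_failed` line added under the reset task is leftover debugging scaffolding and should not be committed; the `debugger` keyword can be enabled from `ansible.cfg` or the command line when it is needed. The task name also gained a trailing ` ...` that carries no information; `- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }}"` reads cleaner and stays consistent with the sibling task names. Since `state: absent` on that xpath removes every matching `encryption-algorithm-option` in one call, dropping `with_items` is right, and the now single-element `when:` list can stay as the scalar `when: encalgopt_reset | default(false)`. The create task that starts on the last lines of this hunk continues outside it.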
@@ -152,7 +186,7 @@
verbosity: 1
when: hashalgopt is defined
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (1)
ansible.builtin.set_fact:
change_hashalgopt: true
with_items: "{{ hashalgopt.matches }}"
@@ -164,29 +198,38 @@
or
(ipsecphasevar2[uniqid]['hash-algorithm-options']|length) != (hashalgopt.matches|length))
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (2)
ansible.builtin.set_fact:
change_hashalgopt: true
- with_items: "{{ hashalgopt.matches }}"
when:
- hashalgopt_count.count == 0
- - hashalgopt is defined
- - hashalgopt.matches is defined
- - ipsecphasevar2[uniqid]['hash-algorithm-options']|length > 0
+ - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (3)
ansible.builtin.set_fact:
change_hashalgopt: true
- when: hashalgopt_count.count == 0 and ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
+ when:
+ - hashalgopt_count.count > 0
+ - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length == 0
+
+- name: debug change_hashalgopt
+ ansible.builtin.debug:
+ var: change_hashalgopt
+ verbosity: 1
+ when: change_hashalgopt is defined
- name: "IPSec ike phase2 {{ uniqid }} reset hash-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
+ # debugger: on_failed
community.general.xml:
path: "{{ local_config_path }}"
xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/hash-algorithm-option"
state: absent
pretty_print: true
- when: change_hashalgopt | default(False)
+ when:
+ - change_hashalgopt | default(false)
+ - hashalgopt is defined
+ - hashalgopt.matches is defined
- name: "IPSec ike phase2 {{ uniqid }} hash-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
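Review bot: `change_hashalgopt` is only ever set to `true` by the three `register fact change_hashalgopt` tasks and is never cleared in this hunk, so once one phase2 entry triggers it, the `reset hash-algorithm-options` task fires for every later `uniqid` in the same run even when that entry's options already match; if this file is included once per phase2 entry (the `{{ uniqid }}` in the task names suggests so, but the caller is not visible here) that makes the role report spurious changes. A `set_fact` task clearing the flag before the three checks — `- name: clear fact change_hashalgopt` / `ansible.builtin.set_fact:` / `change_hashalgopt: false` — fixes it, and `encalgopt_reset` and `eao_list` earlier in the file have the same lifetime. Check (3) now removes every `hash-algorithm-option` when the desired list is empty; with a non-AEAD cipher such as `aes192` that leaves the phase2 without an integrity algorithm, so a comment on that task, or an assertion that an empty list is only paired with an AEAD cipher, is worth adding unless OPNsense is known to reject such a config on import (not verifiable from here). The hash-algorithm-options create task begins on the last lines of this hunk and continues outside it.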
diff --git a/test/ipsec-test1-04-encalg-expect.xml b/test/ipsec-test1-04-encalg-expect.xml
new file mode 100644
index 0000000..8da222d
--- /dev/null
+++ b/test/ipsec-test1-04-encalg-expect.xml
@@ -0,0 +1,122 @@
+
+
+
+
+
+ 1
+ 1
+ 1
+ 192.168.0.0/24
+
+ 1
+ s2s test
+ ikev1
+ wan
+ main
+ inet
+ auto
+ localhost
+ fqdn
+ fw02
+ 28800
+ 61546da45fbc3
+ 5ef9c5881c158
+ rsasig
+ on
+ start
+ 2
+ md5,sha1
+
+ fw02
+ 10
+ 5
+ restart
+
+ aes
+ 256
+
+
+
+ 1
+ eea1dcb2e051a
+ 1
+ tunnel
+ 2
+ 3600
+ esp
+ 10.0.0.1
+ 10.0.0.0/12
+ 1
+
+ lan
+
+
+ network
+ 10.0.0.0
+ 12
+
+
+ aes192
+
+
+ aes128gcm16
+
+ hmac_sha256
+ hmac_sha512
+
+
+ 1
+ e471b7299c8c1
+ tunnel
+ 2
+ 3600
+ esp
+ 10.128.0.1
+ 10.128.0.0/12
+ 2
+
+ lan
+
+
+ network
+ 10.128.0.0
+ 12
+
+
+ aes192
+
+
+ aes128gcm16
+
+ hmac_sha256
+ hmac_sha512
+
+
+ 1
+ e98f78c414ece
+ tunnel
+ 2
+ 3600
+ esp
+ 10.224.0.1
+ 10.224.0.0/12
+ 3
+
+ lan
+
+
+ network
+ 10.224.0.0
+ 12
+
+
+ aes192
+
+
+ aes128gcm16
+
+ hmac_sha256
+ hmac_sha512
+
+
+
diff --git a/test/ipsec-test1-04-encalg.xml b/test/ipsec-test1-04-encalg.xml
new file mode 100644
index 0000000..43ad283
--- /dev/null
+++ b/test/ipsec-test1-04-encalg.xml
@@ -0,0 +1,110 @@
+
+
+
+
+
+ 1
+ 1
+ 1
+ 192.168.0.0/24
+
+ 1
+ s2s test
+ ikev1
+ wan
+ main
+ inet
+ auto
+ localhost
+ fqdn
+ fw02
+ 28800
+ 61546da45fbc3
+ 5ef9c5881c158
+ rsasig
+ on
+ start
+ 2
+ md5,sha1
+
+ fw02
+ 10
+ 5
+ restart
+
+ aes
+ 256
+
+
+
+ 1
+ eea1dcb2e051a
+ 1
+ tunnel
+ 2
+ 3600
+ esp
+ 10.0.0.1
+ 10.0.0.0/12
+ 1
+
+ lan
+
+
+ network
+ 10.0.0.0
+ 12
+
+
+ aes256
+
+ hmac_sha1
+
+
+ 1
+ e471b7299c8c1
+ tunnel
+ 2
+ 3600
+ esp
+ 10.128.0.1
+ 10.128.0.0/12
+ 2
+
+ lan
+
+
+ network
+ 10.128.0.0
+ 12
+
+
+ aes256
+
+ hmac_sha1
+
+
+ 1
+ e98f78c414ece
+ tunnel
+ 2
+ 3600
+ esp
+ 10.224.0.1
+ 10.224.0.0/12
+ 3
+
+ lan
+
+
+ network
+ 10.224.0.0
+ 12
+
+
+ aes256
+
+ hmac_sha1
+
+
+
diff --git a/test/ipsec-test1-04-encalg.yml b/test/ipsec-test1-04-encalg.yml
new file mode 100644
index 0000000..5760102
--- /dev/null
+++ b/test/ipsec-test1-04-encalg.yml
@@ -0,0 +1,75 @@
+---
+opn_ipsec:
+ enable: 1
+ ipsec_asn: 1
+ ipsec_chd: 1
+ passthrough_networks: "192.168.0.0/24"
+ ikeids: # key is the ikeid
+ 1:
+ phase1:
+ descr: s2s test
+ iketype: ikev1
+ interface: wan
+ mode: main
+ protocol: inet
+ myid_type: auto
+ myid_data: "{{ inventory_hostname }}"
+ peerid_type: fqdn
+ peerid_data: fw02
+ encryption-algorithm:
+ name: aes
+ keylen: 256
+ lifetime: 28800
+ certref: 61546da45fbc3
+ caref: 5ef9c5881c158
+ authentication_method: rsasig
+ nat_traversal: "on"
+ auto: start
+ dhgroup: 2
+ hash-algorithm: md5,sha1
+ private-key:
+ remote-gateway: fw02
+ dpd_delay: 10
+ dpd_maxfail: 5
+ dpd_action: restart
+ phase2_defaults: # common settings for all phase2 elements in this ikeid
+ disabled: 0 # ensure all tunnels are enabled as long as they are not explicitly disabled
+ mode: tunnel
+ pfsgroup: 2
+ lifetime: 3600
+ protocol: esp
+ localid:
+ type: lan
+ encryption-algorithm-options:
+ - name: aes192
+ - name: aes128gcm16
+ hash-algorithm-options:
+ - hmac_sha256
+ - hmac_sha512
+ phase2:
+ # key is the uniqid
+ eea1dcb2e051a:
+ pinghost: 10.0.0.1
+ descr: 10.0.0.0/12
+ disabled: 1 # this way you can disable a p2 entry without deleting it; a disabled p2 entry must be enabled by explicitly setting disabled: 0
+ remoteid:
+ type: network
+ address: 10.0.0.0
+ netbits: 12
+ reqid: 1
+ e471b7299c8c1:
+ pinghost: 10.128.0.1
+ descr: 10.128.0.0/12
+ remoteid:
+ type: network
+ address: 10.128.0.0
+ netbits: 12
+ reqid: 2
+ e98f78c414ece:
+ pinghost: 10.224.0.1
+ descr: 10.224.0.0/12
+ remoteid:
+ type: network
+ address: 10.224.0.0
+ netbits: 12
+ reqid: 3
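Review bot: This new test case only exercises the "counts differ" path for both option lists — the input XML has a single `aes256` / `hmac_sha1` per phase2 and these vars ask for two of each — so neither of the branches the task change introduces (`hashalgopt_count.count == 0` with a non-empty desired list, and `hashalgopt_count.count > 0` with `hash-algorithm-options: []`) is covered, nor is the same-count-different-names case the (1) check handles. A fixture pair with `hash-algorithm-options: []` and one whose input XML has a phase2 with no `hash-algorithm-option` elements would pin those branches. The bare `private-key:` on this fixture parses as a YAML null; if an empty string is what the role expects, `private-key: ""` states that explicitly.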
diff --git a/test/test.yml b/test/test.yml
index 54f80e2..b6e2e4f 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -3,7 +3,7 @@
- name: run test
hosts: testhosts
vars:
- ansible_python_interpreter: "/usr/bin/env python" # REQUIRED for guthub action
+ ansible_python_interpreter: "/usr/bin/env python" # REQUIRED for github action
config_path: test/{{ inventory_hostname }}.xml
local_config_path: cfg/{{ inventory_hostname }}.xml
all_tests: {}