Fix encalg and hashalg update #71

Merged
merged 18 commits into from
May 28, 2024
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
- name: install requirements
run: |
python -m pip install --upgrade pip
pip install ansible==9.2.0 ansible-core==2.16.3 lxml cryptography
pip install ansible==9.2.0 ansible-core==2.16.3 lxml==5.1.0 cryptography
- name: run ansible test
working-directory: ./test
run: |
75 changes: 59 additions & 16 deletions tasks/ipsecphase2.yml
Expand Up @@ -57,6 +57,39 @@
count: true
register: eao_count

- name: debug eao_count
ansible.builtin.debug:
var: eao_count
verbosity: 1

- name: "IPSec ike phase2 {{ uniqid }} get defined encryption-algorithm-options for ikeid {{ ikeid }} from xml"
delegate_to: localhost
community.general.xml:
path: "{{ local_config_path }}"
xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option/name"
content: text
register: eao_matches
when: eao_count.count > 0

- name: debug eao_matches
ansible.builtin.debug:
var: eao_matches
verbosity: 1
when: eao_matches is defined

- name: "IPSec ike phase2 {{ uniqid }} get defined list of encryption-algorithm-options for ikeid {{ ikeid }}"
ansible.builtin.set_fact:
eao_list: "{{ eao_matches.matches | list | map(attribute='name') | list | flatten }}"
when:
- eao_matches is defined
- eao_matches.matches is defined

- name: debug eao_list
ansible.builtin.debug:
var: eao_list
verbosity: 1
when: eao_list is defined

- name: "IPSec ike phase2 {{ uniqid }} get encryption-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
community.general.xml:
Expand All @@ -74,12 +107,13 @@
verbosity: 1
when: encalgopt is defined

- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (1)"
ansible.builtin.set_fact:
encalgopt_reset: true
when:
- eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options']|length)
- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
- eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options'] | length)

- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (2)"
ansible.builtin.set_fact:
encalgopt_reset: true
when:
Expand All @@ -93,16 +127,16 @@
verbosity: 1
when: encalgopt_reset is defined

- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }}"
- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }} ..."
delegate_to: localhost
# debugger: on_failed
community.general.xml:
path: "{{ local_config_path }}"
xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option"
state: absent
pretty_print: true
with_items:
- "{{ ipsecphasevar2[uniqid]['encryption-algorithm-options'] | default([]) }}"
when: encalgopt_reset | default(false)
when:
- encalgopt_reset | default(false)

- name: "IPSec ike phase2 {{ uniqid }} create encryption-algorithm-options for ikeid {{ ikeid }}" # noqa jinja[spacing]
delegate_to: localhost
Expand Down Expand Up @@ -152,7 +186,7 @@
verbosity: 1
when: hashalgopt is defined

- name: register fact change_hashalgopt
- name: register fact change_hashalgopt (1)
ansible.builtin.set_fact:
change_hashalgopt: true
with_items: "{{ hashalgopt.matches }}"
Expand All @@ -164,29 +198,38 @@
or
(ipsecphasevar2[uniqid]['hash-algorithm-options']|length) != (hashalgopt.matches|length))

- name: register fact change_hashalgopt
- name: register fact change_hashalgopt (2)
ansible.builtin.set_fact:
change_hashalgopt: true
with_items: "{{ hashalgopt.matches }}"
when:
- hashalgopt_count.count == 0
- hashalgopt is defined
- hashalgopt.matches is defined
- ipsecphasevar2[uniqid]['hash-algorithm-options']|length > 0
- ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0

- name: register fact change_hashalgopt
- name: register fact change_hashalgopt (3)
ansible.builtin.set_fact:
change_hashalgopt: true
when: hashalgopt_count.count == 0 and ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
when:
- hashalgopt_count.count > 0
- ipsecphasevar2[uniqid]['hash-algorithm-options'] | length == 0

- name: debug change_hashalgopt
ansible.builtin.debug:
var: change_hashalgopt
verbosity: 1
when: change_hashalgopt is defined

- name: "IPSec ike phase2 {{ uniqid }} reset hash-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
# debugger: on_failed
community.general.xml:
path: "{{ local_config_path }}"
xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/hash-algorithm-option"
state: absent
pretty_print: true
when: change_hashalgopt | default(False)
when:
- change_hashalgopt | default(false)
- hashalgopt is defined
- hashalgopt.matches is defined

- name: "IPSec ike phase2 {{ uniqid }} hash-algorithm-options for ikeid {{ ikeid }}"
delegate_to: localhost
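Review bot: The guard `when: eao_matches is defined` on the `debug eao_matches` task in the first hunk is always satisfied once the xml lookup above it has run, because a task skipped by its `when` still registers its result (with `skipped: true`); the only condition that really covers the `eao_count.count == 0` path is `eao_matches.matches is defined`, which the following `set_fact` already uses, so the debug task should use `when: eao_matches.matches is defined` as well. In the same hunk `| list | map(attribute='name') | list | flatten` can be written as `| map(attribute='name') | list`, since `flatten` on a flat list of name strings is a no-op. `eao_list` is not consumed by any hunk shown here; if it is intended to drive the reset decision, note that check `(1)` in the second hunk compares only element counts, so a same-size but different set of algorithms would depend on check `(2)`, whose condition list continues past the hunk end. The same registered-even-when-skipped behaviour applies to the `hashalgopt is defined` conditions added in the last hunk, where `hashalgopt.matches is defined` is the check that carries the weight.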
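--- a/test/ipsec-test1-04-encalg-expect.xml
+++ b/test/ipsec-test1-04-encalg-expect.xml
@@ -0,0 +1,122 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+<system>
+</system>
+<ipsec>
+<enable>1</enable>
+<ipsec_asn>1</ipsec_asn>
+<ipsec_chd>1</ipsec_chd>
+<passthrough_networks>192.168.0.0/24</passthrough_networks>
+<phase1>
+<ikeid>1</ikeid>
+<descr>s2s test</descr>
+<iketype>ikev1</iketype>
+<interface>wan</interface>
+<mode>main</mode>
+<protocol>inet</protocol>
+<myid_type>auto</myid_type>
+<myid_data>localhost</myid_data>
+<peerid_type>fqdn</peerid_type>
+<peerid_data>fw02</peerid_data>
+<lifetime>28800</lifetime>
+<certref>61546da45fbc3</certref>
+<caref>5ef9c5881c158</caref>
+<authentication_method>rsasig</authentication_method>
+<nat_traversal>on</nat_traversal>
+<auto>start</auto>
+<dhgroup>2</dhgroup>
+<hash-algorithm>md5,sha1</hash-algorithm>
+<private-key/>
+<remote-gateway>fw02</remote-gateway>
+<dpd_delay>10</dpd_delay>
+<dpd_maxfail>5</dpd_maxfail>
+<dpd_action>restart</dpd_action>
+<encryption-algorithm>
+<name>aes</name>
+<keylen>256</keylen>
+</encryption-algorithm>
+</phase1>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>eea1dcb2e051a</uniqid>
+<disabled>1</disabled>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.0.0.1</pinghost>
+<descr>10.0.0.0/12</descr>
+<reqid>1</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.0.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes192</name>
+</encryption-algorithm-option>
+<encryption-algorithm-option>
+<name>aes128gcm16</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+<hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+</phase2>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>e471b7299c8c1</uniqid>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.128.0.1</pinghost>
+<descr>10.128.0.0/12</descr>
+<reqid>2</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.128.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes192</name>
+</encryption-algorithm-option>
+<encryption-algorithm-option>
+<name>aes128gcm16</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+<hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+</phase2>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>e98f78c414ece</uniqid>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.224.0.1</pinghost>
+<descr>10.224.0.0/12</descr>
+<reqid>3</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.224.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes192</name>
+</encryption-algorithm-option>
+<encryption-algorithm-option>
+<name>aes128gcm16</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+<hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+</phase2>
+</ipsec>
+</opnsense>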
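--- a/test/ipsec-test1-04-encalg.xml
+++ b/test/ipsec-test1-04-encalg.xml
@@ -0,0 +1,110 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+<system>
+</system>
+<ipsec>
+<enable>1</enable>
+<ipsec_asn>1</ipsec_asn>
+<ipsec_chd>1</ipsec_chd>
+<passthrough_networks>192.168.0.0/24</passthrough_networks>
+<phase1>
+<ikeid>1</ikeid>
+<descr>s2s test</descr>
+<iketype>ikev1</iketype>
+<interface>wan</interface>
+<mode>main</mode>
+<protocol>inet</protocol>
+<myid_type>auto</myid_type>
+<myid_data>localhost</myid_data>
+<peerid_type>fqdn</peerid_type>
+<peerid_data>fw02</peerid_data>
+<lifetime>28800</lifetime>
+<certref>61546da45fbc3</certref>
+<caref>5ef9c5881c158</caref>
+<authentication_method>rsasig</authentication_method>
+<nat_traversal>on</nat_traversal>
+<auto>start</auto>
+<dhgroup>2</dhgroup>
+<hash-algorithm>md5,sha1</hash-algorithm>
+<private-key/>
+<remote-gateway>fw02</remote-gateway>
+<dpd_delay>10</dpd_delay>
+<dpd_maxfail>5</dpd_maxfail>
+<dpd_action>restart</dpd_action>
+<encryption-algorithm>
+<name>aes</name>
+<keylen>256</keylen>
+</encryption-algorithm>
+</phase1>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>eea1dcb2e051a</uniqid>
+<disabled>1</disabled>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.0.0.1</pinghost>
+<descr>10.0.0.0/12</descr>
+<reqid>1</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.0.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes256</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+</phase2>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>e471b7299c8c1</uniqid>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.128.0.1</pinghost>
+<descr>10.128.0.0/12</descr>
+<reqid>2</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.128.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes256</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+</phase2>
+<phase2>
+<ikeid>1</ikeid>
+<uniqid>e98f78c414ece</uniqid>
+<mode>tunnel</mode>
+<pfsgroup>2</pfsgroup>
+<lifetime>3600</lifetime>
+<protocol>esp</protocol>
+<pinghost>10.224.0.1</pinghost>
+<descr>10.224.0.0/12</descr>
+<reqid>3</reqid>
+<localid>
+<type>lan</type>
+</localid>
+<remoteid>
+<type>network</type>
+<address>10.224.0.0</address>
+<netbits>12</netbits>
+</remoteid>
+<encryption-algorithm-option>
+<name>aes256</name>
+</encryption-algorithm-option>
+<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+</phase2>
+</ipsec>
+</opnsense>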