Various improvements required to connect to a managed remote host

[badnetmask]

Use case

Ansible host is a regular application server running RHEL 8, and needs to establish an IPSec connection to a NetApp storage. The storage is managed by various other means (either Ansible or other proprietary tools), but requires very specific parameters in order to establish a connection.

This pull request implements the necessary methods to pass all the required parameters to the tunnel configuration.

Features that have been added

• When establishing a connection between the current running host on a playbook, and only one remote host, you don't need to specify the host in the connection variable.
• The flag no_log has been added to the beginning of the opportunistic configuration to prevent leak of the PSK.
• A few tweaks on the README file.

Options that have been added

• shared_key_content -- the PSK in plain text (added a note to README about secrecy of the value).
• leftid and rightid -- the IPSec ID of each host (when different from the FQDN).
• ike_enc_alg and esp_enc_alg -- Allow detailed specification of the encryption algorithms.
• type -- Tunnel or transport.
• retransmit_timeout -- IKE packet re-transmit timeout.

[richm]

[citest commit:7966f6e9f5925d73bcf634fa4e478698865a321b]

[richm]

ok - https://github.com/linux-system-roles/vpn/pull/66 was merged - please rebase

[richm]

Can you do a rebase without a merge commit?

[richm]

I created another PR

• removes the merge commit
• fixes an error with if tunnel.hosts[host2]['shared_key_content']
• adds a test for shared_key_content

https://github.com/linux-system-roles/vpn/pull/68

[badnetmask]

Sorry, when I saw your rebase note I had already merged. What should I do now?

[richm]

Sorry, when I saw your rebase note I had already merged. What should I do now?

one of these

• take the code from https://github.com/linux-system-roles/vpn/pull/68, replace your local branch with this, force push
• do a git rebase -i master with your branch to squash into a single commit, then incorporate the additional commits from https://github.com/linux-system-roles/vpn/pull/68
• drop https://github.com/linux-system-roles/vpn/pull/65 and we'll just use https://github.com/linux-system-roles/vpn/pull/68

[richm]

[citest]

[richm]

If we accept this PR, we're going to need a follow up PR to add testing for the new parameters, otherwise, QE is going to be very unhappy, and/or we won't be able to put this functionality into the downstream product. @ueno can you help write some tests for leftid/rightid, ike_enc_alg, esp_enc_alg, and type?

[richm]

[citest] At least tests_host_to_host_psk_custom.yml should pass

[richm]

passed! https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs/lsr-citool_vpn-65-4432c1e_RHEL-7.9-20200917.0_20220818-134510/artifacts/tests_host_to_host_psk_custom-PASSED.log

[richm]

[citest]