opoplawski / ansible-pfsense

Ansible modules for managing pfSense firewalls
GNU General Public License v3.0

IPSEC cannot use VIP interface #57

Closed. gaeldb closed this issue 1 year ago.

gaeldb commented 4 years ago

Hello everyone,

Issue detected today: when using a simple WAN CARP VIP, it's not possible to select this VIP as the IPSEC interface. It works in the pfSense GUI, but not in pfsense_ipsec. VIP interfaces are named like: _vip5f0eebd19b2ea

    failed: [****] {"msg": "_vip5f0eebd19b2ea is not a valid interface"}

    - name: Create IPSEC tunnels (phase 1)
      pfsense_ipsec:
        state: "{{ item.state }}"
        descr: "{{ item.descr }}"
        interface: "_vip5f0eebd19b2ea"
        protocol: inet
        remote_gateway: "{{ item.gateway }}"
        iketype: "{{ item.ike }}"
        mode: main
        authentication_method: pre_shared_key
        preshared_key: "{{ item.key }}"
        myid_type: myaddress
        peerid_type: peeraddress

I will investigate this later, but probably a simple "interface name checking" issue?

Thanks

opoplawski commented 4 years ago

Can you share your config.xml file? Or at least all of the interface definitions?

gaeldb commented 4 years ago

Of course:

Interface in config.xml

    <interfaces>
            <wan>
                    <if>lagg0.4090</if>
                    <switchif>switch0.port1</switchif>
                    <descr><![CDATA[WAN]]></descr>
                    <spoofmac></spoofmac>
                    <enable></enable>
                    <ipaddr>151.25.19.10</ipaddr>
                    <subnet>29</subnet>
                    <gateway>WANGW1</gateway>
            </wan>
            <lan>
                    <enable></enable>
                    <if>lagg0.4091</if>
                    <descr><![CDATA[LAN]]></descr>
                    <ipaddr>10.0.5.34</ipaddr>
                    <subnet>27</subnet>
                    <spoofmac></spoofmac>
            </lan>
            <opt1>
                    <enable></enable>
                    <if>ix0</if>
                    <descr><![CDATA[OPT1]]></descr>
            </opt1>
            <opt2>
                    <enable></enable>
                    <if>ix1</if>
                    <descr><![CDATA[OPT2]]></descr>
            </opt2>
    </interfaces>

and virtual IP part:

    <virtualip>
            <vip>
                    <mode>carp</mode>
                    <interface>wan</interface>
                    <vhid>90</vhid>
                    <advskew>100</advskew>
                    <advbase>1</advbase>
                    <password><![CDATA[123456]]></password>
                    <uniqid>5f0eebd19b2ea</uniqid>
                    <descr><![CDATA[WAN CARP IP]]></descr>
                    <type>single</type>
                    <subnet_bits>29</subnet_bits>
                    <subnet>151.25.19.11</subnet>
            </vip>
    </virtualip>

bailsman commented 3 years ago

I have been running with this patch to pfsensible.core:

diff --git a/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py b/ansib
le/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
index fb3e4b9e..1d142e8a 100644
--- a/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
+++ b/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
@@ -119,6 +119,18 @@ def parse_interface(self, interface, fail=True, with_virtual=True):
     elif self.is_interface_port(interface):
         return interface

+    # https://github.com/opoplawski/ansible-pfsense/issues/57
+    if interface.lower().startswith("vip:"):
+        virtualips = self.get_element('virtualip')
+        if virtualips is not None:
+            for vip_elt in virtualips:
+                descr_elt = vip_elt.find('descr')
+                if descr_elt is not None:
+                    if descr_elt.text.strip().lower() == interface.lower()[4:]:
+                        uniqid_elt = vip_elt.find('uniqid')
+                        if uniqid_elt is not None:
+                            return "_vip" + uniqid_elt.text.strip()
+

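Review bot: `descr_elt.text.strip()` and `uniqid_elt.text.strip()` raise AttributeError when the element exists but is empty, because ElementTree gives `None` for the text of an empty element, and this config.xml already contains empty elements such as `<spoofmac></spoofmac>` and `<enable></enable>`; guard with `if descr_elt is not None and descr_elt.text:` (and likewise for `uniqid_elt`) so a VIP with a blank description is skipped instead of crashing the module. Two smaller points on the same hunk: the loop returns on the first `<descr>` match, so two VIPs with the same description are resolved silently to whichever comes first, and neither `<mode>` (`carp` in the reporter's config) nor the parent `<interface>` is checked, so any VIP type is accepted; at least strip the user-supplied string as well (`interface.lower()[4:].strip()`) and document that `vip:` matches on the description, not on the `_vip<uniqid>` name the original error message reported.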
It allows you to provide vip:name_of_vip as ipsec_interface. I have no idea if that is the right way to solve the problem.
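The resolver below is an added, stand-alone illustration of the lookup bailsman's patch performs (it is not code from pfsensible.core or from the commit referenced later in this thread). It parses a constructed config.xml fragment modelled on the one gaeldb posted, accepts either the internal `_vip<uniqid>` name that the reporter's playbook used or a `vip:<description>` alias, and handles the cases a production module has to survive: an empty `<descr></descr>`, a VIP without a `<uniqid>`, duplicate descriptions, and user input that must never be passed into an XPath `find()` call. The `allowed_modes` restriction to CARP VIPs is an assumption for the example (this thread only shows a `carp` VIP); the second `ipalias` VIP in the sample is constructed to exercise that check.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config.xml fragments in this issue; not a real firewall.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>lagg0.4090</if><descr><![CDATA[WAN]]></descr><enable></enable></wan>
    <lan><if>lagg0.4091</if><descr><![CDATA[LAN]]></descr><enable></enable></lan>
  </interfaces>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <vhid>90</vhid>
      <uniqid>5f0eebd19b2ea</uniqid>
      <descr><![CDATA[WAN CARP IP]]></descr>
      <subnet>151.25.19.11</subnet>
    </vip>
    <vip>
      <mode>ipalias</mode>
      <interface>lan</interface>
      <uniqid>0123456789abc</uniqid>
      <descr></descr>
      <subnet>10.0.5.35</subnet>
    </vip>
  </virtualip>
</pfsense>
"""


def load_config(text):
    """Parse a config.xml document and return its root element."""
    return ET.fromstring(text)


def _text(elt):
    """Stripped text of an element, or '' when the element is missing or empty.

    ElementTree reports the text of <descr></descr> as None, so calling
    .strip() on it directly would raise AttributeError.
    """
    if elt is None or elt.text is None:
        return ''
    return elt.text.strip()


def list_vips(root):
    """Return (uniqid, descr, mode) for every <vip> under <virtualip> that has a uniqid."""
    virtualips = root.find('virtualip')
    if virtualips is None:
        return []
    vips = []
    for vip_elt in virtualips.findall('vip'):
        uniqid = _text(vip_elt.find('uniqid'))
        if not uniqid:
            continue  # without a uniqid there is no _vip<id> name to resolve to
        vips.append((uniqid, _text(vip_elt.find('descr')), _text(vip_elt.find('mode'))))
    return vips


def resolve_interface(root, interface, allowed_modes=('carp',)):
    """Map a user-supplied interface name to the name pfSense stores internally.

    Accepts a plain interface key (wan, lan, opt1, ...), an explicit
    '_vip<uniqid>' name, or 'vip:<description>'. Returns None when nothing
    matches, when the VIP mode is not allowed, or when a description is ambiguous.
    """
    interfaces = root.find('interfaces')
    # Compare tag names explicitly rather than calling interfaces.find(interface):
    # the user string is not a trusted XPath expression ('vip:x' or '..' would
    # be interpreted as path syntax and raise or match the wrong node).
    if interfaces is not None and any(child.tag == interface for child in interfaces):
        return interface
    vips = list_vips(root)
    lowered = interface.lower().strip()
    if lowered.startswith('_vip'):
        wanted = lowered[4:]
        for uniqid, _descr, mode in vips:
            if uniqid.lower() == wanted and mode in allowed_modes:
                return '_vip' + uniqid
        return None
    if lowered.startswith('vip:'):
        wanted = lowered[4:].strip()
        matches = [uniqid for uniqid, descr, mode in vips
                   if descr and descr.lower() == wanted and mode in allowed_modes]
        if len(matches) == 1:
            return '_vip' + matches[0]
        return None  # no such description, or several VIPs share it
    return None


if __name__ == '__main__':
    cfg = load_config(SAMPLE_CONFIG)
    for name in ('wan', '_vip5f0eebd19b2ea', 'vip:WAN CARP IP', 'vip:', '_vipdeadbeef'):
        print(name, '->', resolve_interface(cfg, name))
```

Returning None for an ambiguous description, rather than the first hit, is deliberate: an IPsec phase 1 silently bound to the wrong address is harder to notice than a failed task, so the caller should turn None into a module failure with the offending name in the message.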

opoplawski commented 3 years ago

This is hopefully fixed in current master with cc083a7a35d02597b0471eb92ad98e0676675caf. Please test it out and report back. Thank you for the report and suggestion.