implemented tests for pr #67

test/ipsec-test1-deconfigure-p2-expect.xml

@@ -0,0 +1,87 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <enable>1</enable>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+  </ipsec>
+</opnsense>

test/ipsec-test1-deconfigure-p2.xml

@@ -0,0 +1,110 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <enable>1</enable>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e98f78c414ece</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.224.0.1</pinghost>
+      <descr>10.224.0.0/12</descr>
+      <reqid>3</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.224.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+  </ipsec>
+</opnsense>

test/ipsec-test1-deconfigure-p2.yml

@@ -0,0 +1,65 @@
+---
+opn_ipsec:
+  enable: 1
+  ipsec_asn: 1
+  ipsec_chd: 1
+  passthrough_networks: "192.168.0.0/24"
+  ikeids:  # key is the ikeid
+    1:
+      phase1:
+        descr: s2s test
+        iketype: ikev1
+        interface: wan
+        mode: main
+        protocol: inet
+        myid_type: auto
+        myid_data: "{{ inventory_hostname }}"
+        peerid_type: fqdn
+        peerid_data: fw02
+        encryption-algorithm:
+          name: aes
+          keylen: 256
+        lifetime: 28800
+        certref: 61546da45fbc3
+        caref: 5ef9c5881c158
+        authentication_method: rsasig
+        nat_traversal: "on"
+        auto: start
+        dhgroup: 2
+        hash-algorithm: md5,sha1
+        private-key:
+        remote-gateway: fw02
+        dpd_delay: 10
+        dpd_maxfail: 5
+        dpd_action: restart
+      phase2_defaults: # common settings for all phase2 elements in this ikeid
+        disabled: 0 # ensure all tunnels are enabled as long as they are not explicitly disabled
+        mode: tunnel
+        pfsgroup: 2
+        lifetime: 3600
+        protocol: esp
+        localid:
+          type: lan
+        encryption-algorithm-options:
+          - name: aes256
+        hash-algorithm-options:
+          - hmac_sha1
+      phase2:
+        # key is the uniqid
+        eea1dcb2e051a:
+          pinghost: 10.0.0.1
+          descr: 10.0.0.0/12
+          disabled: 1  # this way you can disable a p2 entry without deleting it; a disabled p2 entry must be enabled by explicitly setting disabled: 0
+          remoteid:
+            type: network
+            address: 10.0.0.0
+            netbits: 12
+          reqid: 1
+        e471b7299c8c1:
+          pinghost: 10.128.0.1
+          descr: 10.128.0.0/12
+          remoteid:
+            type: network
+            address: 10.128.0.0
+            netbits: 12
+          reqid: 2