Rosa-Luxemburgstiftung-Berlin · zerwes · Dec 14, 2023 · Dec 13, 2023 · Dec 13, 2023 · Dec 14, 2023
diff --git a/tasks/ipsec.yml b/tasks/ipsec.yml
@@ -3,14 +3,15 @@
 
 # definition:
 # opn_ipsec:
-#   enable: 1
+#   enable: 1  # set to 0 to disable ipsec and explicit to 1 do enable a disabled ipsec service
 #   ipsec_asn: 1
 #   ipsec_chd: 1
 #   ... # other globalsettings like passthrough_networks, ...
 #   ikeids: # dict: ikeid is the key !
 #     1:
 #       phase1: # dict
 #         descr: s2s ...
+#         #disabled: 1 # this way you can disable a entry without deleting it; a disabled entry must be enabled by explicitly setting disabled: 0
 #         iketype: ikev1
 #         interface: wan
 #         mode: main
@@ -59,6 +60,19 @@
     - "{{ opn_ipsec | default({}) }}"
   when:
     - item.key != 'ikeids'
+    - not (item.key == 'enable' and item.value|int != 1)
+
+- name: IPSec disable
+  delegate_to: localhost
+  community.general.xml:
+    path: "{{ local_config_path }}"
+    xpath: "/opnsense/ipsec/{{ item.key }}"
+    state: absent
+    pretty_print: true
+  with_dict:
+    - "{{ opn_ipsec | default({}) }}"
+  when:
+    - item.key == 'enable' and item.value|int != 1
 
 - name: IPSec loop ikeids for phase1 ...
   ansible.builtin.include_tasks: ipsecphase1.yml

diff --git a/tasks/ipsecphase1.yml b/tasks/ipsecphase1.yml
@@ -12,6 +12,19 @@
     - "{{ ipsecphasevar.phase1 | default({}) }}"
   when:
     - not item.key == 'encryption-algorithm'
+    - not (item.key == 'disabled' and item.value|int != 1)
+
+- name: "IPSec ike phase1 for ikeid {{ ikeid }} enable"
+  delegate_to: localhost
+  community.general.xml:
+    path: "{{ local_config_path }}"
+    xpath: "/opnsense/ipsec/phase1[ikeid/text()='{{ ikeid }}']/{{ item.key }}"
+    state: absent
+    pretty_print: true
+  with_dict:
+    - "{{ ipsecphasevar.phase1 | default({}) }}"
+  when:
+    - item.key == 'disabled' and item.value|int != 1
 
 - name: "IPSec ike phase1 encryption-algorithm for ikeid {{ ikeid }}"
   delegate_to: localhost

diff --git a/test/ansible.cfg b/test/ansible.cfg
@@ -5,7 +5,7 @@ roles_path = ../../
 
 host_key_checking = False
 
-hash_behaviour = merge
+#hash_behaviour = merge
 
 #callbacks_enabled = profile_tasks
 #stdout_callback = dense
diff --git a/test/ipsec-test1-expect.xml b/test/ipsec-test1-expect.xml
@@ -3,6 +3,7 @@
   <system>
   </system>
   <ipsec>
+    <enable>1</enable>
     <ipsec_asn>1</ipsec_asn>
     <ipsec_chd>1</ipsec_chd>
     <passthrough_networks>192.168.0.0/24</passthrough_networks>

diff --git a/test/ipsec-test1.yml b/test/ipsec-test1.yml
@@ -1,6 +1,6 @@
 ---
 opn_ipsec:
-  #disabled: 0
+  enable: 1
   ipsec_asn: 1
   ipsec_chd: 1
   passthrough_networks: "192.168.0.0/24"

diff --git a/test/ipsec-testdisable-expect.xml b/test/ipsec-testdisable-expect.xml
@@ -0,0 +1,112 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+      <disabled>1</disabled>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+      <disabled>1</disabled>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e98f78c414ece</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.224.0.1</pinghost>
+      <descr>10.224.0.0/12</descr>
+      <reqid>3</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.224.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+      <disabled>1</disabled>
+    </phase2>
+  </ipsec>
+</opnsense>
diff --git a/test/ipsec-testdisable.xml b/test/ipsec-testdisable.xml
@@ -0,0 +1,110 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <enable>1</enable>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e98f78c414ece</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.224.0.1</pinghost>
+      <descr>10.224.0.0/12</descr>
+      <reqid>3</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.224.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+  </ipsec>
+</opnsense>
diff --git a/test/ipsec-testdisable.yml b/test/ipsec-testdisable.yml
@@ -0,0 +1,77 @@
+---
+opn_ipsec:
+  enable: 0
+  ipsec_asn: 1
+  ipsec_chd: 1
+  passthrough_networks: "192.168.0.0/24"
+  ikeids:  # key is the ikeid
+    1:
+      phase1:
+        disabled: 1
+        descr: s2s test
+        iketype: ikev1
+        interface: wan
+        mode: main
+        protocol: inet
+        myid_type: auto
+        myid_data: "{{ inventory_hostname }}"
+        peerid_type: fqdn
+        peerid_data: fw02
+        encryption-algorithm:
+          name: aes
+          keylen: 256
+        lifetime: 28800
+        certref: 61546da45fbc3
+        caref: 5ef9c5881c158
+        authentication_method: rsasig
+        nat_traversal: "on"
+        auto: start
+        dhgroup: 2
+        hash-algorithm: md5,sha1
+        private-key:
+        remote-gateway: fw02
+        dpd_delay: 10
+        dpd_maxfail: 5
+        dpd_action: restart
+      phase2_defaults: # common settings for all phase2 elements in this ikeid
+        disabled: 0 # ensure all tunnels are enabled as long as they are not explicitly disabled
+        mode: tunnel
+        pfsgroup: 2
+        lifetime: 3600
+        protocol: esp
+        localid:
+          type: lan
+        encryption-algorithm-options:
+          - name: aes256
+        hash-algorithm-options:
+          - hmac_sha1
+      phase2:
+        # key is the uniqid
+        eea1dcb2e051a:
+          pinghost: 10.0.0.1
+          descr: 10.0.0.0/12
+          disabled: 1  # this way you can disable a p2 entry without deleting it; a disabled p2 entry must be enabled by explicitly setting disabled: 0
+          remoteid:
+            type: network
+            address: 10.0.0.0
+            netbits: 12
+          reqid: 1
+        e471b7299c8c1:
+          pinghost: 10.128.0.1
+          descr:  10.128.0.0/12
+          disabled: 1
+          remoteid:
+            type: network
+            address: 10.128.0.0
+            netbits: 12
+          reqid: 2
+        e98f78c414ece:
+          pinghost: 10.224.0.1
+          descr: 10.224.0.0/12
+          disabled: 1
+          remoteid:
+            type: network
+            address: 10.224.0.0
+            netbits: 12
+          reqid: 3
+