ansible-pfsense
IPSEC cannot use VIP interface
Hello everyone,
Issue detected today: when using a simple WAN CARP VIP, it's not possible to select this VIP as the IPSEC interface. It works in the pfSense GUI, but not in pfsense_ipsec. VIP interfaces are defined like: _vip5f0eebd19b2ea
failed: [****] {"msg": "_vip5f0eebd19b2ea is not a valid interface"}
- name: Create IPSEC tunnels (phase 1)
  pfsense_ipsec:
    state: "{{ item.state }}"
    descr: "{{ item.descr }}"
    interface: "_vip5f0eebd19b2ea"
    protocol: inet
    remote_gateway: "{{ item.gateway }}"
    iketype: "{{ item.ike }}"
    mode: main
    authentication_method: pre_shared_key
    preshared_key: "{{ item.key }}"
    myid_type: myaddress
    peerid_type: peeraddress
I will investigate this later, but probably a simple "interface name checking" issue?
Thanks
Can you share your config.xml file? Or at least all of the interface definitions?
Of course:
Interfaces in config.xml:
<interfaces>
  <wan>
    <if>lagg0.4090</if>
    <switchif>switch0.port1</switchif>
    <descr><![CDATA[WAN]]></descr>
    <spoofmac></spoofmac>
    <enable></enable>
    <ipaddr>151.25.19.10</ipaddr>
    <subnet>29</subnet>
    <gateway>WANGW1</gateway>
  </wan>
  <lan>
    <enable></enable>
    <if>lagg0.4091</if>
    <descr><![CDATA[LAN]]></descr>
    <ipaddr>10.0.5.34</ipaddr>
    <subnet>27</subnet>
    <spoofmac></spoofmac>
  </lan>
  <opt1>
    <enable></enable>
    <if>ix0</if>
    <descr><![CDATA[OPT1]]></descr>
  </opt1>
  <opt2>
    <enable></enable>
    <if>ix1</if>
    <descr><![CDATA[OPT2]]></descr>
  </opt2>
</interfaces>
and virtual IP part:
<virtualip>
  <vip>
    <mode>carp</mode>
    <interface>wan</interface>
    <vhid>90</vhid>
    <advskew>100</advskew>
    <advbase>1</advbase>
    <password><![CDATA[123456]]></password>
    <uniqid>5f0eebd19b2ea</uniqid>
    <descr><![CDATA[WAN CARP IP]]></descr>
    <type>single</type>
    <subnet_bits>29</subnet_bits>
    <subnet>151.25.19.11</subnet>
  </vip>
</virtualip>
I have been running with this patch to pfsensible.core:
diff --git a/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py b/ansib
le/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
index fb3e4b9e..1d142e8a 100644
--- a/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
+++ b/ansible/collections/ansible_collections/pfsensible/core/plugins/module_utils/__impl/interfaces.py
@@ -119,6 +119,18 @@ def parse_interface(self, interface, fail=True, with_virtual=True):
elif self.is_interface_port(interface):
return interface
+ # https://github.com/opoplawski/ansible-pfsense/issues/57
+ if interface.lower().startswith("vip:"):
+ virtualips = self.get_element('virtualip')
+ if virtualips is not None:
+ for vip_elt in virtualips:
+ descr_elt = vip_elt.find('descr')
+ if descr_elt is not None:
+ if descr_elt.text.strip().lower() == interface.lower()[4:]:
+ uniqid_elt = vip_elt.find('uniqid')
+ if uniqid_elt is not None:
+ return "_vip" + uniqid_elt.text.strip()
+
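Review bot: `descr_elt.text.strip()` and `uniqid_elt.text.strip()` will raise AttributeError on a `<vip>` whose `<descr>` or `<uniqid>` element is present but empty, because, if the config is parsed with ElementTree (as the `.find` calls suggest), `.text` of an empty element is None; guard both with `(elt.text or '').strip()` before comparing. Two smaller points on the same loop: it matches on the free-form description, which pfSense does not keep unique, so the first match is returned silently where failing on an ambiguous name would be safer; and the module's `interface` parameter documentation should state that the `vip:<descr>` form is accepted, since nothing in the hunk documents it.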
It allows you to provide vip:name_of_vip as ipsec_interface. I have no idea if that is the right way to solve the problem.
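As an added illustration (not code from the thread or from pfsensible.core), the resolver below validates both spellings a user might pass: the internal _vip&lt;uniqid&gt; name the reporter used, and the vip:&lt;descr&gt; form the patch proposes. It parses the &lt;virtualip&gt; section of config.xml with ElementTree and handles the empty-element and duplicate-description cases the patch does not; the sample config is constructed for this example, with only the uniqid 5f0eebd19b2ea taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <virtualip> section posted above; the three
# extra VIPs are invented to exercise an empty <descr> and a shared description.
SAMPLE_CONFIG = """<pfsense><virtualip>
<vip><mode>carp</mode><interface>wan</interface><vhid>90</vhid>
<uniqid>5f0eebd19b2ea</uniqid><descr><![CDATA[WAN CARP IP]]></descr>
<subnet>192.0.2.11</subnet></vip>
<vip><mode>ipalias</mode><interface>lan</interface>
<uniqid>aaaaaaaaaaaaa</uniqid><descr></descr><subnet>10.0.5.40</subnet></vip>
<vip><mode>ipalias</mode><interface>lan</interface>
<uniqid>bbbbbbbbbbbbb</uniqid><descr>Alias</descr><subnet>10.0.5.41</subnet></vip>
<vip><mode>ipalias</mode><interface>lan</interface>
<uniqid>ccccccccccccc</uniqid><descr>alias</descr><subnet>10.0.5.42</subnet></vip>
</virtualip></pfsense>"""

VIP_ID_RE = re.compile(r"^_vip([0-9a-f]+)$")


def vip_table(config_xml):
    """Return {uniqid: descr} for every <vip>, tolerating empty or missing elements."""
    root = ET.fromstring(config_xml)
    table = {}
    for vip in root.iterfind("./virtualip/vip"):
        uniqid = (vip.findtext("uniqid") or "").strip()
        if uniqid:  # a VIP without a uniqid has no interface name to resolve to
            table[uniqid] = (vip.findtext("descr") or "").strip()
    return table


def resolve_vip_interface(config_xml, interface):
    """Map a user-supplied name to pfSense's internal '_vip<uniqid>' interface name.

    Accepts '_vip<uniqid>' (what the GUI stores) or 'vip:<descr>'. Returns None
    for names that match no VIP; raises ValueError when a description is shared
    by several VIPs, which pfSense does not prevent.
    """
    table = vip_table(config_xml)
    name = interface.strip()
    m = VIP_ID_RE.match(name.lower())
    if m:
        return name.lower() if m.group(1) in table else None
    if name.lower().startswith("vip:"):
        wanted = name[4:].strip().lower()
        if not wanted:
            return None
        hits = [uid for uid, descr in table.items() if descr.lower() == wanted]
        if len(hits) > 1:
            raise ValueError("ambiguous VIP description %r" % wanted)
        return "_vip" + hits[0] if hits else None
    return None
```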
This is hopefully fixed in current master with cc083a7a35d02597b0471eb92ad98e0676675caf. Please test it out and report back. Thank you for the report and suggestion.