When creating P2 with pfsense_ipsec_p2, if you set Hash Algorithms (sha1, sha256, sha384, sha512) with a boolean (true or false), it will already be enabled. The only way to disable a specific hash algorithm is to not set the value.
```yaml
- pfsensible.core.pfsense_ipsec:
    authentication_method: pre_shared_key
    descr: '[Test] IPSEC01'
    disabled: true
    iketype: ikev2
    interface: vip:***.***.***.***
    preshared_key: ********
    remote_gateway: ***.***.***.***
    state: present

- pfsensible.core.pfsense_ipsec_proposal:
    descr: '[Test] IPSEC01'
    dhgroup: 14
    encryption: aes
    hash: sha256
    key_length: 256
    state: present

- pfsensible.core.pfsense_ipsec_p2:
    aes: true
    aes256gcm: true
    aes256gcm_len: 128
    aes_len: 128
    aesxcbc: false
    cast128: false
    des: false
    descr: '[Test] IPSEC01 P2-01'
    local: 10.50.0.0/24
    md5: false
    mode: tunnel
    p1_descr: '[Test] IPSEC01'
    remote: 10.10.0.0/24
    sha1: false
    sha256: false
    sha384: true
    sha512: true
    state: present
```
```
TASK [pfsense : pfsensible.core.pfsense_ipsec]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:3
[WARNING]: Platform freebsd on host pfsense-01 is using the discovered Python interpreter at /usr/local/bin/python3.11, but future installation of another Python interpreter could change the meaning of that path.
See https://docs.ansible.com/ansible-core/2.18/reference_appendices/interpreter_discovery.html for more information.
changed: [pfsense-01] => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/local/bin/python3.11"
    },
    "changed": true,
    "commands": [
        "create ipsec '[Test] IPSEC01', disabled=True, iketype='ikev2', protocol='inet', interface='vip:***.***.***.***', remote_gateway='***.***.***.***', authentication_method='pre_shared_key', preshared_key='********', myid_type='myaddress', peerid_type='peeraddress', lifetime='28800', rekey_time='', reauth_time='', rand_time='', mobike='off', startaction='', closeaction='', nat_traversal='on', enable_dpd=True, dpd_delay='10', dpd_maxfail='5'"
    ],
    "stderr": "",
    "stderr_lines": [],
    "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
    "stdout_lines": [
        "pfSense shell: global $debug;",
        "pfSense shell: $debug = 1;",
        "pfSense shell: global $config;",
        "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
        "pfSense shell: exec",
        "pfSense shell: exit"
    ]
}

TASK [pfsense : pfsensible.core.pfsense_ipsec_proposal]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:13
changed: [pfsense-01] => {
    "changed": true,
    "commands": [
        "create ipsec_proposal '[Test] IPSEC01', encryption='aes', key_length=256, hash='sha256', dhgroup='14', prf='sha256'"
    ],
    "stderr": "",
    "stderr_lines": [],
    "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
    "stdout_lines": [
        "pfSense shell: global $debug;",
        "pfSense shell: $debug = 1;",
        "pfSense shell: global $config;",
        "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
        "pfSense shell: exec",
        "pfSense shell: exit"
    ]
}

TASK [pfsense : pfsensible.core.pfsense_ipsec_p2]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:21
changed: [pfsense-01] => {
    "changed": true,
    "commands": [
        "create ipsec_p2 '[Test] IPSEC01 P2-01' on '[Test] IPSEC01', disabled=False, mode='tunnel', local='10.50.0.0/24', remote='10.10.0.0/24', aes=True, aes_len='128', aes256gcm=True, aes256gcm_len='128', des=False, cast128=False, md5=False, sha1=False, sha256=False, sha384=True, sha512=True, aesxcbc=False, pfsgroup='14', lifetime=3600"
    ],
    "stderr": "",
    "stderr_lines": [],
    "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
    "stdout_lines": [
        "pfSense shell: global $debug;",
        "pfSense shell: $debug = 1;",
        "pfSense shell: global $config;",
        "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
        "pfSense shell: exec",
        "pfSense shell: exit"
    ]
}
```
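A post-run check for the behaviour described in this report, added here as an example (it is not pfsensible.core or pfSense code): it reads the hash algorithms pfSense actually stored for the phase-2 entry, compares them with the ones the task set to true, and builds the parameter set the reporter's workaround implies (hash keys set to false omitted). The `phase2` element layout and the `hmac_*` option names are assumed from pfSense's config.xml, and the XML fragment is constructed so that every hash key the task set, true or false, appears enabled.

```python
"""Added example, not pfsensible.core or pfSense code: after an Ansible run,
verify that a phase-2 entry enables only the hash algorithms the task set to true.
Assumed: the phase2 layout and hmac_* names follow pfSense's config.xml; the XML
fragment below is constructed to model the behaviour reported (false keys enabled)."""
import xml.etree.ElementTree as ET

# Task parameter name -> config.xml hash-algorithm-option value (assumed mapping).
HASH_MAP = {"md5": "hmac_md5", "sha1": "hmac_sha1", "sha256": "hmac_sha256",
            "sha384": "hmac_sha384", "sha512": "hmac_sha512", "aesxcbc": "aesxcbc"}

# The pfsense_ipsec_p2 hash parameters from the report's playbook.
P2_TASK = {"descr": "[Test] IPSEC01 P2-01", "md5": False, "sha1": False,
           "sha256": False, "sha384": True, "sha512": True, "aesxcbc": False}

# Constructed config.xml fragment: every hash key that was *set* shows up enabled.
CONFIG_XML = """<pfsense><ipsec><phase2>
  <descr>[Test] IPSEC01 P2-01</descr>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
  <hash-algorithm-option>hmac_sha384</hash-algorithm-option>
  <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
  <hash-algorithm-option>aesxcbc</hash-algorithm-option>
</phase2></ipsec></pfsense>"""

def intended_hashes(params):
    """What the task means: enable only the algorithms explicitly set to true."""
    return {HASH_MAP[k] for k, v in params.items() if k in HASH_MAP and v is True}

def applied_hashes(config_xml, descr):
    """Read back the hash algorithms pfSense stored for the phase-2 entry `descr`."""
    root = ET.fromstring(config_xml)
    for p2 in root.iter("phase2"):
        if p2.findtext("descr") == descr:
            return {e.text for e in p2.findall("hash-algorithm-option")}
    raise LookupError(f"no phase2 entry named {descr!r}")

def drift(params, config_xml):
    """Algorithms enabled on the firewall that the task did not ask for."""
    return sorted(applied_hashes(config_xml, params["descr"]) - intended_hashes(params))

def workaround_params(params):
    """Workaround from the report: drop the hash keys set to false entirely."""
    return {k: v for k, v in params.items() if k not in HASH_MAP or v}

if __name__ == "__main__":
    print("intended:", sorted(intended_hashes(P2_TASK)))
    print("drift   :", drift(P2_TASK, CONFIG_XML))
    print("params to send instead:", workaround_params(P2_TASK))
```

Run it against a real `config.xml` pulled from the firewall after the play: an empty drift list means the phase-2 entry matches the task's intent, anything else lists the algorithms that should have stayed off.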