Comments (25)
Sorry about that. It's fixed.
from ansible-pfsense.
It's hard to say for sure. Going through the config.xml migrations the possible impacts I see are:
- (19.9) ipsec phase1 authentication_method rsasig -> cert
- (20.1) authserver ldap_urltype names change
- (20.2) language name changes zh_HK -> zh_Hans_HK, zh_TW -> zh_Hant_TW
- (20.9) ipsec VTI -> VTIMAP changes
- (21.3) ipsec
  - if reauth_enable then must set reauth_time=0
  - else set reauth_time=lifetime-margintime

```php
/* Auto or IKEv2, rekey items */
if (($ph1ent['iketype'] == 'ikev2') || ($ph1ent['iketype'] == 'auto')) {
    if (isset($ph1ent['rekey_enable'])) {
        /* Disable rekey */
        $ph1ent['rekey_time'] = "0";
        $ph1ent['reauth_time'] = "0";
    } elseif (!empty($ph1ent['margintime'])) {
        /* If margintime is set, use that to calculate rekey_time */
        $ph1ent['rekey_time'] = ($ph1ent['lifetime'] - $ph1ent['margintime']);
    }
}
/* margintime becomes the new rand_time */
if (!empty($ph1ent['margintime'])) {
    $ph1ent['rand_time'] = $ph1ent['margintime'];
}
/* Older snaps had over_time, now need lifetime back. */
if (!empty($ph1ent['over_time']) && empty($ph1ent['lifetime'])) {
    $ph1ent['lifetime'] = $ph1ent['over_time'] + max($ph1ent['rekey_time'], $ph1ent['reauth_time']);
}
/* Drop the 2.4.x-only fields */
unset($ph1ent['reauth_enable'], $ph1ent['rekey_enable'], $ph1ent['margintime'], $ph1ent['over_time']);
```
So, some significant changes for ipsec and some minor changes for authserver_ldap and setup language. We'll have to think about how we want to handle this. We have generally said that we will only support the latest version - and that may remain the case. Or we could possibly support multiple versions if it's seen as needed and not too hard. It will be interesting to see how quickly 2.5.0 is adopted.
from ansible-pfsense.
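As an added illustration (not code from ansible-pfsense or pfSense), the 21.3 phase1 rules from the comment above ported to Python behind a version gate, so a module can predict what a 2.4.x phase1 entry will read back as once the box runs 2.5.0. The reauth branch follows the comment's summary, and the version parser and the helper names are assumptions.

```python
import re

def pfsense_version_tuple(version):
    """Turn '2.4.5-RELEASE-p1' or '2.5.0' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised pfSense version: %r" % version)
    return tuple(int(x or 0) for x in m.groups())

def is_at_least_2_5_0(version):
    return pfsense_version_tuple(version) >= (2, 5, 0)

def migrate_phase1(ph1ent):
    """Return a copy of a 2.4.x phase1 dict with the 21.3 rules applied.
    Keys are config.xml element names, values the XML text (strings).
    A checkbox such as rekey_enable counts as set when the key is present
    at all, mirroring PHP isset() on an empty element."""
    p = dict(ph1ent)
    lifetime = int(p.get("lifetime") or 0)
    margintime = int(p.get("margintime") or 0)
    # reauth (per the comment's summary): disabled -> 0, else lifetime - margintime
    if "reauth_enable" in p:
        p["reauth_time"] = "0"
    else:
        p["reauth_time"] = str(lifetime - margintime)
    # rekey only exists for IKEv2 / Auto
    if p.get("iketype") in ("ikev2", "auto"):
        if "rekey_enable" in p:
            p["rekey_time"] = "0"
            p["reauth_time"] = "0"
        elif margintime:
            p["rekey_time"] = str(lifetime - margintime)
    if margintime:
        p["rand_time"] = str(margintime)
    # older snapshots stored over_time instead of lifetime
    if p.get("over_time") and not p.get("lifetime"):
        p["lifetime"] = str(int(p["over_time"]) + max(int(p.get("rekey_time") or 0),
                                                       int(p.get("reauth_time") or 0)))
    for key in ("reauth_enable", "rekey_enable", "margintime", "over_time"):
        p.pop(key, None)
    return p

def expected_phase1(ph1ent, version):
    """What a module should expect to read back for the given pfSense version."""
    return migrate_phase1(ph1ent) if is_at_least_2_5_0(version) else dict(ph1ent)
```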
Thanks!
-> We have generally said that we will only support the latest version.
This means you have plans to add support for 2.5.0 as that is the latest version now? Any time frame in mind?
from ansible-pfsense.
We will certainly work on supporting 2.5.0. I've put in a fix for pfsense_authserver_ldap already. @f-bor is the author of the ipsec modules though and I don't make use of them so I'll let him speak to that.
from ansible-pfsense.
For now, I need to support 2.4.x for my own use.
I have added a quick is_version function in my last commit to check pfSense version and to behave accordingly.
I will work on 2.5.0 support this weekend and on pfSense+ next week.
from ansible-pfsense.
Thanks! I also plan to delay the pfSense 2.5.0 upgrade process because of the reported issues. I will wait for another one or two weeks before the upgrade. Hopefully Ansible support will be ready by that time.
from ansible-pfsense.
It should be ok for ipsec. I have added the new timing parameters and two others I need (NAT-T port and duplicate endpoints).
Which modules are you using besides pfsense_rule and pfsense_alias?
from ansible-pfsense.
As of now I am using only interface, alias and rules.
from ansible-pfsense.
OK. Interface is probably broken. I'll try to look into it soon.
from ansible-pfsense.
It seems you are not running the latest version of our modules. Can you update them and try again?
from ansible-pfsense.
> It seems you are not running the latest version of our modules. Can you update them and try again?

I indeed wasn't. I noticed it right after commenting, so I deleted my comment in the meantime. It works fine now :)
from ansible-pfsense.
@f-bor ipsec tests are failing with missing fixtures. Could you fix that please? Thanks.
from ansible-pfsense.
Are there any remaining 2.5 support issues to be addressed?
from ansible-pfsense.
Just as a heads up - I will be on vacation Mar 20-26 and offline.
from ansible-pfsense.
Also for authserver_ldap: there is a new setting "Shell Authentication" (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/auth.inc#L2306) that, together with pam_ldap_groupdn, allows limiting shell login to group members as well.
from ansible-pfsense.
The aggregate module is currently not working properly on 2.5.0 because "is_jumbo_capable" is now implemented differently on the pfSense side. For this reason the vlan plugin, which is called by the aggregate module, fails.
from ansible-pfsense.
@hambuergaer this was fixed just after the release of 2.5.0. Are you working with a recent version of our modules?
from ansible-pfsense.
@f-bor: I am using https://galaxy.ansible.com/pfsensible/core version 0.4.1 and it's not working for me.
from ansible-pfsense.
@f-bor: the fix seems not to be included in the current version available on Ansible Galaxy, but I see the fix already in the Git repo. When do you expect to release a new version in Ansible Galaxy?
from ansible-pfsense.
@hambuergaer I don't know. opoplawski manages that part.
In the meantime, you can build & install the collection from the pfsensible repository with the following:

```shell
git clone https://github.com/pfsensible/core.git
cd core
ansible-galaxy collection build
ansible-galaxy collection install pfsensible-core-0.4.1.tar.gz --force
```
from ansible-pfsense.
@hambuergaer 0.4.2 has been pushed to galaxy. Should have all the latest code.
from ansible-pfsense.
@opoplawski @f-bor I have added the settings for pfsense_setup and pfsense_auth_server_ldap (shell auth) for systems >=2.5.0.
I'm using the is_at_least_2_5_0 function for the new settings.
from ansible-pfsense.
@f-bor it seems there is an issue when creating multiple VTI interfaces because of the change in ipsec numbering in 2.5.
The first interface works fine, then afterwards the interfaces just get overwritten, as they are both just "ipsec".
Not sure if this has already been addressed and I'm missing something.
Thanks
from ansible-pfsense.
Ran into an issue with the play pfsense_setup.yaml with 2.5.2.
Python is 3.8 (ansible_python_interpreter=/usr/local/bin/python3.8).
The nss_pam_ldap stuff is no longer valid, also adding the package py27-ipaddress. nslcd is no longer installed or available.
Also "pkg add" has changed to "pkg install".
from ansible-pfsense.
I'm going to close this issue because there is just too much in it at this point. Please file individual issues for other problems.
I've updated the README to indicate issues with python 3.8 discovery.
from ansible-pfsense.