Comments (25)

f-bor commented on July 19, 2024

Sorry about that. It's fixed.

from ansible-pfsense.

opoplawski commented on July 19, 2024

It's hard to say for sure. Going through the config.xml migrations the possible impacts I see are:

  • (19.9) ipsec phase1 authentication_method rsasig -> cert
  • (20.1) authserver ldap_urltype names change
  • (20.2) language name changes zh_HK -> zh_Hans_HK, zh_TW -> zh_Hant_TW
  • (20.9) ipsec VTI -> VTIMAP changes
  • (21.3) ipsec
    • if reauth_enable then must set reauth_time=0
    • else set reauth_time=lifetime-margintime
                /* Auto or IKEv2, rekey items */
                if (($ph1ent['iketype'] == 'ikev2') || ($ph1ent['iketype'] == 'auto')) {
                        if (isset($ph1ent['rekey_enable'])) {
                                /* Disable rekey */
                                $ph1ent['rekey_time'] = "0";
                                $ph1ent['reauth_time'] = "0";
                        } elseif (!empty($ph1ent['margintime'])) {
                                /* If margintime is set, use that to calculate rekey_time */
                                $ph1ent['rekey_time'] = ($ph1ent['lifetime'] - $ph1ent['margintime']);
                        }
                }

                if (!empty($ph1ent['margintime'])) {
                        $ph1ent['rand_time'] = $ph1ent['margintime'];
                }

                /* Older snaps had over_time, now need lifetime back. */
                if (!empty($ph1ent['over_time']) && empty($ph1ent['lifetime'])) {
                        $ph1ent['lifetime'] = $ph1ent['over_time'] + max($ph1ent['rekey_time'], $ph1ent['reauth_time']);
                }

                unset($ph1ent['reauth_enable'], $ph1ent['rekey_enable'], $ph1ent['margintime'], $ph1ent['over_time']);

So, some significant changes for ipsec and some minor changes for authserver_ldap and setup language. We'll have to think about how we want to handle this. We have generally said that we will only support the latest version - and that may remain the case. Or we could possibly support multiple versions if it's seen as needed and not too hard. It will be interesting to see how quickly 2.5.0 is adopted.
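
The timer migration quoted in the comment above, mirrored in Python as an added example (not pfSense or pfsensible code): it applies only the quoted excerpt to a phase 1 entry modelled as a dict and flags entries whose derived rekey_time ends up zero or negative. The function names, the string-valued dict layout and counting missing timers as 0 are assumptions.

```python
# Added example: mirrors only the PHP excerpt quoted above; not pfSense or
# pfsensible code. A phase 1 entry is modelled as a dict of strings.
def _empty(value):
    """Approximate PHP empty(): a missing key, "", "0" and 0 are all empty."""
    return value in (None, "", "0", 0)

def _num(value):
    """Assumption: an empty or missing timer counts as 0 in arithmetic."""
    return 0 if _empty(value) else int(value)

def migrate_phase1_timers(ph1):
    """Return a copy of a pre-2.5.0 phase 1 dict with the new timer keys."""
    out = dict(ph1)
    if out.get("iketype") in ("ikev2", "auto"):
        if "rekey_enable" in out:  # like isset(): the tag only has to exist
            out["rekey_time"] = "0"
            out["reauth_time"] = "0"
        elif not _empty(out.get("margintime")):
            out["rekey_time"] = str(_num(out.get("lifetime")) - _num(out["margintime"]))
    if not _empty(out.get("margintime")):
        out["rand_time"] = out["margintime"]
    if not _empty(out.get("over_time")) and _empty(out.get("lifetime")):
        longest = max(_num(out.get("rekey_time")), _num(out.get("reauth_time")))
        out["lifetime"] = str(_num(out["over_time"]) + longest)
    for legacy in ("reauth_enable", "rekey_enable", "margintime", "over_time"):
        out.pop(legacy, None)
    return out

def audit_phase1(ph1):
    """List timer findings to review before the entry is migrated."""
    rekey = migrate_phase1_timers(ph1).get("rekey_time")
    findings = []
    if "rekey_enable" in ph1 and rekey == "0":
        findings.append("rekey disabled: rekey_time and reauth_time set to 0")
    elif rekey is not None and int(rekey) <= 0:
        findings.append("rekey_time not positive: margintime >= lifetime")
    return findings

# Constructed sample entries (not from a real config.xml)
SAMPLES = [
    {"iketype": "ikev2", "lifetime": "28800", "margintime": "540"},
    {"iketype": "auto", "lifetime": "28800", "rekey_enable": ""},
    {"iketype": "ikev2", "lifetime": "300", "margintime": "540"},
    {"iketype": "ikev1", "lifetime": "28800", "margintime": "540"},
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(migrate_phase1_timers(entry), audit_phase1(entry))
```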

sudheeshb commented on July 19, 2024

Thanks!

-> We have generally said that we will only support the latest version.

This means you have plans to add support for 2.5.0 as that is the latest version now? Any time frame in mind?

opoplawski commented on July 19, 2024

We will certainly work on supporting 2.5.0. I've put in a fix for pfsense_authserver_ldap already. @f-bor is the author of the ipsec modules though and I don't make use of them so I'll let him speak to that.

f-bor commented on July 19, 2024

For now, I need to support 2.4.x for my own use.

I have added a quick is_version function in my last commit to check pfSense version and to behave accordingly.

I will work on 2.5.0 support this weekend and on pfSense+ next week.

sudheeshb commented on July 19, 2024

Thanks! I also plan to delay the pfSense 2.5.0 upgrade process because of the reported issues. Will wait for another one or two weeks before the upgrade. Hopefully ansible support will be ready by that time.

f-bor commented on July 19, 2024

It should be ok for ipsec. I have added the new timing parameters and two others I need (NAT-T port and duplicate endpoints).

Which modules are you using besides pfsense_rule and pfsense_alias?

sudheeshb commented on July 19, 2024

As of now I am using only interface, alias and rules.

f-bor commented on July 19, 2024

ok. Interface is probably broken. I'll try to look into it soon.

f-bor commented on July 19, 2024

It seems you are not running the last version of our modules. Can you update them and try again?

robindbe commented on July 19, 2024

> It seems you are not running the last version of our modules. Can you update them and try again?

I indeed wasn't, I noticed it right after commenting, so I deleted my comment in the meantime. It works fine now :)

opoplawski commented on July 19, 2024

@f-bor ipsec tests are failing with missing fixtures. Could you fix that please? Thanks.

opoplawski commented on July 19, 2024

Are there any remaining 2.5 support issues to be addressed?

opoplawski commented on July 19, 2024

Just as a heads up - I will be on vacation Mar 20-26 and offline.

coffeelover commented on July 19, 2024

Also for authserver_ldap: There is a new setting "Shell Authentication" (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/auth.inc#L2306) that allows with pam_ldap_groupdn to limit the login to group members also on shell.

hambuergaer commented on July 19, 2024

The aggregate module is currently not working properly on 2.5.0 because "is_jumbo_capable" is now implemented differently on the pfSense side. For this reason the vlan plugin, which is called by the aggregate module, fails.

f-bor commented on July 19, 2024

@hambuergaer this was fixed just after the release of 2.5.0. Are you working with a recent version of our modules?

hambuergaer commented on July 19, 2024

@f-bor: I am using https://galaxy.ansible.com/pfsensible/core version 0.4.1 and it's not working for me.

hambuergaer commented on July 19, 2024

@f-bor: the fix seems not to be included in the current version available on Ansible Galaxy. But I see the fix already in the Git repo. When do you expect to release a new version in Ansible Galaxy?

f-bor commented on July 19, 2024

@hambuergaer I don't know. opoplawski manages that part.

In the meantime, you can build & install the collection from pfsensible repository with the following:

git clone https://github.com/pfsensible/core.git
cd core
ansible-galaxy collection build
ansible-galaxy collection install pfsensible-core-0.4.1.tar.gz --force

opoplawski commented on July 19, 2024

@hambuergaer 0.4.2 has been pushed to galaxy. Should have all the latest code.

coffeelover commented on July 19, 2024

@opoplawski @f-bor I have added the settings for pfsense_setup and pfsense_auth_server_ldap (shell auth) for systems >=2.5.0.
I'm using the is_at_least_2_5_0 function for the new settings.

devcose commented on July 19, 2024

@f-bor seems there is an issue when creating multiple VTI interfaces because of the change in ipsec numbering in 2.5.

The first interface works fine, then afterward the interfaces just get overwritten, as they are both just ipsec.
Not sure if this has already been addressed and I'm missing something.
Thanks

therevoman commented on July 19, 2024

Ran into an issue with the play pfsense_setup.yaml with 2.5.2.
python is 3.8
ansible_python_interpreter=/usr/local/bin/python3.8

the nss_pam_ldap stuff is no longer valid, also adding the package py27-ipaddress
nslcd is no longer installed or available.

Also pkg add has changed to pkg install

opoplawski commented on July 19, 2024

I'm going to close this issue because there is just too much in it at this point. Please file individual issues for other problems.

I've updated the README to indicate issues with python 3.8 discovery.
