pfsense_ipsec_aggregate
Orion Poplawski edited this page Jan 1, 2024 · 5 revisions
Manage multiple pfSense IPsec tunnels, their phase 1 and phase 2 entries, and
their proposals
ADDED IN: version 0.1.0 of pfsensible.core
OPTIONS (= is mandatory):
- aggregated_ipsec_p2s
Dict of IPsec tunnels phase 2 options to apply on the target
default: null
elements: dict
type: list
SUBOPTIONS:
- aes
Set this option to enable AES encryption.
default: null
type: bool
- aes128gcm
Set this option to enable AES128-GCM encryption.
default: null
type: bool
- aes128gcm_len
AES128-GCM encryption key length
choices: [auto, '64', '96', '128']
default: null
type: str
- aes192gcm
Set this option to enable AES192-GCM encryption.
default: null
type: bool
- aes192gcm_len
AES192-GCM encryption key length
choices: [auto, '64', '96', '128']
default: null
type: str
- aes256gcm
Set this option to enable AES256-GCM encryption.
default: null
type: bool
- aes256gcm_len
AES256-GCM encryption key length
choices: [auto, '64', '96', '128']
default: null
type: str
- aes_len
AES encryption key length
choices: [auto, '128', '192', '256']
default: null
type: str
- aesxcbc
Set this option to enable AES-XCBC hashing.
default: null
type: bool
- apply
Apply VPN configuration on target pfSense
default: true
type: bool
- blowfish
Set this option to enable Blowfish encryption.
default: null
type: bool
- blowfish_len
Blowfish encryption key length
choices: [auto, '128', '192', '256']
default: null
type: str
- cast128
Set this option to enable CAST128 encryption.
default: null
type: bool
- des
Set this option to enable 3DES encryption.
default: null
type: bool
= descr
The description of the IPsec tunnel phase2
type: str
- disabled
Set this option to disable this phase2 without removing it
from the list.
default: false
type: bool
- lifetime
Specifies how often the connection must be rekeyed, in
seconds
default: 3600
type: int
- local
Local network component of this IPsec security
association.
default: null
type: str
- md5
Set this option to enable MD5 hashing.
default: null
type: bool
- mode
Method for managing IPsec traffic
choices: [tunnel, tunnel6, transport, vti]
default: null
type: str
- nat
If NAT/BINAT is required on the local network, specify the
address to be translated
default: null
type: str
= p1_descr
The description of the IPsec tunnel
type: str
- pfsgroup
PFS key group, 0 for off. DH groups 1, 2, 22, 23, and 24
provide weak security and should be avoided.
choices: ['0', '1', '2', '5', '14', '15', '16', '17', '18', '19', '20', '21', '22', '23', '24',
'28', '29', '30']
default: '14'
type: str
- pinghost
Automatically ping host
default: null
type: str
- protocol
Encapsulating Security Payload (ESP) is encryption,
Authentication Header (AH) is authentication only.
choices: [esp, ah]
default: esp
type: str
- remote
Remote network component of this IPsec security
association.
default: null
type: str
- sha1
Set this option to enable SHA1 hashing.
default: null
type: bool
- sha256
Set this option to enable SHA256 hashing.
default: null
type: bool
- sha384
Set this option to enable SHA384 hashing.
default: null
type: bool
- sha512
Set this option to enable SHA512 hashing.
default: null
type: bool
- state
State in which to leave the IPsec tunnel phase2
choices: [present, absent]
default: present
type: str
- aggregated_ipsec_proposals
Dict of IPsec proposals to apply on the target
default: null
elements: dict
type: list
SUBOPTIONS:
- apply
Apply VPN configuration on target pfSense
default: true
type: bool
- descr
The description of the IPsec tunnel on which to
create/delete the proposal.
default: null
type: str
= dhgroup
DH group. DH groups 1, 2, 22, 23, and 24 provide weak
security and should be avoided.
choices: [1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 28, 29, 30]
type: int
= encryption
Encryption algorithm. aes128gcm, aes192gcm and aes256gcm
can only be used with IKEv2 tunnels. Blowfish, 3DES and
CAST128 provide weak security and should be avoided.
choices: [aes, aes128gcm, aes192gcm, aes256gcm, blowfish, 3des, cast128]
type: str
= hash
Hash algorithm. MD5 and SHA1 provide weak security and
should be avoided.
choices: [md5, sha1, sha256, sha384, sha512, aesxcbc]
type: str
- key_length
Encryption key length
choices: [64, 96, 128, 192, 256]
default: null
type: int
- prf
PRF algorithm. Manual PRF selection is not required, but
can be useful in combination with AEAD Encryption
Algorithms such as AES-GCM
choices: [md5, sha1, sha256, sha384, sha512, aesxcbc]
default: null
type: str
- state
State in which to leave the IPsec proposal.
choices: [present, absent]
default: present
type: str
- aggregated_ipsecs
Dict of IPsec tunnels and phase 1 options to apply on the
target
default: null
elements: dict
type: list
SUBOPTIONS:
- apply
Apply VPN configuration on target pfSense
default: true
type: bool
- authentication_method
Authentication method. Must match the setting chosen on the
remote side.
choices: [pre_shared_key, rsasig]
default: null
type: str
- certificate
a certificate previously configured
default: null
type: str
- certificate_authority
a certificate authority previously configured
default: null
type: str
- closeaction
Set this option to control the behavior when the remote
peer unexpectedly closes a child SA (P2). New in pfSense
2.5.2.
choices: ['', none, start, trap]
default: ''
type: str
added in: version 0.5.2 of pfsensible.core
= descr
The description of the IPsec tunnel
default: null
type: str
- disable_reauth
(IKEv2 only) Whether rekeying of an IKE_SA should also
reauthenticate the peer. In IKEv1, reauthentication is
always done.
default: false
type: bool
- disable_rekey
Disables renegotiation when a connection is about to
expire (deprecated with pfSense 2.5.0)
default: null
type: bool
- disabled
Set this option to disable this phase1 without removing it
from the list.
default: null
type: bool
- dpd_delay
Delay between requesting peer acknowledgement.
default: 10
type: int
- dpd_maxfail
Number of consecutive failures allowed before disconnect.
default: 5
type: int
- enable_dpd
Enable dead peer detection
default: true
type: bool
- gw_duplicates
Allow multiple phase 1 configurations with the same
endpoint
default: null
type: bool
- iketype
Internet Key Exchange protocol version to be used. Auto
uses IKEv2 when initiator, and accepts either IKEv1 or
IKEv2 as responder.
choices: [ikev1, ikev2, auto]
default: null
type: str
- interface
Interface for the local endpoint of this phase1 entry.
default: null
type: str
- lifetime
The lifetime defines how often the connection will be
rekeyed, in seconds.
default: 28800
type: int
- margintime
How long before connection expiry or keying-channel expiry
attempts to negotiate a replacement should begin
(deprecated with pfSense 2.5.0)
default: null
type: int
- mobike
(IKEv2 only) Set this option to control the use of MOBIKE
choices: ['on', 'off']
default: 'off'
type: str
- mode
Negotiation mode. Aggressive is more flexible, but less
secure. Only for IKEv1 or Auto.
choices: [main, aggressive]
default: null
type: str
- myid_data
Local identifier value.
default: null
type: str
- myid_type
Local identifier type.
choices: [myaddress, address, fqdn, user_fqdn, asn1dn, keyid tag, dyn_dns]
default: myaddress
type: str
- nat_traversal
Set this option to enable the use of NAT-T (i.e. the
encapsulation of ESP in UDP packets) if needed, which can
help with clients that are behind restrictive firewalls.
choices: ['on', force]
default: 'on'
type: str
- nattport
UDP port for NAT-T on the remote gateway.
default: null
type: int
- peerid_data
Remote identifier value.
default: null
type: str
- peerid_type
Remote identifier type.
choices: [any, peeraddress, address, fqdn, user_fqdn, asn1dn, keyid tag]
default: peeraddress
type: str
- preshared_key
This key must match on both peers.
default: null
type: str
- protocol
IP family
choices: [inet, inet6, both]
default: inet
type: str
- rand_time
A random value up to this amount will be subtracted from
Rekey Time/Reauth Time to avoid simultaneous
renegotiation.
default: null
type: int
- reauth_time
Time, in seconds, before an IKE SA is torn down and
recreated from scratch, including authentication.
default: null
type: int
- rekey_time
Time, in seconds, before an IKE SA establishes new keys.
default: null
type: int
- remote_gateway
Public IP address or host name of the remote gateway.
default: null
type: str
- responderonly
Enable this option to never initiate this connection from
this side, only respond to incoming requests. Removed in
pfSense 2.5.2.
default: null
type: bool
- splitconn
(IKEv2 only) Enable this to split connection entries with
multiple phase 2 configurations
default: false
type: bool
- startaction
Set this option to force specific initiation/responder
behavior for child SA (P2) entries. New in pfSense 2.5.2.
choices: ['', none, start, trap]
default: ''
type: str
- state
State in which to leave the IPsec tunnel
choices: [present, absent]
default: present
type: str
- apply
Apply VPN configuration on target pfSense
default: true
type: bool
- purge_ipsec_p2s
Delete every phase 2 entry on the target that is not defined in
aggregated_ipsec_p2s
default: false
type: bool
- purge_ipsec_proposals
Delete every phase 1 proposal on the target that is not defined in
aggregated_ipsec_proposals
default: false
type: bool
- purge_ipsecs
Delete every IPsec tunnel on the target that is not defined in
aggregated_ipsecs
default: false
type: bool
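The purge_* options are the destructive part of this module: with them set, anything on the firewall that the aggregated_* lists do not mention is removed, so a typo in a descr silently becomes a deletion. The dry-run planner below is an added example, not pfsensible.core's code and not connected to any firewall; it models only the documented semantics (state=present creates what is missing, state=absent deletes what exists, purge_* deletes everything unlisted) and prints command lists in the shape of the result_* return values. The EXISTING snapshot and PARAMS task are constructed for illustration, the tunnel entries are abridged to descr, and treating a deleted tunnel's proposals and phase 2 entries as gone with it is an assumption of this planner.

```python
"""Dry-run planner for the purge_* options of pfsense_ipsec_aggregate.

Added example; not pfsensible.core code. It never talks to a firewall, it only
shows what the documented create/delete/purge semantics would do to a given
snapshot of existing configuration.
"""
from typing import Dict, List, Set, Tuple

Proposal = Tuple[str, str, int, str, int]  # (tunnel, encryption, key_length, hash, dhgroup)
Phase2 = Tuple[str, str]                   # (tunnel, descr)

# Constructed snapshot of what the target currently has (not real data).
EXISTING = {
    "ipsecs": {"t1", "legacy"},
    "proposals": {("t1", "aes", 128, "sha256", 14), ("legacy", "3des", 0, "md5", 2)},
    "p2s": {("t1", "t1_p2_1"), ("legacy", "legacy_p2")},
}

# Constructed task parameters (tunnel entries abridged): keep t1, add t2, purge the rest.
PARAMS = {
    "purge_ipsecs": True, "purge_ipsec_proposals": True, "purge_ipsec_p2s": True,
    "aggregated_ipsecs": [{"descr": "t1"}, {"descr": "t2"}],
    "aggregated_ipsec_proposals": [
        {"descr": "t1", "encryption": "aes", "key_length": 128, "hash": "sha256", "dhgroup": 14},
        {"descr": "t2", "encryption": "aes256gcm", "key_length": 128, "hash": "sha256", "dhgroup": 14},
    ],
    "aggregated_ipsec_p2s": [
        {"descr": "t1_p2_1", "p1_descr": "t1"},
        {"descr": "t2_p2_1", "p1_descr": "t2"},
    ],
}


def _prop_key(p: dict) -> Proposal:
    """Proposals have no name; identify them by their full parameter set."""
    return (p["descr"], p["encryption"], int(p.get("key_length") or 0), p["hash"], int(p["dhgroup"]))


def _fmt_prop(verb: str, k: Proposal) -> str:
    return (f"{verb} ipsec_proposal on '{k[0]}', encryption='{k[1]}', "
            f"key_length={k[2]}, hash='{k[3]}', dhgroup='{k[4]}'")


def plan(existing: dict, params: dict) -> Dict[str, List[str]]:
    """Return the create/delete commands the task implies (attribute updates are not modelled)."""
    result: Dict[str, List[str]] = {"result_ipsecs": [], "result_ipsec_proposals": [], "result_ipsec_p2s": []}

    # Phase 1 tunnels.
    wanted: Set[str] = set()
    gone: Set[str] = set()
    for t in params.get("aggregated_ipsecs", []):
        name = t["descr"]
        if t.get("state", "present") == "present":
            wanted.add(name)
            if name not in existing["ipsecs"]:
                result["result_ipsecs"].append(f"create ipsec '{name}'")
        elif name in existing["ipsecs"]:
            gone.add(name)
    if params.get("purge_ipsecs"):
        gone |= existing["ipsecs"] - wanted          # unlisted tunnels are removed
    result["result_ipsecs"] += [f"delete ipsec '{n}'" for n in sorted(gone)]

    # Phase 1 proposals.
    wanted_props: Set[Proposal] = set()
    for p in params.get("aggregated_ipsec_proposals", []):
        key = _prop_key(p)
        if p.get("state", "present") == "present":
            wanted_props.add(key)
            if key not in existing["proposals"]:
                result["result_ipsec_proposals"].append(_fmt_prop("create", key))
        elif key in existing["proposals"]:
            result["result_ipsec_proposals"].append(_fmt_prop("delete", key))
    if params.get("purge_ipsec_proposals"):
        for key in sorted(existing["proposals"] - wanted_props):
            if key[0] not in gone:                    # assumption: children vanish with their tunnel
                result["result_ipsec_proposals"].append(_fmt_prop("delete", key))

    # Phase 2 entries, keyed by (parent tunnel, description).
    wanted_p2s: Set[Phase2] = set()
    for s in params.get("aggregated_ipsec_p2s", []):
        key = (s["p1_descr"], s["descr"])
        if s.get("state", "present") == "present":
            wanted_p2s.add(key)
            if key not in existing["p2s"]:
                result["result_ipsec_p2s"].append(f"create ipsec_p2 '{key[1]}' on '{key[0]}'")
        elif key in existing["p2s"]:
            result["result_ipsec_p2s"].append(f"delete ipsec_p2 '{key[1]}' on '{key[0]}'")
    if params.get("purge_ipsec_p2s"):
        for key in sorted(existing["p2s"] - wanted_p2s):
            if key[0] not in gone:
                result["result_ipsec_p2s"].append(f"delete ipsec_p2 '{key[1]}' on '{key[0]}'")
    return result


if __name__ == "__main__":
    for section, cmds in plan(EXISTING, PARAMS).items():
        print(section)
        for c in cmds:
            print("  " + c)
```

Running it against the constructed snapshot shows the point of the purge flags: "legacy" and everything under it is deleted although the task never names it, and flipping the three purge_* flags to false leaves only the two create commands.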
NOTES:
* The aggregated_* lists use the same option definitions as the
corresponding pfsense module
AUTHOR: Frederic Bor (@f-bor)
METADATA:
metadata_version: '1.1'
status:
- preview
supported_by: community
EXAMPLES:
- name: "Setup two tunnels with two proposals and two phase 2 each, and delete everything else"
pfsense_ipsec_aggregate:
purge_ipsecs: true
purge_ipsec_proposals: true
purge_ipsec_p2s: true
aggregated_ipsecs:
- { descr: t1, interface: wan, remote_gateway: 1.3.3.1, iketype: ikev2, authentication_method: pre_shared_key, preshared_key: azerty123 }
- { descr: t2, interface: wan, remote_gateway: 1.3.4.1, iketype: ikev2, authentication_method: pre_shared_key, preshared_key: qwerty123 }
aggregated_ipsec_proposals:
- { descr: t1, encryption: aes, key_length: 128, hash: md5, dhgroup: 14}
- { descr: t2, encryption: 3des, hash: sha512, dhgroup: 14}
aggregated_ipsec_p2s:
- { descr: t1_p2_1, p1_descr: t1, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.30.40/24, aes: True, aes_len: auto, sha256: True }
- { descr: t1_p2_2, p1_descr: t1, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.30.50/24, aes: True, aes_len: auto, sha256: True }
- { descr: t2_p2_1, p1_descr: t2, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.40.40/24, aes: True, aes_len: auto, sha256: True }
- { descr: t2_p2_2, p1_descr: t2, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.40.50/24, aes: True, aes_len: auto, sha256: True }
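The example task above uses hash: md5 on t1 and encryption: 3des on t2, both of which this page's own option descriptions say provide weak security and should be avoided. The checker below is an added example, not pfsensible.core code; it encodes only the cautions stated in the option descriptions (weak DH groups 1, 2, 22, 23, 24; Blowfish, 3DES and CAST128; MD5 and SHA1; AES-GCM only on IKEv2 tunnels; aggressive mode being less secure) and runs them over the task parameters so weak settings surface in review rather than on the firewall. EXAMPLE reproduces the page's task as a Python dict (phase 2 entries abridged to two); treating iketype auto as not satisfying the IKEv2 requirement is this checker's own choice.

```python
"""Pre-flight lint for pfsense_ipsec_aggregate parameters.

Added example, not pfsensible.core code. Checks are limited to the cautions
the module documentation states; passing the lint does not mean a policy is
strong, only that none of the documented weak choices is present.
"""
from typing import Dict, List

WEAK_DH = {1, 2, 22, 23, 24}
WEAK_ENC = {"blowfish", "3des", "cast128"}
WEAK_HASH = {"md5", "sha1"}
GCM = {"aes128gcm", "aes192gcm", "aes256gcm"}
P2_WEAK_ENC = {"blowfish": "Blowfish", "cast128": "CAST128", "des": "3DES"}  # phase 2 bool toggles
P2_WEAK_HASH = {"md5": "MD5", "sha1": "SHA1"}

# The page's example task, as a dict (phase 2 list abridged).
EXAMPLE = {
    "aggregated_ipsecs": [
        {"descr": "t1", "interface": "wan", "remote_gateway": "1.3.3.1", "iketype": "ikev2",
         "authentication_method": "pre_shared_key", "preshared_key": "azerty123"},
        {"descr": "t2", "interface": "wan", "remote_gateway": "1.3.4.1", "iketype": "ikev2",
         "authentication_method": "pre_shared_key", "preshared_key": "qwerty123"},
    ],
    "aggregated_ipsec_proposals": [
        {"descr": "t1", "encryption": "aes", "key_length": 128, "hash": "md5", "dhgroup": 14},
        {"descr": "t2", "encryption": "3des", "hash": "sha512", "dhgroup": 14},
    ],
    "aggregated_ipsec_p2s": [
        {"descr": "t1_p2_1", "p1_descr": "t1", "mode": "tunnel", "local": "1.2.3.4/24",
         "remote": "10.20.30.40/24", "aes": True, "aes_len": "auto", "sha256": True},
        {"descr": "t2_p2_1", "p1_descr": "t2", "mode": "tunnel", "local": "1.2.3.4/24",
         "remote": "10.20.40.40/24", "aes": True, "aes_len": "auto", "sha256": True},
    ],
}


def lint(params: dict) -> List[str]:
    """Return one finding per documented weak setting; an empty list means none found."""
    findings: List[str] = []

    iketype: Dict[str, str] = {}
    for t in params.get("aggregated_ipsecs", []):
        if t.get("state", "present") != "present":
            continue
        name = t["descr"]
        iketype[name] = t.get("iketype") or "auto"
        if t.get("mode") == "aggressive":
            findings.append(f"tunnel {name}: aggressive mode is less secure than main")

    for p in params.get("aggregated_ipsec_proposals", []):
        if p.get("state", "present") != "present":
            continue
        where, enc = f"proposal on {p['descr']}", p["encryption"]
        if enc in WEAK_ENC:
            findings.append(f"{where}: weak encryption {enc}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{where}: weak hash {p['hash']}")
        if int(p["dhgroup"]) in WEAK_DH:
            findings.append(f"{where}: weak DH group {p['dhgroup']}")
        # AES-GCM needs an IKEv2 tunnel; the check is skipped when the tunnel
        # is not defined in this task, and 'auto' is treated as not IKEv2.
        ike = iketype.get(p["descr"])
        if enc in GCM and ike is not None and ike != "ikev2":
            findings.append(f"{where}: {enc} requires an IKEv2 tunnel ({p['descr']} is {ike})")

    for s in params.get("aggregated_ipsec_p2s", []):
        if s.get("state", "present") != "present":
            continue
        where = f"phase2 {s['descr']}"
        for opt, label in P2_WEAK_ENC.items():
            if s.get(opt):
                findings.append(f"{where}: weak encryption {label}")
        for opt, label in P2_WEAK_HASH.items():
            if s.get(opt):
                findings.append(f"{where}: weak hash {label}")
        pfs = int(s.get("pfsgroup", "14"))  # module default is '14'; 0 means PFS off
        if pfs in WEAK_DH:
            findings.append(f"{where}: weak PFS group {pfs}")
    return findings


if __name__ == "__main__":
    for f in lint(EXAMPLE) or ["no documented weak setting found"]:
        print(f)
```

On the page's example the lint reports exactly the two weak choices, md5 on t1's proposal and 3des on t2's; the phase 2 entries pass because they use AES with SHA256 and the default PFS group 14.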
RETURN VALUES:
- result_ipsec_p2s
the set of commands that would be pushed to the remote device
(if pfSense had a CLI)
returned: success
sample: ["create ipsec_p2 'test_p2' on 'test_tunnel', disabled='False', mode='vti', local='1.2.3.1', ...",
         "delete ipsec_p2 'test_p2' on 'test_tunnel'"]
type: list
- result_ipsec_proposals
the set of commands that would be pushed to the remote device
(if pfSense had a CLI)
returned: success
sample: ["create ipsec_proposal on 'test_tunnel', encryption='aes128gcm', key_length=128, hash='sha256', dhgroup='14'",
         "delete ipsec_proposal on 'test_tunnel', encryption='aes128gcm', key_length=128, hash='sha256', dhgroup='14'"]
type: list
- result_ipsecs
the set of commands that would be pushed to the remote device
(if pfSense had a CLI)
returned: success
sample: ["create ipsec 'test_tunnel', iketype='ikev2', protocol='inet', interface='wan', remote_gateway='1.2.3.4', ...",
         "delete ipsec 'test_tunnel'"]
type: list