pfsense_ipsec_p2 hash algorithms #172

Open
nicolascoulomb opened this issue Feb 20, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@nicolascoulomb

When creating a P2 with pfsense_ipsec_p2, if you set the Hash Algorithms (sha1, sha256, sha384, sha512) with a boolean (true or false), they will already be enabled. The only way to disable a specific hash algorithm is to not set the value.

Playbook

```yaml
- pfsensible.core.pfsense_ipsec:
    authentication_method: pre_shared_key
    descr: '[Test] IPSEC01'
    disabled: true
    iketype: ikev2
    interface: vip:***.***.***.***
    preshared_key: ********
    remote_gateway: ***.***.***.***
    state: present

- pfsensible.core.pfsense_ipsec_proposal:
    descr: '[Test] IPSEC01'
    dhgroup: 14
    encryption: aes
    hash: sha256
    key_length: 256
    state: present

- pfsensible.core.pfsense_ipsec_p2:
    aes: true
    aes256gcm: true
    aes256gcm_len: 128
    aes_len: 128
    aesxcbc: false
    cast128: false
    des: false
    descr: '[Test] IPSEC01 P2-01'
    local: 10.50.0.0/24
    md5: false
    mode: tunnel
    p1_descr: '[Test] IPSEC01'
    remote: 10.10.0.0/24
    sha1: false
    sha256: false
    sha384: true
    sha512: true
    state: present
```

Output

```text
TASK [pfsense : pfsensible.core.pfsense_ipsec]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:3

[WARNING]: Platform freebsd on host pfsense-01 is using the discovered Python interpreter at /usr/local/bin/python3.11, but future installation of another Python interpreter could change the meaning of that path.
See https://docs.ansible.com/ansible-core/2.18/reference_appendices/interpreter_discovery.html for more information.

changed: [pfsense-01] => {
  "ansible_facts": {
    "discovered_interpreter_python": "/usr/local/bin/python3.11"
  },
  "changed": true,
  "commands": [
    "create ipsec '[Test] IPSEC01', disabled=True, iketype='ikev2', protocol='inet', interface='vip:***.***.***.***', remote_gateway='***.***.***.***', authentication_method='pre_shared_key', preshared_key='********', myid_type='myaddress', peerid_type='peeraddress', lifetime='28800', rekey_time='', reauth_time='', rand_time='', mobike='off', startaction='', closeaction='', nat_traversal='on', enable_dpd=True, dpd_delay='10', dpd_maxfail='5'"
  ],
  "stderr": "",
  "stderr_lines": [],
  "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
  "stdout_lines": [
    "pfSense shell: global $debug;",
    "pfSense shell: $debug = 1;",
    "pfSense shell: global $config;",
    "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
    "pfSense shell: exec",
    "pfSense shell: exit"
  ]
}

TASK [pfsense : pfsensible.core.pfsense_ipsec_proposal]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:13

changed: [pfsense-01] => {
  "changed": true,
  "commands": [
    "create ipsec_proposal '[Test] IPSEC01', encryption='aes', key_length=256, hash='sha256', dhgroup='14', prf='sha256'"
  ],
  "stderr": "",
  "stderr_lines": [],
  "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
  "stdout_lines": [
    "pfSense shell: global $debug;",
    "pfSense shell: $debug = 1;",
    "pfSense shell: global $config;",
    "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
    "pfSense shell: exec",
    "pfSense shell: exit"
  ]
}

TASK [pfsense : pfsensible.core.pfsense_ipsec_p2]
**************************************************************************
task path: /home/ncoulomb/Documents/Gitlab/vrack/roles/pfsense/tasks/main.yml:21

changed: [pfsense-01] => {
  "changed": true,
  "commands": [
    "create ipsec_p2 '[Test] IPSEC01 P2-01' on '[Test] IPSEC01', disabled=False, mode='tunnel', local='10.50.0.0/24', remote='10.10.0.0/24', aes=True, aes_len='128', aes256gcm=True, aes256gcm_len='128', des=False, cast128=False, md5=False, sha1=False, sha256=False, sha384=True, sha512=True, aesxcbc=False, pfsgroup='14', lifetime=3600"
  ],
  "stderr": "",
  "stderr_lines": [],
  "stdout": "pfSense shell: global $debug;\npfSense shell: $debug = 1;\npfSense shell: global $config;\npfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');\npfSense shell: exec\npfSense shell: exit\n",
  "stdout_lines": [
    "pfSense shell: global $debug;",
    "pfSense shell: $debug = 1;",
    "pfSense shell: global $config;",
    "pfSense shell: require_once('vpn.inc');$ipsec_dynamic_hosts = ipsec_configure();ipsec_reload_package_hook();$retval = 0;$retval |= filter_configure();if ($ipsec_dynamic_hosts >= 0 && is_subsystem_dirty('ipsec')) clear_subsystem_dirty('ipsec');",
    "pfSense shell: exec",
    "pfSense shell: exit"
  ]
}
```

Result (screenshot attached in the original issue)

Environment

  • What version of pfsensible.core? 0.62
  • What version of ansible? 11.1.0
  • What version of pfSense? 2.7.2
@nicolascoulomb nicolascoulomb added the bug Something isn't working label Feb 20, 2025
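The "commands" line in the output above shows the module received `sha1=False, sha256=False`, so the booleans were parsed correctly; the symptom (every algorithm that was set ends up enabled) is what you get when the enabled list is built from key presence instead of the key's value. The following is an added illustration of that pattern with its corrected form, written for this issue; it is not the pfsensible.core module code, and the parameter dict is constructed from the P2 task in the playbook.

```python
# Added illustration for this issue: NOT the pfsensible.core module code,
# only a reproduction of the "presence vs value" pattern that matches the
# reported symptom. Limited to the four algorithms the report names.
HASH_ALGOS = ("sha1", "sha256", "sha384", "sha512")

# Constructed from the pfsense_ipsec_p2 task in the playbook above.
P2_PARAMS = {
    "descr": "[Test] IPSEC01 P2-01",
    "aes": True, "aes_len": 128,
    "aes256gcm": True, "aes256gcm_len": 128,
    "sha1": False, "sha256": False,
    "sha384": True, "sha512": True,
}


def hash_options_buggy(params):
    """Builds the enabled list from key *presence*: a key explicitly set
    to False still counts as enabled, and only an unset key is disabled.
    This is the behaviour the issue describes (hypothetical cause)."""
    return sorted(h for h in HASH_ALGOS if params.get(h) is not None)


def hash_options_fixed(params):
    """Builds the enabled list from the boolean *value*; an unset key is
    treated the same as an explicit False."""
    return sorted(h for h in HASH_ALGOS if params.get(h) is True)


def unexpected_hashes(params, applied):
    """Drift check: algorithms present in the applied config that the
    playbook did not ask for. Useful as a post-apply assertion so a P2
    does not silently negotiate weaker hashes than intended."""
    wanted = set(hash_options_fixed(params))
    return sorted(set(applied) - wanted)


if __name__ == "__main__":
    print("buggy :", hash_options_buggy(P2_PARAMS))
    print("fixed :", hash_options_fixed(P2_PARAMS))
    print("drift :", unexpected_hashes(P2_PARAMS, hash_options_buggy(P2_PARAMS)))
```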