diff --git a/changelogs/fragments/129-api-ipsec.yml b/changelogs/fragments/129-api-ipsec.yml
new file mode 100644
index 00000000..c13b7a73
--- /dev/null
+++ b/changelogs/fragments/129-api-ipsec.yml
@@ -0,0 +1,3 @@
+minor_changes:
+  - api_modify, api_info - support API paths ``ip ipsec identity``, ``ip ipsec peer``, ``ip ipsec policy``, ``ip ipsec profile``, ``ip ipsec proposal``
+    (https://github.com/ansible-collections/community.routeros/pull/129).
diff --git a/plugins/module_utils/_api_data.py b/plugins/module_utils/_api_data.py
index 5bac5341..ad8ceb2f 100644
--- a/plugins/module_utils/_api_data.py
+++ b/plugins/module_utils/_api_data.py
@@ -301,6 +301,31 @@ def join_path(path):
             'transparent-proxy': KeyInfo(),
         },
     ),
+    ('ip', 'ipsec', 'identity'): APIData(
+        fully_understood=True,
+        primary_keys=('peer', ),
+        fields={
+            'auth-method': KeyInfo(default='pre-shared-key'),
+            'certificate': KeyInfo(),
+            'comment': KeyInfo(can_disable=True, remove_value=''),
+            'disabled': KeyInfo(default=False),
+            'eap-methods': KeyInfo(default='eap-tls'),
+            'generate-policy': KeyInfo(default=False),
+            'key': KeyInfo(),
+            'match-by': KeyInfo(can_disable=True, remove_value='remote-id'),
+            'mode-config': KeyInfo(can_disable=True, remove_value='none'),
+            'my-id': KeyInfo(can_disable=True, remove_value='auto'),
+            'notrack-chain': KeyInfo(can_disable=True, remove_value=''),
+            'password': KeyInfo(),
+            'peer': KeyInfo(),
+            'policy-template-group': KeyInfo(can_disable=True, remove_value='default'),
+            'remote-certificate': KeyInfo(),
+            'remote-id': KeyInfo(can_disable=True, remove_value='auto'),
+            'remote-key': KeyInfo(),
+            'secret': KeyInfo(default=''),
+            'username': KeyInfo(),
+        },
+    ),
     ('ip', 'ipsec', 'mode-config'): APIData(
         unknown_mechanism=True,
         # primary_keys=('default', ),
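Review bot: The `key`, `password`, `remote-key` and `secret` fields of the new `('ip', 'ipsec', 'identity')` entry hold credentials, yet nothing in the entry distinguishes them from ordinary attributes, so api_modify's diff and change output would presumably print pre-shared keys in clear text unless the modules already filter them elsewhere. RouterOS also tends to omit such values from `print` output unless sensitive values are explicitly requested; if the read path used for comparison does not request them, a play that sets `secret` would see a difference on every run, which is worth confirming against the api_info read path before merging. At minimum a comment at `'secret': KeyInfo(default='')` such as `# pre-shared key: sensitive, and not necessarily returned by a plain print` would tell maintainers why this field may need special handling. The enclosing dictionary literal starts and ends outside the hunk.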
@@ -311,6 +336,22 @@ def join_path(path):
             'use-responder-dns': KeyInfo(),
         },
     ),
+    ('ip', 'ipsec', 'peer'): APIData(
+        fully_understood=True,
+        primary_keys=('name', ),
+        fields={
+            'address': KeyInfo(can_disable=True, remove_value=''),
+            'comment': KeyInfo(can_disable=True, remove_value=''),
+            'disabled': KeyInfo(default=False),
+            'exchange-mode': KeyInfo(default='main'),
+            'local-address': KeyInfo(can_disable=True, remove_value='0.0.0.0'),
+            'name': KeyInfo(),
+            'passive': KeyInfo(can_disable=True, remove_value=False),
+            'port': KeyInfo(can_disable=True, remove_value=500),
+            'profile': KeyInfo(default='default'),
+            'send-initial-contact': KeyInfo(default=True),
+        },
+    ),
     ('ip', 'ipsec', 'policy', 'group'): APIData(
         unknown_mechanism=True,
         # primary_keys=('default', ),
@@ -320,32 +361,32 @@ def join_path(path):
         },
     ),
     ('ip', 'ipsec', 'profile'): APIData(
-        unknown_mechanism=True,
-        # primary_keys=('default', ),
+        fully_understood=True,
+        primary_keys=('name', ),
         fields={
-            'default': KeyInfo(),
-            'dh-group': KeyInfo(),
-            'dpd-interval': KeyInfo(),
-            'dpd-maximum-failures': KeyInfo(),
-            'enc-algorithm': KeyInfo(),
-            'hash-algorithm': KeyInfo(),
-            'lifetime': KeyInfo(),
+            'dh-group': KeyInfo(default='modp2048,modp1024'),
+            'dpd-interval': KeyInfo(default='2m'),
+            'dpd-maximum-failures': KeyInfo(default=5),
+            'enc-algorithm': KeyInfo(default='aes-128,3des'),
+            'hash-algorithm': KeyInfo(default='sha1'),
+            'lifebytes': KeyInfo(can_disable=True, remove_value=0),
+            'lifetime': KeyInfo(default='1d'),
             'name': KeyInfo(),
-            'nat-traversal': KeyInfo(),
-            'proposal-check': KeyInfo(),
+            'nat-traversal': KeyInfo(default=True),
+            'prf-algorithm': KeyInfo(can_disable=True, remove_value='auto'),
+            'proposal-check': KeyInfo(default='obey'),
         },
     ),
     ('ip', 'ipsec', 'proposal'): APIData(
-        unknown_mechanism=True,
-        # primary_keys=('default', ),
+        fully_understood=True,
+        primary_keys=('name', ),
         fields={
-            'default': KeyInfo(),
-            'auth-algorithms': KeyInfo(),
-            'disabled': KeyInfo(),
-            'enc-algorithms': KeyInfo(),
-            'lifetime': KeyInfo(),
+            'auth-algorithms': KeyInfo(default='sha1'),
+            'disabled': KeyInfo(default=False),
+            'enc-algorithms': KeyInfo(default='aes-256-cbc,aes-192-cbc,aes-128-cbc'),
+            'lifetime': KeyInfo(default='30m'),
             'name': KeyInfo(),
-            'pfs-group': KeyInfo(),
+            'pfs-group': KeyInfo(default='modp1024'),
         },
     ),
     ('ip', 'pool'): APIData(
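Review bot: The `default=` values added to `('ip', 'ipsec', 'profile')` and `('ip', 'ipsec', 'proposal')` bake legacy algorithms into the data model (`'aes-128,3des'`, `'sha1'`, `'modp1024'`), and nothing says where they come from; if, as I read the module, a `default` is the value api_modify enforces when a play omits the field, a task that manages a profile by `name` alone would silently reset `enc-algorithm` and `hash-algorithm` to these values. They presumably mirror the RouterOS factory settings rather than a recommendation, so a comment above the profile entry such as `# defaults mirror the RouterOS factory values for these paths (RouterOS version: TODO); they are not recommended settings` would make that explicit and give maintainers a version to re-check against. The multi-valued defaults (`'modp2048,modp1024'`, `'aes-256-cbc,aes-192-cbc,aes-128-cbc'`) also depend on RouterOS returning the list in this exact order; if the device reorders it, the comparison would report a change on every run, which is worth a test against a real device. The enclosing dictionary literal starts and ends outside the hunk.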
@@ -2127,15 +2168,25 @@ def join_path(path):
         },
     ),
     ('ip', 'ipsec', 'policy'): APIData(
-        has_identifier=True,
+        fully_understood=True,
         fields={
-            'disabled': KeyInfo(),
+            'action': KeyInfo(default='encrypt'),
+            'comment': KeyInfo(can_disable=True, remove_value=''),
+            'disabled': KeyInfo(default=False),
             'dst-address': KeyInfo(),
-            'group': KeyInfo(),
-            'proposal': KeyInfo(),
-            'protocol': KeyInfo(),
+            'dst-port': KeyInfo(default='any'),
+            'group': KeyInfo(can_disable=True, remove_value='default'),
+            'ipsec-protocols': KeyInfo(default='esp'),
+            'level': KeyInfo(default='require'),
+            'peer': KeyInfo(),
+            'proposal': KeyInfo(default='default'),
+            'protocol': KeyInfo(default='all'),
             'src-address': KeyInfo(),
-            'template': KeyInfo(),
+            'src-port': KeyInfo(default='any'),
+            'template': KeyInfo(can_disable=True, remove_value=False),
+            # the tepmlate field can't really be changed once the item is created. This config captures the behavior best as it can
+            # i.e. tepmplate=yes is shown, tepmlate=no is hidden
+            'tunnel': KeyInfo(default=False),
         },
     ),
     ('ip', 'service'): APIData(
diff --git a/plugins/modules/api_info.py b/plugins/modules/api_info.py
index b8d6aa69..92ca1a23 100644
--- a/plugins/modules/api_info.py
+++ b/plugins/modules/api_info.py
@@ -92,6 +92,11 @@
             - ip firewall nat
             - ip firewall service-port
             - ip hotspot service-port
+            - ip ipsec identity
+            - ip ipsec peer
+            - ip ipsec policy
+            - ip ipsec profile
+            - ip ipsec proposal
             - ip ipsec settings
             - ip neighbor discovery-settings
             - ip pool
diff --git a/plugins/modules/api_modify.py b/plugins/modules/api_modify.py
index 633836b6..4f3dbe8b 100644
--- a/plugins/modules/api_modify.py
+++ b/plugins/modules/api_modify.py
@@ -97,6 +97,11 @@
             - ip firewall nat
             - ip firewall service-port
             - ip hotspot service-port
+            - ip ipsec identity
+            - ip ipsec peer
+            - ip ipsec policy
+            - ip ipsec profile
+            - ip ipsec proposal
             - ip ipsec settings
             - ip neighbor discovery-settings
             - ip pool
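Review bot: The two comment lines added below `'template'` in `('ip', 'ipsec', 'policy')` misspell the field three times (`tepmlate`, `tepmplate`) and sit after the line they describe, so a reader scanning the dict will attach them to `'tunnel'`; moving them directly above `'template'` and writing `# template cannot be changed once the item is created; template=yes is shown, template=no is hidden, which can_disable/remove_value=False captures as well as possible` would fix both. The entry also replaces `has_identifier=True` with `fully_understood=True` but, unlike the other ipsec paths in this PR, declares no `primary_keys`; if api_modify needs a key to match existing policies, the way it identifies them for this path should be stated in a comment, since `src-address`/`dst-address`/`peer` look like the natural candidates but I cannot confirm that from the hunk. Finally, this entry lives at line ~2168 while the other `('ip', 'ipsec', ...)` entries sit around line 300; co-locating them would make the ipsec data model easier to review as a whole. The enclosing dictionary literal starts and ends outside the hunk.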