From c4c4f2606450b830fdd8cba11e4ebf3aeedebb6e Mon Sep 17 00:00:00 2001 From: gusmb Date: Tue, 31 Oct 2023 11:46:39 +0100 Subject: [PATCH 01/12] update templates and schemas --- .../inventory/host_vars/ip-security.yml | 3 ++ .../docs/tables/ip-security.md | 6 +++ .../eos_cli_config_gen.jsonschema.json | 35 +++++++++++++++++ .../schemas/eos_cli_config_gen.schema.yml | 39 +++++++++++++++++++ .../schema_fragments/ip_security.schema.yml | 25 ++++++++++++ .../templates/eos/ip-security.j2 | 9 +++++ 6 files changed, 117 insertions(+) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml index 5f3e3b8c567..8222ebf0a8d 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml @@ -3,6 +3,9 @@ ip_security: ike_policies: - name: IKE-1 local_id: 192.168.100.1 + ike_lifetime: 24 + encryption: aes256 + dh_group: 20 - name: IKE-2 sa_policies: - name: SA-1 diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md index 7d0a1a06d24..b8a75e9a7b1 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md @@ -11,6 +11,9 @@ | [  ike_policies](## "ip_security.ike_policies") | List, items: Dictionary | | | | Internet Security Association and Key Mgmt Protocol. | | [    - name](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. | | [      local_id](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| + | [      ike_lifetime](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1
Max: 24 | IKE lifetime in hours.
| + | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- null
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| + | [      dh_group](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | Diffie-Hellman group for the key exchange.
| | [  sa_policies](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. | | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. | | [      esp](## "ip_security.sa_policies.[].esp") | Dictionary | | | | | @@ -38,6 +41,9 @@ ike_policies: - name: local_id: + ike_lifetime: + encryption: + dh_group: sa_policies: - name: esp: diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json index 13481bd47a2..a92906f53ca 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json @@ -6597,6 +6597,41 @@ "type": "string", "description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.\n", "title": "Local ID" + }, + "ike_lifetime": { + "type": "integer", + "minimum": 1, + "maximum": 24, + "description": "IKE lifetime in hours.\n", + "title": "Ike Lifetime" + }, + "encryption": { + "type": "string", + "enum": [ + "null", + "3des", + "aes128", + "aes256" + ], + "description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.\n", + "title": "Encryption" + }, + "dh_group": { + "type": "integer", + "enum": [ + 1, + 2, + 5, + 14, + 15, + 16, + 17, + 20, + 21, + 24 + ], + "description": "Diffie-Hellman group for the key exchange.\n", + "title": "Dh Group" } }, "additionalProperties": false, diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml index e740802f453..96fd7bb3e57 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml 
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml @@ -3788,6 +3788,45 @@ keys: Can be an IPv4 or an IPv6 address. + ' + ike_lifetime: + type: int + convert_types: + - str + min: 1 + max: 24 + description: 'IKE lifetime in hours. + + ' + encryption: + type: str + valid_values: + - 'null' + - 3des + - aes128 + - aes256 + description: 'Local IKE Identification. + + Can be an IPv4 or an IPv6 address. + + ' + dh_group: + type: int + convert_types: + - str + valid_values: + - 1 + - 2 + - 5 + - 14 + - 15 + - 16 + - 17 + - 20 + - 21 + - 24 + description: 'Diffie-Hellman group for the key exchange. + ' sa_policies: type: list diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml index d95f467b89a..5253c5a219d 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml @@ -24,6 +24,31 @@ keys: description: | Local IKE Identification. Can be an IPv4 or an IPv6 address. + ike_lifetime: + type: int + convert_types: + - str + min: 1 + max: 24 + description: | + IKE lifetime in hours. + encryption: + type: str + valid_values: + - "null" + - 3des + - aes128 + - aes256 + description: | + Local IKE Identification. + Can be an IPv4 or an IPv6 address. + dh_group: + type: int + convert_types: + - str + valid_values: [1, 2, 5, 14, 15, 16, 17, 20, 21, 24] + description: | + Diffie-Hellman group for the key exchange. sa_policies: type: list description: Security Association policies. diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 index fe27a581d16..8c25bab6001 100644 
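Review bot: The new `encryption` key under `ike_policies` in ip_security.schema.yml carries the description copied from `local_id` (`Local IKE Identification. Can be an IPv4 or an IPv6 address.`), which is wrong for a cipher selector and is propagated into the generated eos_cli_config_gen.schema.yml, the jsonschema and the docs table in this patch, and is still present in the rebuilt tables of PATCH 04 and PATCH 09. Replace it with `description: IKE encryption algorithm.` in the fragment and rebuild the generated schemas. The valid values also expose `3des` and Diffie-Hellman groups 1, 2 and 5, which are generally regarded as weak today; since this schema is the only place most AVD users see the available options, a one-line caveat in the `encryption` and `dh_group` descriptions pointing at AES and DH group 14 or higher would help operators avoid picking a weak policy by accident.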
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 @@ -13,6 +13,15 @@ ip security {% if ike_policy.local_id is arista.avd.defined %} local-id {{ ike_policy.local_id }} {% endif %} +{% if ike_policy.ike_lifetime is arista.avd.defined %} + ike-lifetime {{ ike_policy.ike_lifetime }} +{% endif %} +{% if ike_policy.encryption is arista.avd.defined %} + encryption {{ ike_policy.encryption }} +{% endif %} +{% if ike_policy.dh_group is arista.avd.defined %} + dh-group {{ ike_policy.dh_group }} +{% endif %} {% endfor %} {% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} ! From 8adeb28df1e6c7a6cde7cf63d430ad256f67c403 Mon Sep 17 00:00:00 2001 From: gusmb Date: Tue, 31 Oct 2023 12:30:39 +0100 Subject: [PATCH 02/12] refresh molecule --- .../eos_cli_config_gen/documentation/devices/ip-security.md | 3 +++ .../eos_cli_config_gen/intended/configs/ip-security.cfg | 3 +++ 2 files changed, 6 insertions(+) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index b895782ff90..1173d4db6d0 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -68,6 +68,9 @@ ip security ! ike policy IKE-1 local-id 192.168.100.1 + ike-lifetime 24 + encryption aes256 + dh-group 20 ! ike policy IKE-2 ! diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg index 68ee2b76db1..176d311dd66 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg 
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg @@ -11,6 +11,9 @@ ip security ! ike policy IKE-1 local-id 192.168.100.1 + ike-lifetime 24 + encryption aes256 + dh-group 20 ! ike policy IKE-2 ! From 0c3e479d0e7c43f278ea9bea4502dd3bedd09ad5 Mon Sep 17 00:00:00 2001 From: gusmb Date: Tue, 31 Oct 2023 15:55:59 +0100 Subject: [PATCH 03/12] update docs --- .../documentation/devices/ip-security.md | 17 +++++++++++++---- .../templates/documentation/ip-security.j2 | 8 ++++---- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index 1173d4db6d0..73e6b9bbc40 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -6,6 +6,7 @@ - [Management Interfaces](#management-interfaces) - [IP Security](#ip-security) - [IKE policies](#ike-policies) + - [Security Association policies](#security-association-policies) - [IPSec profiles](#ipsec-profiles) - [Key controller](#key-controller) - [IP Security Configuration](#ip-security-configuration) @@ -42,10 +43,18 @@ interface Management1 ### IKE policies -| Policy name | Local ID | -| ----------- | -------- | -| IKE-1 | 192.168.100.1 | -| IKE-2 | - | +| Policy name | IKE lifetime | Encryption | DH group | Local ID | +| ----------- | ------------ | ---------- | -------- | -------- | +| IKE-1 | 24 | aes256 | 20 | 192.168.100.1 | +| IKE-2 | - | - | - | - | + +### Security Association policies + +| Policy name | ESP Integrity | ESP Encryption | PFS DH Group | +| ----------- | ------------- | -------------- | ------------ | +| SA-1 | - | aes128 | 14 | +| SA-2 | - | aes128 | 14 | +| SA-3 | null | null | 17 | ### IPSec profiles 
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 index 81fa80e6027..249932e081f 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 @@ -11,13 +11,13 @@ ### IKE policies -| Policy name | Local ID | -| ----------- | -------- | +| Policy name | IKE lifetime | Encryption | DH group | Local ID | +| ----------- | ------------ | ---------- | -------- | -------- | {% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} -| {{ ike_policy.name }} | {{ ike_policy.local_id | arista.avd.default("-") }} | +| {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id | arista.avd.default("-") }} | {% endfor %} {% endif %} -{% if ip_security.ike_policie is arista.avd.defined %} +{% if ip_security.sa_policies is arista.avd.defined %} ### Security Association policies From c1ca94a394523c6ef99de0407244ce613c7b07fd Mon Sep 17 00:00:00 2001 From: gusmb Date: Wed, 8 Nov 2023 16:05:42 +0100 Subject: [PATCH 04/12] update schemas --- .../eos_cli_config_gen/docs/tables/ip-security.md | 8 ++++---- .../schemas/eos_cli_config_gen.jsonschema.json | 14 ++++++++------ .../schemas/eos_cli_config_gen.schema.yml | 11 +++++++---- .../schema_fragments/ip_security.schema.yml | 10 ++++++---- 4 files changed, 25 insertions(+), 18 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md index b8a75e9a7b1..71dd9231857 100644 
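Review bot: The corrected `{% if ip_security.sa_policies is arista.avd.defined %}` makes the Security Association table render for the first time, so its rows are now user-visible output and should agree with the device configuration, which they currently may not: the molecule document produced by this patch shows SA-3 with `null` for both ESP integrity and encryption, while the generated config for the same host (see the line removed in PATCH 06) contains only `esp encryption null` and no integrity line. The table rows are outside this hunk, but the EOS template in this series reads the key as `sa_policy.esp.intergrity` until PATCH 07, so the documentation reports an integrity setting the device config never receives. I'd cross-check every field name the documentation template reads against the EOS template before merging, since a rendered document claiming integrity protection that the device does not carry is exactly the kind of mismatch an operator will trust.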
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md @@ -12,13 +12,13 @@ | [    - name](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. | | [      local_id](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| | [      ike_lifetime](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1
Max: 24 | IKE lifetime in hours.
| - | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- null
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| + | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- disabled
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| | [      dh_group](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | Diffie-Hellman group for the key exchange.
| | [  sa_policies](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. | - | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. | + | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed on AVD 5.0.0 | | [      esp](## "ip_security.sa_policies.[].esp") | Dictionary | | | | | - | [        integrity](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:
- null
- sha1
- sha256 | | - | [        encryption](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:
- null
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256 | | + | [        integrity](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:
- disabled
- sha1
- sha256
- null | | + | [        encryption](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- null | | | [      pfs_dh_group](## "ip_security.sa_policies.[].pfs_dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | | | [  profiles](## "ip_security.profiles") | List, items: Dictionary | | | | IPSec profiles. | | [    - name](## "ip_security.profiles.[].name") | String | Required, Unique | | | Name of the IPsec profile. | diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json index a92906f53ca..b331a1cd9d5 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json @@ -6608,7 +6608,7 @@ "encryption": { "type": "string", "enum": [ - "null", + "disabled", "3des", "aes128", "aes256" @@ -6652,7 +6652,7 @@ "properties": { "name": { "type": "string", - "description": "Name of the SA policy.", + "description": "Name of the SA policy. The \"null\" value is deprecated and will be removed on AVD 5.0.0", "title": "Name" }, "esp": { @@ -6661,21 +6661,23 @@ "integrity": { "type": "string", "enum": [ - "null", + "disabled", "sha1", - "sha256" + "sha256", + "null" ], "title": "Integrity" }, "encryption": { "type": "string", "enum": [ - "null", + "disabled", "aes128", "aes128gcm128", "aes128gcm64", "aes256", - "aes256gcm256" + "aes256gcm256", + "null" ], "title": "Encryption" } diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml index 96fd7bb3e57..bbb71fd8a22 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml @@ -3801,7 +3801,7 @@ keys: encryption: type: str valid_values: - - 'null' + - disabled - 3des - aes128 - aes256 
@@ -3837,25 +3837,28 @@ keys: keys: name: type: str - description: Name of the SA policy. + description: Name of the SA policy. The "null" value is deprecated and + will be removed on AVD 5.0.0 esp: type: dict keys: integrity: type: str valid_values: - - 'null' + - disabled - sha1 - sha256 + - 'null' encryption: type: str valid_values: - - 'null' + - disabled - aes128 - aes128gcm128 - aes128gcm64 - aes256 - aes256gcm256 + - 'null' pfs_dh_group: type: int convert_types: diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml index 5253c5a219d..c4c37a48ea2 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml @@ -35,7 +35,7 @@ keys: encryption: type: str valid_values: - - "null" + - disabled - 3des - aes128 - aes256 @@ -58,25 +58,27 @@ keys: keys: name: type: str - description: Name of the SA policy. + description: Name of the SA policy. The "null" value is deprecated and will be removed on AVD 5.0.0 esp: type: dict keys: integrity: type: str valid_values: - - "null" + - disabled - sha1 - sha256 + - "null" # TODO: AVD 5.0.0 encryption: type: str valid_values: - - "null" + - disabled - aes128 - aes128gcm128 - aes128gcm64 - aes256 - aes256gcm256 + - "null" # TODO: AVD 5.0.0 pfs_dh_group: type: int convert_types: From 9838b60ef2e770e7c319baaae72f35fa140bcd9e Mon Sep 17 00:00:00 2001 From: gusmb Date: Wed, 8 Nov 2023 16:14:30 +0100 Subject: [PATCH 05/12] update eos template --- .../roles/eos_cli_config_gen/templates/eos/ip-security.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
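Review bot: The deprecation sentence is attached to the wrong key: `name` accepts any string, whereas the `"null"` value being deprecated lives in the `valid_values` of `esp.integrity` and `esp.encryption` (where the `# TODO: AVD 5.0.0` markers sit), so a user reading the generated docs table will see the warning next to the policy name and nothing next to the fields it concerns. Move it out of `name` and give both ESP keys a description, e.g. `description: ESP integrity algorithm. The "null" value is deprecated and will be removed in AVD 5.0.0; use "disabled" instead.` and the same wording for `esp.encryption`. Both keys otherwise have no description at all (the docs table hunk in this patch shows an empty description column for them). The same misplacement is reproduced in the generated eos_cli_config_gen.schema.yml hunk above, the jsonschema hunk and the docs table of this patch, and is carried into the PATCH 08/09 rewording, so it is worth fixing in the fragment and rebuilding.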
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 index 8c25bab6001..8e78114c504 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 @@ -16,7 +16,7 @@ ip security {% if ike_policy.ike_lifetime is arista.avd.defined %} ike-lifetime {{ ike_policy.ike_lifetime }} {% endif %} -{% if ike_policy.encryption is arista.avd.defined %} +{% if ike_policy.encryption is arista.avd.defined and ike_policy.encryption != "disabled" %} encryption {{ ike_policy.encryption }} {% endif %} {% if ike_policy.dh_group is arista.avd.defined %} @@ -26,10 +26,10 @@ ip security {% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} ! sa policy {{ sa_policy.name }} -{% if sa_policy.esp.intergrity is arista.avd.defined %} +{% if sa_policy.esp.intergrity is arista.avd.defined and sa_policy.esp.intergrity != "disabled" %} esp intergrity {{ sa_policy.esp.intergrity }} {% endif %} -{% if sa_policy.esp.encryption is arista.avd.defined %} +{% if sa_policy.esp.encryption is arista.avd.defined and sa_policy.esp.encryption != "disabled" %} esp encryption {{ sa_policy.esp.encryption }} {% endif %} {% if sa_policy.pfs_dh_group is arista.avd.defined %} From 2286652cc4f2bc0153e2b08bccc1b6c6c5e4f6dd Mon Sep 17 00:00:00 2001 From: gusmb Date: Wed, 8 Nov 2023 16:41:19 +0100 Subject: [PATCH 06/12] refresh molecule --- .../eos_cli_config_gen/documentation/devices/ip-security.md | 3 +-- .../eos_cli_config_gen/intended/configs/ip-security.cfg | 1 - .../eos_cli_config_gen/inventory/host_vars/ip-security.yml | 4 ++-- 3 files changed, 3 insertions(+), 5 deletions(-) 
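Review bot: The second hunk extends a condition that reads `sa_policy.esp.intergrity`, which does not match the schema key `integrity`, so the whole block is dead code and the ESP integrity algorithm is never emitted into the device configuration regardless of what the user sets; the molecule output in this series confirms it (the SA-3 config carries only `esp encryption null` until PATCH 07 adds the integrity line). PATCH 07 corrects the spelling, but that correction is the behavior-changing part of the series — existing inventories that set `esp.integrity` will start producing `esp integrity ...` lines on the next run — and it deserves an explicit mention in the release notes rather than being folded into a "refresh molecule" commit. The `!= "disabled"` guards themselves are fine as written; they are superseded by PATCH 07 for the ESP keys and by PATCH 10 for IKE encryption.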
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index 73e6b9bbc40..a9faeb7eeff 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -54,7 +54,7 @@ interface Management1 | ----------- | ------------- | -------------- | ------------ | | SA-1 | - | aes128 | 14 | | SA-2 | - | aes128 | 14 | -| SA-3 | null | null | 17 | +| SA-3 | disabled | disabled | 17 | ### IPSec profiles @@ -92,7 +92,6 @@ ip security pfs dh-group 14 ! sa policy SA-3 - esp encryption null pfs dh-group 17 ! profile Profile-1 diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg index 176d311dd66..12d785f01fd 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg @@ -26,7 +26,6 @@ ip security pfs dh-group 14 ! sa policy SA-3 - esp encryption null pfs dh-group 17 ! profile Profile-1 diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml index 8222ebf0a8d..b1c7f699330 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml 
@@ -18,8 +18,8 @@ ip_security: pfs_dh_group: 14 - name: SA-3 esp: - integrity: "null" - encryption: "null" + integrity: "disabled" + encryption: "disabled" pfs_dh_group: 17 profiles: - name: Profile-1 From 22542f39aa5340dd50e799b07e9e23662cd03fe8 Mon Sep 17 00:00:00 2001 From: gusmb Date: Wed, 8 Nov 2023 16:59:17 +0100 Subject: [PATCH 07/12] refresh molecule --- .../documentation/devices/ip-security.md | 2 ++ .../intended/configs/ip-security.cfg | 2 ++ .../templates/eos/ip-security.j2 | 14 +++++++++++--- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index a9faeb7eeff..09931db04ed 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -92,6 +92,8 @@ ip security pfs dh-group 14 ! sa policy SA-3 + esp integrity null + esp encryption null pfs dh-group 17 ! profile Profile-1 diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg index 12d785f01fd..d67f114f9de 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg @@ -26,6 +26,8 @@ ip security pfs dh-group 14 ! sa policy SA-3 + esp integrity null + esp encryption null pfs dh-group 17 ! profile Profile-1 diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 index 8e78114c504..d85d2a610a1 100644 
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 @@ -26,11 +26,19 @@ ip security {% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} ! sa policy {{ sa_policy.name }} -{% if sa_policy.esp.intergrity is arista.avd.defined and sa_policy.esp.intergrity != "disabled" %} - esp intergrity {{ sa_policy.esp.intergrity }} +{% if sa_policy.esp.integrity is arista.avd.defined %} +{% if sa_policy.esp.integrity == "disabled" %} + esp integrity null +{% else %} + esp integrity {{ sa_policy.esp.integrity }} +{% endif %} {% endif %} -{% if sa_policy.esp.encryption is arista.avd.defined and sa_policy.esp.encryption != "disabled" %} +{% if sa_policy.esp.encryption is arista.avd.defined %} +{% if sa_policy.esp.encryption == "disabled" %} + esp encryption null +{% else %} esp encryption {{ sa_policy.esp.encryption }} +{% endif %} {% endif %} {% if sa_policy.pfs_dh_group is arista.avd.defined %} pfs dh-group {{ sa_policy.pfs_dh_group }} From b05d8bb19f839c84b0467ad8740df5a90bdedf4c Mon Sep 17 00:00:00 2001 From: Claus Holbech Date: Thu, 9 Nov 2023 14:14:51 +0100 Subject: [PATCH 08/12] Apply suggestions from code review Co-authored-by: Guillaume Mulocher --- .../inventory/host_vars/ip-security.yml | 4 ++-- .../schemas/schema_fragments/ip_security.schema.yml | 10 ++++------ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml index b1c7f699330..f0c328404f2 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml 
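Review bot: The nested `{% if %}` blocks can be collapsed to one line per key without changing output, e.g. `{% if sa_policy.esp.integrity is arista.avd.defined %}` / `esp integrity {{ "null" if sa_policy.esp.integrity == "disabled" else sa_policy.esp.integrity }}` / `{% endif %}` (keeping the existing indent), and likewise for `esp.encryption`; this also makes it obvious that the still-accepted legacy value `"null"` falls into the else branch and renders the identical `esp integrity null` line. More importantly, `disabled` now renders as an EOS null transform, i.e. an SA with no confidentiality (`esp encryption null`) or no integrity protection (`esp integrity null`), and nothing in the schema or generated docs says so; I'd add to the `esp.encryption` description something like `"disabled" renders "esp encryption null": ESP traffic in this SA is not encrypted.` and the equivalent for integrity. The molecule host SA-3 sets both to `disabled`, which produces an SA with neither protection; that is fine as a template test case, but it should not be the example operators copy from the docs.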
@@ -18,8 +18,8 @@ ip_security: pfs_dh_group: 14 - name: SA-3 esp: - integrity: "disabled" - encryption: "disabled" + integrity: disabled + encryption: disabled pfs_dh_group: 17 profiles: - name: Profile-1 diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml index c4c37a48ea2..a508fc159d8 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml @@ -30,8 +30,7 @@ keys: - str min: 1 max: 24 - description: | - IKE lifetime in hours. + description: IKE lifetime in hours. encryption: type: str valid_values: @@ -39,7 +38,7 @@ keys: - 3des - aes128 - aes256 - description: | + description: |- Local IKE Identification. Can be an IPv4 or an IPv6 address. dh_group: @@ -47,8 +46,7 @@ keys: convert_types: - str valid_values: [1, 2, 5, 14, 15, 16, 17, 20, 21, 24] - description: | - Diffie-Hellman group for the key exchange. + description: Diffie-Hellman group for the key exchange. sa_policies: type: list description: Security Association policies. @@ -58,7 +56,7 @@ keys: keys: name: type: str - description: Name of the SA policy. The "null" value is deprecated and will be removed on AVD 5.0.0 + description: Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 esp: type: dict keys: From b08957381a604eec144b9c0d757a95883d033939 Mon Sep 17 00:00:00 2001 From: Claus Holbech Date: Thu, 9 Nov 2023 14:17:39 +0100 Subject: [PATCH 09/12] Rebuild schemas after review changes --- .../eos_cli_config_gen/docs/tables/ip-security.md | 8 ++++---- .../schemas/eos_cli_config_gen.jsonschema.json | 8 ++++---- .../schemas/eos_cli_config_gen.schema.yml | 14 ++++---------- 3 files changed, 12 insertions(+), 18 deletions(-) 
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md index 71dd9231857..b01950cfa42 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md @@ -11,11 +11,11 @@ | [  ike_policies](## "ip_security.ike_policies") | List, items: Dictionary | | | | Internet Security Association and Key Mgmt Protocol. | | [    - name](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. | | [      local_id](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| - | [      ike_lifetime](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1
Max: 24 | IKE lifetime in hours.
| - | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- disabled
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| - | [      dh_group](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | Diffie-Hellman group for the key exchange.
| + | [      ike_lifetime](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1
Max: 24 | IKE lifetime in hours. | + | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- disabled
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address. | + | [      dh_group](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | Diffie-Hellman group for the key exchange. | | [  sa_policies](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. | - | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed on AVD 5.0.0 | + | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 | | [      esp](## "ip_security.sa_policies.[].esp") | Dictionary | | | | | | [        integrity](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:
- disabled
- sha1
- sha256
- null | | | [        encryption](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- null | | diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json index b331a1cd9d5..7576cc3213d 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json @@ -6602,7 +6602,7 @@ "type": "integer", "minimum": 1, "maximum": 24, - "description": "IKE lifetime in hours.\n", + "description": "IKE lifetime in hours.", "title": "Ike Lifetime" }, "encryption": { @@ -6613,7 +6613,7 @@ "aes128", "aes256" ], - "description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.\n", + "description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.", "title": "Encryption" }, "dh_group": { @@ -6630,7 +6630,7 @@ 21, 24 ], - "description": "Diffie-Hellman group for the key exchange.\n", + "description": "Diffie-Hellman group for the key exchange.", "title": "Dh Group" } }, @@ -6652,7 +6652,7 @@ "properties": { "name": { "type": "string", - "description": "Name of the SA policy. The \"null\" value is deprecated and will be removed on AVD 5.0.0", + "description": "Name of the SA policy. The \"null\" value is deprecated and will be removed in AVD 5.0.0", "title": "Name" }, "esp": { diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml index bbb71fd8a22..b7e339c0ae8 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml 
@@ -3795,9 +3795,7 @@ keys: - str min: 1 max: 24 - description: 'IKE lifetime in hours. - - ' + description: IKE lifetime in hours. encryption: type: str valid_values: @@ -3807,9 +3805,7 @@ keys: - aes256 description: 'Local IKE Identification. - Can be an IPv4 or an IPv6 address. - - ' + Can be an IPv4 or an IPv6 address.' dh_group: type: int convert_types: @@ -3825,9 +3821,7 @@ keys: - 20 - 21 - 24 - description: 'Diffie-Hellman group for the key exchange. - - ' + description: Diffie-Hellman group for the key exchange. sa_policies: type: list description: Security Association policies. @@ -3838,7 +3832,7 @@ keys: name: type: str description: Name of the SA policy. The "null" value is deprecated and - will be removed on AVD 5.0.0 + will be removed in AVD 5.0.0 esp: type: dict keys: From f0b38b62b947cee596b577d36ff234b6e890fef2 Mon Sep 17 00:00:00 2001 From: Claus Holbech Date: Fri, 10 Nov 2023 13:01:43 +0100 Subject: [PATCH 10/12] Remove disabled from ike encryption --- .../avd/roles/eos_cli_config_gen/docs/tables/ip-security.md | 2 +- .../schemas/eos_cli_config_gen.jsonschema.json | 3 +-- .../eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml | 5 +---- .../schemas/schema_fragments/ip_security.schema.yml | 5 +---- .../roles/eos_cli_config_gen/templates/eos/ip-security.j2 | 2 +- 5 files changed, 5 insertions(+), 12 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md index b01950cfa42..8b2f6faa529 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md @@ -12,7 +12,7 @@ | [    - name](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. | | [      local_id](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.
Can be an IPv4 or an IPv6 address.
| | [      ike_lifetime](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1
Max: 24 | IKE lifetime in hours. | - | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- disabled
- 3des
- aes128
- aes256 | Local IKE Identification.
Can be an IPv4 or an IPv6 address. | + | [      encryption](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:
- 3des
- aes128
- aes256 | IKE encryption algorithm. | | [      dh_group](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24 | Diffie-Hellman group for the key exchange. | | [  sa_policies](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. | | [    - name](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 | diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json index 7576cc3213d..9e2f7855cd0 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json @@ -6608,12 +6608,11 @@ "encryption": { "type": "string", "enum": [ - "disabled", "3des", "aes128", "aes256" ], - "description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.", + "description": "IKE encryption algorithm.", "title": "Encryption" }, "dh_group": { diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml index b7e339c0ae8..c4c373abe2f 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml @@ -3799,13 +3799,10 @@ keys: encryption: type: str valid_values: - - disabled - 3des - aes128 - aes256 - description: 'Local IKE Identification. - - Can be an IPv4 or an IPv6 address.' + description: IKE encryption algorithm. dh_group: type: int convert_types: 
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml index a508fc159d8..3e06942fb67 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml @@ -34,13 +34,10 @@ keys: encryption: type: str valid_values: - - disabled - 3des - aes128 - aes256 - description: |- - Local IKE Identification. - Can be an IPv4 or an IPv6 address. + description: IKE encryption algorithm. dh_group: type: int convert_types: diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 index d85d2a610a1..52351ee94ec 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2 @@ -16,7 +16,7 @@ ip security {% if ike_policy.ike_lifetime is arista.avd.defined %} ike-lifetime {{ ike_policy.ike_lifetime }} {% endif %} -{% if ike_policy.encryption is arista.avd.defined and ike_policy.encryption != "disabled" %} +{% if ike_policy.encryption is arista.avd.defined %} encryption {{ ike_policy.encryption }} {% endif %} {% if ike_policy.dh_group is arista.avd.defined %} From b357ea838b4aa8c1029e26387903ab1e9d3a9003 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Fri, 10 Nov 2023 14:26:11 +0100 Subject: [PATCH 11/12] Doc: Fix space issue in documentation template (piggybacking) --- .../documentation/devices/ip-security.md | 6 +-- .../templates/documentation/ip-security.j2 | 46 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) 
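Review bot: Dropping `disabled` from `valid_values` in the schema fragment is a breaking change for any existing inventory that still sets `encryption: disabled`, and the commit carries no deprecation path, unlike the `null` SA policy name in the same file, which is kept and described as "deprecated and will be removed in AVD 5.0.0". Consider keeping the value with a deprecation warning for one release, or at least recording the removal in the release notes/porting guide so users know validation will now reject it. Since the description is being rewritten anyway, it may also be worth flagging the remaining legacy cipher, e.g. `description: IKE encryption algorithm. 3des is a legacy cipher; prefer aes128 or aes256.`. The enclosing `ike_policies` item definition starts outside the hunk.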
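Review bot: Removing the `!= "disabled"` guard in `eos/ip-security.j2` makes correct rendering depend entirely on schema validation: an inventory that still sets `encryption: disabled` and is run with validation not enforced (warning-only or skipped) would now emit `encryption disabled` into the EOS config, which the old guard prevented. If that trade-off is intended, a short comment above the `if` records why the guard went away, e.g. `{# "disabled" is no longer a valid value; schema validation rejects it before rendering #}`. The enclosing `{% for ike_policy ... %}` loop starts outside the hunk.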
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index 09931db04ed..7a61dd5dfda 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -52,9 +52,9 @@ interface Management1 | Policy name | ESP Integrity | ESP Encryption | PFS DH Group | | ----------- | ------------- | -------------- | ------------ | -| SA-1 | - | aes128 | 14 | -| SA-2 | - | aes128 | 14 | -| SA-3 | disabled | disabled | 17 | +| SA-1 | - | aes128 | 14 | +| SA-2 | - | aes128 | 14 | +| SA-3 | disabled | disabled | 17 | ### IPSec profiles diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 index 249932e081f..7de9ce1dcc2 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 
@@ -7,55 +7,55 @@ {% if ip_security is arista.avd.defined %} ## IP Security -{% if ip_security.ike_policies is arista.avd.defined %} +{% if ip_security.ike_policies is arista.avd.defined %} ### IKE policies | Policy name | IKE lifetime | Encryption | DH group | Local ID | | ----------- | ------------ | ---------- | -------- | -------- | -{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} +{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} | {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id | arista.avd.default("-") }} | -{% endfor %} -{% endif %} -{% if ip_security.sa_policies is arista.avd.defined %} +{% endfor %} +{% endif %} +{% if ip_security.sa_policies is arista.avd.defined %} ### Security Association policies | Policy name | ESP Integrity | ESP Encryption | PFS DH Group | | ----------- | ------------- | -------------- | ------------ | -{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} -| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} | -{% endfor %} -{% endif %} -{% if ip_security.profiles is arista.avd.defined %} +{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} +| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} | +{% endfor %} +{% endif %} +{% if ip_security.profiles is arista.avd.defined %} ### IPSec profiles | Profile name | IKE policy | SA policy | Connection | DPD Interval | DPD Time | DPD action | Mode | | ------------ | ---------- | ----------| ---------- | ------------ | -------- | ---------- | ---- | -{% for 
profile in ip_security.profiles | arista.avd.default([]) %} -{% set ike_policy = profile.ike_policy | arista.avd.default("-") %} -{% set sa_policy = profile.sa_policy | arista.avd.default("-") %} -{% set connection = profile.connection | arista.avd.default("-") %} -{% set dpd_interval = profile.dpd_interval | arista.avd.default("-") %} -{% set dpd_time = profile.dpd_time | arista.avd.default("-") %} -{% set dpd_action = profile.dpd_action | arista.avd.default("-") %} -{% set mode = profile.mode | arista.avd.default("-") %} +{% for profile in ip_security.profiles | arista.avd.default([]) %} +{% set ike_policy = profile.ike_policy | arista.avd.default("-") %} +{% set sa_policy = profile.sa_policy | arista.avd.default("-") %} +{% set connection = profile.connection | arista.avd.default("-") %} +{% set dpd_interval = profile.dpd_interval | arista.avd.default("-") %} +{% set dpd_time = profile.dpd_time | arista.avd.default("-") %} +{% set dpd_action = profile.dpd_action | arista.avd.default("-") %} +{% set mode = profile.mode | arista.avd.default("-") %} | {{ profile.name }} | {{ ike_policy }} | {{ sa_policy }} | {{ connection }} | {{ dpd_interval }} | {{ dpd_time }} | {{ dpd_action }} | {{ mode }} | -{% endfor %} -{% endif %} -{% if ip_security.key_controller is arista.avd.defined %} +{% endfor %} +{% endif %} +{% if ip_security.key_controller is arista.avd.defined %} ### Key controller | Profile name | | ------------ | | {{ ip_security.key_controller.profile | arista.avd.default("-") }} | -{% endif %} +{% endif %} ### IP Security Configuration ```eos -{% include 'eos/ip-security.j2' %} +{% include 'eos/ip-security.j2' %} ``` {% endif %} From 07568ce4fcbe569771c9906bebf8164c878096e5 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Fri, 10 Nov 2023 14:29:41 +0100 Subject: [PATCH 12/12] Doc: Fix control F mistake --- .../templates/documentation/ip-security.j2 | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) 
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 index 7de9ce1dcc2..f673dd59d35 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2 
@@ -7,55 +7,55 @@ {% if ip_security is arista.avd.defined %} ## IP Security -{% if ip_security.ike_policies is arista.avd.defined %} +{% if ip_security.ike_policies is arista.avd.defined %} ### IKE policies | Policy name | IKE lifetime | Encryption | DH group | Local ID | | ----------- | ------------ | ---------- | -------- | -------- | -{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} +{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} | {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id | arista.avd.default("-") }} | -{% endfor %} -{% endif %} -{% if ip_security.sa_policies is arista.avd.defined %} +{% endfor %} +{% endif %} +{% if ip_security.sa_policies is arista.avd.defined %} ### Security Association policies | Policy name | ESP Integrity | ESP Encryption | PFS DH Group | | ----------- | ------------- | -------------- | ------------ | -{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} +{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} | {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} | -{% endfor %} -{% endif %} -{% if ip_security.profiles is arista.avd.defined %} +{% endfor %} +{% endif %} +{% if ip_security.profiles is arista.avd.defined %} ### IPSec profiles | Profile name | IKE policy | SA policy | Connection | DPD Interval | DPD Time | DPD action | Mode | | ------------ | ---------- | ----------| ---------- | ------------ | -------- | ---------- | ---- | -{% for profile in ip_security.profiles | arista.avd.default([]) %} -{% set ike_policy = profile.ike_policy | arista.avd.default("-") %} -{% set sa_policy = profile.sa_policy | arista.avd.default("-") %} -{% 
set connection = profile.connection | arista.avd.default("-") %} -{% set dpd_interval = profile.dpd_interval | arista.avd.default("-") %} -{% set dpd_time = profile.dpd_time | arista.avd.default("-") %} -{% set dpd_action = profile.dpd_action | arista.avd.default("-") %} -{% set mode = profile.mode | arista.avd.default("-") %} +{% for profile in ip_security.profiles | arista.avd.default([]) %} +{% set ike_policy = profile.ike_policy | arista.avd.default("-") %} +{% set sa_policy = profile.sa_policy | arista.avd.default("-") %} +{% set connection = profile.connection | arista.avd.default("-") %} +{% set dpd_interval = profile.dpd_interval | arista.avd.default("-") %} +{% set dpd_time = profile.dpd_time | arista.avd.default("-") %} +{% set dpd_action = profile.dpd_action | arista.avd.default("-") %} +{% set mode = profile.mode | arista.avd.default("-") %} | {{ profile.name }} | {{ ike_policy }} | {{ sa_policy }} | {{ connection }} | {{ dpd_interval }} | {{ dpd_time }} | {{ dpd_action }} | {{ mode }} | -{% endfor %} -{% endif %} -{% if ip_security.key_controller is arista.avd.defined %} +{% endfor %} +{% endif %} +{% if ip_security.key_controller is arista.avd.defined %} ### Key controller | Profile name | | ------------ | | {{ ip_security.key_controller.profile | arista.avd.default("-") }} | -{% endif %} +{% endif %} ### IP Security Configuration ```eos -{% include 'eos/ip-security.j2' %} +{% include 'eos/ip-security.j2' %} ``` {% endif %}