Fix(eos_designs): Use CP-Profile for WAN HA when DP-Profile is not configured

ansible_collections/arista/avd/docs/release-notes/5.x.x.md

@@ -196,6 +196,11 @@ With AVD version 5.0.0 the valid values for `wan_mode` key are now `legacy-autov
 
 See the [porting guide](../porting-guides/5.x.x.md#wan-mode-autovpn-renamed-wan-mode-legacy-vpn) for details.
 
+#### Use Control Plane IPsec profile for WAN HA when Data Plane profile is not configured
+
+For `wan_ipsec_profiles`, AVD now uses the `control_plane` profile for WAN HA Data
+Plane when the `data_plane` profile is not configured.
+
 ### Other breaking or behavioral changes
 
 Breaking changes may require modifications to the inventory or playbook. See the [Porting guide for AVD 5.x.x](../porting-guides/5.x.x.md)

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg

@@ -119,7 +119,7 @@ router path-selection
    tcp mss ceiling ipv4 ingress
    !
    path-group CUSTOM_LAN_HA id 65535
-      ipsec profile DP-PROFILE
+      ipsec profile ONE-PROFILE-TO-CONTROL-THEM-ALL
       flow assignment lan
       !
       local interface Ethernet52
@@ -200,35 +200,20 @@ ip security
    ike policy CP-IKE-POLICY
       local-id 192.168.142.3
    !
-   ike policy DP-IKE-POLICY
-      local-id 192.168.142.3
-   !
    sa policy CP-SA-POLICY
       esp encryption aes256gcm128
       pfs dh-group 14
    !
-   sa policy DP-SA-POLICY
-      esp encryption aes256gcm128
-      pfs dh-group 14
-   !
-   profile CP-PROFILE
+   profile ONE-PROFILE-TO-CONTROL-THEM-ALL
       ike-policy CP-IKE-POLICY
       sa-policy CP-SA-POLICY
       connection start
       shared-key 7 ABCDEF1234567890
       dpd 10 50 clear
       mode transport
    !
-   profile DP-PROFILE
-      ike-policy DP-IKE-POLICY
-      sa-policy DP-SA-POLICY
-      connection start
-      shared-key 7 ABCDEF1234567890666
-      dpd 10 50 clear
-      mode transport
-   !
    key controller
-      profile DP-PROFILE
+      profile ONE-PROFILE-TO-CONTROL-THEM-ALL
 !
 interface Dps1
    description DPS Interface

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge2B.yml

@@ -420,31 +420,15 @@ ip_extcommunity_lists:
     extcommunities: soo 192.168.42.2:423
 ip_security:
   ike_policies:
-  - name: DP-IKE-POLICY
-    local_id: 192.168.142.3
   - name: CP-IKE-POLICY
     local_id: 192.168.142.3
   sa_policies:
-  - name: DP-SA-POLICY
-    esp:
-      encryption: aes256gcm128
-    pfs_dh_group: 14
   - name: CP-SA-POLICY
     esp:
       encryption: aes256gcm128
     pfs_dh_group: 14
   profiles:
-  - name: DP-PROFILE
-    ike_policy: DP-IKE-POLICY
-    sa_policy: DP-SA-POLICY
-    connection: start
-    shared_key: ABCDEF1234567890666
-    dpd:
-      interval: 10
-      time: 50
-      action: clear
-    mode: transport
-  - name: CP-PROFILE
+  - name: ONE-PROFILE-TO-CONTROL-THEM-ALL
     ike_policy: CP-IKE-POLICY
     sa_policy: CP-SA-POLICY
     connection: start
@@ -455,7 +439,7 @@ ip_security:
       action: clear
     mode: transport
   key_controller:
-    profile: DP-PROFILE
+    profile: ONE-PROFILE-TO-CONTROL-THEM-ALL
 management_security:
   ssl_profiles:
   - name: profileA
@@ -595,7 +579,7 @@ router_path_selection:
       ipv4_addresses:
       - 172.17.0.5
       - 172.17.0.7
-    ipsec_profile: DP-PROFILE
+    ipsec_profile: ONE-PROFILE-TO-CONTROL-THEM-ALL
   load_balance_policies:
   - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE
     path_groups:

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge1.yml

@@ -3,10 +3,6 @@
 # Make sure to set the cv_token var on the molecule command line like:
 # molecule converge -s eos_designs_unit_tests -- --limit cv-pathfinder-edge1 -e cv_token=$CV_TOKEN -v
 
-# serial_number: mockZscaler
-# cv_server: "www.cv-play.corp.arista.io"
-# zscaler_endpoints: null
-
 # Testing multiple pathinfders on one device
 wan_route_servers:
   - hostname: cv-pathfinder-pathfinder1

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge2B.yml

@@ -4,3 +4,11 @@
 
 wan_ha:
   lan_ha_path_group_name: CUSTOM_LAN_HA
+
+# Testing having only control_plane ipsec profile and making sure it is used for
+# HA path-group. Yes it makes for asymmetric config with 2A but this is a unit
+# test.
+wan_ipsec_profiles:
+  control_plane:
+    profile_name: ONE-PROFILE-TO-CONTROL-THEM-ALL
+    shared_key: ABCDEF1234567890

python-avd/pyavd/_eos_designs/structured_config/overlay/ip_security.py

@@ -47,7 +47,7 @@ def ip_security(self: AvdStructuredConfigOverlay) -> dict | None:
         return strip_null_from_data(ip_security)
 
     def _append_data_plane(self: AvdStructuredConfigOverlay, ip_security: dict, data_plane_config: dict) -> None:
-        """In place update of ip_security."""
+        """In place update of ip_security for DataPlane."""
         ike_policy_name = get(data_plane_config, "ike_policy_name", default="DP-IKE-POLICY") if self.shared_utils.wan_ha_ipsec else None
         sa_policy_name = get(data_plane_config, "sa_policy_name", default="DP-SA-POLICY")
         profile_name = get(data_plane_config, "profile_name", default="DP-PROFILE")
@@ -66,7 +66,7 @@ def _append_control_plane(self: AvdStructuredConfigOverlay, ip_security: dict, c
         """
         In place update of ip_security for control plane data.
 
-        expected to be called AFTER _append_data_plane
+        expected to be called AFTER _append_data_plane as CP is used for data-plane as well if not configured.
         """
         ike_policy_name = get(control_plane_config, "ike_policy_name", default="CP-IKE-POLICY")
         sa_policy_name = get(control_plane_config, "sa_policy_name", default="CP-SA-POLICY")
@@ -78,7 +78,7 @@ def _append_control_plane(self: AvdStructuredConfigOverlay, ip_security: dict, c
         ip_security["profiles"].append(self._profile(profile_name, ike_policy_name, sa_policy_name, key))
 
         if not ip_security.get("key_controller"):
-            # If there is not data plane IPSec profile, use the control plane one for key controller
+            # If there is no data plane IPSec profile, use the control plane one for key controller
             ip_security["key_controller"] = self._key_controller(profile_name)
 
     def _ike_policy(self: AvdStructuredConfigOverlay, name: str) -> dict | None:
@@ -126,7 +126,4 @@ def _profile(self: AvdStructuredConfigOverlay, profile_name: str, ike_policy_nam
 
     def _key_controller(self: AvdStructuredConfigOverlay, profile_name: str) -> dict | None:
         """Return a key_controller structure if the device is not a RR or pathfinder."""
-        if self.shared_utils.is_wan_server:
-            return None
-
-        return {"profile": profile_name}
+        return None if self.shared_utils.is_wan_server else {"profile": profile_name}

python-avd/pyavd/_eos_designs/structured_config/overlay/router_path_selection.py

@@ -45,9 +45,13 @@ def _cp_ipsec_profile_name(self: AvdStructuredConfigOverlay) -> str:
 
     @cached_property
     def _dp_ipsec_profile_name(self: AvdStructuredConfigOverlay) -> str:
-        """Returns the IPsec profile name to use for Data-Plane."""
-        # TODO: need to use CP one if 'wan_ipsec_profiles.data_plane' not present
-        return get(self._hostvars, "wan_ipsec_profiles.data_plane.profile_name", default="DP-PROFILE")
+        """Returns the IPsec profile name to use for Data-Plane.
+
+        If no data-plane config is present for IPsec, default to _cp_ipsec_profile_name
+        """
+        if (data_plane := get(self._hostvars, "wan_ipsec_profiles.data_plane")) is not None:
+            return get(data_plane, "profile_name", default="DP-PROFILE")
+        return self._cp_ipsec_profile_name
 
     def _get_path_groups(self: AvdStructuredConfigOverlay) -> list:
         """Generate the required path-groups locally."""