jugatsu · January 10, 2018 14:13
diff --git a/ansible-mikrotik-example.yml b/ansible-mikrotik-example.yml
 ---
 # tasks file for ansible-role-mikrotik-ipsec

 - name: Check RouterOS version.
  raw: ":local varif [/system package update get installed-version]; :put \"$varif\""
  args: { executable: False }
  register: installed_version
  changed_when: False

 - name: Set custom fact for RouterOS version.
  set_fact:
    ros_version: "{{ installed_version.stdout|regex_replace('(\\r\\n)','') }}"

 - name: Ensure ipsec is configured.
  raw: ":local varif [/ip ipsec peer find address={{ item.peer | ipsubnet | quote }}]; :if ([:len $varif ] = 0) \
    do={/ip ipsec peer add address={{ item.peer | ipsubnet | quote }} enc-algorithm=des hash-algorithm=md5 \
    nat-traversal=no secret={{ item.secret | quote }} send-initial-contact=no; \
    /ip ipsec policy add dst-address={{ item.remote_policy | quote }} sa-dst-address={{ item.peer | quote }} \
    sa-src-address={{ item.my_address | quote }} src-address={{ item.local_policy | quote }} tunnel=yes; \
    /ip ipsec proposal set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=des lifetime=1d name=default pfs-group=modp1024; \
    :put \"Changed: true\"}"
  args: { executable: False }
  register: ipsec_result
  failed_when: "'input does not match' in ipsec_result.stdout
    or 'expected end of command' in ipsec_result.stdout
    or 'syntax error' in ipsec_result.stdout
    or 'bad command' in ipsec_result.stdout
    or 'invalid value for argument' in ipsec_result.stdout
    or 'no such item' in ipsec_result.stdout"
  changed_when: "'Changed: true' in ipsec_result.stdout"
  when: (item.peer and item.secret ) is defined
  with_items:
    - "{{ mikrotik_ipsec }}"

 # TODO: make idempotent
 - name: Ensure firewall filter and nat tables for IPsec is configured.
  raw: "/ip firewall filter add chain=forward action=accept connection-state=established,related src-address={{ item.remote_policy | quote }} dst-address={{ item.local_policy | quote }} place-before=1; \
    /ip firewall filter add chain=forward action=accept connection-state=established,related src-address={{ item.local_policy | quote }} dst-address={{ item.remote_policy | quote }} place-before=1; \
    /ip firewall filter add chain=input action=accept comment=\"Allow IKE\" dst-port=500 protocol=udp place-before=1; \
    /ip firewall filter add chain=input action=accept comment=\"Allow IPSec-ESP\" protocol=ipsec-esp place-before=1; \
    /ip firewall filter add chain=input action=accept comment=\"Allow IPSec-AH\" protocol=ipsec-ah place-before=1; \
    /ip firewall nat add chain=srcnat action=accept src-address={{ item.local_policy | quote }} dst-address={{ item.remote_policy | quote }} place-before=0; \
    :put \"Changed: true\"}"
  args: { executable: False }
  register: fw_result
  failed_when: "'input does not match' in fw_result.stdout
    or 'expected end of command' in fw_result.stdout
    or 'syntax error' in fw_result.stdout
    or 'bad command' in fw_result.stdout
    or 'no such item' in fw_result.stdout"
  changed_when: "'Changed: true' in fw_result.stdout"
  when: ipsec_result | changed
  with_items:
    - "{{ mikrotik_ipsec }}"

 # TODO: make idempotent
 # RAW tables require >=6.36
 - name: Ensure firewall raw tables for IPsec is configured.
  raw: "/ip firewall raw add action=notrack chain=prerouting src-address={{ item.remote_policy | quote }} dst-address={{ item.local_policy | quote }}; \
    /ip firewall raw add action=notrack chain=prerouting src-address={{ item.local_policy | quote }} dst-address={{ item.remote_policy | quote }}; \
    :put \"Changed: true\"}"
  args: { executable: False }
  register: raw_result
  failed_when: "'input does not match' in raw_result.stdout
    or 'expected end of command' in raw_result.stdout
    or 'syntax error' in raw_result.stdout
    or 'bad command' in raw_result.stdout
    or 'no such item' in raw_result.stdout"
  changed_when: "'Changed: true' in raw_result.stdout"
  when: ipsec_result | changed and ros_version.find('6.38.5') != -1
  with_items:
    - "{{ mikrotik_ipsec }}"
	---
	# tasks file for ansible-role-mikrotik-ipsec

	- name: Check RouterOS version.
	raw: ":local varif [/system package update get installed-version]; :put \"$varif\""
	args: { executable: False }
	register: installed_version
	changed_when: False

	- name: Set custom fact for RouterOS version.
	set_fact:
	ros_version: "{{ installed_version.stdout\|regex_replace('(\\r\\n)','') }}"

	- name: Ensure ipsec is configured.
	raw: ":local varif [/ip ipsec peer find address={{ item.peer \| ipsubnet \| quote }}]; :if ([:len $varif ] = 0) \
	do={/ip ipsec peer add address={{ item.peer \| ipsubnet \| quote }} enc-algorithm=des hash-algorithm=md5 \
	nat-traversal=no secret={{ item.secret \| quote }} send-initial-contact=no; \
	/ip ipsec policy add dst-address={{ item.remote_policy \| quote }} sa-dst-address={{ item.peer \| quote }} \
	sa-src-address={{ item.my_address \| quote }} src-address={{ item.local_policy \| quote }} tunnel=yes; \
	/ip ipsec proposal set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=des lifetime=1d name=default pfs-group=modp1024; \
	:put \"Changed: true\"}"
	args: { executable: False }
	register: ipsec_result
	failed_when: "'input does not match' in ipsec_result.stdout
	or 'expected end of command' in ipsec_result.stdout
	or 'syntax error' in ipsec_result.stdout
	or 'bad command' in ipsec_result.stdout
	or 'invalid value for argument' in ipsec_result.stdout
	or 'no such item' in ipsec_result.stdout"
	changed_when: "'Changed: true' in ipsec_result.stdout"
	when: (item.peer and item.secret ) is defined
	with_items:
	- "{{ mikrotik_ipsec }}"

	# TODO: make idempotent
	- name: Ensure firewall filter and nat tables for IPsec is configured.
	raw: "/ip firewall filter add chain=forward action=accept connection-state=established,related src-address={{ item.remote_policy \| quote }} dst-address={{ item.local_policy \| quote }} place-before=1; \
	/ip firewall filter add chain=forward action=accept connection-state=established,related src-address={{ item.local_policy \| quote }} dst-address={{ item.remote_policy \| quote }} place-before=1; \
	/ip firewall filter add chain=input action=accept comment=\"Allow IKE\" dst-port=500 protocol=udp place-before=1; \
	/ip firewall filter add chain=input action=accept comment=\"Allow IPSec-ESP\" protocol=ipsec-esp place-before=1; \
	/ip firewall filter add chain=input action=accept comment=\"Allow IPSec-AH\" protocol=ipsec-ah place-before=1; \
	/ip firewall nat add chain=srcnat action=accept src-address={{ item.local_policy \| quote }} dst-address={{ item.remote_policy \| quote }} place-before=0; \
	:put \"Changed: true\"}"
	args: { executable: False }
	register: fw_result
	failed_when: "'input does not match' in fw_result.stdout
	or 'expected end of command' in fw_result.stdout
	or 'syntax error' in fw_result.stdout
	or 'bad command' in fw_result.stdout
	or 'no such item' in fw_result.stdout"
	changed_when: "'Changed: true' in fw_result.stdout"
	when: ipsec_result \| changed
	with_items:
	- "{{ mikrotik_ipsec }}"

	# TODO: make idempotent
	# RAW tables require >=6.36
	- name: Ensure firewall raw tables for IPsec is configured.
	raw: "/ip firewall raw add action=notrack chain=prerouting src-address={{ item.remote_policy \| quote }} dst-address={{ item.local_policy \| quote }}; \
	/ip firewall raw add action=notrack chain=prerouting src-address={{ item.local_policy \| quote }} dst-address={{ item.remote_policy \| quote }}; \
	:put \"Changed: true\"}"
	args: { executable: False }
	register: raw_result
	failed_when: "'input does not match' in raw_result.stdout
	or 'expected end of command' in raw_result.stdout
	or 'syntax error' in raw_result.stdout
	or 'bad command' in raw_result.stdout
	or 'no such item' in raw_result.stdout"
	changed_when: "'Changed: true' in raw_result.stdout"
	when: ipsec_result \| changed and ros_version.find('6.38.5') != -1
	with_items:
	- "{{ mikrotik_ipsec }}"