Ipsec Vpn and API

So I've been playing around with the API. I'm a bit of a novice at these things but have managed to get it to update the IPsec VPN details. My problem is that whenever I edit the settings it seems to deactivate the VPN; even if I set the activate-on-save property it doesn't actually activate again unless I go into the GUI and set it.

Is anyone familiar with this? Is it by design?

Unless someone can think of a smarter workaround to my actual issue, which is trying to automatically provision a site-to-site VPN with Azure via Terraform.

I can get the Azure end fine, but can't set the virtual network gateway ID to anything other than the dynamically generated external IP, which is why I have the need to programmatically update that field from the API. I have a feeling I'm just doing something wrong, as my XML is updating all the connection fields rather than just the remote ID. Let me know if it would be useful to see the XML query.



This thread was automatically locked due to age.
  • Here's what I'm running; as I say, the config applies successfully - If I only wanted to 

    $fw = "x.x.x.x"
    $port = "4444"
    $username = "API"
    $pw = "xxxxxxx"
    # Opens the <Request> and carries the login; $request below supplies the rest and the closing </Request>
    $authentication = "<Request><Login><Username>$username</Username><Password>$pw</Password></Login>"
    $azureip = "xxxxx"
    $request = "<Set>
    <VPNIPSecConnection>
    <Configuration>
    <Name>azure</Name>
    <Description/>
    <ConnectionType>SiteToSite</ConnectionType>
    <Policy>Test</Policy>
    <ActivateOnSave>y</ActivateOnSave>
    <AliasLocalWANPort>Port2</AliasLocalWANPort>
    <RemoteHost>xxxxxx</RemoteHost>
    <LocalIDType>IP Address</LocalIDType>
    <LocalID>x.x.x.x</LocalID>
    <RemoteIDType>DNS</RemoteIDType>
    <RemoteID>$azureip</RemoteID>
    <LocalSubnet>onprem</LocalSubnet>
    <Status>Active</Status>
    </Configuration>
    </VPNIPSecConnection>
    </Set>
    </Request>"

    # The whole document rides in the reqxml query parameter, so percent-encode it:
    # the newlines and spaces in $request are not valid in a URI as they stand
    $reqxml = [uri]::EscapeDataString("$authentication$request")
    $uri = "https://${fw}:$port/webconsole/APIController?reqxml=$reqxml"

    # Windows PowerShell 5.1 has no -SkipCertificateCheck; this policy accepts the
    # firewall's self-signed admin certificate for every request in the session
    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
    "@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

    # The API answers 200 OK even when the configuration is rejected; the real
    # outcome is the <Status code="..."> element inside the response body
    $result = Invoke-WebRequest -uri $uri
    $result.content

    Like I say, all I actually "NEED" to update at this stage would be the RemoteID with the Azure external IP, as I am not aware of a way to change the ID, although I could have automated the creation of a DNS entry.

    If I just try to update that field I get 

    <Response APIVersion="1800.2" IPS_CAT_VER="1">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <Configuration transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams>
    <Params>/VPNIPSecConnection/Configuration/AliasLocalWANPort</Params>
    <Params>/VPNIPSecConnection/Configuration/LocalSubnet</Params>
    <Params>/VPNIPSecConnection/Configuration/LocalID</Params>
    <Params>/VPNIPSecConnection/Configuration/RemoteIDType</Params>
    <Params>/VPNIPSecConnection/Configuration/LocalIDType</Params>
    <Params>/VPNIPSecConnection/Configuration/RemoteID</Params>
    <Params>/VPNIPSecConnection/Configuration/Policy</Params>
    </InvalidParams>
    </Configuration>
    </Response>

    If I enter all that information on top of the single change I want to make I get 

    <Response APIVersion="1800.2" IPS_CAT_VER="1">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <Configuration transactionid="">
    <Status code="545">Operation failed. For details, go to https://docs.sophos.com, select XG Firewall, and select API help. Go to the module and scroll down to "Status message information".
    </Status>
    </Configuration>
    </Response>

    The error correlates to 

    Add Failover Group IPSEC Connection 545

    Interfaces configured in WAN zone can only be selected for local endpoint.

    If that sheds any light on the issue?

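The two failures quoted above (501 with an InvalidParams list for a partial Set, 545 for a full one) are only visible inside the response body, and the script prints that body raw. The following is an added example, written for this thread and not code from the poster or from Sophos, that sends the request as a POST body instead of a query string, parses the `<Status code>` and `<Params>` elements into an object a script can branch on, and changes only RemoteID by reading the existing connection back with `<Get>`, editing that one element, and sending the whole object back with `<Set>`. It assumes PowerShell 7 or later (for `-SkipCertificateCheck`), that the API accepts the XML as a POSTed `reqxml` form field, that a successful Set returns code 200, and that the Get response is shaped `<Response><VPNIPSecConnection transactionid="">...</VPNIPSecConnection></Response>` with the same child elements Set expects; `$fw`, `$username`, `$pw` and `$azureip` are placeholders, and `Invoke-SfosApi`, `Read-SfosStatus` and `Set-SfosIpsecRemoteId` are names chosen here.

```powershell
# Added example (not from the thread or from Sophos). Assumptions: PowerShell 7+,
# POST with a "reqxml" form field, Set success code 200, and a Get response of the
# form <Response><VPNIPSecConnection transactionid="">...</VPNIPSecConnection>.
# $fw, $username, $pw and $azureip are placeholders to fill in.

$fw       = 'x.x.x.x'
$port     = 4444
$username = 'API'
$pw       = 'xxxxxxx'
$azureip  = 'xxxxx'
$apiUrl   = "https://${fw}:${port}/webconsole/APIController"

function ConvertTo-XmlText([string]$Value) {
    # Escape < > & " ' so a value (the password, a hostname) cannot break out of its element
    [System.Security.SecurityElement]::Escape($Value)
}

function Invoke-SfosApi {
    param([Parameter(Mandatory)][string]$Body)   # everything that follows </Login>
    $login  = "<Login><Username>$(ConvertTo-XmlText $username)</Username><Password>$(ConvertTo-XmlText $pw)</Password></Login>"
    $reqxml = "<Request>$login$Body</Request>"
    # POST keeps credentials and configuration out of the URL, hence out of proxy and web-server logs
    $resp = Invoke-WebRequest -Uri $apiUrl -Method Post -Body @{ reqxml = $reqxml } -SkipCertificateCheck
    [xml]$resp.Content
}

function Read-SfosStatus {
    param([Parameter(Mandatory)][xml]$Doc)
    # Turn the <Response> into an object a script can test, instead of printing raw XML
    $cfg = $Doc.Response.Configuration
    [pscustomobject]@{
        LoginOk       = ($Doc.Response.Login.status -eq 'Authentication Successful')
        Code          = if ($cfg) { [int]$cfg.Status.code } else { $null }
        Message       = if ($cfg) { $cfg.Status.'#text' } else { $null }
        InvalidParams = @($cfg.InvalidParams.Params | Where-Object { $_ })
    }
}

function Set-SfosIpsecRemoteId {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$RemoteId)
    # 1. Read the existing connection so every other field is resent unchanged
    $get  = Invoke-SfosApi "<Get><VPNIPSecConnection><Filter><key name=`"Name`" criteria=`"=`">$(ConvertTo-XmlText $Name)</key></Filter></VPNIPSecConnection></Get>"
    $conn = $get.SelectSingleNode('/Response/VPNIPSecConnection')
    if (-not $conn) { throw "IPsec connection '$Name' was not returned by Get" }
    # 2. Change only the one field
    $node = $conn.SelectSingleNode('.//RemoteID')
    if (-not $node) { throw "Get response has no RemoteID element" }
    $node.InnerText = $RemoteId
    $conn.RemoveAttribute('transactionid')    # response-only attribute, not part of a Set
    # 3. Write the whole object back and fail loudly on anything but success
    $status = Read-SfosStatus (Invoke-SfosApi "<Set>$($conn.OuterXml)</Set>")
    if (-not $status.LoginOk -or $status.Code -ne 200) {
        throw "Set failed: code $($status.Code) $($status.Message) [$($status.InvalidParams -join ', ')]"
    }
    $status
}

# Offline check of the parser against a response constructed from the 501 reply quoted in the thread
[xml]$sample = @"
<Response APIVersion="1800.2" IPS_CAT_VER="1">
<Login><status>Authentication Successful</status></Login>
<Configuration transactionid="">
<Status code="501">Configuration parameters validation failed.</Status>
<InvalidParams><Params>/VPNIPSecConnection/Configuration/RemoteID</Params></InvalidParams>
</Configuration>
</Response>
"@
Read-SfosStatus $sample

# Live use, once the placeholders are filled in:
# Set-SfosIpsecRemoteId -Name 'azure' -RemoteId $azureip
```

Running the file as-is only exercises `Read-SfosStatus` on the constructed sample, which yields Code 501 with the RemoteID path in InvalidParams, so the parsing can be checked without a firewall. `-SkipCertificateCheck` plays the same role as the `TrustAllCertsPolicy` class above; importing the firewall's admin certificate into the machine's trust store and dropping the switch is the longer-lived option for a Terraform pipeline.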