fortinet.fortios.fortios_vpn_ipsec_phase1_interface – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ipsec_phase1_interface
.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase1_interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
Parameter | Choices/Defaults | Comments | ||
---|---|---|---|---|
access_token string | Token-based authentication. Generated from GUI of Fortigate. | |||
enable_log boolean |
| Enable/Disable logging for task. | ||
state string / required |
| Indicates whether to create or remove the object. | ||
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | ||
vpn_ipsec_phase1_interface dictionary | Configure VPN remote gateway. | |||
acct_verify string |
| Enable/disable verification of RADIUS accounting record. | ||
add_gw_route string |
| Enable/disable automatically add a route to the remote gateway. | ||
add_route string |
| Enable/disable control addition of a route to peer destination selector. | ||
aggregate_member string |
| Enable/disable use as an aggregate member. | ||
aggregate_weight integer | Link weight for aggregate. | |||
assign_ip string |
| Enable/disable assignment of IP to IPsec interface via configuration method. | ||
assign_ip_from string |
| Method by which the IP address will be assigned. | ||
authmethod string |
| Authentication method. | ||
authmethod_remote string |
| Authentication method (remote side). | ||
authpasswd string | XAuth password (max 35 characters). | |||
authusr string | XAuth user name. | |||
authusrgrp string | Authentication user group. Source user.group.name. | |||
auto_discovery_forwarder string |
| Enable/disable forwarding auto-discovery short-cut messages. | ||
auto_discovery_psk string |
| Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. | ||
auto_discovery_receiver string |
| Enable/disable accepting auto-discovery short-cut messages. | ||
auto_discovery_sender string |
| Enable/disable sending auto-discovery short-cut messages. | ||
auto_discovery_shortcuts string |
| Control deletion of child short-cut tunnels when the parent tunnel goes down. | ||
auto_negotiate string |
| Enable/disable automatic initiation of IKE SA negotiation. | ||
backup_gateway list / elements=string | Instruct unity clients about the backup gateway address(es). | |||
address string / required | Address of backup gateway. | |||
banner string | Message that unity client should display after connecting. | |||
cert_id_validation string |
| Enable/disable cross validation of peer ID and the identity in the peer"s certificate as specified in RFC 4945. | ||
certificate list / elements=string | The names of up to 4 signed personal certificates. | |||
name string / required | Certificate name. Source vpn.certificate.local.name. | |||
childless_ike string |
| Enable/disable childless IKEv2 initiation (RFC 6023). | ||
client_auto_negotiate string |
| Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. | ||
client_keep_alive string |
| Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. | ||
comments string | Comment. | |||
default_gw string | IPv4 address of default route gateway to use for traffic exiting the interface. | |||
default_gw_priority integer | Priority for default gateway route. A higher priority number signifies a less preferred route. | |||
dhcp6_ra_linkaddr string | Relay agent IPv6 link address to use in DHCP6 requests. | |||
dhcp_ra_giaddr string | Relay agent gateway IP address to use in the giaddr field of DHCP requests. | |||
dhgrp list / elements=string |
| DH group. | ||
digital_signature_auth string |
| Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). | ||
distance integer | Distance for routes added by IKE (1 - 255). | |||
dns_mode string |
| DNS server mode. | ||
domain string | Instruct unity clients about the default DNS domain. | |||
dpd string |
| Dead Peer Detection mode. | ||
dpd_retrycount integer | Number of DPD retry attempts. | |||
dpd_retryinterval string | DPD retry interval. | |||
eap string |
| Enable/disable IKEv2 EAP authentication. | ||
eap_exclude_peergrp string | Peer group excluded from EAP authentication. Source user.peergrp.name. | |||
eap_identity string |
| IKEv2 EAP peer identity type. | ||
encap_local_gw4 string | Local IPv4 address of GRE/VXLAN tunnel. | |||
encap_local_gw6 string | Local IPv6 address of GRE/VXLAN tunnel. | |||
encap_remote_gw4 string | Remote IPv4 address of GRE/VXLAN tunnel. | |||
encap_remote_gw6 string | Remote IPv6 address of GRE/VXLAN tunnel. | |||
encapsulation string |
| Enable/disable GRE/VXLAN encapsulation. | ||
encapsulation_address string |
| Source for GRE/VXLAN tunnel address. | ||
enforce_unique_id string |
| Enable/disable peer ID uniqueness check. | ||
esn string |
| Extended sequence number (ESN) negotiation. | ||
exchange_interface_ip string |
| Enable/disable exchange of IPsec interface IP address. | ||
exchange_ip_addr4 string | IPv4 address to exchange with peers. | |||
exchange_ip_addr6 string | IPv6 address to exchange with peers | |||
fec_base integer | Number of base Forward Error Correction packets (1 - 100). | |||
fec_codec integer | ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). | |||
fec_egress string |
| Enable/disable Forward Error Correction for egress IPsec traffic. | ||
fec_ingress string |
| Enable/disable Forward Error Correction for ingress IPsec traffic. | ||
fec_receive_timeout integer | Timeout in milliseconds before dropping Forward Error Correction packets (1 - 10000). | |||
fec_redundant integer | Number of redundant Forward Error Correction packets (1 - 100). | |||
fec_send_timeout integer | Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). | |||
forticlient_enforcement string |
| Enable/disable FortiClient enforcement. | ||
fragmentation string |
| Enable/disable fragment IKE message on re-transmission. | ||
fragmentation_mtu integer | IKE fragmentation MTU (500 - 16000). | |||
group_authentication string |
| Enable/disable IKEv2 IDi group authentication. | ||
group_authentication_secret string | Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) | |||
ha_sync_esp_seqno string |
| Enable/disable sequence number jump ahead for IPsec HA. | ||
idle_timeout string |
| Enable/disable IPsec tunnel idle timeout. | ||
idle_timeoutinterval integer | IPsec tunnel idle timeout in minutes (5 - 43200). | |||
ike_version string |
| IKE protocol version. | ||
include_local_lan string |
| Enable/disable allow local LAN access on unity clients. | ||
interface string | Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. | |||
ip_fragmentation string |
| Determine whether IP packets are fragmented before or after IPsec encapsulation. | ||
ip_version string |
| IP version to use for VPN interface. | ||
ipv4_dns_server1 string | IPv4 DNS server 1. | |||
ipv4_dns_server2 string | IPv4 DNS server 2. | |||
ipv4_dns_server3 string | IPv4 DNS server 3. | |||
ipv4_end_ip string | End of IPv4 range. | |||
ipv4_exclude_range list / elements=string | Configuration Method IPv4 exclude ranges. | |||
end_ip string | End of IPv4 exclusive range. | |||
id integer / required | ID. | |||
start_ip string | Start of IPv4 exclusive range. | |||
ipv4_name string | IPv4 address name. Source firewall.address.name firewall.addrgrp.name. | |||
ipv4_netmask string | IPv4 Netmask. | |||
ipv4_split_exclude string | IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. | |||
ipv4_split_include string | IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. | |||
ipv4_start_ip string | Start of IPv4 range. | |||
ipv4_wins_server1 string | WINS server 1. | |||
ipv4_wins_server2 string | WINS server 2. | |||
ipv6_dns_server1 string | IPv6 DNS server 1. | |||
ipv6_dns_server2 string | IPv6 DNS server 2. | |||
ipv6_dns_server3 string | IPv6 DNS server 3. | |||
ipv6_end_ip string | End of IPv6 range. | |||
ipv6_exclude_range list / elements=string | Configuration method IPv6 exclude ranges. | |||
end_ip string | End of IPv6 exclusive range. | |||
id integer / required | ID. | |||
start_ip string | Start of IPv6 exclusive range. | |||
ipv6_name string | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | |||
ipv6_prefix integer | IPv6 prefix. | |||
ipv6_split_exclude string | IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. | |||
ipv6_split_include string | IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. | |||
ipv6_start_ip string | Start of IPv6 range. | |||
keepalive integer | NAT-T keep alive interval. | |||
keylife integer | Time to wait in seconds before phase 1 encryption key expires. | |||
local_gw string | IPv4 address of the local gateway"s external interface. | |||
local_gw6 string | IPv6 address of the local gateway"s external interface. | |||
localid string | Local ID. | |||
localid_type string |
| Local ID type. | ||
loopback_asymroute string |
| Enable/disable asymmetric routing for IKE traffic on loopback interface. | ||
mesh_selector_type string |
| Add selectors containing subsets of the configuration depending on traffic. | ||
mode string |
| The ID protection mode used to establish a secure channel. | ||
mode_cfg string |
| Enable/disable configuration method. | ||
monitor string | IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name. | |||
monitor_hold_down_delay integer | Time to wait in seconds before recovery once primary re-establishes. | |||
monitor_hold_down_time string | Time of day at which to fail back to primary after it re-establishes. | |||
monitor_hold_down_type string |
| Recovery time method when primary interface re-establishes. | ||
monitor_hold_down_weekday string |
| Day of the week to recover once primary re-establishes. | ||
name string / required | IPsec remote gateway name. | |||
nattraversal string |
| Enable/disable NAT traversal. | ||
negotiate_timeout integer | IKE SA negotiation timeout in seconds (1 - 300). | |||
net_device string |
| Enable/disable kernel device creation for dialup instances. | ||
network_id integer | VPN gateway network ID. | |||
network_overlay string |
| Enable/disable network overlays. | ||
npu_offload string |
| Enable/disable offloading NPU. | ||
passive_mode string |
| Enable/disable IPsec passive mode for static tunnels. | ||
peer string | Accept this peer certificate. Source user.peer.name. | |||
peergrp string | Accept this peer certificate group. Source user.peergrp.name. | |||
peerid string | Accept this peer identity. | |||
peertype string |
| Accept this peer type. | ||
ppk string |
| Enable/disable IKEv2 Postquantum Preshared Key (PPK). | ||
ppk_identity string | IKEv2 Postquantum Preshared Key Identity. | |||
ppk_secret string | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). | |||
priority integer | Priority for routes added by IKE (0 - 4294967295). | |||
proposal list / elements=string |
| Phase1 proposal. | ||
psksecret string | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | |||
psksecret_remote string | Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | |||
reauth string |
| Enable/disable re-authentication upon IKE SA lifetime expiration. | ||
rekey string |
| Enable/disable phase1 rekey. | ||
remote_gw string | IPv4 address of the remote gateway"s external interface. | |||
remote_gw6 string | IPv6 address of the remote gateway"s external interface. | |||
remotegw_ddns string | Domain name of remote gateway (eg. name.DDNS.com). | |||
rsa_signature_format string |
| Digital Signature Authentication RSA signature format. | ||
save_password string |
| Enable/disable saving XAuth username and password on VPN clients. | ||
send_cert_chain string |
| Enable/disable sending certificate chain. | ||
signature_hash_alg list / elements=string |
| Digital Signature Authentication hash algorithms. | ||
split_include_service string | Split-include services. Source firewall.service.group.name firewall.service.custom.name. | |||
suite_b string |
| Use Suite-B. | ||
tunnel_search string |
| Tunnel search method for when the interface is shared. | ||
type string |
| Remote gateway type. | ||
unity_support string |
| Enable/disable support for Cisco UNITY Configuration Method extensions. | ||
usrgrp string | User group name for dialup peers. Source user.group.name. | |||
vni integer | VNI of VXLAN tunnel. | |||
wizard_type string |
| GUI VPN Wizard Type. | ||
xauthtype string |
| XAuth type. |
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates collections: - fortinet.fortios connection: httpapi vars: vdom: "root" ansible_httpapi_use_ssl: yes ansible_httpapi_validate_certs: no ansible_httpapi_port: 443 tasks: - name: Configure VPN remote gateway. fortios_vpn_ipsec_phase1_interface: vdom: "{{ vdom }}" state: "present" access_token: "<your_own_value>" vpn_ipsec_phase1_interface: acct_verify: "enable" add_gw_route: "enable" add_route: "disable" aggregate_member: "enable" aggregate_weight: "7" assign_ip: "disable" assign_ip_from: "range" authmethod: "psk" authmethod_remote: "psk" authpasswd: "<your_own_value>" authusr: "<your_own_value>" authusrgrp: "<your_own_value> (source user.group.name)" auto_discovery_forwarder: "enable" auto_discovery_psk: "enable" auto_discovery_receiver: "enable" auto_discovery_sender: "enable" auto_discovery_shortcuts: "independent" auto_negotiate: "enable" backup_gateway: - address: "<your_own_value>" banner: "<your_own_value>" cert_id_validation: "enable" certificate: - name: "default_name_26 (source vpn.certificate.local.name)" childless_ike: "enable" client_auto_negotiate: "disable" client_keep_alive: "disable" comments: "<your_own_value>" default_gw: "<your_own_value>" default_gw_priority: "32" dhcp_ra_giaddr: "<your_own_value>" dhcp6_ra_linkaddr: "<your_own_value>" dhgrp: "1" digital_signature_auth: "enable" distance: "37" dns_mode: "manual" domain: "<your_own_value>" dpd: "disable" dpd_retrycount: "41" dpd_retryinterval: "<your_own_value>" eap: "enable" eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)" eap_identity: "use-id-payload" encap_local_gw4: "<your_own_value>" encap_local_gw6: "<your_own_value>" encap_remote_gw4: "<your_own_value>" encap_remote_gw6: "<your_own_value>" encapsulation: "none" encapsulation_address: "ike" enforce_unique_id: "disable" esn: "require" exchange_interface_ip: "enable" exchange_ip_addr4: "<your_own_value>" exchange_ip_addr6: "<your_own_value>" fec_base: "57" fec_codec: "58" fec_egress: "enable" fec_ingress: "enable" fec_receive_timeout: "61" fec_redundant: "62" fec_send_timeout: "63" forticlient_enforcement: "enable" fragmentation: "enable" fragmentation_mtu: "66" group_authentication: "enable" group_authentication_secret: "<your_own_value>" ha_sync_esp_seqno: "enable" idle_timeout: "enable" idle_timeoutinterval: "71" ike_version: "1" include_local_lan: "disable" interface: "<your_own_value> (source system.interface.name)" ip_fragmentation: "pre-encapsulation" ip_version: "4" ipv4_dns_server1: "<your_own_value>" ipv4_dns_server2: "<your_own_value>" ipv4_dns_server3: "<your_own_value>" ipv4_end_ip: "<your_own_value>" ipv4_exclude_range: - end_ip: "<your_own_value>" id: "83" start_ip: "<your_own_value>" ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)" ipv4_netmask: "<your_own_value>" ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)" ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)" ipv4_start_ip: "<your_own_value>" ipv4_wins_server1: "<your_own_value>" ipv4_wins_server2: "<your_own_value>" ipv6_dns_server1: "<your_own_value>" ipv6_dns_server2: "<your_own_value>" ipv6_dns_server3: "<your_own_value>" ipv6_end_ip: "<your_own_value>" ipv6_exclude_range: - end_ip: "<your_own_value>" id: "98" start_ip: "<your_own_value>" ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)" ipv6_prefix: "101" ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)" ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)" ipv6_start_ip: "<your_own_value>" keepalive: "105" keylife: "106" local_gw: "<your_own_value>" local_gw6: "<your_own_value>" localid: "<your_own_value>" localid_type: "auto" loopback_asymroute: "enable" mesh_selector_type: "disable" mode: "aggressive" mode_cfg: "disable" monitor: "<your_own_value> (source vpn.ipsec.phase1-interface.name)" monitor_hold_down_delay: "116" monitor_hold_down_time: "<your_own_value>" monitor_hold_down_type: "immediate" monitor_hold_down_weekday: "everyday" name: "default_name_120" nattraversal: "enable" negotiate_timeout: "122" net_device: "enable" network_id: "124" network_overlay: "disable" npu_offload: "enable" passive_mode: "enable" peer: "<your_own_value> (source user.peer.name)" peergrp: "<your_own_value> (source user.peergrp.name)" peerid: "<your_own_value>" peertype: "any" ppk: "disable" ppk_identity: "<your_own_value>" ppk_secret: "<your_own_value>" priority: "135" proposal: "des-md5" psksecret: "<your_own_value>" psksecret_remote: "<your_own_value>" reauth: "disable" rekey: "enable" remote_gw: "<your_own_value>" remote_gw6: "<your_own_value>" remotegw_ddns: "<your_own_value>" rsa_signature_format: "pkcs1" save_password: "disable" send_cert_chain: "enable" signature_hash_alg: "sha1" split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)" suite_b: "disable" tunnel_search: "selectors" type: "static" unity_support: "disable" usrgrp: "<your_own_value> (source user.group.name)" vni: "154" wizard_type: "custom" xauthtype: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_vpn_ipsec_phase1_interface_module.html