fortios_vpn_ipsec_phase1_interface – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase1_interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| host
string
|
FortiOS or FortiGate IP address.
|
|||
| https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol.
|
||
| password
string
|
Default:
""
|
FortiOS or FortiGate password.
|
||
| ssl_verify
boolean
added in 2.9
|
|
Ensures FortiGate certificate must be verified by a proper CA.
|
||
| state
string
added in 2.9
|
|
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
|
||
| username
string
|
FortiOS or FortiGate username.
|
|||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
| vpn_ipsec_phase1_interface
dictionary
|
Default:
null
|
Configure VPN remote gateway.
|
||
| acct_verify
string
|
|
Enable/disable verification of RADIUS accounting record.
|
||
| add_gw_route
string
|
|
Enable/disable automatically add a route to the remote gateway.
|
||
| add_route
string
|
|
Enable/disable control addition of a route to peer destination selector.
|
||
| assign_ip
string
|
|
Enable/disable assignment of IP to IPsec interface via configuration method.
|
||
| assign_ip_from
string
|
|
Method by which the IP address will be assigned.
|
||
| authmethod
string
|
|
Authentication method.
|
||
| authmethod_remote
string
|
|
Authentication method (remote side).
|
||
| authpasswd
string
|
XAuth password (max 35 characters).
|
|||
| authusr
string
|
XAuth user name.
|
|||
| authusrgrp
string
|
Authentication user group. Source user.group.name.
|
|||
| auto_discovery_forwarder
string
|
|
Enable/disable forwarding auto-discovery short-cut messages.
|
||
| auto_discovery_psk
string
|
|
Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.
|
||
| auto_discovery_receiver
string
|
|
Enable/disable accepting auto-discovery short-cut messages.
|
||
| auto_discovery_sender
string
|
|
Enable/disable sending auto-discovery short-cut messages.
|
||
| auto_negotiate
string
|
|
Enable/disable automatic initiation of IKE SA negotiation.
|
||
| backup_gateway
list
|
Instruct unity clients about the backup gateway address(es).
|
|||
| address
string / required
|
Address of backup gateway.
|
|||
| banner
string
|
Message that unity client should display after connecting.
|
|||
| cert_id_validation
string
|
|
Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
|
||
| certificate
list
|
The names of up to 4 signed personal certificates.
|
|||
| name
string / required
|
Certificate name. Source vpn.certificate.local.name.
|
|||
| childless_ike
string
|
|
Enable/disable childless IKEv2 initiation (RFC 6023).
|
||
| client_auto_negotiate
string
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
|
||
| client_keep_alive
string
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
|
||
| comments
string
|
Comment.
|
|||
| default_gw
string
|
IPv4 address of default route gateway to use for traffic exiting the interface.
|
|||
| default_gw_priority
integer
|
Priority for default gateway route. A higher priority number signifies a less preferred route.
|
|||
| dhgrp
string
|
|
DH group.
|
||
| digital_signature_auth
string
|
|
Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
|
||
| distance
integer
|
Distance for routes added by IKE (1 - 255).
|
|||
| dns_mode
string
|
|
DNS server mode.
|
||
| domain
string
|
Instruct unity clients about the default DNS domain.
|
|||
| dpd
string
|
|
Dead Peer Detection mode.
|
||
| dpd_retrycount
integer
|
Number of DPD retry attempts.
|
|||
| dpd_retryinterval
string
|
DPD retry interval.
|
|||
| eap
string
|
|
Enable/disable IKEv2 EAP authentication.
|
||
| eap_identity
string
|
|
IKEv2 EAP peer identity type.
|
||
| encap_local_gw4
string
|
Local IPv4 address of GRE/VXLAN tunnel.
|
|||
| encap_local_gw6
string
|
Local IPv6 address of GRE/VXLAN tunnel.
|
|||
| encap_remote_gw4
string
|
Remote IPv4 address of GRE/VXLAN tunnel.
|
|||
| encap_remote_gw6
string
|
Remote IPv6 address of GRE/VXLAN tunnel.
|
|||
| encapsulation
string
|
|
Enable/disable GRE/VXLAN encapsulation.
|
||
| encapsulation_address
string
|
|
Source for GRE/VXLAN tunnel address.
|
||
| enforce_unique_id
string
|
|
Enable/disable peer ID uniqueness check.
|
||
| exchange_interface_ip
string
|
|
Enable/disable exchange of IPsec interface IP address.
|
||
| exchange_ip_addr4
string
|
IPv4 address to exchange with peers.
|
|||
| exchange_ip_addr6
string
|
IPv6 address to exchange with peers
|
|||
| forticlient_enforcement
string
|
|
Enable/disable FortiClient enforcement.
|
||
| fragmentation
string
|
|
Enable/disable fragment IKE message on re-transmission.
|
||
| fragmentation_mtu
integer
|
IKE fragmentation MTU (500 - 16000).
|
|||
| group_authentication
string
|
|
Enable/disable IKEv2 IDi group authentication.
|
||
| group_authentication_secret
string
|
Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.)
|
|||
| ha_sync_esp_seqno
string
|
|
Enable/disable sequence number jump ahead for IPsec HA.
|
||
| idle_timeout
string
|
|
Enable/disable IPsec tunnel idle timeout.
|
||
| idle_timeoutinterval
integer
|
IPsec tunnel idle timeout in minutes (5 - 43200).
|
|||
| ike_version
string
|
|
IKE protocol version.
|
||
| include_local_lan
string
|
|
Enable/disable allow local LAN access on unity clients.
|
||
| interface
string
|
Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name.
|
|||
| ip_version
string
|
|
IP version to use for VPN interface.
|
||
| ipv4_dns_server1
string
|
IPv4 DNS server 1.
|
|||
| ipv4_dns_server2
string
|
IPv4 DNS server 2.
|
|||
| ipv4_dns_server3
string
|
IPv4 DNS server 3.
|
|||
| ipv4_end_ip
string
|
End of IPv4 range.
|
|||
| ipv4_exclude_range
list
|
Configuration Method IPv4 exclude ranges.
|
|||
| end_ip
string
|
End of IPv4 exclusive range.
|
|||
| id
integer / required
|
ID.
|
|||
| start_ip
string
|
Start of IPv4 exclusive range.
|
|||
| ipv4_name
string
|
IPv4 address name. Source firewall.address.name firewall.addrgrp.name.
|
|||
| ipv4_netmask
string
|
IPv4 Netmask.
|
|||
| ipv4_split_exclude
string
|
IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name.
|
|||
| ipv4_split_include
string
|
IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name.
|
|||
| ipv4_start_ip
string
|
Start of IPv4 range.
|
|||
| ipv4_wins_server1
string
|
WINS server 1.
|
|||
| ipv4_wins_server2
string
|
WINS server 2.
|
|||
| ipv6_dns_server1
string
|
IPv6 DNS server 1.
|
|||
| ipv6_dns_server2
string
|
IPv6 DNS server 2.
|
|||
| ipv6_dns_server3
string
|
IPv6 DNS server 3.
|
|||
| ipv6_end_ip
string
|
End of IPv6 range.
|
|||
| ipv6_exclude_range
list
|
Configuration method IPv6 exclude ranges.
|
|||
| end_ip
string
|
End of IPv6 exclusive range.
|
|||
| id
integer / required
|
ID.
|
|||
| start_ip
string
|
Start of IPv6 exclusive range.
|
|||
| ipv6_name
string
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
| ipv6_prefix
integer
|
IPv6 prefix.
|
|||
| ipv6_split_exclude
string
|
IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
| ipv6_split_include
string
|
IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
| ipv6_start_ip
string
|
Start of IPv6 range.
|
|||
| keepalive
integer
|
NAT-T keep alive interval.
|
|||
| keylife
integer
|
Time to wait in seconds before phase 1 encryption key expires.
|
|||
| local_gw
string
|
IPv4 address of the local gateway's external interface.
|
|||
| local_gw6
string
|
IPv6 address of the local gateway's external interface.
|
|||
| localid
string
|
Local ID.
|
|||
| localid_type
string
|
|
Local ID type.
|
||
| mesh_selector_type
string
|
|
Add selectors containing subsets of the configuration depending on traffic.
|
||
| mode
string
|
|
The ID protection mode used to establish a secure channel.
|
||
| mode_cfg
string
|
|
Enable/disable configuration method.
|
||
| monitor
string
|
IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name.
|
|||
| monitor_hold_down_delay
integer
|
Time to wait in seconds before recovery once primary re-establishes.
|
|||
| monitor_hold_down_time
string
|
Time of day at which to fail back to primary after it re-establishes.
|
|||
| monitor_hold_down_type
string
|
|
Recovery time method when primary interface re-establishes.
|
||
| monitor_hold_down_weekday
string
|
|
Day of the week to recover once primary re-establishes.
|
||
| name
string / required
|
IPsec remote gateway name.
|
|||
| nattraversal
string
|
|
Enable/disable NAT traversal.
|
||
| negotiate_timeout
integer
|
IKE SA negotiation timeout in seconds (1 - 300).
|
|||
| net_device
string
|
|
Enable/disable kernel device creation for dialup instances.
|
||
| passive_mode
string
|
|
Enable/disable IPsec passive mode for static tunnels.
|
||
| peer
string
|
Accept this peer certificate. Source user.peer.name.
|
|||
| peergrp
string
|
Accept this peer certificate group. Source user.peergrp.name.
|
|||
| peerid
string
|
Accept this peer identity.
|
|||
| peertype
string
|
|
Accept this peer type.
|
||
| ppk
string
|
|
Enable/disable IKEv2 Postquantum Preshared Key (PPK).
|
||
| ppk_identity
string
|
IKEv2 Postquantum Preshared Key Identity.
|
|||
| ppk_secret
string
|
IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
| priority
integer
|
Priority for routes added by IKE (0 - 4294967295).
|
|||
| proposal
string
|
|
Phase1 proposal.
|
||
| psksecret
string
|
Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
| psksecret_remote
string
|
Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
| reauth
string
|
|
Enable/disable re-authentication upon IKE SA lifetime expiration.
|
||
| rekey
string
|
|
Enable/disable phase1 rekey.
|
||
| remote_gw
string
|
IPv4 address of the remote gateway's external interface.
|
|||
| remote_gw6
string
|
IPv6 address of the remote gateway's external interface.
|
|||
| remotegw_ddns
string
|
Domain name of remote gateway (eg. name.DDNS.com).
|
|||
| rsa_signature_format
string
|
|
Digital Signature Authentication RSA signature format.
|
||
| save_password
string
|
|
Enable/disable saving XAuth username and password on VPN clients.
|
||
| send_cert_chain
string
|
|
Enable/disable sending certificate chain.
|
||
| signature_hash_alg
string
|
|
Digital Signature Authentication hash algorithms.
|
||
| split_include_service
string
|
Split-include services. Source firewall.service.group.name firewall.service.custom.name.
|
|||
| state
string
|
|
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.
Indicates whether to create or remove the object.
|
||
| suite_b
string
|
|
Use Suite-B.
|
||
| tunnel_search
string
|
|
Tunnel search method for when the interface is shared.
|
||
| type
string
|
|
Remote gateway type.
|
||
| unity_support
string
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions.
|
||
| usrgrp
string
|
User group name for dialup peers. Source user.group.name.
|
|||
| vni
integer
|
VNI of VXLAN tunnel.
|
|||
| wizard_type
string
|
|
GUI VPN Wizard Type.
|
||
| xauthtype
string
|
|
XAuth type.
|
||
Notes
Note
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure VPN remote gateway.
fortios_vpn_ipsec_phase1_interface:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
state: "present"
vpn_ipsec_phase1_interface:
acct_verify: "enable"
add_gw_route: "enable"
add_route: "disable"
assign_ip: "disable"
assign_ip_from: "range"
authmethod: "psk"
authmethod_remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto_discovery_forwarder: "enable"
auto_discovery_psk: "enable"
auto_discovery_receiver: "enable"
auto_discovery_sender: "enable"
auto_negotiate: "enable"
backup_gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert_id_validation: "enable"
certificate:
-
name: "default_name_23 (source vpn.certificate.local.name)"
childless_ike: "enable"
client_auto_negotiate: "disable"
client_keep_alive: "disable"
comments: "<your_own_value>"
default_gw: "<your_own_value>"
default_gw_priority: "29"
dhgrp: "1"
digital_signature_auth: "enable"
distance: "32"
dns_mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd_retrycount: "36"
dpd_retryinterval: "<your_own_value>"
eap: "enable"
eap_identity: "use-id-payload"
encap_local_gw4: "<your_own_value>"
encap_local_gw6: "<your_own_value>"
encap_remote_gw4: "<your_own_value>"
encap_remote_gw6: "<your_own_value>"
encapsulation: "none"
encapsulation_address: "ike"
enforce_unique_id: "disable"
exchange_interface_ip: "enable"
exchange_ip_addr4: "<your_own_value>"
exchange_ip_addr6: "<your_own_value>"
forticlient_enforcement: "enable"
fragmentation: "enable"
fragmentation_mtu: "52"
group_authentication: "enable"
group_authentication_secret: "<your_own_value>"
ha_sync_esp_seqno: "enable"
idle_timeout: "enable"
idle_timeoutinterval: "57"
ike_version: "1"
include_local_lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
ip_version: "4"
ipv4_dns_server1: "<your_own_value>"
ipv4_dns_server2: "<your_own_value>"
ipv4_dns_server3: "<your_own_value>"
ipv4_end_ip: "<your_own_value>"
ipv4_exclude_range:
-
end_ip: "<your_own_value>"
id: "68"
start_ip: "<your_own_value>"
ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_netmask: "<your_own_value>"
ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_start_ip: "<your_own_value>"
ipv4_wins_server1: "<your_own_value>"
ipv4_wins_server2: "<your_own_value>"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_dns_server3: "<your_own_value>"
ipv6_end_ip: "<your_own_value>"
ipv6_exclude_range:
-
end_ip: "<your_own_value>"
id: "83"
start_ip: "<your_own_value>"
ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_prefix: "86"
ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_start_ip: "<your_own_value>"
keepalive: "90"
keylife: "91"
local_gw: "<your_own_value>"
local_gw6: "<your_own_value>"
localid: "<your_own_value>"
localid_type: "auto"
mesh_selector_type: "disable"
mode: "aggressive"
mode_cfg: "disable"
monitor: "<your_own_value> (source vpn.ipsec.phase1-interface.name)"
monitor_hold_down_delay: "100"
monitor_hold_down_time: "<your_own_value>"
monitor_hold_down_type: "immediate"
monitor_hold_down_weekday: "everyday"
name: "default_name_104"
nattraversal: "enable"
negotiate_timeout: "106"
net_device: "enable"
passive_mode: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk_identity: "<your_own_value>"
ppk_secret: "<your_own_value>"
priority: "116"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret_remote: "<your_own_value>"
reauth: "disable"
rekey: "enable"
remote_gw: "<your_own_value>"
remote_gw6: "<your_own_value>"
remotegw_ddns: "<your_own_value>"
rsa_signature_format: "pkcs1"
save_password: "disable"
send_cert_chain: "enable"
signature_hash_alg: "sha1"
split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite_b: "disable"
tunnel_search: "selectors"
type: "static"
unity_support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
vni: "135"
wizard_type: "custom"
xauthtype: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_vpn_ipsec_phase1_interface_module.html