fortios_vpn_ipsec_phase1 – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ipsec feature and phase1 category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
host
-
/ required
|
FortiOS or FortiGate ip address.
|
|||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
|||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
|
vpn_ipsec_phase1
-
|
Default: null
|
Configure VPN remote gateway.
|
||
|
acct-verify
-
|
|
Enable/disable verification of RADIUS accounting record.
|
||
|
add-gw-route
-
|
|
Enable/disable automatically add a route to the remote gateway.
|
||
|
add-route
-
|
|
Enable/disable control addition of a route to peer destination selector.
|
||
|
assign-ip
-
|
|
Enable/disable assignment of IP to IPsec interface via configuration method.
|
||
|
assign-ip-from
-
|
|
Method by which the IP address will be assigned.
|
||
|
authmethod
-
|
|
Authentication method.
|
||
|
authmethod-remote
-
|
|
Authentication method (remote side).
|
||
|
authpasswd
-
|
XAuth password (max 35 characters).
|
|||
|
authusr
-
|
XAuth user name.
|
|||
|
authusrgrp
-
|
Authentication user group. Source user.group.name.
|
|||
|
auto-negotiate
-
|
|
Enable/disable automatic initiation of IKE SA negotiation.
|
||
|
backup-gateway
-
|
Instruct unity clients about the backup gateway address(es).
|
|||
|
address
-
/ required
|
Address of backup gateway.
|
|||
|
banner
-
|
Message that unity client should display after connecting.
|
|||
|
cert-id-validation
-
|
|
Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
|
||
|
certificate
-
|
Names of up to 4 signed personal certificates.
|
|||
|
name
-
/ required
|
Certificate name. Source vpn.certificate.local.name.
|
|||
|
childless-ike
-
|
|
Enable/disable childless IKEv2 initiation (RFC 6023).
|
||
|
client-auto-negotiate
-
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
|
||
|
client-keep-alive
-
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
|
||
|
comments
-
|
Comment.
|
|||
|
dhgrp
-
|
|
DH group.
|
||
|
digital-signature-auth
-
|
|
Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
|
||
|
distance
-
|
Distance for routes added by IKE (1 - 255).
|
|||
|
dns-mode
-
|
|
DNS server mode.
|
||
|
domain
-
|
Instruct unity clients about the default DNS domain.
|
|||
|
dpd
-
|
|
Dead Peer Detection mode.
|
||
|
dpd-retrycount
-
|
Number of DPD retry attempts.
|
|||
|
dpd-retryinterval
-
|
DPD retry interval.
|
|||
|
eap
-
|
|
Enable/disable IKEv2 EAP authentication.
|
||
|
eap-identity
-
|
|
IKEv2 EAP peer identity type.
|
||
|
enforce-unique-id
-
|
|
Enable/disable peer ID uniqueness check.
|
||
|
forticlient-enforcement
-
|
|
Enable/disable FortiClient enforcement.
|
||
|
fragmentation
-
|
|
Enable/disable fragment IKE message on re-transmission.
|
||
|
fragmentation-mtu
-
|
IKE fragmentation MTU (500 - 16000).
|
|||
|
group-authentication
-
|
|
Enable/disable IKEv2 IDi group authentication.
|
||
|
group-authentication-secret
-
|
Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.)
|
|||
|
ha-sync-esp-seqno
-
|
|
Enable/disable sequence number jump ahead for IPsec HA.
|
||
|
idle-timeout
-
|
|
Enable/disable IPsec tunnel idle timeout.
|
||
|
idle-timeoutinterval
-
|
IPsec tunnel idle timeout in minutes (5 - 43200).
|
|||
|
ike-version
-
|
|
IKE protocol version.
|
||
|
include-local-lan
-
|
|
Enable/disable allow local LAN access on unity clients.
|
||
|
interface
-
|
Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name.
|
|||
|
ipv4-dns-server1
-
|
IPv4 DNS server 1.
|
|||
|
ipv4-dns-server2
-
|
IPv4 DNS server 2.
|
|||
|
ipv4-dns-server3
-
|
IPv4 DNS server 3.
|
|||
|
ipv4-end-ip
-
|
End of IPv4 range.
|
|||
|
ipv4-exclude-range
-
|
Configuration Method IPv4 exclude ranges.
|
|||
|
end-ip
-
|
End of IPv4 exclusive range.
|
|||
|
id
-
/ required
|
ID.
|
|||
|
start-ip
-
|
Start of IPv4 exclusive range.
|
|||
|
ipv4-name
-
|
IPv4 address name. Source firewall.address.name firewall.addrgrp.name.
|
|||
|
ipv4-netmask
-
|
IPv4 Netmask.
|
|||
|
ipv4-split-exclude
-
|
IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name.
|
|||
|
ipv4-split-include
-
|
IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name.
|
|||
|
ipv4-start-ip
-
|
Start of IPv4 range.
|
|||
|
ipv4-wins-server1
-
|
WINS server 1.
|
|||
|
ipv4-wins-server2
-
|
WINS server 2.
|
|||
|
ipv6-dns-server1
-
|
IPv6 DNS server 1.
|
|||
|
ipv6-dns-server2
-
|
IPv6 DNS server 2.
|
|||
|
ipv6-dns-server3
-
|
IPv6 DNS server 3.
|
|||
|
ipv6-end-ip
-
|
End of IPv6 range.
|
|||
|
ipv6-exclude-range
-
|
Configuration method IPv6 exclude ranges.
|
|||
|
end-ip
-
|
End of IPv6 exclusive range.
|
|||
|
id
-
/ required
|
ID.
|
|||
|
start-ip
-
|
Start of IPv6 exclusive range.
|
|||
|
ipv6-name
-
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
|
ipv6-prefix
-
|
IPv6 prefix.
|
|||
|
ipv6-split-exclude
-
|
IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
|
ipv6-split-include
-
|
IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
|
ipv6-start-ip
-
|
Start of IPv6 range.
|
|||
|
keepalive
-
|
NAT-T keep alive interval.
|
|||
|
keylife
-
|
Time to wait in seconds before phase 1 encryption key expires.
|
|||
|
local-gw
-
|
Local VPN gateway.
|
|||
|
localid
-
|
Local ID.
|
|||
|
localid-type
-
|
|
Local ID type.
|
||
|
mesh-selector-type
-
|
|
Add selectors containing subsets of the configuration depending on traffic.
|
||
|
mode
-
|
|
ID protection mode used to establish a secure channel.
|
||
|
mode-cfg
-
|
|
Enable/disable configuration method.
|
||
|
name
-
/ required
|
IPsec remote gateway name.
|
|||
|
nattraversal
-
|
|
Enable/disable NAT traversal.
|
||
|
negotiate-timeout
-
|
IKE SA negotiation timeout in seconds (1 - 300).
|
|||
|
npu-offload
-
|
|
Enable/disable offloading NPU.
|
||
|
peer
-
|
Accept this peer certificate. Source user.peer.name.
|
|||
|
peergrp
-
|
Accept this peer certificate group. Source user.peergrp.name.
|
|||
|
peerid
-
|
Accept this peer identity.
|
|||
|
peertype
-
|
|
Accept this peer type.
|
||
|
ppk
-
|
|
Enable/disable IKEv2 Postquantum Preshared Key (PPK).
|
||
|
ppk-identity
-
|
IKEv2 Postquantum Preshared Key Identity.
|
|||
|
ppk-secret
-
|
IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
|
priority
-
|
Priority for routes added by IKE (0 - 4294967295).
|
|||
|
proposal
-
|
|
Phase1 proposal.
|
||
|
psksecret
-
|
Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
|
psksecret-remote
-
|
Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
|
|||
|
reauth
-
|
|
Enable/disable re-authentication upon IKE SA lifetime expiration.
|
||
|
rekey
-
|
|
Enable/disable phase1 rekey.
|
||
|
remote-gw
-
|
Remote VPN gateway.
|
|||
|
remotegw-ddns
-
|
Domain name of remote gateway (eg. name.DDNS.com).
|
|||
|
rsa-signature-format
-
|
|
Digital Signature Authentication RSA signature format.
|
||
|
save-password
-
|
|
Enable/disable saving XAuth username and password on VPN clients.
|
||
|
send-cert-chain
-
|
|
Enable/disable sending certificate chain.
|
||
|
signature-hash-alg
-
|
|
Digital Signature Authentication hash algorithms.
|
||
|
split-include-service
-
|
Split-include services. Source firewall.service.group.name firewall.service.custom.name.
|
|||
|
state
-
|
|
Indicates whether to create or remove the object
|
||
|
suite-b
-
|
|
Use Suite-B.
|
||
|
type
-
|
|
Remote gateway type.
|
||
|
unity-support
-
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions.
|
||
|
usrgrp
-
|
User group name for dialup peers. Source user.group.name.
|
|||
|
wizard-type
-
|
|
GUI VPN Wizard Type.
|
||
|
xauthtype
-
|
|
XAuth type.
|
||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure VPN remote gateway.
fortios_vpn_ipsec_phase1:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ipsec_phase1:
state: "present"
acct-verify: "enable"
add-gw-route: "enable"
add-route: "disable"
assign-ip: "disable"
assign-ip-from: "range"
authmethod: "psk"
authmethod-remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto-negotiate: "enable"
backup-gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert-id-validation: "enable"
certificate:
-
name: "default_name_19 (source vpn.certificate.local.name)"
childless-ike: "enable"
client-auto-negotiate: "disable"
client-keep-alive: "disable"
comments: "<your_own_value>"
dhgrp: "1"
digital-signature-auth: "enable"
distance: "26"
dns-mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd-retrycount: "30"
dpd-retryinterval: "<your_own_value>"
eap: "enable"
eap-identity: "use-id-payload"
enforce-unique-id: "disable"
forticlient-enforcement: "enable"
fragmentation: "enable"
fragmentation-mtu: "37"
group-authentication: "enable"
group-authentication-secret: "<your_own_value>"
ha-sync-esp-seqno: "enable"
idle-timeout: "enable"
idle-timeoutinterval: "42"
ike-version: "1"
include-local-lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
ipv4-dns-server1: "<your_own_value>"
ipv4-dns-server2: "<your_own_value>"
ipv4-dns-server3: "<your_own_value>"
ipv4-end-ip: "<your_own_value>"
ipv4-exclude-range:
-
end-ip: "<your_own_value>"
id: "52"
start-ip: "<your_own_value>"
ipv4-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-netmask: "<your_own_value>"
ipv4-split-exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-split-include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-start-ip: "<your_own_value>"
ipv4-wins-server1: "<your_own_value>"
ipv4-wins-server2: "<your_own_value>"
ipv6-dns-server1: "<your_own_value>"
ipv6-dns-server2: "<your_own_value>"
ipv6-dns-server3: "<your_own_value>"
ipv6-end-ip: "<your_own_value>"
ipv6-exclude-range:
-
end-ip: "<your_own_value>"
id: "67"
start-ip: "<your_own_value>"
ipv6-name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-prefix: "70"
ipv6-split-exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-split-include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-start-ip: "<your_own_value>"
keepalive: "74"
keylife: "75"
local-gw: "<your_own_value>"
localid: "<your_own_value>"
localid-type: "auto"
mesh-selector-type: "disable"
mode: "aggressive"
mode-cfg: "disable"
name: "default_name_82"
nattraversal: "enable"
negotiate-timeout: "84"
npu-offload: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk-identity: "<your_own_value>"
ppk-secret: "<your_own_value>"
priority: "93"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret-remote: "<your_own_value>"
reauth: "disable"
rekey: "enable"
remote-gw: "<your_own_value>"
remotegw-ddns: "<your_own_value>"
rsa-signature-format: "pkcs1"
save-password: "disable"
send-cert-chain: "enable"
signature-hash-alg: "sha1"
split-include-service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite-b: "disable"
type: "static"
unity-support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
wizard-type: "custom"
xauthtype: "disable"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]