Parameter |
Choices/Defaults |
Comments |
auth_algorithm
string
|
Choices:
- sha1
- sha256
- sha384
- sha512
- aes-gcm128
- aes-gcm192
- aes-gcm256
- aes-gmac128
- aes-gmac192
- aes-gmac256
|
Specifies the algorithm to use for IKE authentication.
|
description
string
|
|
Description of the policy
|
encrypt_algorithm
string
|
Choices:
- none
- 3des
- aes128
- aes192
- aes256
- aes-gmac256
- aes-gmac192
- aes-gmac128
- aes-gcm256
- aes-gcm192
- aes-gcm256
- aes-gcm128
|
Specifies the algorithm to use for IKE encryption.
|
ipcomp
string
|
Choices:
- none
- null
- deflate
|
Specifies whether to use IPComp encapsulation.
When none , specifies IPComp is disabled.
When deflate , specifies IPComp is enabled and uses the Deflate compression algorithm.
|
ipv4_interface
boolean
|
|
When mode is interface , indicates if the IPv4 any address should be used. By default BIG-IP assumes any6 address for tunnel addresses when mode is interface .
This option takes effect only when mode is set to interface .
|
kb_lifetime
integer
|
|
Specifies the length of time before the IKE security association, in kilobytes. expires.
|
lifetime
integer
|
|
Specifies the length of time before the IKE security association expires, in minutes.
|
mode
string
|
Choices:
- transport
- interface
- isession
- tunnel
|
Specifies the processing mode.
When transport , specifies a mode that encapsulates only the payload (adding an ESP header, trailer, and authentication tag).
When tunnel , specifies a mode that includes encapsulation of the header as well as the payload (adding a new IP header, in addition to adding an ESP header, trailer, and authentication tag). If you select this option, you must also provide IP addresses for the local and remote endpoints of the IPsec tunnel.
When isession , specifies the use of iSession over an IPsec tunnel. To use this option, you must also configure the iSession endpoints with IPsec in the Acceleration section of the user interface.
When interface , specifies the IPsec policy can be used in the tunnel profile for network interfaces.
|
name
string
/ required
|
|
Specifies the name of the IPSec policy.
|
partition
string
|
Default:
"Common"
|
Device partition to manage resources on.
|
perfect_forward_secrecy
string
|
Choices:
- none
- modp768
- modp1024
- modp1536
- modp2048
- modp3072
- modp4096
- modp6144
- modp8192
|
Specifies the Diffie-Hellman group to use for IKE Phase 2 negotiation.
|
protocol
string
|
|
Specifies the IPsec protocol.
Options include ESP (Encapsulating Security Protocol) or AH (Authentication Header).
|
provider
dictionary
added in 1.0.0 of f5networks.f5_modules
|
|
A dict object containing connection details.
|
|
auth_provider
string
|
|
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
|
|
no_f5_teem
boolean
|
|
If yes , TEEM telemetry data is not sent to F5.
You may omit this option by setting the environment variable F5_TEEM .
|
|
password
string
/ required
|
|
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD .
aliases: pass, pwd
|
|
server
string
/ required
|
|
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER .
|
|
server_port
integer
|
Default:
443
|
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT .
|
|
timeout
integer
|
|
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
|
|
transport
string
|
|
Configures the transport connection to use when connecting to the remote device.
|
|
user
string
/ required
|
|
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER .
|
|
validate_certs
boolean
|
|
If no , SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS .
|
route_domain
integer
|
|
Specifies the route domain, when interface is selected for the mode setting.
|
state
string
|
Choices:
present ←
- absent
|
When present , ensures the resource exists.
When absent , ensures the resource is removed.
|
tunnel_local_address
string
|
|
Specifies the local endpoint IP address of the IPsec tunnel.
This parameter is only valid when mode is tunnel .
|
tunnel_remote_address
string
|
|
Specifies the remote endpoint IP address of the IPsec tunnel.
This parameter is only valid when mode is tunnel .
|