f5networks.f5_modules.bigip_ipsec_policy – Manage IPSec policies on a BIG-IP

Note

This plugin is part of the f5networks.f5_modules collection (version 1.9.0).

To install it use: ansible-galaxy collection install f5networks.f5_modules.

To use it in a playbook, specify: f5networks.f5_modules.bigip_ipsec_policy.

New in version 1.0.0: of f5networks.f5_modules

Synopsis

  • Manage IPSec policies on a BIG-IP device.

Parameters

Parameter Choices/Defaults Comments
auth_algorithm
string
    Choices:
  • sha1
  • sha256
  • sha384
  • sha512
  • aes-gcm128
  • aes-gcm192
  • aes-gcm256
  • aes-gmac128
  • aes-gmac192
  • aes-gmac256
Specifies the algorithm to use for IKE authentication.
description
string
Description of the policy
encrypt_algorithm
string
    Choices:
  • none
  • 3des
  • aes128
  • aes192
  • aes256
  • aes-gmac256
  • aes-gmac192
  • aes-gmac128
  • aes-gcm256
  • aes-gcm192
  • aes-gcm256
  • aes-gcm128
Specifies the algorithm to use for IKE encryption.
ipcomp
string
    Choices:
  • none
  • null
  • deflate
Specifies whether to use IPComp encapsulation.
When none, specifies IPComp is disabled.
When deflate, specifies IPComp is enabled and uses the Deflate compression algorithm.
ipv4_interface
boolean
    Choices:
  • no
  • yes
When mode is interface, indicates if the IPv4 any address should be used. By default BIG-IP assumes any6 address for tunnel addresses when mode is interface.
This option takes effect only when mode is set to interface.
kb_lifetime
integer
Specifies the length of time before the IKE security association, in kilobytes. expires.
lifetime
integer
Specifies the length of time before the IKE security association expires, in minutes.
mode
string
    Choices:
  • transport
  • interface
  • isession
  • tunnel
Specifies the processing mode.
When transport, specifies a mode that encapsulates only the payload (adding an ESP header, trailer, and authentication tag).
When tunnel, specifies a mode that includes encapsulation of the header as well as the payload (adding a new IP header, in addition to adding an ESP header, trailer, and authentication tag). If you select this option, you must also provide IP addresses for the local and remote endpoints of the IPsec tunnel.
When isession, specifies the use of iSession over an IPsec tunnel. To use this option, you must also configure the iSession endpoints with IPsec in the Acceleration section of the user interface.
When interface, specifies the IPsec policy can be used in the tunnel profile for network interfaces.
name
string / required
Specifies the name of the IPSec policy.
partition
string
Default:
"Common"
Device partition to manage resources on.
perfect_forward_secrecy
string
    Choices:
  • none
  • modp768
  • modp1024
  • modp1536
  • modp2048
  • modp3072
  • modp4096
  • modp6144
  • modp8192
Specifies the Diffie-Hellman group to use for IKE Phase 2 negotiation.
protocol
string
    Choices:
  • esp
  • ah
Specifies the IPsec protocol.
Options include ESP (Encapsulating Security Protocol) or AH (Authentication Header).
provider
dictionary
added in 1.0.0 of f5networks.f5_modules
A dict object containing connection details.
auth_provider
string
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
no_f5_teem
boolean
    Choices:
  • no
  • yes
If yes, TEEM telemetry data is not sent to F5.
You may omit this option by setting the environment variable F5_TEEM.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
Default:
443
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
timeout
integer
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport
string
    Choices:
  • rest ←
Configures the transport connection to use when connecting to the remote device.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.
route_domain
integer
Specifies the route domain, when interface is selected for the mode setting.
state
string
    Choices:
  • present ←
  • absent
When present, ensures the resource exists.
When absent, ensures the resource is removed.
tunnel_local_address
string
Specifies the local endpoint IP address of the IPsec tunnel.
This parameter is only valid when mode is tunnel.
tunnel_remote_address
string
Specifies the remote endpoint IP address of the IPsec tunnel.
This parameter is only valid when mode is tunnel.

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.

  • Requires BIG-IP software version >= 12.

  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Create a IPSec policy
  bigip_ipsec_policy:
    name: policy1
    mode: tunnel
    tunnel_local_address: 1.1.1.1
    tunnel_remote_address: 2.2.2.
    auth_algorithm: sha1
    encrypt_algorithm: 3des
    protocol: esp
    perfect_forward_secrecy: modp1024
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
auth_algorithm
string
changed
The new IKE Phase 2 Authentication Algorithm value.

Sample:
sha512
description
string
changed
The new description value.

Sample:
My policy
encrypt_algorithm
string
changed
The new IKE Phase 2 Encryption Algorithm value.

Sample:
aes256
ipcomp
string
changed
The new IKE Phase 2 IPComp value.

Sample:
deflate
kb_lifetime
integer
changed
The new IKE Phase 2 KB Lifetime value.
lifetime
integer
changed
The new IKE Phase 2 Lifetime value.

Sample:
1440
mode
string
changed
The new Mode value.

Sample:
tunnel
perfect_forward_secrecy
string
changed
The new IKE Phase 2 Perfect Forward Secrecy value.

Sample:
modp2048
protocol
string
changed
The new IPsec Protocol value.

Sample:
ah
route_domain
integer
changed
The new Route Domain value when in Tunnel mode.

Sample:
2
tunnel_local_address
string
changed
The new Tunnel Local Address value.

Sample:
1.2.2.1
tunnel_remote_address
string
changed
The new Tunnel Remote Address value.

Sample:
2.1.1.2


Authors

  • Tim Rupp (@caphrim007)

  • Wojciech Wypior (@wojtek0806)