f5networks.f5_modules.bigip_ike_peer module – Manage IPSec IKE Peer configuration on BIG-IP
Note
This module is part of the f5networks.f5_modules collection (version 1.17.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install f5networks.f5_modules
.
To use it in a playbook, specify: f5networks.f5_modules.bigip_ike_peer
.
New in version 1.0.0: of f5networks.f5_modules
Parameters
Parameter |
Comments |
---|---|
Description of the IKE peer. |
|
Specifies the name of the IKE peer. |
|
Device partition to manage resources on. Default: “Common” |
|
Specifies the authentication method for phase 1 negotiation. When creating a new IKE peer, if this value is not specified, the default is Choices:
|
|
Specifies the digital certificate to use for the RSA signature. When creating a new IKE peer, if this value is not specified, and This parameter is invalid when |
|
Specifies the algorithm to use for IKE encryption. IKE Choices:
|
|
Specifies the algorithm to use for IKE authentication. Choices:
|
|
Specifies the public key the digital certificate contains. When creating a new IKE peer, if this value is not specified, and This parameter is invalid when |
|
Defines the lifetime in minutes of an IKE SA which will be proposed in the phase 1 negotiations. The accepted value range is When creating a new IKE peer, if this value is not specified, the default value set by the system is |
|
Specifies the Diffie-Hellman group to use for IKE Phase 1 and Phase 2 negotiations. Choices:
|
|
In IKEv2, specifies whether the certificate sent by the IKE peer is verified using the Trusted Certificate Authorities, a CRL, and/or a peer certificate. In IKEv1, specifies whether the identifier sent by the peer is verified with the credentials in the certificate, in the following manner - ASN1DN; specifies that the entire certificate subject name is compared with the identifier. Address, FQDN, or User FQDN; specifies that the certificate’s subjectAltName is compared with the identifier. If the two do not match, the negotiation fails. When creating a new IKE peer, if this value is not specified, and This parameter is invalid when Choices:
|
|
Specifies the identifier type the local system uses to identify itself to the peer during IKE Phase 1 negotiations. Choices:
|
|
Specifies a value for the identity when using a This is a required value when |
|
Specifies a string the IKE peers share for authenticating each other. This parameter is only relevant when This parameter is invalid when |
|
A dict object containing connection details. |
|
Configures the auth provider for to obtain authentication tokens from the remote device. This option is really used when working with BIG-IQ devices. |
|
If You may omit this option by setting the environment variable Previously used variable Choices:
|
|
The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable |
|
The BIG-IP host. You may omit this option by setting the environment variable |
|
The BIG-IP server port. You may omit this option by setting the environment variable Default: 443 |
|
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error. |
|
Configures the transport connection to use when connecting to the remote device. Choices:
|
|
The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable |
|
If You may omit this option by setting the environment variable Choices:
|
|
Displays the IP address of the BIG-IP system that is remote to the system you are configuring. |
|
When When Choices:
|
|
Choices:
|
|
Specifies the identifier type the local system uses to identify the peer during IKE Phase 1 negotiation. This is a required value when When Choices:
|
|
Specifies a value for the identity when using a This is a required value when |
|
Specifies which version of IKE (Internet Key Exchange) is used. If the system you are configuring is the IPsec initiator, and you select both versions, the system tries using IKEv2 for negotiation. If the remote peer does not support IKEv2, the IPsec tunnel fails. To use IKEv1 in this case, you must deselect Version 2 and try again. If the system you are configuring is the IPsec responder, and you select both versions, the IPsec initiator system determines which IKE version to use. When creating a new IKE peer, this value is required. Choices:
|
Notes
Note
For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
Requires BIG-IP software version >= 12.
The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.
Examples
- name: Create new IKE peer
bigip_ike_peer:
name: ike1
remote_address: 1.2.3.4
version:
- v1
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Change presented id type - keyid-tag
bigip_ike_peer:
name: ike1
presented_id_type: keyid-tag
presented_id_value: key1
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Remove IKE peer
bigip_ike_peer:
name: ike1
state: absent
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The new IKE Phase 1 Credentials Authentication Method value of the resource. Returned: changed Sample: “rsa-signature” |
|
The new IKE Phase 1 Certificate Credentials. Returned: changed Sample: “/Common/cert1.crt” |
|
The new IKE Phase 1 Encryption Algorithm. Returned: changed Sample: “3des” |
|
The new IKE Phase 1 Authentication Algorithm. Returned: changed Sample: “sha256” |
|
The new IKE Phase 1 Key Credentials. Returned: changed Sample: “/Common/cert1.key” |
|
The new IKE Phase 1 Perfect Forward Secrecy. Returned: changed Sample: “modp1024” |
|
The new IKE Phase 1 Key Verify Peer Certificate setting. Returned: changed Sample: true |
|
The new Presented ID Type value of the resource. Returned: changed Sample: “address” |
|
The new Presented ID Value setting for the Presented ID Type. Returned: changed Sample: “1.2.3.1” |
|
The new Remote Address value of the resource. Returned: changed Sample: “1.2.2.1” |
|
The new Verified ID Type value of the resource. Returned: changed Sample: “address” |
|
The new Verified ID Value setting for the Verified ID Type. Returned: changed Sample: “1.2.3.1” |
|
The new list of IKE versions. Returned: changed Sample: [“v1”, “v2”] |
Authors
Tim Rupp (@caphrim007)
Wojciech Wypior (@wojtek0806)