fortinet.fortios.fortios_vpn_ipsec_phase1 module – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.1.6).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ipsec_phase1
.
New in version 2.0.0: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase1 category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
|
Configure VPN remote gateway. |
|
Enable/disable verification of RADIUS accounting record. Choices:
|
|
Enable/disable automatically add a route to the remote gateway. Choices:
|
|
Enable/disable control addition of a route to peer destination selector. Choices:
|
|
Enable/disable assignment of IP to IPsec interface via configuration method. Choices:
|
|
Method by which the IP address will be assigned. Choices:
|
|
Authentication method. Choices:
|
|
Authentication method (remote side). Choices:
|
|
XAuth password (max 35 characters). |
|
XAuth user name. |
|
Authentication user group. Source user.group.name. |
|
Enable/disable automatic initiation of IKE SA negotiation. Choices:
|
|
Instruct unity clients about the backup gateway address(es). |
|
Address of backup gateway. |
|
Message that unity client should display after connecting. |
|
Enable/disable cross validation of peer ID and the identity in the peer”s certificate as specified in RFC 4945. Choices:
|
|
Names of up to 4 signed personal certificates. |
|
Certificate name. Source vpn.certificate.local.name. |
|
Enable/disable childless IKEv2 initiation (RFC 6023). Choices:
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Choices:
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Choices:
|
|
Comment. |
|
Relay agent IPv6 link address to use in DHCP6 requests. |
|
Relay agent gateway IP address to use in the giaddr field of DHCP requests. |
|
DH group. Choices:
|
|
Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Choices:
|
|
Distance for routes added by IKE (1 - 255). |
|
DNS server mode. Choices:
|
|
Instruct unity clients about the single default DNS domain. |
|
Dead Peer Detection mode. Choices:
|
|
Number of DPD retry attempts. |
|
DPD retry interval. |
|
Enable/disable IKEv2 EAP authentication. Choices:
|
|
Peer group excluded from EAP authentication. Source user.peergrp.name. |
|
IKEv2 EAP peer identity type. Choices:
|
|
Enable/disable peer ID uniqueness check. Choices:
|
|
Extended sequence number (ESN) negotiation. Choices:
|
|
Number of base Forward Error Correction packets (1 - 20). |
|
Forward Error Correction encoding/decoding algorithm. Choices:
|
|
Enable/disable Forward Error Correction for egress IPsec traffic. Choices:
|
|
SD-WAN health check. Source system.sdwan.health-check.name. |
|
Enable/disable Forward Error Correction for ingress IPsec traffic. Choices:
|
|
Forward Error Correction (FEC) mapping profile. |
|
Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000). |
|
Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor). |
|
Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). |
|
Enable/disable FortiClient enforcement. Choices:
|
|
Enable/disable fragment IKE message on re-transmission. Choices:
|
|
IKE fragmentation MTU (500 - 16000). |
|
Enable/disable IKEv2 IDi group authentication. Choices:
|
|
Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. |
|
Enable/disable sequence number jump ahead for IPsec HA. Choices:
|
|
Enable/disable IPsec tunnel idle timeout. Choices:
|
|
IPsec tunnel idle timeout in minutes (5 - 43200). |
|
IKE protocol version. Choices:
|
|
Enable/disable allow local LAN access on unity clients. Choices:
|
|
Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. |
|
IP address reuse delay interval in seconds (0 - 28800). |
|
IPv4 DNS server 1. |
|
IPv4 DNS server 2. |
|
IPv4 DNS server 3. |
|
End of IPv4 range. |
|
Configuration Method IPv4 exclude ranges. |
|
End of IPv4 exclusive range. |
|
ID. |
|
Start of IPv4 exclusive range. |
|
IPv4 address name. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 Netmask. |
|
IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. |
|
Start of IPv4 range. |
|
WINS server 1. |
|
WINS server 2. |
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 DNS server 3. |
|
End of IPv6 range. |
|
Configuration method IPv6 exclude ranges. |
|
End of IPv6 exclusive range. |
|
ID. |
|
Start of IPv6 exclusive range. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 prefix. |
|
IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. |
|
Start of IPv6 range. |
|
NAT-T keep alive interval. |
|
Time to wait in seconds before phase 1 encryption key expires. |
|
Local VPN gateway. |
|
Local ID. |
|
Local ID type. Choices:
|
|
Enable/disable asymmetric routing for IKE traffic on loopback interface. Choices:
|
|
Add selectors containing subsets of the configuration depending on traffic. Choices:
|
|
ID protection mode used to establish a secure channel. Choices:
|
|
Enable/disable configuration method. Choices:
|
|
IPsec remote gateway name. |
|
Enable/disable NAT traversal. Choices:
|
|
IKE SA negotiation timeout in seconds (1 - 300). |
|
VPN gateway network ID. |
|
Enable/disable network overlays. Choices:
|
|
Enable/disable offloading NPU. Choices:
|
|
Accept this peer certificate. Source user.peer.name. |
|
Accept this peer certificate group. Source user.peergrp.name. |
|
Accept this peer identity. |
|
Accept this peer type. Choices:
|
|
Enable/disable IKEv2 Postquantum Preshared Key (PPK). Choices:
|
|
IKEv2 Postquantum Preshared Key Identity. |
|
IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). |
|
Priority for routes added by IKE (1 - 65535). |
|
Phase1 proposal. Choices:
|
|
Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Enable/disable re-authentication upon IKE SA lifetime expiration. Choices:
|
|
Enable/disable phase1 rekey. Choices:
|
|
Remote VPN gateway. |
|
Domain name of remote gateway. For example, name.ddns.com. |
|
Digital Signature Authentication RSA signature format. Choices:
|
|
Enable/disable saving XAuth username and password on VPN clients. Choices:
|
|
Enable/disable sending certificate chain. Choices:
|
|
Digital Signature Authentication hash algorithms. Choices:
|
|
Split-include services. Source firewall.service.group.name firewall.service.custom.name. |
|
Use Suite-B. Choices:
|
|
Remote gateway type. Choices:
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions. Choices:
|
|
User group name for dialup peers. Source user.group.name. |
|
GUI VPN Wizard Type. Choices:
|
|
XAuth type. Choices:
|
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure VPN remote gateway.
fortios_vpn_ipsec_phase1:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
vpn_ipsec_phase1:
acct_verify: "enable"
add_gw_route: "enable"
add_route: "disable"
assign_ip: "disable"
assign_ip_from: "range"
authmethod: "psk"
authmethod_remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto_negotiate: "enable"
backup_gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert_id_validation: "enable"
certificate:
-
name: "default_name_19 (source vpn.certificate.local.name)"
childless_ike: "enable"
client_auto_negotiate: "disable"
client_keep_alive: "disable"
comments: "<your_own_value>"
dhcp_ra_giaddr: "<your_own_value>"
dhcp6_ra_linkaddr: "<your_own_value>"
dhgrp: "1"
digital_signature_auth: "enable"
distance: "28"
dns_mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd_retrycount: "32"
dpd_retryinterval: "<your_own_value>"
eap: "enable"
eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)"
eap_identity: "use-id-payload"
enforce_unique_id: "disable"
esn: "require"
fec_base: "39"
fec_codec: "rs"
fec_egress: "enable"
fec_health_check: "<your_own_value> (source system.sdwan.health-check.name)"
fec_ingress: "enable"
fec_mapping_profile: "<your_own_value>"
fec_receive_timeout: "45"
fec_redundant: "46"
fec_send_timeout: "47"
forticlient_enforcement: "enable"
fragmentation: "enable"
fragmentation_mtu: "50"
group_authentication: "enable"
group_authentication_secret: "<your_own_value>"
ha_sync_esp_seqno: "enable"
idle_timeout: "enable"
idle_timeoutinterval: "55"
ike_version: "1"
include_local_lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
ip_delay_interval: "59"
ipv4_dns_server1: "<your_own_value>"
ipv4_dns_server2: "<your_own_value>"
ipv4_dns_server3: "<your_own_value>"
ipv4_end_ip: "<your_own_value>"
ipv4_exclude_range:
-
end_ip: "<your_own_value>"
id: "66"
start_ip: "<your_own_value>"
ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_netmask: "<your_own_value>"
ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_start_ip: "<your_own_value>"
ipv4_wins_server1: "<your_own_value>"
ipv4_wins_server2: "<your_own_value>"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_dns_server3: "<your_own_value>"
ipv6_end_ip: "<your_own_value>"
ipv6_exclude_range:
-
end_ip: "<your_own_value>"
id: "81"
start_ip: "<your_own_value>"
ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_prefix: "84"
ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_start_ip: "<your_own_value>"
keepalive: "88"
keylife: "89"
local_gw: "<your_own_value>"
localid: "<your_own_value>"
localid_type: "auto"
loopback_asymroute: "enable"
mesh_selector_type: "disable"
mode: "aggressive"
mode_cfg: "disable"
name: "default_name_97"
nattraversal: "enable"
negotiate_timeout: "99"
network_id: "100"
network_overlay: "disable"
npu_offload: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk_identity: "<your_own_value>"
ppk_secret: "<your_own_value>"
priority: "110"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret_remote: "<your_own_value>"
reauth: "disable"
rekey: "enable"
remote_gw: "<your_own_value>"
remotegw_ddns: "<your_own_value>"
rsa_signature_format: "pkcs1"
save_password: "disable"
send_cert_chain: "enable"
signature_hash_alg: "sha1"
split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite_b: "disable"
type: "static"
unity_support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
wizard_type: "custom"
xauthtype: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)