fortinet.fortios.fortios_vpn_ipsec_phase1_interface module – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ipsec_phase1_interface
.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase1_interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
|
Configure VPN remote gateway. |
|
Enable/disable verification of RADIUS accounting record. Choices:
|
|
Enable/disable automatically add a route to the remote gateway. Choices:
|
|
Enable/disable control addition of a route to peer destination selector. Choices:
|
|
Enable/disable use as an aggregate member. Choices:
|
|
Link weight for aggregate. |
|
Enable/disable assignment of IP to IPsec interface via configuration method. Choices:
|
|
Method by which the IP address will be assigned. Choices:
|
|
Authentication method. Choices:
|
|
Authentication method (remote side). Choices:
|
|
XAuth password (max 35 characters). |
|
XAuth user name. |
|
Authentication user group. Source user.group.name. |
|
Allow/block set-up of short-cut tunnels between different network IDs. Choices:
|
|
Enable/disable forwarding auto-discovery short-cut messages. Choices:
|
|
Interval between shortcut offer messages in seconds (1 - 300). |
|
Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Choices:
|
|
Enable/disable accepting auto-discovery short-cut messages. Choices:
|
|
Enable/disable sending auto-discovery short-cut messages. Choices:
|
|
Control deletion of child short-cut tunnels when the parent tunnel goes down. Choices:
|
|
Enable/disable automatic initiation of IKE SA negotiation. Choices:
|
|
Instruct unity clients about the backup gateway address(es). |
|
Address of backup gateway. |
|
Message that unity client should display after connecting. |
|
Enable/disable cross validation of peer ID and the identity in the peer”s certificate as specified in RFC 4945. Choices:
|
|
The names of up to 4 signed personal certificates. |
|
Certificate name. Source vpn.certificate.local.name. |
|
Enable/disable childless IKEv2 initiation (RFC 6023). Choices:
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Choices:
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Choices:
|
|
Comment. |
|
IPv4 address of default route gateway to use for traffic exiting the interface. |
|
Priority for default gateway route. A higher priority number signifies a less preferred route. |
|
Device ID carried by the device ID notification. |
|
Enable/disable device ID notification. Choices:
|
|
Relay agent IPv6 link address to use in DHCP6 requests. |
|
Relay agent gateway IP address to use in the giaddr field of DHCP requests. |
|
DH group. Choices:
|
|
Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Choices:
|
|
Distance for routes added by IKE (1 - 255). |
|
DNS server mode. Choices:
|
|
Instruct unity clients about the single default DNS domain. |
|
Dead Peer Detection mode. Choices:
|
|
Number of DPD retry attempts. |
|
DPD retry interval. |
|
Enable/disable IKEv2 EAP authentication. Choices:
|
|
Peer group excluded from EAP authentication. Source user.peergrp.name. |
|
IKEv2 EAP peer identity type. Choices:
|
|
Local IPv4 address of GRE/VXLAN tunnel. |
|
Local IPv6 address of GRE/VXLAN tunnel. |
|
Remote IPv4 address of GRE/VXLAN tunnel. |
|
Remote IPv6 address of GRE/VXLAN tunnel. |
|
Enable/disable GRE/VXLAN/VPNID encapsulation. Choices:
|
|
Source for GRE/VXLAN tunnel address. Choices:
|
|
Enable/disable peer ID uniqueness check. Choices:
|
|
Extended sequence number (ESN) negotiation. Choices:
|
|
Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Choices:
|
|
Enable/disable exchange of IPsec interface IP address. Choices:
|
|
IPv4 address to exchange with peers. |
|
IPv6 address to exchange with peers. |
|
Number of base Forward Error Correction packets (1 - 20). |
|
Forward Error Correction encoding/decoding algorithm. Choices:
|
|
Enable/disable Forward Error Correction for egress IPsec traffic. Choices:
|
|
SD-WAN health check. Source system.sdwan.health-check.name. |
|
Enable/disable Forward Error Correction for ingress IPsec traffic. Choices:
|
|
Forward Error Correction (FEC) mapping profile. Source vpn.ipsec.fec.name. |
|
Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000). |
|
Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor). |
|
Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). |
|
Enable/disable IPsec syncing of tunnels for FGSP IPsec. Choices:
|
|
Enable/disable FortiClient enforcement. Choices:
|
|
Enable/disable fragment IKE message on re-transmission. Choices:
|
|
IKE fragmentation MTU (500 - 16000). |
|
Enable/disable IKEv2 IDi group authentication. Choices:
|
|
Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. |
|
Enable/disable sequence number jump ahead for IPsec HA. Choices:
|
|
Enable/disable IPsec tunnel idle timeout. Choices:
|
|
IPsec tunnel idle timeout in minutes (5 - 43200). |
|
IKE protocol version. Choices:
|
|
Enable/disable copy the dscp in the ESP header to the inner IP Header. Choices:
|
|
Enable/disable allow local LAN access on unity clients. Choices:
|
|
Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. |
|
IP address reuse delay interval in seconds (0 - 28800). |
|
Determine whether IP packets are fragmented before or after IPsec encapsulation. Choices:
|
|
IP version to use for VPN interface. Choices:
|
|
IPv4 DNS server 1. |
|
IPv4 DNS server 2. |
|
IPv4 DNS server 3. |
|
End of IPv4 range. |
|
Configuration Method IPv4 exclude ranges. |
|
End of IPv4 exclusive range. |
|
ID. |
|
Start of IPv4 exclusive range. |
|
IPv4 address name. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 Netmask. |
|
IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. |
|
Start of IPv4 range. |
|
WINS server 1. |
|
WINS server 2. |
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 DNS server 3. |
|
End of IPv6 range. |
|
Configuration method IPv6 exclude ranges. |
|
End of IPv6 exclusive range. |
|
ID. |
|
Start of IPv6 exclusive range. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 prefix. |
|
IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. |
|
Start of IPv6 range. |
|
NAT-T keep alive interval. |
|
Time to wait in seconds before phase 1 encryption key expires. |
|
Key Management Services server. Source vpn.kmip-server.name. |
|
VPN tunnel underlay link cost. |
|
IPv4 address of the local gateway”s external interface. |
|
IPv6 address of the local gateway”s external interface. |
|
Local ID. |
|
Local ID type. Choices:
|
|
Enable/disable asymmetric routing for IKE traffic on loopback interface. Choices:
|
|
Add selectors containing subsets of the configuration depending on traffic. Choices:
|
|
The ID protection mode used to establish a secure channel. Choices:
|
|
Enable/disable configuration method. Choices:
|
|
Enable/disable mode-cfg client to use custom phase2 selectors. Choices:
|
|
IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name. |
|
Time to wait in seconds before recovery once primary re-establishes. |
|
Time of day at which to fail back to primary after it re-establishes. |
|
Recovery time method when primary interface re-establishes. Choices:
|
|
Day of the week to recover once primary re-establishes. Choices:
|
|
IPsec remote gateway name. |
|
Enable/disable NAT traversal. Choices:
|
|
IKE SA negotiation timeout in seconds (1 - 300). |
|
Enable/disable kernel device creation. Choices:
|
|
VPN gateway network ID. |
|
Enable/disable network overlays. Choices:
|
|
Enable/disable offloading NPU. Choices:
|
|
Enable/disable packet distribution (RPS) on the IPsec interface. Choices:
|
|
Enable/disable IPsec passive mode for static tunnels. Choices:
|
|
Accept this peer certificate. Source user.peer.name. |
|
Accept this peer certificate group. Source user.peergrp.name. |
|
Accept this peer identity. |
|
Accept this peer type. Choices:
|
|
Enable/disable IKEv2 Postquantum Preshared Key (PPK). Choices:
|
|
IKEv2 Postquantum Preshared Key Identity. |
|
IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). |
|
Priority for routes added by IKE (1 - 65535). |
|
Phase1 proposal. Choices:
|
|
Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Enable/disable re-authentication upon IKE SA lifetime expiration. Choices:
|
|
Enable/disable phase1 rekey. Choices:
|
|
IPv4 address of the remote gateway”s external interface. |
|
IPv6 address of the remote gateway”s external interface. |
|
Domain name of remote gateway. For example, name.ddns.com. |
|
Digital Signature Authentication RSA signature format. Choices:
|
|
Enable/disable IKEv2 RSA signature hash algorithm override. Choices:
|
|
Enable/disable saving XAuth username and password on VPN clients. Choices:
|
|
Enable/disable sending certificate chain. Choices:
|
|
Digital Signature Authentication hash algorithms. Choices:
|
|
Split-include services. Source firewall.service.group.name firewall.service.custom.name. |
|
Use Suite-B. Choices:
|
|
Tunnel search method for when the interface is shared. Choices:
|
|
Remote gateway type. Choices:
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions. Choices:
|
|
User group name for dialup peers. Source user.group.name. |
|
VNI of VXLAN tunnel. |
|
GUI VPN Wizard Type. Choices:
|
|
XAuth type. Choices:
|
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure VPN remote gateway.
fortios_vpn_ipsec_phase1_interface:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
vpn_ipsec_phase1_interface:
acct_verify: "enable"
add_gw_route: "enable"
add_route: "disable"
aggregate_member: "enable"
aggregate_weight: "1"
assign_ip: "disable"
assign_ip_from: "range"
authmethod: "psk"
authmethod_remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto_discovery_crossover: "allow"
auto_discovery_forwarder: "enable"
auto_discovery_offer_interval: "5"
auto_discovery_psk: "enable"
auto_discovery_receiver: "enable"
auto_discovery_sender: "enable"
auto_discovery_shortcuts: "independent"
auto_negotiate: "enable"
backup_gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert_id_validation: "enable"
certificate:
-
name: "default_name_28 (source vpn.certificate.local.name)"
childless_ike: "enable"
client_auto_negotiate: "disable"
client_keep_alive: "disable"
comments: "<your_own_value>"
default_gw: "<your_own_value>"
default_gw_priority: "0"
dev_id: "<your_own_value>"
dev_id_notification: "disable"
dhcp_ra_giaddr: "<your_own_value>"
dhcp6_ra_linkaddr: "<your_own_value>"
dhgrp: "1"
digital_signature_auth: "enable"
distance: "15"
dns_mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd_retrycount: "3"
dpd_retryinterval: "<your_own_value>"
eap: "enable"
eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)"
eap_identity: "use-id-payload"
encap_local_gw4: "<your_own_value>"
encap_local_gw6: "<your_own_value>"
encap_remote_gw4: "<your_own_value>"
encap_remote_gw6: "<your_own_value>"
encapsulation: "none"
encapsulation_address: "ike"
enforce_unique_id: "disable"
esn: "require"
exchange_fgt_device_id: "enable"
exchange_interface_ip: "enable"
exchange_ip_addr4: "<your_own_value>"
exchange_ip_addr6: "<your_own_value>"
fec_base: "10"
fec_codec: "rs"
fec_egress: "enable"
fec_health_check: "<your_own_value> (source system.sdwan.health-check.name)"
fec_ingress: "enable"
fec_mapping_profile: "<your_own_value> (source vpn.ipsec.fec.name)"
fec_receive_timeout: "50"
fec_redundant: "1"
fec_send_timeout: "5"
fgsp_sync: "enable"
forticlient_enforcement: "enable"
fragmentation: "enable"
fragmentation_mtu: "1200"
group_authentication: "enable"
group_authentication_secret: "<your_own_value>"
ha_sync_esp_seqno: "enable"
idle_timeout: "enable"
idle_timeoutinterval: "15"
ike_version: "1"
inbound_dscp_copy: "enable"
include_local_lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
ip_delay_interval: "0"
ip_fragmentation: "pre-encapsulation"
ip_version: "4"
ipv4_dns_server1: "<your_own_value>"
ipv4_dns_server2: "<your_own_value>"
ipv4_dns_server3: "<your_own_value>"
ipv4_end_ip: "<your_own_value>"
ipv4_exclude_range:
-
end_ip: "<your_own_value>"
id: "93"
start_ip: "<your_own_value>"
ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_netmask: "<your_own_value>"
ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_start_ip: "<your_own_value>"
ipv4_wins_server1: "<your_own_value>"
ipv4_wins_server2: "<your_own_value>"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_dns_server3: "<your_own_value>"
ipv6_end_ip: "<your_own_value>"
ipv6_exclude_range:
-
end_ip: "<your_own_value>"
id: "108"
start_ip: "<your_own_value>"
ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_prefix: "128"
ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_start_ip: "<your_own_value>"
keepalive: "10"
keylife: "86400"
kms: "<your_own_value> (source vpn.kmip-server.name)"
link_cost: "0"
local_gw: "<your_own_value>"
local_gw6: "<your_own_value>"
localid: "<your_own_value>"
localid_type: "auto"
loopback_asymroute: "enable"
mesh_selector_type: "disable"
mode: "aggressive"
mode_cfg: "disable"
mode_cfg_allow_client_selector: "disable"
monitor: "<your_own_value> (source vpn.ipsec.phase1-interface.name)"
monitor_hold_down_delay: "0"
monitor_hold_down_time: "<your_own_value>"
monitor_hold_down_type: "immediate"
monitor_hold_down_weekday: "everyday"
name: "default_name_133"
nattraversal: "enable"
negotiate_timeout: "30"
net_device: "enable"
network_id: "0"
network_overlay: "disable"
npu_offload: "enable"
packet_redistribution: "enable"
passive_mode: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk_identity: "<your_own_value>"
ppk_secret: "<your_own_value>"
priority: "1"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret_remote: "<your_own_value>"
reauth: "disable"
rekey: "enable"
remote_gw: "<your_own_value>"
remote_gw6: "<your_own_value>"
remotegw_ddns: "<your_own_value>"
rsa_signature_format: "pkcs1"
rsa_signature_hash_override: "enable"
save_password: "disable"
send_cert_chain: "enable"
signature_hash_alg: "sha1"
split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite_b: "disable"
tunnel_search: "selectors"
type: "static"
unity_support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
vni: "0"
wizard_type: "custom"
xauthtype: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |