fortinet.fortios.fortios_vpn_ipsec_phase1_interface module – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.8).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ipsec_phase1_interface
.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase1_interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
|
Configure VPN remote gateway. |
|
Enable/disable verification of RADIUS accounting record. Choices:
|
|
Enable/disable automatically add a route to the remote gateway. Choices:
|
|
Enable/disable control addition of a route to peer destination selector. Choices:
|
|
ADDKE1 group. Choices:
|
|
ADDKE2 group. Choices:
|
|
ADDKE3 group. Choices:
|
|
ADDKE4 group. Choices:
|
|
ADDKE5 group. Choices:
|
|
ADDKE6 group. Choices:
|
|
ADDKE7 group. Choices:
|
|
Enable/disable use as an aggregate member. Choices:
|
|
Link weight for aggregate. |
|
Enable/disable assignment of IP to IPsec interface via configuration method. Choices:
|
|
Method by which the IP address will be assigned. Choices:
|
|
Authentication method. Choices:
|
|
Authentication method (remote side). Choices:
|
|
XAuth password (max 35 characters). |
|
XAuth user name. |
|
Authentication user group. Source user.group.name. |
|
Allow/block set-up of short-cut tunnels between different network IDs. Choices:
|
|
Enable/disable forwarding auto-discovery short-cut messages. Choices:
|
|
Interval between shortcut offer messages in seconds (1 - 300). |
|
Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Choices:
|
|
Enable/disable accepting auto-discovery short-cut messages. Choices:
|
|
Enable/disable sending auto-discovery short-cut messages. Choices:
|
|
Control deletion of child short-cut tunnels when the parent tunnel goes down. Choices:
|
|
Enable/disable automatic initiation of IKE SA negotiation. Choices:
|
|
Timeout in seconds before falling back to next transport protocol. |
|
Enable/disable Azure AD Auto-Connect for FortiClient. Choices:
|
|
Instruct unity clients about the backup gateway address(es). |
|
Address of backup gateway. |
|
Message that unity client should display after connecting. |
|
Enable/disable cross validation of peer ID and the identity in the peer”s certificate as specified in RFC 4945. Choices:
|
|
Enable/disable domain stripping on certificate identity. Choices:
|
|
Enable/disable cross validation of peer username and the identity in the peer”s certificate. Choices:
|
|
CA certificate trust store. Choices:
|
|
The names of up to 4 signed personal certificates. |
|
Certificate name. Source vpn.certificate.local.name. |
|
Enable/disable childless IKEv2 initiation (RFC 6023). Choices:
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Choices:
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Choices:
|
|
Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Choices:
|
|
Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800). |
|
Comment. |
|
IPv4 address of default route gateway to use for traffic exiting the interface. |
|
Priority for default gateway route. A higher priority number signifies a less preferred route. |
|
Device ID carried by the device ID notification. |
|
Enable/disable device ID notification. Choices:
|
|
Relay agent IPv6 link address to use in DHCP6 requests. |
|
Relay agent gateway IP address to use in the giaddr field of DHCP requests. |
|
DH group. Choices:
|
|
Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Choices:
|
|
Distance for routes added by IKE (1 - 255). |
|
DNS server mode. Choices:
|
|
Instruct unity clients about the single default DNS domain. |
|
Dead Peer Detection mode. Choices:
|
|
Number of DPD retry attempts. |
|
DPD retry interval. |
|
Enable/disable IKEv2 EAP authentication. Choices:
|
|
Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Choices:
|
|
Peer group excluded from EAP authentication. Source user.peergrp.name. |
|
IKEv2 EAP peer identity type. Choices:
|
|
Enable/disable verification of EMS serial number. Choices:
|
|
Local IPv4 address of GRE/VXLAN tunnel. |
|
Local IPv6 address of GRE/VXLAN tunnel. |
|
Remote IPv4 address of GRE/VXLAN tunnel. |
|
Remote IPv6 address of GRE/VXLAN tunnel. |
|
Enable/disable GRE/VXLAN/VPNID encapsulation. Choices:
|
|
Source for GRE/VXLAN tunnel address. Choices:
|
|
Enable/disable peer ID uniqueness check. Choices:
|
|
Extended sequence number (ESN) negotiation. Choices:
|
|
Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Choices:
|
|
Enable/disable exchange of IPsec interface IP address. Choices:
|
|
IPv4 address to exchange with peers. |
|
IPv6 address to exchange with peers. |
|
Timeout in seconds before falling back IKE/IPsec traffic to tcp. |
|
Number of base Forward Error Correction packets (1 - 20). |
|
Forward Error Correction encoding/decoding algorithm. Choices:
|
|
Enable/disable Forward Error Correction for egress IPsec traffic. Choices:
|
|
SD-WAN health check. Source system.sdwan.health-check.name. |
|
Enable/disable Forward Error Correction for ingress IPsec traffic. Choices:
|
|
Forward Error Correction (FEC) mapping profile. Source vpn.ipsec.fec.name. |
|
Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000). |
|
Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor). |
|
Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). |
|
Enable/disable IPsec syncing of tunnels for FGSP IPsec. Choices:
|
|
Enable/disable FortiClient enforcement. Choices:
|
|
Enable/disable Fortinet ESP encapsulaton. Choices:
|
|
Enable/disable fragment IKE message on re-transmission. Choices:
|
|
IKE fragmentation MTU (500 - 16000). |
|
Enable/disable IKEv2 IDi group authentication. Choices:
|
|
Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. |
|
Enable/disable sequence number jump ahead for IPsec HA. Choices:
|
|
Enable/disable IPsec tunnel idle timeout. Choices:
|
|
IPsec tunnel idle timeout in minutes (5 - 43200). |
|
IKE protocol version. Choices:
|
|
Enable/disable copy the dscp in the ESP header to the inner IP Header. Choices:
|
|
Enable/disable allow local LAN access on unity clients. Choices:
|
|
Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. |
|
One or more internal domain names in quotes separated by spaces. |
|
Domain name. |
|
IP address reuse delay interval in seconds (0 - 28800). |
|
Determine whether IP packets are fragmented before or after IPsec encapsulation. Choices:
|
|
IP version to use for VPN interface. Choices:
|
|
IPv4 DNS server 1. |
|
IPv4 DNS server 2. |
|
IPv4 DNS server 3. |
|
End of IPv4 range. |
|
Configuration Method IPv4 exclude ranges. |
|
End of IPv4 exclusive range. |
|
ID. see <a href=’#notes’>Notes</a>. |
|
Start of IPv4 exclusive range. |
|
IPv4 address name. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 Netmask. |
|
IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. |
|
IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. |
|
Start of IPv4 range. |
|
WINS server 1. |
|
WINS server 2. |
|
Enable/disable auto generation of IPv6 link-local address using last 8 bytes of mode-cfg assigned IPv6 address. Choices:
|
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 DNS server 3. |
|
End of IPv6 range. |
|
Configuration method IPv6 exclude ranges. |
|
End of IPv6 exclusive range. |
|
ID. see <a href=’#notes’>Notes</a>. |
|
Start of IPv6 exclusive range. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 prefix. |
|
IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. |
|
IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. |
|
Start of IPv6 range. |
|
NAT-T keep alive interval. |
|
Time to wait in seconds before phase 1 encryption key expires. |
|
Key Management Services server. Source vpn.kmip-server.name. |
|
VPN tunnel underlay link cost. |
|
IPv4 address of the local gateway”s external interface. |
|
IPv6 address of the local gateway”s external interface. |
|
Local ID. |
|
Local ID type. Choices:
|
|
Enable/disable asymmetric routing for IKE traffic on loopback interface. Choices:
|
|
Add selectors containing subsets of the configuration depending on traffic. Choices:
|
|
The ID protection mode used to establish a secure channel. Choices:
|
|
Enable/disable configuration method. Choices:
|
|
Enable/disable mode-cfg client to use custom phase2 selectors. Choices:
|
|
IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name. |
|
IPsec interface as backup for primary interface. |
|
IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name. |
|
Time to wait in seconds before recovery once primary re-establishes. |
|
Time of day at which to fail back to primary after it re-establishes. |
|
Recovery time method when primary interface re-establishes. Choices:
|
|
Day of the week to recover once primary re-establishes. Choices:
|
|
Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface. |
|
IPsec remote gateway name. |
|
Enable/disable NAT traversal. Choices:
|
|
IKE SA negotiation timeout in seconds (1 - 300). |
|
Enable/disable kernel device creation. Choices:
|
|
VPN gateway network ID. |
|
Enable/disable network overlays. Choices:
|
|
Enable/disable offloading NPU. Choices:
|
|
Enable/disable packet distribution (RPS) on the IPsec interface. Choices:
|
|
Enable/disable IPsec passive mode for static tunnels. Choices:
|
|
Accept this peer certificate. Source user.peer.name. |
|
Accept this peer certificate group. Source user.peergrp.name. |
|
Accept this peer identity. |
|
Accept this peer type. Choices:
|
|
Enable/disable IKEv2 Postquantum Preshared Key (PPK). Choices:
|
|
IKEv2 Postquantum Preshared Key Identity. |
|
IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). |
|
Priority for routes added by IKE (1 - 65535). |
|
Phase1 proposal. Choices:
|
|
Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
|
Enable/disable use of Quantum Key Distribution (QKD) server. Choices:
|
|
Quantum Key Distribution (QKD) server profile. Source vpn.qkd.name. |
|
Enable/disable re-authentication upon IKE SA lifetime expiration. Choices:
|
|
Enable/disable phase1 rekey. Choices:
|
|
IPv4 address of the remote gateway”s external interface. |
|
IPv6 address of the remote gateway”s external interface. |
|
IPv6 addresses associated to a specific country. |
|
Last IPv6 address in the range. |
|
Set type of IPv6 remote gateway address matching. Choices:
|
|
First IPv6 address in the range. |
|
IPv6 address and prefix. |
|
IPv4 addresses associated to a specific country. |
|
Last IPv4 address in the range. |
|
Set type of IPv4 remote gateway address matching. Choices:
|
|
First IPv4 address in the range. |
|
IPv4 address and subnet mask. |
|
IPv4 ZTNA posture tags. |
|
Address name. Source firewall.address.name firewall.addrgrp.name. |
|
Domain name of remote gateway. For example, name.ddns.com. |
|
Digital Signature Authentication RSA signature format. Choices:
|
|
Enable/disable IKEv2 RSA signature hash algorithm override. Choices:
|
|
Enable/disable saving XAuth username and password on VPN clients. Choices:
|
|
Enable/disable sending certificate chain. Choices:
|
|
Enable/disable IPsec tunnel shared idle timeout. Choices:
|
|
Digital Signature Authentication hash algorithms. Choices:
|
|
Split-include services. Source firewall.service.group.name firewall.service.custom.name. |
|
Use Suite-B. Choices:
|
|
Set IKE transport protocol. Choices:
|
|
Tunnel search method for when the interface is shared. Choices:
|
|
Remote gateway type. Choices:
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions. Choices:
|
|
User group name for dialup peers. Source user.group.name. |
|
VNI of VXLAN tunnel. |
|
GUI VPN Wizard Type. Choices:
|
|
XAuth type. Choices:
|
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
The module supports check_mode.
Examples
- name: Configure VPN remote gateway.
fortinet.fortios.fortios_vpn_ipsec_phase1_interface:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
vpn_ipsec_phase1_interface:
acct_verify: "enable"
add_gw_route: "enable"
add_route: "disable"
addke1: "0"
addke2: "0"
addke3: "0"
addke4: "0"
addke5: "0"
addke6: "0"
addke7: "0"
aggregate_member: "enable"
aggregate_weight: "1"
assign_ip: "disable"
assign_ip_from: "range"
authmethod: "psk"
authmethod_remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto_discovery_crossover: "allow"
auto_discovery_forwarder: "enable"
auto_discovery_offer_interval: "5"
auto_discovery_psk: "enable"
auto_discovery_receiver: "enable"
auto_discovery_sender: "enable"
auto_discovery_shortcuts: "independent"
auto_negotiate: "enable"
auto_transport_threshold: "15"
azure_ad_autoconnect: "enable"
backup_gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert_id_validation: "enable"
cert_peer_username_strip: "disable"
cert_peer_username_validation: "none"
cert_trust_store: "local"
certificate:
-
name: "default_name_40 (source vpn.certificate.local.name)"
childless_ike: "enable"
client_auto_negotiate: "disable"
client_keep_alive: "disable"
client_resume: "enable"
client_resume_interval: "7200"
comments: "<your_own_value>"
default_gw: "<your_own_value>"
default_gw_priority: "0"
dev_id: "<your_own_value>"
dev_id_notification: "disable"
dhcp_ra_giaddr: "<your_own_value>"
dhcp6_ra_linkaddr: "<your_own_value>"
dhgrp: "1"
digital_signature_auth: "enable"
distance: "15"
dns_mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd_retrycount: "3"
dpd_retryinterval: "<your_own_value>"
eap: "enable"
eap_cert_auth: "enable"
eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)"
eap_identity: "use-id-payload"
ems_sn_check: "enable"
encap_local_gw4: "<your_own_value>"
encap_local_gw6: "<your_own_value>"
encap_remote_gw4: "<your_own_value>"
encap_remote_gw6: "<your_own_value>"
encapsulation: "none"
encapsulation_address: "ike"
enforce_unique_id: "disable"
esn: "require"
exchange_fgt_device_id: "enable"
exchange_interface_ip: "enable"
exchange_ip_addr4: "<your_own_value>"
exchange_ip_addr6: "<your_own_value>"
fallback_tcp_threshold: "15"
fec_base: "10"
fec_codec: "rs"
fec_egress: "enable"
fec_health_check: "<your_own_value> (source system.sdwan.health-check.name)"
fec_ingress: "enable"
fec_mapping_profile: "<your_own_value> (source vpn.ipsec.fec.name)"
fec_receive_timeout: "50"
fec_redundant: "1"
fec_send_timeout: "5"
fgsp_sync: "enable"
forticlient_enforcement: "enable"
fortinet_esp: "enable"
fragmentation: "enable"
fragmentation_mtu: "1200"
group_authentication: "enable"
group_authentication_secret: "<your_own_value>"
ha_sync_esp_seqno: "enable"
idle_timeout: "enable"
idle_timeoutinterval: "15"
ike_version: "1"
inbound_dscp_copy: "enable"
include_local_lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
internal_domain_list:
-
domain_name: "<your_own_value>"
ip_delay_interval: "0"
ip_fragmentation: "pre-encapsulation"
ip_version: "4"
ipv4_dns_server1: "<your_own_value>"
ipv4_dns_server2: "<your_own_value>"
ipv4_dns_server3: "<your_own_value>"
ipv4_end_ip: "<your_own_value>"
ipv4_exclude_range:
-
end_ip: "<your_own_value>"
id: "113"
start_ip: "<your_own_value>"
ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_netmask: "<your_own_value>"
ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4_start_ip: "<your_own_value>"
ipv4_wins_server1: "<your_own_value>"
ipv4_wins_server2: "<your_own_value>"
ipv6_auto_linklocal: "enable"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_dns_server3: "<your_own_value>"
ipv6_end_ip: "<your_own_value>"
ipv6_exclude_range:
-
end_ip: "<your_own_value>"
id: "129"
start_ip: "<your_own_value>"
ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_prefix: "128"
ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6_start_ip: "<your_own_value>"
keepalive: "10"
keylife: "86400"
kms: "<your_own_value> (source vpn.kmip-server.name)"
link_cost: "0"
local_gw: "<your_own_value>"
local_gw6: "<your_own_value>"
localid: "<your_own_value>"
localid_type: "auto"
loopback_asymroute: "enable"
mesh_selector_type: "disable"
mode: "aggressive"
mode_cfg: "disable"
mode_cfg_allow_client_selector: "disable"
monitor: "<your_own_value> (source vpn.ipsec.phase1-interface.name)"
monitor_dict:
-
name: "default_name_151 (source vpn.ipsec.phase1-interface.name)"
monitor_hold_down_delay: "0"
monitor_hold_down_time: "<your_own_value>"
monitor_hold_down_type: "immediate"
monitor_hold_down_weekday: "everyday"
monitor_min: "0"
name: "default_name_157"
nattraversal: "enable"
negotiate_timeout: "30"
net_device: "enable"
network_id: "0"
network_overlay: "disable"
npu_offload: "enable"
packet_redistribution: "enable"
passive_mode: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk_identity: "<your_own_value>"
ppk_secret: "<your_own_value>"
priority: "1"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret_remote: "<your_own_value>"
qkd: "disable"
qkd_profile: "<your_own_value> (source vpn.qkd.name)"
reauth: "disable"
rekey: "enable"
remote_gw: "<your_own_value>"
remote_gw_country: "<your_own_value>"
remote_gw_end_ip: "<your_own_value>"
remote_gw_match: "any"
remote_gw_start_ip: "<your_own_value>"
remote_gw_subnet: "<your_own_value>"
remote_gw_ztna_tags:
-
name: "default_name_188 (source firewall.address.name firewall.addrgrp.name)"
remote_gw6: "<your_own_value>"
remote_gw6_country: "<your_own_value>"
remote_gw6_end_ip: "<your_own_value>"
remote_gw6_match: "any"
remote_gw6_start_ip: "<your_own_value>"
remote_gw6_subnet: "<your_own_value>"
remotegw_ddns: "<your_own_value>"
rsa_signature_format: "pkcs1"
rsa_signature_hash_override: "enable"
save_password: "disable"
send_cert_chain: "enable"
shared_idle_timeout: "enable"
signature_hash_alg: "sha1"
split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite_b: "disable"
transport: "udp"
tunnel_search: "selectors"
type: "static"
unity_support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
vni: "0"
wizard_type: "custom"
xauthtype: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |