ansible / ansible.builtin / v2.8.13 / module / fortios_vpn_ipsec_phase1 — Configure VPN remote gateway in Fortinet's FortiOS and FortiGate. | Added in version 2.8 of ansible.builtin. Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico) | preview | supported by community — ansible.builtin.fortios_vpn_ipsec_phase1 (v2.8.13) — module
This module is able to configure a FortiGate or FortiOS device by allowing the user to set and modify the vpn_ipsec feature and phase1 category. The examples include all parameters; values need to be adjusted to your datasources before usage. Tested with FOS v6.0.2.
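---
# Example playbook for fortios_vpn_ipsec_phase1.
# Every value below is a placeholder from the generated example and must be
# adjusted to your environment and datasources before use.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    # Admin credentials belong in Ansible Vault or an external secret store,
    # not as plain text in a committed playbook.
    password: ""
    vdom: "root"
  tasks:
    - name: Configure VPN remote gateway.
      fortios_vpn_ipsec_phase1:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        # `https` is a bool option (default true), so use a real YAML boolean
        # rather than the string "False". With https disabled the admin
        # password and every secret below (psksecret, authpasswd, ppk-secret,
        # group-authentication-secret) travel to the FortiGate in clear text;
        # set this to true outside of isolated lab setups.
        https: false
        vpn_ipsec_phase1:
          state: "present"
          acct-verify: "enable"
          add-gw-route: "enable"
          add-route: "disable"
          assign-ip: "disable"
          assign-ip-from: "range"
          authmethod: "psk"
          authmethod-remote: "psk"
          authpasswd: "<your_own_value>"
          authusr: "<your_own_value>"
          authusrgrp: "<your_own_value> (source user.group.name)"
          auto-negotiate: "enable"
          backup-gateway:
            - address: "<your_own_value>"
          banner: "<your_own_value>"
          cert-id-validation: "enable"
          certificate:
            - name: "default_name_19 (source vpn.certificate.local.name)"
          childless-ike: "enable"
          client-auto-negotiate: "disable"
          client-keep-alive: "disable"
          comments: "<your_own_value>"
          # The generated example takes the first listed choice for each
          # option; dhgrp 1, proposal des-md5, signature-hash-alg sha1 and
          # ike-version 1 are the weakest entries in their choice lists and
          # are not suitable for a production tunnel.
          dhgrp: "1"
          digital-signature-auth: "enable"
          distance: "26"
          dns-mode: "manual"
          domain: "<your_own_value>"
          dpd: "disable"
          dpd-retrycount: "30"
          dpd-retryinterval: "<your_own_value>"
          eap: "enable"
          eap-identity: "use-id-payload"
          enforce-unique-id: "disable"
          forticlient-enforcement: "enable"
          fragmentation: "enable"
          fragmentation-mtu: "37"
          group-authentication: "enable"
          group-authentication-secret: "<your_own_value>"
          ha-sync-esp-seqno: "enable"
          idle-timeout: "enable"
          idle-timeoutinterval: "42"
          ike-version: "1"
          include-local-lan: "disable"
          interface: "<your_own_value> (source system.interface.name)"
          ipv4-dns-server1: "<your_own_value>"
          ipv4-dns-server2: "<your_own_value>"
          ipv4-dns-server3: "<your_own_value>"
          ipv4-end-ip: "<your_own_value>"
          ipv4-exclude-range:
            - end-ip: "<your_own_value>"
              id: "52"
              start-ip: "<your_own_value>"
          ipv4-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-netmask: "<your_own_value>"
          ipv4-split-exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-split-include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-start-ip: "<your_own_value>"
          ipv4-wins-server1: "<your_own_value>"
          ipv4-wins-server2: "<your_own_value>"
          ipv6-dns-server1: "<your_own_value>"
          ipv6-dns-server2: "<your_own_value>"
          ipv6-dns-server3: "<your_own_value>"
          ipv6-end-ip: "<your_own_value>"
          ipv6-exclude-range:
            - end-ip: "<your_own_value>"
              id: "67"
              start-ip: "<your_own_value>"
          ipv6-name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-prefix: "70"
          ipv6-split-exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-split-include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-start-ip: "<your_own_value>"
          keepalive: "74"
          keylife: "75"
          local-gw: "<your_own_value>"
          localid: "<your_own_value>"
          localid-type: "auto"
          mesh-selector-type: "disable"
          # Aggressive mode sends the identity payload unprotected; with PSK
          # authentication the other listed choice, main, is the safer option.
          mode: "aggressive"
          mode-cfg: "disable"
          name: "default_name_82"
          nattraversal: "enable"
          negotiate-timeout: "84"
          npu-offload: "enable"
          peer: "<your_own_value> (source user.peer.name)"
          peergrp: "<your_own_value> (source user.peergrp.name)"
          peerid: "<your_own_value>"
          peertype: "any"
          ppk: "disable"
          ppk-identity: "<your_own_value>"
          ppk-secret: "<your_own_value>"
          priority: "93"
          proposal: "des-md5"
          psksecret: "<your_own_value>"
          psksecret-remote: "<your_own_value>"
          reauth: "disable"
          rekey: "enable"
          remote-gw: "<your_own_value>"
          remotegw-ddns: "<your_own_value>"
          rsa-signature-format: "pkcs1"
          save-password: "disable"
          send-cert-chain: "enable"
          signature-hash-alg: "sha1"
          split-include-service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
          suite-b: "disable"
          type: "static"
          unity-support: "disable"
          usrgrp: "<your_own_value> (source user.group.name)"
          wizard-type: "custom"
          xauthtype: "disable"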
host: description: - FortiOS or FortiGate ip address. required: true vdom: default: root description: - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. https: default: true description: - Indicates if the requests towards FortiGate must use HTTPS protocol type: bool password: default: '' description: - FortiOS or FortiGate password. username: description: - FortiOS or FortiGate username. required: true vpn_ipsec_phase1: default: null description: - Configure VPN remote gateway. suboptions: acct-verify: choices: - enable - disable description: - Enable/disable verification of RADIUS accounting record. add-gw-route: choices: - enable - disable description: - Enable/disable automatically add a route to the remote gateway. add-route: choices: - disable - enable description: - Enable/disable control addition of a route to peer destination selector. assign-ip: choices: - disable - enable description: - Enable/disable assignment of IP to IPsec interface via configuration method. assign-ip-from: choices: - range - usrgrp - dhcp - name description: - Method by which the IP address will be assigned. authmethod: choices: - psk - signature description: - Authentication method. authmethod-remote: choices: - psk - signature description: - Authentication method (remote side). authpasswd: description: - XAuth password (max 35 characters). authusr: description: - XAuth user name. authusrgrp: description: - Authentication user group. Source user.group.name. auto-negotiate: choices: - enable - disable description: - Enable/disable automatic initiation of IKE SA negotiation. backup-gateway: description: - Instruct unity clients about the backup gateway address(es). suboptions: address: description: - Address of backup gateway. required: true banner: description: - Message that unity client should display after connecting. 
cert-id-validation: choices: - enable - disable description: - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. certificate: description: - Names of up to 4 signed personal certificates. suboptions: name: description: - Certificate name. Source vpn.certificate.local.name. required: true childless-ike: choices: - enable - disable description: - Enable/disable childless IKEv2 initiation (RFC 6023). client-auto-negotiate: choices: - disable - enable description: - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. client-keep-alive: choices: - disable - enable description: - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. comments: description: - Comment. dhgrp: choices: - 1 - 2 - 5 - 14 - 15 - 16 - 17 - 18 - 19 - 20 - 21 - 27 - 28 - 29 - 30 - 31 description: - DH group. digital-signature-auth: choices: - enable - disable description: - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). distance: description: - Distance for routes added by IKE (1 - 255). dns-mode: choices: - manual - auto description: - DNS server mode. domain: description: - Instruct unity clients about the default DNS domain. dpd: choices: - disable - on-idle - on-demand description: - Dead Peer Detection mode. dpd-retrycount: description: - Number of DPD retry attempts. dpd-retryinterval: description: - DPD retry interval. eap: choices: - enable - disable description: - Enable/disable IKEv2 EAP authentication. eap-identity: choices: - use-id-payload - send-request description: - IKEv2 EAP peer identity type. enforce-unique-id: choices: - disable - keep-new - keep-old description: - Enable/disable peer ID uniqueness check. forticlient-enforcement: choices: - enable - disable description: - Enable/disable FortiClient enforcement. fragmentation: choices: - enable - disable description: - Enable/disable fragmenting IKE messages on re-transmission.
fragmentation-mtu: description: - IKE fragmentation MTU (500 - 16000). group-authentication: choices: - enable - disable description: - Enable/disable IKEv2 IDi group authentication. group-authentication-secret: description: - Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) ha-sync-esp-seqno: choices: - enable - disable description: - Enable/disable sequence number jump ahead for IPsec HA. idle-timeout: choices: - enable - disable description: - Enable/disable IPsec tunnel idle timeout. idle-timeoutinterval: description: - IPsec tunnel idle timeout in minutes (5 - 43200). ike-version: choices: - 1 - 2 description: - IKE protocol version. include-local-lan: choices: - disable - enable description: - Enable/disable allowing local LAN access on unity clients. interface: description: - Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. ipv4-dns-server1: description: - IPv4 DNS server 1. ipv4-dns-server2: description: - IPv4 DNS server 2. ipv4-dns-server3: description: - IPv4 DNS server 3. ipv4-end-ip: description: - End of IPv4 range. ipv4-exclude-range: description: - Configuration Method IPv4 exclude ranges. suboptions: end-ip: description: - End of IPv4 exclusive range. id: description: - ID. required: true start-ip: description: - Start of IPv4 exclusive range. ipv4-name: description: - IPv4 address name. Source firewall.address.name firewall.addrgrp.name. ipv4-netmask: description: - IPv4 Netmask. ipv4-split-exclude: description: - IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. ipv4-split-include: description: - IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. ipv4-start-ip: description: - Start of IPv4 range. ipv4-wins-server1: description: - WINS server 1. ipv4-wins-server2: description: - WINS server 2. ipv6-dns-server1: description: - IPv6 DNS server 1.
ipv6-dns-server2: description: - IPv6 DNS server 2. ipv6-dns-server3: description: - IPv6 DNS server 3. ipv6-end-ip: description: - End of IPv6 range. ipv6-exclude-range: description: - Configuration method IPv6 exclude ranges. suboptions: end-ip: description: - End of IPv6 exclusive range. id: description: - ID. required: true start-ip: description: - Start of IPv6 exclusive range. ipv6-name: description: - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. ipv6-prefix: description: - IPv6 prefix. ipv6-split-exclude: description: - IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. ipv6-split-include: description: - IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. ipv6-start-ip: description: - Start of IPv6 range. keepalive: description: - NAT-T keep alive interval. keylife: description: - Time to wait in seconds before phase 1 encryption key expires. local-gw: description: - Local VPN gateway. localid: description: - Local ID. localid-type: choices: - auto - fqdn - user-fqdn - keyid - address - asn1dn description: - Local ID type. mesh-selector-type: choices: - disable - subnet - host description: - Add selectors containing subsets of the configuration depending on traffic. mode: choices: - aggressive - main description: - ID protection mode used to establish a secure channel. mode-cfg: choices: - disable - enable description: - Enable/disable configuration method. name: description: - IPsec remote gateway name. required: true nattraversal: choices: - enable - disable - forced description: - Enable/disable NAT traversal. negotiate-timeout: description: - IKE SA negotiation timeout in seconds (1 - 300). npu-offload: choices: - enable - disable description: - Enable/disable offloading NPU. peer: description: - Accept this peer certificate. Source user.peer.name. peergrp: description: - Accept this peer certificate group. Source user.peergrp.name. 
peerid: description: - Accept this peer identity. peertype: choices: - any - one - dialup - peer - peergrp description: - Accept this peer type. ppk: choices: - disable - allow - require description: - Enable/disable IKEv2 Postquantum Preshared Key (PPK). ppk-identity: description: - IKEv2 Postquantum Preshared Key Identity. ppk-secret: description: - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). priority: description: - Priority for routes added by IKE (0 - 4294967295). proposal: choices: - des-md5 - des-sha1 - des-sha256 - des-sha384 - des-sha512 description: - Phase1 proposal. psksecret: description: - Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). psksecret-remote: description: - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). reauth: choices: - disable - enable description: - Enable/disable re-authentication upon IKE SA lifetime expiration. rekey: choices: - enable - disable description: - Enable/disable phase1 rekey. remote-gw: description: - Remote VPN gateway. remotegw-ddns: description: - Domain name of remote gateway (eg. name.DDNS.com). rsa-signature-format: choices: - pkcs1 - pss description: - Digital Signature Authentication RSA signature format. save-password: choices: - disable - enable description: - Enable/disable saving XAuth username and password on VPN clients. send-cert-chain: choices: - enable - disable description: - Enable/disable sending certificate chain. signature-hash-alg: choices: - sha1 - sha2-256 - sha2-384 - sha2-512 description: - Digital Signature Authentication hash algorithms. split-include-service: description: - Split-include services. Source firewall.service.group.name firewall.service.custom.name. 
state: choices: - present - absent description: - Indicates whether to create or remove the object suite-b: choices: - disable - suite-b-gcm-128 - suite-b-gcm-256 description: - Use Suite-B. type: choices: - static - dynamic - ddns description: - Remote gateway type. unity-support: choices: - disable - enable description: - Enable/disable support for Cisco UNITY Configuration Method extensions. usrgrp: description: - User group name for dialup peers. Source user.group.name. wizard-type: choices: - custom - dialup-forticlient - dialup-ios - dialup-android - dialup-windows - dialup-cisco - static-fortigate - dialup-fortigate - static-cisco - dialup-cisco-fw description: - GUI VPN Wizard Type. xauthtype: choices: - disable - client - pap - chap - auto description: - XAuth type.
build: description: Build number of the FortiGate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on the last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str