Try SpotterConfigure VPN remote gateway in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ipsec feature and phase1 category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure VPN remote gateway.
fortios_vpn_ipsec_phase1:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ipsec_phase1:
state: "present"
acct-verify: "enable"
add-gw-route: "enable"
add-route: "disable"
assign-ip: "disable"
assign-ip-from: "range"
authmethod: "psk"
authmethod-remote: "psk"
authpasswd: "<your_own_value>"
authusr: "<your_own_value>"
authusrgrp: "<your_own_value> (source user.group.name)"
auto-negotiate: "enable"
backup-gateway:
-
address: "<your_own_value>"
banner: "<your_own_value>"
cert-id-validation: "enable"
certificate:
-
name: "default_name_19 (source vpn.certificate.local.name)"
childless-ike: "enable"
client-auto-negotiate: "disable"
client-keep-alive: "disable"
comments: "<your_own_value>"
dhgrp: "1"
digital-signature-auth: "enable"
distance: "26"
dns-mode: "manual"
domain: "<your_own_value>"
dpd: "disable"
dpd-retrycount: "30"
dpd-retryinterval: "<your_own_value>"
eap: "enable"
eap-identity: "use-id-payload"
enforce-unique-id: "disable"
forticlient-enforcement: "enable"
fragmentation: "enable"
fragmentation-mtu: "37"
group-authentication: "enable"
group-authentication-secret: "<your_own_value>"
ha-sync-esp-seqno: "enable"
idle-timeout: "enable"
idle-timeoutinterval: "42"
ike-version: "1"
include-local-lan: "disable"
interface: "<your_own_value> (source system.interface.name)"
ipv4-dns-server1: "<your_own_value>"
ipv4-dns-server2: "<your_own_value>"
ipv4-dns-server3: "<your_own_value>"
ipv4-end-ip: "<your_own_value>"
ipv4-exclude-range:
-
end-ip: "<your_own_value>"
id: "52"
start-ip: "<your_own_value>"
ipv4-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-netmask: "<your_own_value>"
ipv4-split-exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-split-include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
ipv4-start-ip: "<your_own_value>"
ipv4-wins-server1: "<your_own_value>"
ipv4-wins-server2: "<your_own_value>"
ipv6-dns-server1: "<your_own_value>"
ipv6-dns-server2: "<your_own_value>"
ipv6-dns-server3: "<your_own_value>"
ipv6-end-ip: "<your_own_value>"
ipv6-exclude-range:
-
end-ip: "<your_own_value>"
id: "67"
start-ip: "<your_own_value>"
ipv6-name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-prefix: "70"
ipv6-split-exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-split-include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ipv6-start-ip: "<your_own_value>"
keepalive: "74"
keylife: "75"
local-gw: "<your_own_value>"
localid: "<your_own_value>"
localid-type: "auto"
mesh-selector-type: "disable"
mode: "aggressive"
mode-cfg: "disable"
name: "default_name_82"
nattraversal: "enable"
negotiate-timeout: "84"
npu-offload: "enable"
peer: "<your_own_value> (source user.peer.name)"
peergrp: "<your_own_value> (source user.peergrp.name)"
peerid: "<your_own_value>"
peertype: "any"
ppk: "disable"
ppk-identity: "<your_own_value>"
ppk-secret: "<your_own_value>"
priority: "93"
proposal: "des-md5"
psksecret: "<your_own_value>"
psksecret-remote: "<your_own_value>"
reauth: "disable"
rekey: "enable"
remote-gw: "<your_own_value>"
remotegw-ddns: "<your_own_value>"
rsa-signature-format: "pkcs1"
save-password: "disable"
send-cert-chain: "enable"
signature-hash-alg: "sha1"
split-include-service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
suite-b: "disable"
type: "static"
unity-support: "disable"
usrgrp: "<your_own_value> (source user.group.name)"
wizard-type: "custom"
xauthtype: "disable"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
vpn_ipsec_phase1:
default: null
description:
- Configure VPN remote gateway.
suboptions:
acct-verify:
choices:
- enable
- disable
description:
- Enable/disable verification of RADIUS accounting record.
add-gw-route:
choices:
- enable
- disable
description:
- Enable/disable automatically add a route to the remote gateway.
add-route:
choices:
- disable
- enable
description:
- Enable/disable control addition of a route to peer destination selector.
assign-ip:
choices:
- disable
- enable
description:
- Enable/disable assignment of IP to IPsec interface via configuration method.
assign-ip-from:
choices:
- range
- usrgrp
- dhcp
- name
description:
- Method by which the IP address will be assigned.
authmethod:
choices:
- psk
- signature
description:
- Authentication method.
authmethod-remote:
choices:
- psk
- signature
description:
- Authentication method (remote side).
authpasswd:
description:
- XAuth password (max 35 characters).
authusr:
description:
- XAuth user name.
authusrgrp:
description:
- Authentication user group. Source user.group.name.
auto-negotiate:
choices:
- enable
- disable
description:
- Enable/disable automatic initiation of IKE SA negotiation.
backup-gateway:
description:
- Instruct unity clients about the backup gateway address(es).
suboptions:
address:
description:
- Address of backup gateway.
required: true
banner:
description:
- Message that unity client should display after connecting.
cert-id-validation:
choices:
- enable
- disable
description:
- Enable/disable cross validation of peer ID and the identity in the peer's certificate
as specified in RFC 4945.
certificate:
description:
- Names of up to 4 signed personal certificates.
suboptions:
name:
description:
- Certificate name. Source vpn.certificate.local.name.
required: true
childless-ike:
choices:
- enable
- disable
description:
- Enable/disable childless IKEv2 initiation (RFC 6023).
client-auto-negotiate:
choices:
- disable
- enable
description:
- Enable/disable allowing the VPN client to bring up the tunnel when there is
no traffic.
client-keep-alive:
choices:
- disable
- enable
description:
- Enable/disable allowing the VPN client to keep the tunnel up when there is no
traffic.
comments:
description:
- Comment.
dhgrp:
choices:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 27
- 28
- 29
- 30
- 31
description:
- DH group.
digital-signature-auth:
choices:
- enable
- disable
description:
- Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
distance:
description:
- Distance for routes added by IKE (1 - 255).
dns-mode:
choices:
- manual
- auto
description:
- DNS server mode.
domain:
description:
- Instruct unity clients about the default DNS domain.
dpd:
choices:
- disable
- on-idle
- on-demand
description:
- Dead Peer Detection mode.
dpd-retrycount:
description:
- Number of DPD retry attempts.
dpd-retryinterval:
description:
- DPD retry interval.
eap:
choices:
- enable
- disable
description:
- Enable/disable IKEv2 EAP authentication.
eap-identity:
choices:
- use-id-payload
- send-request
description:
- IKEv2 EAP peer identity type.
enforce-unique-id:
choices:
- disable
- keep-new
- keep-old
description:
- Enable/disable peer ID uniqueness check.
forticlient-enforcement:
choices:
- enable
- disable
description:
- Enable/disable FortiClient enforcement.
fragmentation:
choices:
- enable
- disable
description:
- Enable/disable fragment IKE message on re-transmission.
fragmentation-mtu:
description:
- IKE fragmentation MTU (500 - 16000).
group-authentication:
choices:
- enable
- disable
description:
- Enable/disable IKEv2 IDi group authentication.
group-authentication-secret:
description:
- Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated
by a leading 0x.)
ha-sync-esp-seqno:
choices:
- enable
- disable
description:
- Enable/disable sequence number jump ahead for IPsec HA.
idle-timeout:
choices:
- enable
- disable
description:
- Enable/disable IPsec tunnel idle timeout.
idle-timeoutinterval:
description:
- IPsec tunnel idle timeout in minutes (5 - 43200).
ike-version:
choices:
- 1
- 2
description:
- IKE protocol version.
include-local-lan:
choices:
- disable
- enable
description:
- Enable/disable allow local LAN access on unity clients.
interface:
description:
- Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name.
ipv4-dns-server1:
description:
- IPv4 DNS server 1.
ipv4-dns-server2:
description:
- IPv4 DNS server 2.
ipv4-dns-server3:
description:
- IPv4 DNS server 3.
ipv4-end-ip:
description:
- End of IPv4 range.
ipv4-exclude-range:
description:
- Configuration Method IPv4 exclude ranges.
suboptions:
end-ip:
description:
- End of IPv4 exclusive range.
id:
description:
- ID.
required: true
start-ip:
description:
- Start of IPv4 exclusive range.
ipv4-name:
description:
- IPv4 address name. Source firewall.address.name firewall.addrgrp.name.
ipv4-netmask:
description:
- IPv4 Netmask.
ipv4-split-exclude:
description:
- IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name
firewall.addrgrp.name.
ipv4-split-include:
description:
- IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name.
ipv4-start-ip:
description:
- Start of IPv4 range.
ipv4-wins-server1:
description:
- WINS server 1.
ipv4-wins-server2:
description:
- WINS server 2.
ipv6-dns-server1:
description:
- IPv6 DNS server 1.
ipv6-dns-server2:
description:
- IPv6 DNS server 2.
ipv6-dns-server3:
description:
- IPv6 DNS server 3.
ipv6-end-ip:
description:
- End of IPv6 range.
ipv6-exclude-range:
description:
- Configuration method IPv6 exclude ranges.
suboptions:
end-ip:
description:
- End of IPv6 exclusive range.
id:
description:
- ID.
required: true
start-ip:
description:
- Start of IPv6 exclusive range.
ipv6-name:
description:
- IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-prefix:
description:
- IPv6 prefix.
ipv6-split-exclude:
description:
- IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name
firewall.addrgrp6.name.
ipv6-split-include:
description:
- IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-start-ip:
description:
- Start of IPv6 range.
keepalive:
description:
- NAT-T keep alive interval.
keylife:
description:
- Time to wait in seconds before phase 1 encryption key expires.
local-gw:
description:
- Local VPN gateway.
localid:
description:
- Local ID.
localid-type:
choices:
- auto
- fqdn
- user-fqdn
- keyid
- address
- asn1dn
description:
- Local ID type.
mesh-selector-type:
choices:
- disable
- subnet
- host
description:
- Add selectors containing subsets of the configuration depending on traffic.
mode:
choices:
- aggressive
- main
description:
- ID protection mode used to establish a secure channel.
mode-cfg:
choices:
- disable
- enable
description:
- Enable/disable configuration method.
name:
description:
- IPsec remote gateway name.
required: true
nattraversal:
choices:
- enable
- disable
- forced
description:
- Enable/disable NAT traversal.
negotiate-timeout:
description:
- IKE SA negotiation timeout in seconds (1 - 300).
npu-offload:
choices:
- enable
- disable
description:
- Enable/disable offloading NPU.
peer:
description:
- Accept this peer certificate. Source user.peer.name.
peergrp:
description:
- Accept this peer certificate group. Source user.peergrp.name.
peerid:
description:
- Accept this peer identity.
peertype:
choices:
- any
- one
- dialup
- peer
- peergrp
description:
- Accept this peer type.
ppk:
choices:
- disable
- allow
- require
description:
- Enable/disable IKEv2 Postquantum Preshared Key (PPK).
ppk-identity:
description:
- IKEv2 Postquantum Preshared Key Identity.
ppk-secret:
description:
- IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a
leading 0x).
priority:
description:
- Priority for routes added by IKE (0 - 4294967295).
proposal:
choices:
- des-md5
- des-sha1
- des-sha256
- des-sha384
- des-sha512
description:
- Phase1 proposal.
psksecret:
description:
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded
with a leading 0x).
psksecret-remote:
description:
- Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal
encoded with a leading 0x).
reauth:
choices:
- disable
- enable
description:
- Enable/disable re-authentication upon IKE SA lifetime expiration.
rekey:
choices:
- enable
- disable
description:
- Enable/disable phase1 rekey.
remote-gw:
description:
- Remote VPN gateway.
remotegw-ddns:
description:
- Domain name of remote gateway (eg. name.DDNS.com).
rsa-signature-format:
choices:
- pkcs1
- pss
description:
- Digital Signature Authentication RSA signature format.
save-password:
choices:
- disable
- enable
description:
- Enable/disable saving XAuth username and password on VPN clients.
send-cert-chain:
choices:
- enable
- disable
description:
- Enable/disable sending certificate chain.
signature-hash-alg:
choices:
- sha1
- sha2-256
- sha2-384
- sha2-512
description:
- Digital Signature Authentication hash algorithms.
split-include-service:
description:
- Split-include services. Source firewall.service.group.name firewall.service.custom.name.
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object
suite-b:
choices:
- disable
- suite-b-gcm-128
- suite-b-gcm-256
description:
- Use Suite-B.
type:
choices:
- static
- dynamic
- ddns
description:
- Remote gateway type.
unity-support:
choices:
- disable
- enable
description:
- Enable/disable support for Cisco UNITY Configuration Method extensions.
usrgrp:
description:
- User group name for dialup peers. Source user.group.name.
wizard-type:
choices:
- custom
- dialup-forticlient
- dialup-ios
- dialup-android
- dialup-windows
- dialup-cisco
- static-fortigate
- dialup-fortigate
- static-cisco
- dialup-cisco-fw
description:
- GUI VPN Wizard Type.
xauthtype:
choices:
- disable
- client
- pap
- chap
- auto
description:
- XAuth type.
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str