f5networks / f5networks.f5_modules / 1.28.0 / module / bigip_ike_peer Manage IPSec IKE Peer configuration on BIG-IP | "added in version" 1.0.0 of f5networks.f5_modules" Authors: Tim Rupp (@caphrim007), Wojciech Wypior (@wojtek0806)f5networks.f5_modules.bigip_ike_peer (1.28.0) — module
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections: - name: f5networks.f5_modules version: 1.28.0
Manage IPSec IKE Peer configuration on a BIG-IP device.
- name: Create new IKE peer bigip_ike_peer: name: ike1 remote_address: 1.2.3.4 version: - v1 provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost
- name: Change presented id type - keyid-tag bigip_ike_peer: name: ike1 presented_id_type: keyid-tag presented_id_value: key1 provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost
- name: Remove IKE peer bigip_ike_peer: name: ike1 state: absent provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost
name: description: - Specifies the name of the IKE peer. required: true type: str state: choices: - present - absent default: present description: - When C(present), ensures the resource exists. - When C(absent), ensures the resource is removed. type: str version: choices: - v1 - v2 description: - Specifies which version of IKE (Internet Key Exchange) is used. - If the system you are configuring is the IPsec initiator, and you select both versions, the system tries using IKEv2 for negotiation. If the remote peer does not support IKEv2, the IPsec tunnel fails. To use IKEv1 in this case, you must deselect Version 2 and try again. - If the system you are configuring is the IPsec responder, and you select both versions, the IPsec initiator system determines which IKE version to use. - When creating a new IKE peer, this value is required. elements: str type: list provider: description: - A dict object containing connection details. suboptions: auth_provider: description: - Configures the auth provider for to obtain authentication tokens from the remote device. - This option is really used when working with BIG-IQ devices. type: str no_f5_teem: default: false description: - If C(yes), TEEM telemetry data is not sent to F5. - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF). - Previously used variable C(F5_TEEM) is deprecated as its name was confusing. type: bool password: aliases: - pass - pwd description: - The password for the user account used to connect to the BIG-IP or the BIG-IQ. - You may omit this option by setting the environment variable C(F5_PASSWORD). required: true type: str server: description: - The BIG-IP host or the BIG-IQ host. - You may omit this option by setting the environment variable C(F5_SERVER). required: true type: str server_port: default: 443 description: - The BIG-IP server port. - You may omit this option by setting the environment variable C(F5_SERVER_PORT). type: int timeout: description: - Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error. type: int transport: choices: - rest default: rest description: - Configures the transport connection to use when connecting to the remote device. type: str user: description: - The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device. - You may omit this option by setting the environment variable C(F5_USER). required: true type: str validate_certs: default: true description: - If C(no), SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS). type: bool type: dict version_added: 1.0.0 version_added_collection: f5networks.f5_modules partition: default: Common description: - Device partition to manage resources on. type: str phase1_key: description: - Specifies the public key the digital certificate contains. - When creating a new IKE peer, if this value is not specified, and C(phase1_auth_method) is C(rsa-signature), the default is C(default.key). - This parameter is invalid when C(phase1_auth_method) is C(pre-shared-key). type: str description: description: - Description of the IKE peer. type: str phase1_cert: description: - Specifies the digital certificate to use for the RSA signature. - When creating a new IKE peer, if this value is not specified, and C(phase1_auth_method) is C(rsa-signature), the default is C(default.crt). - This parameter is invalid when C(phase1_auth_method) is C(pre-shared-key). type: str preshared_key: description: - Specifies a string the IKE peers share for authenticating each other. - This parameter is only relevant when C(phase1_auth_method) is C(pre-shared-key). - This parameter is invalid when C(phase1_auth_method) is C(rsa-signature). type: str remote_address: description: - Displays the IP address of the BIG-IP system that is remote to the system you are configuring. type: str phase1_lifetime: description: - Defines the lifetime in minutes of an IKE SA which will be proposed in the phase 1 negotiations. - The accepted value range is C(1 - 4294967295) minutes. - When creating a new IKE peer, if this value is not specified, the default value set by the system is C(1440) minutes. type: int version_added: 1.1.0 version_added_collection: f5networks.f5_modules update_password: choices: - always - on_create default: always description: - C(always) allows updating passwords if the user chooses to do so. C(on_create) only sets the password for newly created IKE peers. type: str verified_id_type: choices: - address - asn1dn - fqdn - keyid-tag - user-fqdn - override description: - Specifies the identifier type the local system uses to identify the peer during IKE Phase 1 negotiation. - This is a required value when C(version) includes (Cv2). - When C(user-fqdn), value of C(verified_id_value) must be in the form of User @ DNS domain string. type: str presented_id_type: choices: - address - asn1dn - fqdn - keyid-tag - user-fqdn - override description: - Specifies the identifier type the local system uses to identify itself to the peer during IKE Phase 1 negotiations. type: str verified_id_value: description: - Specifies a value for the identity when using a C(verified_id_type) of C(override). - This is a required value when C(version) includes (Cv2). type: str phase1_auth_method: choices: - pre-shared-key - rsa-signature description: - Specifies the authentication method for phase 1 negotiation. - When creating a new IKE peer, if this value is not specified, the default is C(rsa-signature). type: str presented_id_value: description: - Specifies a value for the identity when using a C(presented_id_type) of C(override). - This is a required value when C(version) includes (Cv2). type: str phase1_hash_algorithm: choices: - sha1 - md5 - sha256 - sha384 - sha512 description: - Specifies the algorithm to use for IKE authentication. type: str phase1_verify_peer_cert: description: - In IKEv2, specifies whether the certificate sent by the IKE peer is verified using the Trusted Certificate Authorities, a CRL, and/or a peer certificate. - In IKEv1, specifies whether the identifier sent by the peer is verified with the credentials in the certificate, in the following manner - ASN1DN; specifies that the entire certificate subject name is compared with the identifier. Address, FQDN, or User FQDN; specifies that the certificate's subjectAltName is compared with the identifier. If the two do not match, the negotiation fails. - When creating a new IKE peer, if this value is not specified, and C(phase1_auth_method) is C(rsa-signature), the default is C(false). - This parameter is invalid when C(phase1_auth_method) is C(pre-shared-key). type: bool phase1_encryption_algorithm: choices: - 3des - des - blowfish - cast128 - aes128 - aes192 - aes256 - camellia description: - Specifies the algorithm to use for IKE encryption. - IKE C(version) C(v2) does not support C(blowfish), C(camellia), or C(cast128). type: str phase1_perfect_forward_secrecy: choices: - ecp256 - ecp384 - ecp521 - modp768 - modp1024 - modp1536 - modp2048 - modp3072 - modp4096 - modp6144 - modp8192 description: - Specifies the Diffie-Hellman group to use for IKE Phase 1 and Phase 2 negotiations. type: str
phase1_auth_method: description: The new IKE Phase 1 Credentials Authentication Method value of the resource. returned: changed sample: rsa-signature type: str phase1_cert: description: The new IKE Phase 1 Certificate Credentials. returned: changed sample: /Common/cert1.crt type: str phase1_encryption_algorithm: description: The new IKE Phase 1 Encryption Algorithm. returned: changed sample: 3des type: str phase1_hash_algorithm: description: The new IKE Phase 1 Authentication Algorithm. returned: changed sample: sha256 type: str phase1_key: description: The new IKE Phase 1 Key Credentials. returned: changed sample: /Common/cert1.key type: str phase1_perfect_forward_secrecy: description: The new IKE Phase 1 Perfect Forward Secrecy. returned: changed sample: modp1024 type: str phase1_verify_peer_cert: description: The new IKE Phase 1 Key Verify Peer Certificate setting. returned: changed sample: true type: bool presented_id_type: description: The new Presented ID Type value of the resource. returned: changed sample: address type: str presented_id_value: description: The new Presented ID Value setting for the Presented ID Type. returned: changed sample: 1.2.3.1 type: str remote_address: description: The new Remote Address value of the resource. returned: changed sample: 1.2.2.1 type: str verified_id_type: description: The new Verified ID Type value of the resource. returned: changed sample: address type: str verified_id_value: description: The new Verified ID Value setting for the Verified ID Type. returned: changed sample: 1.2.3.1 type: str version: description: The new list of IKE versions. returned: changed sample: - v1 - v2 type: list