Try SpotterManage IPSec policies on a BIG-IP
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Tim Rupp (@caphrim007), Wojciech Wypior (@wojtek0806)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manage IPSec policies on a BIG-IP device.
- name: Create a IPSec policy
bigip_ipsec_policy:
name: policy1
mode: tunnel
tunnel_local_address: 1.1.1.1
tunnel_remote_address: 2.2.2.
auth_algorithm: sha1
encrypt_algorithm: 3des
protocol: esp
perfect_forward_secrecy: modp1024
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
mode:
choices:
- transport
- interface
- isession
- tunnel
description:
- Specifies the processing mode.
- When C(transport), specifies a mode that encapsulates only the payload (adding an
ESP header, trailer, and authentication tag).
- When C(tunnel), specifies a mode that includes encapsulation of the header as well
as the payload (adding a new IP header, in addition to adding an ESP header, trailer,
and authentication tag). If you select this option, you must also provide IP addresses
for the local and remote endpoints of the IPsec tunnel.
- When C(isession), specifies the use of iSession over an IPsec tunnel. To use this
option, you must also configure the iSession endpoints with IPsec in the Acceleration
section of the user interface.
- When C(interface), specifies the IPsec policy can be used in the tunnel profile
for network interfaces.
type: str
name:
description:
- Specifies the name of the IPSec policy.
required: true
type: str
state:
choices:
- present
- absent
default: present
description:
- When C(present), ensures the resource exists.
- When C(absent), ensures the resource is removed.
type: str
ipcomp:
choices:
- none
- 'null'
- deflate
description:
- Specifies whether to use IPComp encapsulation.
- When C(none), specifies IPComp is disabled.
- When C(deflate), specifies IPComp is enabled and uses the Deflate compression algorithm.
type: str
lifetime:
description:
- Specifies the length of time before the IKE security association expires, in minutes.
type: int
protocol:
choices:
- esp
- ah
description:
- Specifies the IPsec protocol.
- Options include ESP (Encapsulating Security Protocol) or AH (Authentication Header).
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
partition:
default: Common
description:
- Device partition to manage resources on.
type: str
description:
description:
- Description of the policy
type: str
kb_lifetime:
description:
- Specifies the length of time before the IKE security association, in kilobytes.
expires.
type: int
route_domain:
description:
- Specifies the route domain, when C(interface) is selected for the C(mode) setting.
type: int
auth_algorithm:
choices:
- sha1
- sha256
- sha384
- sha512
- aes-gcm128
- aes-gcm192
- aes-gcm256
- aes-gmac128
- aes-gmac192
- aes-gmac256
description:
- Specifies the algorithm to use for IKE authentication.
type: str
ipv4_interface:
description:
- When C(mode) is C(interface), indicates if the IPv4 C(any) address should be used.
By default C(BIG-IP) assumes C(any6) address for tunnel addresses when C(mode) is
C(interface).
- This option takes effect only when C(mode) is set to C(interface).
type: bool
encrypt_algorithm:
choices:
- none
- 3des
- aes128
- aes192
- aes256
- aes-gmac256
- aes-gmac192
- aes-gmac128
- aes-gcm256
- aes-gcm192
- aes-gcm256
- aes-gcm128
description:
- Specifies the algorithm to use for IKE encryption.
type: str
tunnel_local_address:
description:
- Specifies the local endpoint IP address of the IPsec tunnel.
- This parameter is only valid when C(mode) is C(tunnel).
type: str
tunnel_remote_address:
description:
- Specifies the remote endpoint IP address of the IPsec tunnel.
- This parameter is only valid when C(mode) is C(tunnel).
type: str
perfect_forward_secrecy:
choices:
- none
- modp768
- modp1024
- modp1536
- modp2048
- modp3072
- modp4096
- modp6144
- modp8192
description:
- Specifies the Diffie-Hellman group to use for IKE Phase 2 negotiation.
type: str
auth_algorithm: description: The new IKE Phase 2 Authentication Algorithm value. returned: changed sample: sha512 type: str description: description: The new description value. returned: changed sample: My policy type: str encrypt_algorithm: description: The new IKE Phase 2 Encryption Algorithm value. returned: changed sample: aes256 type: str ipcomp: description: The new IKE Phase 2 IPComp value. returned: changed sample: deflate type: str kb_lifetime: description: The new IKE Phase 2 KB Lifetime value. returned: changed sample: 0 type: int lifetime: description: The new IKE Phase 2 Lifetime value. returned: changed sample: 1440 type: int mode: description: The new Mode value. returned: changed sample: tunnel type: str perfect_forward_secrecy: description: The new IKE Phase 2 Perfect Forward Secrecy value. returned: changed sample: modp2048 type: str protocol: description: The new IPsec Protocol value. returned: changed sample: ah type: str route_domain: description: The new Route Domain value when in Tunnel mode. returned: changed sample: 2 type: int tunnel_local_address: description: The new Tunnel Local Address value. returned: changed sample: 1.2.2.1 type: str tunnel_remote_address: description: The new Tunnel Remote Address value. returned: changed sample: 2.1.1.2 type: str