f5networks.f5_modules.bigip_ipsec_policy (1.28.0) — module
Manage IPSec policies on a BIG-IP

Added in version 1.0.0 of f5networks.f5_modules
Authors: Tim Rupp (@caphrim007), Wojciech Wypior (@wojtek0806)

Install with: ansible-galaxy collection install f5networks.f5_modules:==1.28.0

requirements.yml entry:

collections:
  - name: f5networks.f5_modules
    version: 1.28.0

Synopsis

Manage IPSec policies on a BIG-IP device.
Examples

- name: Create an IPSec policy
  bigip_ipsec_policy:
    name: policy1
    mode: tunnel
    tunnel_local_address: 1.1.1.1
    tunnel_remote_address: 2.2.2.
    auth_algorithm: sha1
    encrypt_algorithm: 3des
    protocol: esp
    perfect_forward_secrecy: modp1024
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
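The example above uses sha1, 3des and modp1024 purely to illustrate the parameters. The playbook below is an added example (not part of the F5 module documentation) that builds the same kind of tunnel-mode policy with the stronger choices the module already offers (aes256, sha256, modp2048), keeps certificate validation on, and takes the device password from the F5_PASSWORD environment variable instead of a literal in the play. Hostnames, addresses and the policy name are assumed values.

```yaml
# Added example: a tunnel-mode IPSec policy using the stronger algorithm
# choices documented for this module. All names and addresses are assumed.
- name: Create a tunnel-mode IPSec policy with stronger defaults
  hosts: localhost
  gather_facts: false
  collections:
    - f5networks.f5_modules
  tasks:
    - name: Ensure the hardened policy exists
      bigip_ipsec_policy:
        name: policy-site-a
        partition: Common
        description: Site-to-site tunnel to site A
        mode: tunnel
        protocol: esp
        tunnel_local_address: 10.0.0.1      # assumed local endpoint
        tunnel_remote_address: 10.0.1.1     # assumed remote endpoint
        encrypt_algorithm: aes256
        auth_algorithm: sha256
        perfect_forward_secrecy: modp2048
        ipcomp: none
        lifetime: 1440                      # minutes before the SA expires
        kb_lifetime: 0                      # 0 = no traffic-volume limit
        state: present
        provider:
          server: lb.example.internal       # assumed BIG-IP host
          server_port: 443
          user: ansible-ops                 # assumed administrative account
          # password omitted: the module reads F5_PASSWORD from the environment
          validate_certs: true
          transport: rest
      no_log: true                           # keep provider details out of task output
      register: ipsec_policy

    # The module reports only the fields it changed; 'changed' is the useful signal.
    - name: Report whether the policy was created or updated
      debug:
        msg: "IPSec policy changed: {{ ipsec_policy.changed }}"
```

Run it with F5_PASSWORD exported in the controller's environment (for example from a vault or secret store); because the task sets no_log, the returned values are not printed, which is why the play reports only the changed flag.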
Parameters

mode:
  description:
    - Specifies the processing mode.
    - When C(transport), specifies a mode that encapsulates only the payload (adding an ESP header, trailer, and authentication tag).
    - When C(tunnel), specifies a mode that includes encapsulation of the header as well as the payload (adding a new IP header, in addition to adding an ESP header, trailer, and authentication tag). If you select this option, you must also provide IP addresses for the local and remote endpoints of the IPsec tunnel.
    - When C(isession), specifies the use of iSession over an IPsec tunnel. To use this option, you must also configure the iSession endpoints with IPsec in the Acceleration section of the user interface.
    - When C(interface), specifies the IPsec policy can be used in the tunnel profile for network interfaces.
  type: str
  choices:
    - transport
    - interface
    - isession
    - tunnel

name:
  description:
    - Specifies the name of the IPSec policy.
  required: true
  type: str

state:
  description:
    - When C(present), ensures the resource exists.
    - When C(absent), ensures the resource is removed.
  type: str
  default: present
  choices:
    - present
    - absent

ipcomp:
  description:
    - Specifies whether to use IPComp encapsulation.
    - When C(none), specifies IPComp is disabled.
    - When C(deflate), specifies IPComp is enabled and uses the Deflate compression algorithm.
  type: str
  choices:
    - none
    - 'null'
    - deflate

lifetime:
  description:
    - Specifies the length of time, in minutes, before the IKE security association expires.
  type: int

protocol:
  description:
    - Specifies the IPsec protocol.
    - Options include ESP (Encapsulating Security Payload) or AH (Authentication Header).
  type: str
  choices:
    - esp
    - ah

provider:
  description:
    - A dict object containing connection details.
  type: dict
  version_added: 1.0.0
  version_added_collection: f5networks.f5_modules
  suboptions:
    auth_provider:
      description:
        - Configures the auth provider used to obtain authentication tokens from the remote device.
        - This option is only relevant when working with BIG-IQ devices.
      type: str
    no_f5_teem:
      description:
        - If C(yes), TEEM telemetry data is not sent to F5.
        - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
        - The previously used variable C(F5_TEEM) is deprecated because its name was confusing.
      type: bool
      default: false
    password:
      description:
        - The password for the user account used to connect to the BIG-IP or the BIG-IQ.
        - You may omit this option by setting the environment variable C(F5_PASSWORD).
      required: true
      type: str
      aliases:
        - pass
        - pwd
    server:
      description:
        - The BIG-IP host or the BIG-IQ host.
        - You may omit this option by setting the environment variable C(F5_SERVER).
      required: true
      type: str
    server_port:
      description:
        - The BIG-IP server port.
        - You may omit this option by setting the environment variable C(F5_SERVER_PORT).
      type: int
      default: 443
    timeout:
      description:
        - Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation completes, the module errors.
      type: int
    transport:
      description:
        - Configures the transport connection to use when connecting to the remote device.
      type: str
      default: rest
      choices:
        - rest
    user:
      description:
        - The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device.
        - You may omit this option by setting the environment variable C(F5_USER).
      required: true
      type: str
    validate_certs:
      description:
        - If C(no), SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
        - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
      type: bool
      default: true

partition:
  description:
    - Device partition to manage resources on.
  type: str
  default: Common

description:
  description:
    - Description of the policy.
  type: str

kb_lifetime:
  description:
    - Specifies the amount of traffic, in kilobytes, before the IKE security association expires.
  type: int

route_domain:
  description:
    - Specifies the route domain, when C(interface) is selected for the C(mode) setting.
  type: int

auth_algorithm:
  description:
    - Specifies the algorithm to use for IKE authentication.
  type: str
  choices:
    - sha1
    - sha256
    - sha384
    - sha512
    - aes-gcm128
    - aes-gcm192
    - aes-gcm256
    - aes-gmac128
    - aes-gmac192
    - aes-gmac256

ipv4_interface:
  description:
    - When C(mode) is C(interface), indicates whether the IPv4 C(any) address should be used. By default, C(BIG-IP) assumes the C(any6) address for tunnel addresses when C(mode) is C(interface).
    - This option takes effect only when C(mode) is set to C(interface).
  type: bool

encrypt_algorithm:
  description:
    - Specifies the algorithm to use for IKE encryption.
  type: str
  choices:
    - none
    - 3des
    - aes128
    - aes192
    - aes256
    - aes-gmac256
    - aes-gmac192
    - aes-gmac128
    - aes-gcm256
    - aes-gcm192
    - aes-gcm256
    - aes-gcm128

tunnel_local_address:
  description:
    - Specifies the local endpoint IP address of the IPsec tunnel.
    - This parameter is only valid when C(mode) is C(tunnel).
  type: str

tunnel_remote_address:
  description:
    - Specifies the remote endpoint IP address of the IPsec tunnel.
    - This parameter is only valid when C(mode) is C(tunnel).
  type: str

perfect_forward_secrecy:
  description:
    - Specifies the Diffie-Hellman group to use for IKE Phase 2 negotiation.
  type: str
  choices:
    - none
    - modp768
    - modp1024
    - modp1536
    - modp2048
    - modp3072
    - modp4096
    - modp6144
    - modp8192
Return Values

auth_algorithm:
  description: The new IKE Phase 2 Authentication Algorithm value.
  returned: changed
  type: str
  sample: sha512

description:
  description: The new description value.
  returned: changed
  type: str
  sample: My policy

encrypt_algorithm:
  description: The new IKE Phase 2 Encryption Algorithm value.
  returned: changed
  type: str
  sample: aes256

ipcomp:
  description: The new IKE Phase 2 IPComp value.
  returned: changed
  type: str
  sample: deflate

kb_lifetime:
  description: The new IKE Phase 2 KB Lifetime value.
  returned: changed
  type: int
  sample: 0

lifetime:
  description: The new IKE Phase 2 Lifetime value.
  returned: changed
  type: int
  sample: 1440

mode:
  description: The new Mode value.
  returned: changed
  type: str
  sample: tunnel

perfect_forward_secrecy:
  description: The new IKE Phase 2 Perfect Forward Secrecy value.
  returned: changed
  type: str
  sample: modp2048

protocol:
  description: The new IPsec Protocol value.
  returned: changed
  type: str
  sample: ah

route_domain:
  description: The new Route Domain value when in Tunnel mode.
  returned: changed
  type: int
  sample: 2

tunnel_local_address:
  description: The new Tunnel Local Address value.
  returned: changed
  type: str
  sample: 1.2.2.1

tunnel_remote_address:
  description: The new Tunnel Remote Address value.
  returned: changed
  type: str
  sample: 2.1.1.2