Try SpotterConfigure VPN autokey tunnel in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of lix_fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120
collections:
- name: lix_fortinet.fortios
version: 102.2.120This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ipsec feature and phase2_interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure VPN autokey tunnel.
fortios_vpn_ipsec_phase2_interface:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
vpn_ipsec_phase2_interface:
add_route: "phase1"
auto_discovery_forwarder: "phase1"
auto_discovery_sender: "phase1"
auto_negotiate: "enable"
comments: "<your_own_value>"
dhcp_ipsec: "enable"
dhgrp: "1"
diffserv: "enable"
diffservcode: "<your_own_value>"
dst_addr_type: "subnet"
dst_end_ip: "<your_own_value>"
dst_end_ip6: "<your_own_value>"
dst_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
dst_name6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
dst_port: "0"
dst_start_ip: "<your_own_value>"
dst_start_ip6: "<your_own_value>"
dst_subnet: "<your_own_value>"
dst_subnet6: "<your_own_value>"
encapsulation: "tunnel-mode"
inbound_dscp_copy: "phase1"
initiator_ts_narrow: "enable"
ipv4_df: "enable"
keepalive: "enable"
keylife_type: "seconds"
keylifekbs: "5120"
keylifeseconds: "43200"
l2tp: "enable"
name: "default_name_31"
pfs: "enable"
phase1name: "<your_own_value> (source vpn.ipsec.phase1-interface.name)"
proposal: "null-md5"
protocol: "0"
replay: "enable"
route_overlap: "use-old"
single_source: "enable"
src_addr_type: "subnet"
src_end_ip: "<your_own_value>"
src_end_ip6: "<your_own_value>"
src_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
src_name6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
src_port: "0"
src_start_ip: "<your_own_value>"
src_start_ip6: "<your_own_value>"
src_subnet: "<your_own_value>"
src_subnet6: "<your_own_value>"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object.
required: true
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
vpn_ipsec_phase2_interface:
default: null
description:
- Configure VPN autokey tunnel.
suboptions:
add_route:
choices:
- phase1
- enable
- disable
description:
- Enable/disable automatic route addition.
type: str
auto_discovery_forwarder:
choices:
- phase1
- enable
- disable
description:
- Enable/disable forwarding short-cut messages.
type: str
auto_discovery_sender:
choices:
- phase1
- enable
- disable
description:
- Enable/disable sending short-cut messages.
type: str
auto_negotiate:
choices:
- enable
- disable
description:
- Enable/disable IPsec SA auto-negotiation.
type: str
comments:
description:
- Comment.
type: str
dhcp_ipsec:
choices:
- enable
- disable
description:
- Enable/disable DHCP-IPsec.
type: str
dhgrp:
choices:
- '1'
- '2'
- '5'
- '14'
- '15'
- '16'
- '17'
- '18'
- '19'
- '20'
- '21'
- '27'
- '28'
- '29'
- '30'
- '31'
- '32'
description:
- Phase2 DH group.
elements: str
type: list
diffserv:
choices:
- enable
- disable
description:
- Enable/disable applying DSCP value to the IPsec tunnel outer IP header.
type: str
diffservcode:
description:
- DSCP value to be applied to the IPsec tunnel outer IP header.
type: str
dst_addr_type:
choices:
- subnet
- range
- ip
- name
- subnet6
- range6
- ip6
- name6
description:
- Remote proxy ID type.
type: str
dst_end_ip:
description:
- Remote proxy ID IPv4 end.
type: str
dst_end_ip6:
description:
- Remote proxy ID IPv6 end.
type: str
dst_name:
description:
- Remote proxy ID name. Source firewall.address.name firewall.addrgrp.name.
type: str
dst_name6:
description:
- Remote proxy ID name. Source firewall.address6.name firewall.addrgrp6.name.
type: str
dst_port:
description:
- Quick mode destination port (1 - 65535 or 0 for all).
type: int
dst_start_ip:
description:
- Remote proxy ID IPv4 start.
type: str
dst_start_ip6:
description:
- Remote proxy ID IPv6 start.
type: str
dst_subnet:
description:
- Remote proxy ID IPv4 subnet.
type: str
dst_subnet6:
description:
- Remote proxy ID IPv6 subnet.
type: str
encapsulation:
choices:
- tunnel-mode
- transport-mode
description:
- ESP encapsulation mode.
type: str
inbound_dscp_copy:
choices:
- phase1
- enable
- disable
description:
- Enable/disable copy the dscp in the ESP header to the inner IP Header.
type: str
initiator_ts_narrow:
choices:
- enable
- disable
description:
- Enable/disable traffic selector narrowing for IKEv2 initiator.
type: str
ipv4_df:
choices:
- enable
- disable
description:
- Enable/disable setting and resetting of IPv4 "Don"t Fragment" bit.
type: str
keepalive:
choices:
- enable
- disable
description:
- Enable/disable keep alive.
type: str
keylife_type:
choices:
- seconds
- kbs
- both
description:
- Keylife type.
type: str
keylifekbs:
description:
- Phase2 key life in number of kilobytes of traffic (5120 - 4294967295).
type: int
keylifeseconds:
description:
- Phase2 key life in time in seconds (120 - 172800).
type: int
l2tp:
choices:
- enable
- disable
description:
- Enable/disable L2TP over IPsec.
type: str
name:
description:
- IPsec tunnel name.
required: true
type: str
pfs:
choices:
- enable
- disable
description:
- Enable/disable PFS feature.
type: str
phase1name:
description:
- Phase 1 determines the options required for phase 2. Source vpn.ipsec.phase1-interface.name.
type: str
proposal:
choices:
- null-md5
- null-sha1
- null-sha256
- null-sha384
- null-sha512
- des-null
- des-md5
- des-sha1
- des-sha256
- des-sha384
- des-sha512
- 3des-null
- 3des-md5
- 3des-sha1
- 3des-sha256
- 3des-sha384
- 3des-sha512
- aes128-null
- aes128-md5
- aes128-sha1
- aes128-sha256
- aes128-sha384
- aes128-sha512
- aes128gcm
- aes192-null
- aes192-md5
- aes192-sha1
- aes192-sha256
- aes192-sha384
- aes192-sha512
- aes256-null
- aes256-md5
- aes256-sha1
- aes256-sha256
- aes256-sha384
- aes256-sha512
- aes256gcm
- chacha20poly1305
- aria128-null
- aria128-md5
- aria128-sha1
- aria128-sha256
- aria128-sha384
- aria128-sha512
- aria192-null
- aria192-md5
- aria192-sha1
- aria192-sha256
- aria192-sha384
- aria192-sha512
- aria256-null
- aria256-md5
- aria256-sha1
- aria256-sha256
- aria256-sha384
- aria256-sha512
- seed-null
- seed-md5
- seed-sha1
- seed-sha256
- seed-sha384
- seed-sha512
description:
- Phase2 proposal.
elements: str
type: list
protocol:
description:
- Quick mode protocol selector (1 - 255 or 0 for all).
type: int
replay:
choices:
- enable
- disable
description:
- Enable/disable replay detection.
type: str
route_overlap:
choices:
- use-old
- use-new
- allow
description:
- Action for overlapping routes.
type: str
single_source:
choices:
- enable
- disable
description:
- Enable/disable single source IP restriction.
type: str
src_addr_type:
choices:
- subnet
- range
- ip
- name
- subnet6
- range6
- ip6
- name6
description:
- Local proxy ID type.
type: str
src_end_ip:
description:
- Local proxy ID end.
type: str
src_end_ip6:
description:
- Local proxy ID IPv6 end.
type: str
src_name:
description:
- Local proxy ID name. Source firewall.address.name firewall.addrgrp.name.
type: str
src_name6:
description:
- Local proxy ID name. Source firewall.address6.name firewall.addrgrp6.name.
type: str
src_port:
description:
- Quick mode source port (1 - 65535 or 0 for all).
type: int
src_start_ip:
description:
- Local proxy ID start.
type: str
src_start_ip6:
description:
- Local proxy ID IPv6 start.
type: str
src_subnet:
description:
- Local proxy ID subnet.
type: str
src_subnet6:
description:
- Local proxy ID IPv6 subnet.
type: str
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str