paloaltonetworks.panos.panos_ike_gateway (2.19.1): module
panos_ike_gateway: Manage IKE gateway on the firewall with subset of settings.
Added in version 1.0.0 of paloaltonetworks.panos.
Authors: Ivan Bojer (@ivanbojer)
Install with: ansible-galaxy collection install paloaltonetworks.panos:==2.19.1
Or add to requirements.yml:
  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1
Use this to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.
Examples:

  - name: Add IKE gateway config to the firewall
    paloaltonetworks.panos.panos_ike_gateway:
      provider: '{{ provider }}'
      state: 'present'
      name: 'IKEGW-Ansible'
      version: 'ikev2'
      interface: 'ethernet1/1'
      enable_passive_mode: true
      enable_liveness_check: true
      liveness_check_interval: '5'
      peer_ip_value: '1.2.3.4'
      pre_shared_key: 'CHANGEME'
      ikev2_crypto_profile: 'IKE-Ansible'
      commit: false

  - name: Create IKE gateway (dynamic)
    paloaltonetworks.panos.panos_ike_gateway:
      provider: '{{ device }}'
      name: 'test-dynamic'
      interface: 'ethernet1/1'
      peer_ip_type: dynamic
      pre_shared_key: 'CHANGEME'
      commit: false
Parameters:

name (str): Name for the profile.
port (int, default 443): Deprecated: use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
state (str, choices: present, absent, replaced, merged, deleted, gathered; default present): The state.
commit (bool): Deprecated: please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama or paloaltonetworks.panos.panos_commit_push instead. Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.
api_key (str): Deprecated: use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
version (str, aliases: protocol_version; choices: ikev1, ikev2, ikev2-preferred; default ikev2): Specify the priority for Diffie-Hellman (DH) groups.
password (str): Deprecated: use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
provider (dict, added in version 1.0.0 of paloaltonetworks.panos): A dict object containing connection details. Suboptions:
  api_key (str): The API key to use instead of generating it using username / password.
  ip_address (str): The IP address or hostname of the PAN-OS device being configured.
  password (str): The password to use for authentication. This is ignored if api_key is specified.
  port (int, default 443): The port number to connect to the PAN-OS device on.
  serial_number (str): The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
  username (str, default admin): The username to use for authentication. This is ignored if api_key is specified.
template (str): (Panorama only) The template this operation should target. Mutually exclusive with template_stack.
username (str, default admin): Deprecated: use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.
interface (str, default ethernet1/1): Specify the outgoing firewall interface to the VPN tunnel.
ip_address (str): Deprecated: use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
peer_id_type (str, choices: ipaddr, fqdn, ufqdn, keyid, dn): Define the format of the identification of the peer gateway. ipaddr: IP address; fqdn: FQDN (hostname); ufqdn: User FQDN (email address); keyid: Key ID (binary format ID string in hex).
peer_ip_type (str, choices: ip, dynamic, fqdn; default ip): IP or dynamic.
local_id_type (str, choices: ipaddr, fqdn, ufqdn, keyid, dn): Define the format of the identification of the local gateway. ipaddr: IP address; fqdn: FQDN (hostname); ufqdn: User FQDN (email address); keyid: Key ID (binary format ID string in hex).
peer_id_check (str, choices: exact, wildcard): Type of checking to do on peer_id.
peer_id_value (str): Define the value for the identification of the peer gateway. Required when peer_id_type is set.
peer_ip_value (str, default 127.0.0.1): IPv4 address of the peer gateway.
local_id_value (str): Define the value for the identification of the local gateway. Required when local_id_type is set.
pre_shared_key (str, aliases: psk; default CHANGEME): Specify pre-shared key.
template_stack (str): (Panorama only) The template stack this operation should target. Mutually exclusive with template.
gathered_filter (str): When state=gathered. An advanced filtering option to filter results returned from PAN-OS. Refer to the guide discussing gathered_filter for more information.
local_ip_address (str): Bind IKE gateway to the specified interface IP address. Only needed if 'interface' has multiple IP addresses associated with it. It should include the mask, such as '192.168.1.1/24'.
enable_passive_mode (bool, aliases: passive_mode; default true): True to have the firewall only respond to IKE connections and never initiate them.
ikev1_exchange_mode (str, choices: auto, main, aggressive): The IKE exchange mode to use.
enable_fragmentation (bool, aliases: fragmentation; default false): True to enable IKE fragmentation. Incompatible with pre-shared keys, or 'aggressive' exchange mode.
enable_nat_traversal (bool, aliases: nat_traversal; default false): True to enable NAT Traversal mode.
ikev1_crypto_profile (str, aliases: crypto_profile_name; default default): Crypto profile for IKEv1.
ikev2_crypto_profile (str, aliases: crypto_profile_name; default default): Crypto profile for IKEv2.
enable_liveness_check (bool, default true): Enable sending empty information liveness check message.
local_ip_address_type (str, choices: ip, floating-ip): The type of the bound interface IP address. ip: Specify exact IP address if interface has multiple addresses. floating-ip: Floating IP address in HA Active-Active configuration. Required when 'local_ip_address' is set.
liveness_check_interval (int, aliases: liveness_check; default 5): Delay interval before sending probing packets (in seconds).
dead_peer_detection_retry (int, default 10): Retry attempts before peer is marked dead.
enable_dead_peer_detection (bool, aliases: dead_peer_detection; default false): True to enable Dead Peer Detection on the gateway.
dead_peer_detection_interval (int, default 99): Time in seconds to check for a dead peer.
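As an added example that is not part of the collection, the following Python linter checks a task's module arguments against the parameter rules documented above (the "Required when" and "Incompatible with" notes, plus the placeholder defaults CHANGEME and 127.0.0.1) before the play runs; the task dicts and the function names are constructed for illustration.

```python
# Added example, not the collection's own code: pre-flight linter for panos_ike_gateway
# task args encoding the documented "Required when"/"Incompatible with" rules and defaults.
from typing import Dict, List

MODULE = "paloaltonetworks.panos.panos_ike_gateway"

def lint_ike_gateway(args: Dict) -> List[str]:
    """Return the problems found in one task's module arguments (empty list = clean)."""
    problems: List[str] = []
    # peer_id_value / local_id_value are required when the matching *_id_type is set.
    for side in ("peer", "local"):
        if args.get(f"{side}_id_type") and not args.get(f"{side}_id_value"):
            problems.append(f"{side}_id_value is required when {side}_id_type is set")
    # local_ip_address requires local_ip_address_type and should carry a mask.
    if args.get("local_ip_address"):
        if not args.get("local_ip_address_type"):
            problems.append("local_ip_address_type is required when local_ip_address is set")
        if "/" not in args["local_ip_address"]:
            problems.append("local_ip_address should include the mask, e.g. 192.168.1.1/24")
    # IKE fragmentation is incompatible with pre-shared keys and with aggressive mode.
    if args.get("enable_fragmentation") or args.get("fragmentation"):
        if args.get("pre_shared_key") or args.get("psk"):
            problems.append("enable_fragmentation is incompatible with a pre-shared key")
        if args.get("ikev1_exchange_mode") == "aggressive":
            problems.append("enable_fragmentation is incompatible with aggressive exchange mode")
    # The module defaults are placeholders: a task that leaves them in place is not deployable.
    if args.get("pre_shared_key", args.get("psk", "CHANGEME")) == "CHANGEME":
        problems.append("pre_shared_key is the placeholder default 'CHANGEME'")
    if args.get("peer_ip_type", "ip") == "ip" and args.get("peer_ip_value", "127.0.0.1") == "127.0.0.1":
        problems.append("peer_ip_value is the placeholder default 127.0.0.1")
    return problems

def lint_playbook(tasks: List[Dict]) -> Dict[str, List[str]]:
    """Lint every task in a task list that uses this module, keyed by task name."""
    return {t["name"]: lint_ike_gateway(t[MODULE]) for t in tasks if MODULE in t}

# Constructed sample tasks: the first mirrors the page's own example, the second is
# deliberately wrong in several of the documented ways.
SAMPLE_TASKS = [
    {"name": "Add IKE gateway config to the firewall", MODULE: {
        "state": "present", "name": "IKEGW-Ansible", "version": "ikev2",
        "interface": "ethernet1/1", "enable_passive_mode": True,
        "enable_liveness_check": True, "liveness_check_interval": 5,
        "peer_ip_value": "1.2.3.4", "pre_shared_key": "CHANGEME",
        "ikev2_crypto_profile": "IKE-Ansible", "commit": False}},
    {"name": "Broken gateway", MODULE: {
        "name": "gw-bad", "peer_id_type": "fqdn", "local_ip_address": "10.0.0.1",
        "enable_fragmentation": True, "pre_shared_key": "{{ vault_psk }}"}},
]
```

Calling lint_playbook(SAMPLE_TASKS) returns the findings per task; the page's own example is flagged only for the literal CHANGEME key.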