paloaltonetworks.panos.panos_ipsec_tunnel (2.19.1) — module

Manage IPSec Tunnels on the firewall with subset of settings.

Added in version 1.0.0 of paloaltonetworks.panos

Authors: Ivan Bojer (@ivanbojer)

Install collection

Install with ansible-galaxy collection install paloaltonetworks.panos:==2.19.1


Add to requirements.yml

  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1

Description

Use IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.


Requirements

Usage examples

- name: Add IPSec tunnel to IKE gateway profile
  paloaltonetworks.panos.panos_ipsec_tunnel:
    provider: '{{ provider }}'
    name: 'IPSecTunnel-Ansible'
    tunnel_interface: 'tunnel.2'
    ak_ike_gateway: 'IKEGW-Ansible'
    ak_ipsec_crypto_profile: 'IPSec-Ansible'
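The task above only binds the tunnel to its IKE gateway and crypto profile. The playbook below is an added example, not part of the collection's own documentation: it builds the same auto-key tunnel with anti-replay kept on and tunnel monitoring enabled, commits through the separate commit module the page points to (the module's own commit option is deprecated), and then reads back every tunnel with state=gathered. Every name in it is a placeholder: the IKE gateway 'IKEGW-Ansible', the crypto profile 'IPSec-Ansible', the interface 'tunnel.2', the monitor profile 'mon-failover' and the proxy ID 'proxyid-lan' are assumed to already exist on the firewall, the management address and probe target are documentation-range addresses, and the API key is assumed to be in the PANOS_API_KEY environment variable on the control node.

```yaml
---
# Added example, not from the paloaltonetworks.panos documentation.
# Assumptions: the IKE gateway, IPsec crypto profile, tunnel interface,
# monitor profile and proxy ID named below already exist; all names and
# addresses are placeholders; PANOS_API_KEY is set on the control node.
- name: Manage a Phase 2 IPSec tunnel with paloaltonetworks.panos.panos_ipsec_tunnel
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Connection details go in the provider dict; the top-level ip_address,
    # username, password, api_key and port options are deprecated.
    provider:
      ip_address: '192.0.2.10'                         # placeholder management address
      api_key: "{{ lookup('env', 'PANOS_API_KEY') }}"  # secret stays out of the playbook

  tasks:
    - name: Ensure the auto-key tunnel exists with anti-replay and tunnel monitoring
      paloaltonetworks.panos.panos_ipsec_tunnel:
        provider: '{{ provider }}'
        name: 'IPSecTunnel-Ansible'
        type: auto-key
        tunnel_interface: 'tunnel.2'
        ak_ike_gateway: 'IKEGW-Ansible'
        ak_ipsec_crypto_profile: 'IPSec-Ansible'
        anti_replay: true                    # module default; stated so a reviewer sees it
        enable_tunnel_monitor: true
        tunnel_monitor_dest_ip: '198.51.100.1'   # placeholder host reachable only via the tunnel
        tunnel_monitor_profile: 'mon-failover'   # placeholder existing monitor profile
        tunnel_monitor_proxy_id: 'proxyid-lan'   # placeholder existing proxy ID
        state: present

    - name: Commit the candidate configuration (the module's own commit option is deprecated)
      paloaltonetworks.panos.panos_commit_firewall:
        provider: '{{ provider }}'

    - name: Gather every configured IPSec tunnel for review
      paloaltonetworks.panos.panos_ipsec_tunnel:
        provider: '{{ provider }}'
        state: gathered
        gathered_filter: '*'                 # wildcard from the collection's gathered_filter guide
      register: tunnels

    - name: Show what the firewall reports
      ansible.builtin.debug:
        var: tunnels
```

Run it with `ansible-playbook ipsec_tunnel.yml` after exporting PANOS_API_KEY. Auto-key is used deliberately: the manual-key type takes static SPIs and key material as plain task arguments (mk_local_spi, mk_remote_spi, mk_auth_key, mk_esp_encryption_key), and its choice lists still include des, 3des, 'null', md5 and sha1, so a playbook that sets type=manual-key is worth a careful review of both the algorithm choices and where the keys are stored.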

Inputs

ipv6:
    default: false
    description:
    - Use IPv6 for the IPsec tunnel (7.0+)
    type: bool

name:
    description:
    - Name for the IPSec tunnel.
    type: str

port:
    default: 443
    description:
    - Deprecated. Use I(provider) to specify PAN-OS connectivity instead.
    - The port number to connect to the PAN-OS device on.
    type: int

type:
    choices:
    - auto-key
    - manual-key
    - global-protect-satellite
    default: auto-key
    description:
    - Type of IPsec tunnel.
    type: str

state:
    choices:
    - present
    - absent
    - replaced
    - merged
    - deleted
    - gathered
    default: present
    description:
    - The desired state of the IPSec tunnel object.
    type: str

commit:
    description:
    - Deprecated. Use M(paloaltonetworks.panos.panos_commit_firewall), M(paloaltonetworks.panos.panos_commit_panorama)
      or M(paloaltonetworks.panos.panos_commit_push) instead.
    - Commit changes after creating object.  If I(ip_address) is a Panorama device, and
      I(device_group) or I(template) are also set, perform a commit to Panorama and a
      commit-all to the device group/template.
    type: bool

api_key:
    description:
    - Deprecated. Use I(provider) to specify PAN-OS connectivity instead.
    - The API key to use instead of generating it using I(username) / I(password).
    type: str

copy_tos:
    default: false
    description:
    - Copy IP TOS bits from inner packet to IPSec packet (not recommended).
    type: bool

disabled:
    default: false
    description:
    - Disable the IPsec tunnel.
    type: bool

password:
    description:
    - Deprecated. Use I(provider) to specify PAN-OS connectivity instead.
    - The password to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      api_key:
        description:
        - The API key to use instead of generating it using I(username) / I(password).
        type: str
      ip_address:
        description:
        - The IP address or hostname of the PAN-OS device being configured.
        type: str
      password:
        description:
        - The password to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
      port:
        default: 443
        description:
        - The port number to connect to the PAN-OS device on.
        type: int
      serial_number:
        description:
        - The serial number of a firewall to use for targeted commands. If I(ip_address)
          is not a Panorama PAN-OS device, then this param is ignored.
        type: str
      username:
        default: admin
        description:
        - The username to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
    type: dict
    version_added: 1.0.0
    version_added_collection: paloaltonetworks.panos

template:
    description:
    - (Panorama only) The template this operation should target. Mutually exclusive with
      I(template_stack).
    type: str

username:
    default: admin
    description:
    - Deprecated. Use I(provider) to specify PAN-OS connectivity instead.
    - The username to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

ip_address:
    description:
    - Deprecated. Use I(provider) to specify PAN-OS connectivity instead.
    - The IP address or hostname of the PAN-OS device being configured.
    type: str

anti_replay:
    default: true
    description:
    - Enable anti-replay check on this tunnel.
    type: bool

mk_auth_key:
    description:
    - Authentication key (manual-key).
    type: str

mk_protocol:
    choices:
    - esp
    - ah
    description:
    - Protocol for traffic through the tunnel (manual-key).
    type: str

mk_auth_type:
    choices:
    - md5
    - sha1
    - sha256
    - sha384
    - sha512
    description:
    - Authentication type for tunnel access (manual-key).
    type: str

mk_interface:
    description:
    - Interface to terminate tunnel (manual-key).
    type: str

mk_local_spi:
    description:
    - Outbound SPI in hex (manual-key).
    type: str

gps_interface:
    description:
    - Interface to communicate with portal (global-protect-satellite).
    type: str

mk_remote_spi:
    description:
    - Inbound SPI in hex (manual-key).
    type: str

ak_ike_gateway:
    aliases:
    - ike_gtw_name
    default: default
    description:
    - Name of the existing IKE gateway (auto-key).
    type: str

template_stack:
    description:
    - (Panorama only) The template stack this operation should target. Mutually exclusive
      with I(template).
    type: str

copy_flow_label:
    default: false
    description:
    - Copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended)
      (7.0+).
    type: bool

gathered_filter:
    description:
    - When I(state=gathered).
    - An advanced filtering option to filter results returned from PAN-OS.
    - Refer to the guide discussing I(gathered_filter) for more information.
    type: str

gps_prefer_ipv6:
    default: false
    description:
    - Prefer to register portal in IPv6 (8.0+) (global-protect-satellite).
    type: bool

tunnel_interface:
    default: tunnel.1
    description:
    - Name of the existing tunnel interface to use.
    type: str

mk_esp_encryption:
    choices:
    - des
    - 3des
    - aes-128-cbc
    - aes-192-cbc
    - aes-256-cbc
    - 'null'
    description:
    - Encryption algorithm for tunnel traffic (manual-key).
    type: str

mk_remote_address:
    description:
    - Tunnel peer IP address (manual-key).
    type: str

gps_portal_address:
    description:
    - GlobalProtect portal address (global-protect-satellite).
    type: str

gps_publish_routes:
    description:
    - Specify list of routes to publish to GlobalProtect gateway (global-protect-satellite).
    elements: str
    type: list

mk_local_address_ip:
    description:
    - Exact IP address if interface has multiple IP addresses (manual-key).
    type: str

enable_tunnel_monitor:
    default: false
    description:
    - Enable tunnel monitoring on this tunnel.
    type: bool

gps_interface_ipv4_ip:
    description:
    - Exact IPv4 IP address if interface has multiple IP addresses (global-protect-satellite).
    type: str

gps_interface_ipv6_ip:
    description:
    - Exact IPv6 IP address if interface has multiple IP addresses (8.0+) (global-protect-satellite).
    type: str

gps_local_certificate:
    description:
    - GlobalProtect satellite certificate file name (global-protect-satellite).
    type: str

mk_esp_encryption_key:
    description:
    - Encryption key (manual-key).
    type: str

tunnel_monitor_dest_ip:
    description:
    - Destination IP address for the ICMP probe.
    type: str

tunnel_monitor_profile:
    description:
    - Monitoring action.
    type: str

ak_ipsec_crypto_profile:
    aliases:
    - ipsec_profile
    default: default
    description:
    - Name of the existing IPsec crypto profile, or 'default' (auto-key).
    type: str

gps_certificate_profile:
    description:
    - Profile for authenticating GlobalProtect gateway certificates (global-protect-satellite).
    type: str

tunnel_monitor_proxy_id:
    description:
    - Which proxy-id (or proxy-id-v6) the monitoring traffic will use.
    type: str

gps_publish_connected_routes:
    default: false
    description:
    - Enable publishing of connected and static routes (global-protect-satellite).
    type: bool

mk_local_address_floating_ip:
    description:
    - Floating IP address in HA Active-Active configuration (manual-key).
    type: str

gps_interface_ipv4_floating_ip:
    description:
    - Floating IPv4 IP address in HA Active-Active configuration (7.0+) (global-protect-satellite).
    type: str

gps_interface_ipv6_floating_ip:
    description:
    - Floating IPv6 IP address in HA Active-Active configuration (8.0+) (global-protect-satellite).
    type: str