fortios_vpn_ipsec_phase1 – Configure VPN remote gateway in Fortinet's FortiOS and FortiGate.
New in version 2.0.0.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the vpn_ipsec feature and phase1 category. The examples include all parameters; the values must be adjusted to your datasources before use. Tested with FOS v6.0.0.
FortiOS Version Compatibility

| | v6.0.0 | v6.0.5 | v6.0.11 | v6.2.0 | v6.2.3 | v6.2.5 | v6.2.7 | v6.4.0 | v6.4.1 | v6.4.4 | v7.0.0 | v7.0.1 | v7.0.2 | v7.0.3 | v7.0.4 | v7.0.5 | v7.0.6 | v7.0.7 | v7.0.8 | v7.2.0 | v7.2.1 | v7.2.2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| fortios_vpn_ipsec_phase1 | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
Parameters
- access_token - Token-based authentication. Generated from the GUI of the FortiGate. type: str required: false
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
- state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
- vpn_ipsec_phase1 - Configure VPN remote gateway. type: dict
  - acct_verify - Enable/disable verification of RADIUS accounting record. type: str choices: enable, disable
  - add_gw_route - Enable/disable automatically add a route to the remote gateway. type: str choices: enable, disable
  - add_route - Enable/disable control addition of a route to peer destination selector. type: str choices: disable, enable
  - assign_ip - Enable/disable assignment of IP to IPsec interface via configuration method. type: str choices: disable, enable
  - assign_ip_from - Method by which the IP address will be assigned. type: str choices: range, usrgrp, dhcp, name
  - authmethod - Authentication method. type: str choices: psk, signature
  - authmethod_remote - Authentication method (remote side). type: str choices: psk, signature
  - authpasswd - XAuth password (max 35 characters). type: str
  - authusr - XAuth user name. type: str
  - authusrgrp - Authentication user group. Source user.group.name. type: str
  - auto_negotiate - Enable/disable automatic initiation of IKE SA negotiation. type: str choices: enable, disable
  - backup_gateway - Instruct unity clients about the backup gateway address(es). type: list
    - address - Address of backup gateway. type: str
  - banner - Message that unity client should display after connecting. type: str
  - cert_id_validation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. type: str choices: enable, disable
  - certificate - Names of up to 4 signed personal certificates. type: list
    - name - Certificate name. Source vpn.certificate.local.name. type: str
  - childless_ike - Enable/disable childless IKEv2 initiation (RFC 6023). type: str choices: enable, disable
  - client_auto_negotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. type: str choices: disable, enable
  - client_keep_alive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. type: str choices: disable, enable
  - comments - Comment. type: str
  - dhcp_ra_giaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests. type: str
  - dhcp6_ra_linkaddr - Relay agent IPv6 link address to use in DHCP6 requests. type: str
  - dhgrp - DH group. type: list choices: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32
  - digital_signature_auth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). type: str choices: enable, disable
  - distance - Distance for routes added by IKE (1 - 255). type: int
  - dns_mode - DNS server mode. type: str choices: manual, auto
  - domain - Instruct unity clients about the single default DNS domain. type: str
  - dpd - Dead Peer Detection mode. type: str choices: disable, on-idle, on-demand
  - dpd_retrycount - Number of DPD retry attempts. type: int
  - dpd_retryinterval - DPD retry interval. type: str
  - eap - Enable/disable IKEv2 EAP authentication. type: str choices: enable, disable
  - eap_exclude_peergrp - Peer group excluded from EAP authentication. Source user.peergrp.name. type: str
  - eap_identity - IKEv2 EAP peer identity type. type: str choices: use-id-payload, send-request
  - enforce_unique_id - Enable/disable peer ID uniqueness check. type: str choices: disable, keep-new, keep-old
  - esn - Extended sequence number (ESN) negotiation. type: str choices: require, allow, disable
  - fec_base - Number of base Forward Error Correction packets (1 - 20). type: int
  - fec_codec - Forward Error Correction encoding/decoding algorithm. type: str choices: rs, xor
  - fec_egress - Enable/disable Forward Error Correction for egress IPsec traffic. type: str choices: enable, disable
  - fec_health_check - SD-WAN health check. Source system.sdwan.health-check.name. type: str
  - fec_ingress - Enable/disable Forward Error Correction for ingress IPsec traffic. type: str choices: enable, disable
  - fec_mapping_profile - Forward Error Correction (FEC) mapping profile. type: str
  - fec_receive_timeout - Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000). type: int
  - fec_redundant - Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor). type: int
  - fec_send_timeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). type: int
  - fgsp_sync - Enable/disable IPsec syncing of tunnels for FGSP IPsec. type: str choices: enable, disable
  - forticlient_enforcement - Enable/disable FortiClient enforcement. type: str choices: enable, disable
  - fragmentation - Enable/disable fragment IKE message on re-transmission. type: str choices: enable, disable
  - fragmentation_mtu - IKE fragmentation MTU (500 - 16000). type: int
  - group_authentication - Enable/disable IKEv2 IDi group authentication. type: str choices: enable, disable
  - group_authentication_secret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. type: str
  - ha_sync_esp_seqno - Enable/disable sequence number jump ahead for IPsec HA. type: str choices: enable, disable
  - idle_timeout - Enable/disable IPsec tunnel idle timeout. type: str choices: enable, disable
  - idle_timeoutinterval - IPsec tunnel idle timeout in minutes (5 - 43200). type: int
  - ike_version - IKE protocol version. type: str choices: 1, 2
  - inbound_dscp_copy - Enable/disable copying the DSCP in the ESP header to the inner IP header. type: str choices: enable, disable
  - include_local_lan - Enable/disable allowing local LAN access on unity clients. type: str choices: disable, enable
  - interface - Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. type: str
  - ip_delay_interval - IP address reuse delay interval in seconds (0 - 28800). type: int
  - ipv4_dns_server1 - IPv4 DNS server 1. type: str
  - ipv4_dns_server2 - IPv4 DNS server 2. type: str
  - ipv4_dns_server3 - IPv4 DNS server 3. type: str
  - ipv4_end_ip - End of IPv4 range. type: str
  - ipv4_exclude_range - Configuration Method IPv4 exclude ranges. type: list
    - end_ip - End of IPv4 exclusive range. type: str
    - id - ID. type: int
    - start_ip - Start of IPv4 exclusive range. type: str
  - ipv4_name - IPv4 address name. Source firewall.address.name firewall.addrgrp.name. type: str
  - ipv4_netmask - IPv4 Netmask. type: str
  - ipv4_split_exclude - IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. type: str
  - ipv4_split_include - IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. type: str
  - ipv4_start_ip - Start of IPv4 range. type: str
  - ipv4_wins_server1 - WINS server 1. type: str
  - ipv4_wins_server2 - WINS server 2. type: str
  - ipv6_dns_server1 - IPv6 DNS server 1. type: str
  - ipv6_dns_server2 - IPv6 DNS server 2. type: str
  - ipv6_dns_server3 - IPv6 DNS server 3. type: str
  - ipv6_end_ip - End of IPv6 range. type: str
  - ipv6_exclude_range - Configuration method IPv6 exclude ranges. type: list
    - end_ip - End of IPv6 exclusive range. type: str
    - id - ID. type: int
    - start_ip - Start of IPv6 exclusive range. type: str
  - ipv6_name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. type: str
  - ipv6_prefix - IPv6 prefix. type: int
  - ipv6_split_exclude - IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. type: str
  - ipv6_split_include - IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. type: str
  - ipv6_start_ip - Start of IPv6 range. type: str
  - keepalive - NAT-T keep alive interval. type: int
  - keylife - Time to wait in seconds before the phase 1 encryption key expires. type: int
  - local_gw - Local VPN gateway. type: str
  - localid - Local ID. type: str
  - localid_type - Local ID type. type: str choices: auto, fqdn, user-fqdn, keyid, address, asn1dn
  - loopback_asymroute - Enable/disable asymmetric routing for IKE traffic on loopback interface. type: str choices: enable, disable
  - mesh_selector_type - Add selectors containing subsets of the configuration depending on traffic. type: str choices: disable, subnet, host
  - mode - ID protection mode used to establish a secure channel. type: str choices: aggressive, main
  - mode_cfg - Enable/disable configuration method. type: str choices: disable, enable
  - mode_cfg_allow_client_selector - Enable/disable mode-cfg client to use custom phase2 selectors. type: str choices: disable, enable
  - name - IPsec remote gateway name. type: str required: true
  - nattraversal - Enable/disable NAT traversal. type: str choices: enable, disable, forced
  - negotiate_timeout - IKE SA negotiation timeout in seconds (1 - 300). type: int
  - network_id - VPN gateway network ID. type: int
  - network_overlay - Enable/disable network overlays. type: str choices: disable, enable
  - npu_offload - Enable/disable offloading to the NPU. type: str choices: enable, disable
  - peer - Accept this peer certificate. Source user.peer.name. type: str
  - peergrp - Accept this peer certificate group. Source user.peergrp.name. type: str
  - peerid - Accept this peer identity. type: str
  - peertype - Accept this peer type. type: str choices: any, one, dialup, peer, peergrp
  - ppk - Enable/disable IKEv2 Postquantum Preshared Key (PPK). type: str choices: disable, allow, require
  - ppk_identity - IKEv2 Postquantum Preshared Key Identity. type: str
  - ppk_secret - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). type: str
  - priority - Priority for routes added by IKE (1 - 65535). type: int
  - proposal - Phase1 proposal. type: list choices: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512
  - psksecret - Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). type: str
  - psksecret_remote - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). type: str
  - reauth - Enable/disable re-authentication upon IKE SA lifetime expiration. type: str choices: disable, enable
  - rekey - Enable/disable phase1 rekey. type: str choices: enable, disable
  - remote_gw - Remote VPN gateway. type: str
  - remotegw_ddns - Domain name of remote gateway. For example, name.ddns.com. type: str
  - rsa_signature_format - Digital Signature Authentication RSA signature format. type: str choices: pkcs1, pss
  - rsa_signature_hash_override - Enable/disable IKEv2 RSA signature hash algorithm override. type: str choices: enable, disable
  - save_password - Enable/disable saving XAuth username and password on VPN clients. type: str choices: disable, enable
  - send_cert_chain - Enable/disable sending certificate chain. type: str choices: enable, disable
  - signature_hash_alg - Digital Signature Authentication hash algorithms. type: list choices: sha1, sha2-256, sha2-384, sha2-512
  - split_include_service - Split-include services. Source firewall.service.group.name firewall.service.custom.name. type: str
  - suite_b - Use Suite-B. type: str choices: disable, suite-b-gcm-128, suite-b-gcm-256
  - type - Remote gateway type. type: str choices: static, dynamic, ddns
  - unity_support - Enable/disable support for Cisco UNITY Configuration Method extensions. type: str choices: disable, enable
  - usrgrp - User group name for dialup peers. Source user.group.name. type: str
  - wizard_type - GUI VPN Wizard Type. type: str choices: custom, dialup-forticlient, dialup-ios, dialup-android, dialup-windows, dialup-cisco, static-fortigate, dialup-fortigate, static-cisco, dialup-cisco-fw, simplified-static-fortigate, hub-fortigate-auto-discovery, spoke-fortigate-auto-discovery
  - xauthtype - XAuth type. type: str choices: disable, client, pap, chap, auto
Examples

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure VPN remote gateway.
      fortios_vpn_ipsec_phase1:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        vpn_ipsec_phase1:
          acct_verify: "enable"
          add_gw_route: "enable"
          add_route: "disable"
          assign_ip: "disable"
          assign_ip_from: "range"
          authmethod: "psk"
          authmethod_remote: "psk"
          authpasswd: "<your_own_value>"
          authusr: "<your_own_value>"
          authusrgrp: "<your_own_value> (source user.group.name)"
          auto_negotiate: "enable"
          backup_gateway:
            - address: "<your_own_value>"
          banner: "<your_own_value>"
          cert_id_validation: "enable"
          certificate:
            - name: "default_name_19 (source vpn.certificate.local.name)"
          childless_ike: "enable"
          client_auto_negotiate: "disable"
          client_keep_alive: "disable"
          comments: "<your_own_value>"
          dhcp_ra_giaddr: "<your_own_value>"
          dhcp6_ra_linkaddr: "<your_own_value>"
          dhgrp: "1"
          digital_signature_auth: "enable"
          distance: "15"
          dns_mode: "manual"
          domain: "<your_own_value>"
          dpd: "disable"
          dpd_retrycount: "3"
          dpd_retryinterval: "<your_own_value>"
          eap: "enable"
          eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)"
          eap_identity: "use-id-payload"
          enforce_unique_id: "disable"
          esn: "require"
          fec_base: "10"
          fec_codec: "rs"
          fec_egress: "enable"
          fec_health_check: "<your_own_value> (source system.sdwan.health-check.name)"
          fec_ingress: "enable"
          fec_mapping_profile: "<your_own_value>"
          fec_receive_timeout: "50"
          fec_redundant: "1"
          fec_send_timeout: "5"
          fgsp_sync: "enable"
          forticlient_enforcement: "enable"
          fragmentation: "enable"
          fragmentation_mtu: "1200"
          group_authentication: "enable"
          group_authentication_secret: "<your_own_value>"
          ha_sync_esp_seqno: "enable"
          idle_timeout: "enable"
          idle_timeoutinterval: "15"
          ike_version: "1"
          inbound_dscp_copy: "enable"
          include_local_lan: "disable"
          interface: "<your_own_value> (source system.interface.name)"
          ip_delay_interval: "0"
          ipv4_dns_server1: "<your_own_value>"
          ipv4_dns_server2: "<your_own_value>"
          ipv4_dns_server3: "<your_own_value>"
          ipv4_end_ip: "<your_own_value>"
          ipv4_exclude_range:
            - end_ip: "<your_own_value>"
              id: "68"
              start_ip: "<your_own_value>"
          ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_netmask: "<your_own_value>"
          ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_start_ip: "<your_own_value>"
          ipv4_wins_server1: "<your_own_value>"
          ipv4_wins_server2: "<your_own_value>"
          ipv6_dns_server1: "<your_own_value>"
          ipv6_dns_server2: "<your_own_value>"
          ipv6_dns_server3: "<your_own_value>"
          ipv6_end_ip: "<your_own_value>"
          ipv6_exclude_range:
            - end_ip: "<your_own_value>"
              id: "83"
              start_ip: "<your_own_value>"
          ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_prefix: "128"
          ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_start_ip: "<your_own_value>"
          keepalive: "10"
          keylife: "86400"
          local_gw: "<your_own_value>"
          localid: "<your_own_value>"
          localid_type: "auto"
          loopback_asymroute: "enable"
          mesh_selector_type: "disable"
          mode: "aggressive"
          mode_cfg: "disable"
          mode_cfg_allow_client_selector: "disable"
          name: "default_name_100"
          nattraversal: "enable"
          negotiate_timeout: "30"
          network_id: "0"
          network_overlay: "disable"
          npu_offload: "enable"
          peer: "<your_own_value> (source user.peer.name)"
          peergrp: "<your_own_value> (source user.peergrp.name)"
          peerid: "<your_own_value>"
          peertype: "any"
          ppk: "disable"
          ppk_identity: "<your_own_value>"
          ppk_secret: "<your_own_value>"
          priority: "1"
          proposal: "des-md5"
          psksecret: "<your_own_value>"
          psksecret_remote: "<your_own_value>"
          reauth: "disable"
          rekey: "enable"
          remote_gw: "<your_own_value>"
          remotegw_ddns: "<your_own_value>"
          rsa_signature_format: "pkcs1"
          rsa_signature_hash_override: "enable"
          save_password: "disable"
          send_cert_chain: "enable"
          signature_hash_alg: "sha1"
          split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
          suite_b: "disable"
          type: "static"
          unity_support: "disable"
          usrgrp: "<your_own_value> (source user.group.name)"
          wizard_type: "custom"
          xauthtype: "disable"
```
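The example task above exercises every parameter, including documented but weak choices (`proposal: des-md5`, `dhgrp: 1`, `ike_version: 1` with `mode: aggressive` and PSK, `signature_hash_alg: sha1`). The following Python checker is an added example, not part of the fortinet.fortios collection: it lints the `vpn_ipsec_phase1` dict of a task for such choices using the module's documented parameter names and choice strings, and returns a hardened copy. The weak/strong thresholds are this example's own policy, and the sample dict is constructed from the task above.

```python
"""Added example: lint a fortios_vpn_ipsec_phase1 task body for weak
IKE phase 1 choices.  Parameter names and choice strings are the ones
the module documents; the policy thresholds are this example's own."""

WEAK_CIPHERS = {"des", "3des"}             # 56/112-bit block ciphers
WEAK_HASHES = {"md5", "sha1", "prfsha1"}   # broken or deprecated hashes
WEAK_DHGRP = {"1", "2", "5"}               # MODP groups of <= 1536 bits


def split_multi(value):
    """dhgrp, proposal and signature_hash_alg are list-typed; the module
    also accepts a space-separated string, as the page's example does."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return str(value).split()


def lint_phase1(p):
    """Return a list of (parameter, finding) pairs for the dict p.
    Where a key is absent, the FortiOS device default is assumed
    (ike_version 1, authmethod psk, peertype any)."""
    findings = []
    for prop in split_multi(p.get("proposal")):
        cipher, _, hash_ = prop.partition("-")   # e.g. aes128gcm-prfsha1
        if cipher.endswith("gcm"):
            cipher = cipher[:-3]
        if cipher in WEAK_CIPHERS or hash_ in WEAK_HASHES:
            findings.append(("proposal", f"weak proposal {prop}"))
    for grp in split_multi(p.get("dhgrp")):
        if grp in WEAK_DHGRP:
            findings.append(("dhgrp", f"weak DH group {grp}"))
    for alg in split_multi(p.get("signature_hash_alg")):
        if alg == "sha1":
            findings.append(("signature_hash_alg", "sha1 signatures"))
    ikev1 = str(p.get("ike_version", "1")) == "1"
    if ikev1 and p.get("mode") == "aggressive" and p.get("authmethod", "psk") == "psk":
        findings.append(("mode", "IKEv1 aggressive mode with PSK"))
    if p.get("type") == "dynamic" and p.get("peertype", "any") == "any":
        findings.append(("peertype", "dialup gateway accepts any peer ID"))
    return findings


def hardened_copy(p):
    """Return a copy of p with the weak choices replaced by strong ones
    taken from the module's documented choice lists."""
    h = dict(p)
    h.update(ike_version="2", mode="main",
             proposal="aes256gcm-prfsha384 aes256-sha256",
             dhgrp="19 20 14", signature_hash_alg="sha2-256 sha2-384")
    if h.get("type") == "dynamic" and h.get("peertype", "any") == "any":
        h["peertype"] = "peergrp"   # then set peergrp (source user.peergrp.name)
    return h


# Constructed sample: the crypto-relevant keys of the page's example task.
PAGE_EXAMPLE = {
    "ike_version": "1", "mode": "aggressive", "authmethod": "psk",
    "dhgrp": "1", "proposal": "des-md5", "signature_hash_alg": "sha1",
    "type": "static", "peertype": "any",
}

if __name__ == "__main__":
    for param, text in lint_phase1(PAGE_EXAMPLE):
        print(f"{param}: {text}")
    print("after hardening:", lint_phase1(hardened_copy(PAGE_EXAMPLE)))
```

Feed it the `vpn_ipsec_phase1` mapping parsed from your playbook (for instance with PyYAML) to gate the task in CI before it reaches the FortiGate.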
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:
- build - Build number of the FortiGate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3