fortios_vpn_ipsec_phase1 – Configure VPN remote gateway in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the vpn_ipsec feature, phase1 category. The example below lists every parameter; its values are placeholders and must be adjusted to your own datasources before use. Tested with FOS v6.0.0.

Requirements

The following requirements are needed on the host that executes this module.

  • ansible>=2.15

Tips

Use member_path together with member_state to add or remove a single element of a list attribute (for example one entry of certificate or backup_gateway) on an existing object, instead of re-sending the whole object with state: present.
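The member operation above can be driven from a reconciliation of what the gateway currently has against what you want. The following is an added example, not code from the fortinet.fortios collection: given one list attribute of an existing phase1 object and its desired members, it emits one module task per difference using member_path and member_state. The list attributes and member keys are taken from the Parameters section; the payload shape (the mkey `name` plus the single member, with state: present still supplied because the module requires it) is this example's reading of those parameters and should be checked against your collection version. The gateway and certificate names are constructed.

```python
"""Plan member operations on a fortios_vpn_ipsec_phase1 object (added example).

Not part of the fortinet.fortios collection. Given the current members of one
list attribute of an existing phase1 object and the members you want, this
emits one module task per difference using member_path/member_state, so the
rest of the gateway definition is never re-sent. The payload shape is an
assumption read from the documented parameters; verify it on your version.
"""
from typing import Any, Dict, List

# The list attributes and their member keys exactly as the parameter table
# documents them ("member_path: certificate:name", and so on).
MEMBER_KEYS = {
    "backup_gateway": "address",
    "certificate": "name",
    "internal_domain_list": "domain_name",
    "ipv4_exclude_range": "id",
    "ipv6_exclude_range": "id",
}
MAX_CERTIFICATES = 4  # "Names of up to 4 signed personal certificates"


def _member_task(gateway: str, vdom: str, attribute: str, value: Any,
                 member_state: str) -> Dict[str, Any]:
    """One playbook task touching a single member of `attribute`."""
    key = MEMBER_KEYS[attribute]
    return {
        "name": f"{member_state}: {attribute}:{key}={value} on {gateway}",
        "fortinet.fortios.fortios_vpn_ipsec_phase1": {
            "vdom": vdom,
            # The object itself must exist; member_state drives the change.
            "state": "present",
            "member_path": f"{attribute}:{key}",
            "member_state": member_state,
            "vpn_ipsec_phase1": {"name": gateway, attribute: [{key: value}]},
        },
    }


def plan_member_tasks(gateway: str, attribute: str, current: List[Any],
                      desired: List[Any], vdom: str = "root") -> List[Dict[str, Any]]:
    """Diff current against desired members and return the tasks, removals first."""
    if attribute not in MEMBER_KEYS:
        raise ValueError(f"{attribute} has no member_path; it is not a list attribute")
    if attribute == "certificate" and len(desired) > MAX_CERTIFICATES:
        raise ValueError(f"at most {MAX_CERTIFICATES} certificates are allowed")
    tasks: List[Dict[str, Any]] = []
    # Removals first, so a certificate rotation never holds five entries mid-run.
    for value in current:
        if value not in desired:
            tasks.append(_member_task(gateway, vdom, attribute, value, "absent"))
    for value in desired:
        if value not in current:
            tasks.append(_member_task(gateway, vdom, attribute, value, "present"))
    return tasks


if __name__ == "__main__":
    import json
    # Constructed sample: rotate one of two certificates on an existing gateway.
    plan = plan_member_tasks("hq-to-branch1", "certificate",
                             current=["branch1-rsa-2021", "hq-ecdsa"],
                             desired=["hq-ecdsa", "branch1-ecdsa-2024"])
    print(json.dumps(plan, indent=2))
```

Feeding the returned list to a loop in a playbook (or dumping it to YAML) gives one small, idempotent change per certificate swap, which is also easier to review in a change ticket than a full object replacement.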

FortiOS Version Compatibility

Supported Version Ranges: v6.0.0 -> 7.4.3

Parameters

  • access_token - Token-based authentication. Generated from the FortiGate GUI. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • vpn_ipsec_phase1 - Configure VPN remote gateway. type: dict more...
    • acct_verify - Enable/disable verification of RADIUS accounting record. type: str choices: enable, disable more...
    • add_gw_route - Enable/disable automatically add a route to the remote gateway. type: str choices: enable, disable more...
    • add_route - Enable/disable control addition of a route to peer destination selector. type: str choices: disable, enable more...
    • assign_ip - Enable/disable assignment of IP to IPsec interface via configuration method. type: str choices: disable, enable more...
    • assign_ip_from - Method by which the IP address will be assigned. type: str choices: range, usrgrp, dhcp, name more...
    • authmethod - Authentication method. type: str choices: psk, signature more...
    • authmethod_remote - Authentication method (remote side). type: str choices: psk, signature more...
    • authpasswd - XAuth password (max 35 characters). type: str more...
    • authusr - XAuth user name. type: str more...
    • authusrgrp - Authentication user group. Source user.group.name. type: str more...
    • auto_negotiate - Enable/disable automatic initiation of IKE SA negotiation. type: str choices: enable, disable more...
    • azure_ad_autoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. type: str choices: enable, disable more...
    • backup_gateway - Instruct unity clients about the backup gateway address(es). type: list member_path: backup_gateway:address more...
      • address - Address of backup gateway. type: str required: true more...
    • banner - Message that unity client should display after connecting. type: str more...
    • cert_id_validation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. type: str choices: enable, disable more...
    • cert_trust_store - CA certificate trust store. type: str choices: local, ems more...
    • certificate - Names of up to 4 signed personal certificates. type: list member_path: certificate:name more...
      • name - Certificate name. Source vpn.certificate.local.name. type: str required: true more...
    • childless_ike - Enable/disable childless IKEv2 initiation (RFC 6023). type: str choices: enable, disable more...
    • client_auto_negotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. type: str choices: disable, enable more...
    • client_keep_alive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. type: str choices: disable, enable more...
    • comments - Comment. type: str more...
    • dev_id - Device ID carried by the device ID notification. type: str more...
    • dev_id_notification - Enable/disable device ID notification. type: str choices: disable, enable more...
    • dhcp_ra_giaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests. type: str more...
    • dhcp6_ra_linkaddr - Relay agent IPv6 link address to use in DHCP6 requests. type: str more...
    • dhgrp - DH group. type: list choices: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32 more...
    • digital_signature_auth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). type: str choices: enable, disable more...
    • distance - Distance for routes added by IKE (1 - 255). type: int more...
    • dns_mode - DNS server mode. type: str choices: manual, auto more...
    • domain - Instruct unity clients about the single default DNS domain. type: str more...
    • dpd - Dead Peer Detection mode. type: str choices: disable, on-idle, on-demand more...
    • dpd_retrycount - Number of DPD retry attempts. type: int more...
    • dpd_retryinterval - DPD retry interval. type: str more...
    • eap - Enable/disable IKEv2 EAP authentication. type: str choices: enable, disable more...
    • eap_cert_auth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. type: str choices: enable, disable more...
    • eap_exclude_peergrp - Peer group excluded from EAP authentication. Source user.peergrp.name. type: str more...
    • eap_identity - IKEv2 EAP peer identity type. type: str choices: use-id-payload, send-request more...
    • ems_sn_check - Enable/disable verification of EMS serial number. type: str choices: enable, disable more...
    • enforce_unique_id - Enable/disable peer ID uniqueness check. type: str choices: disable, keep-new, keep-old more...
    • esn - Extended sequence number (ESN) negotiation. type: str choices: require, allow, disable more...
    • exchange_fgt_device_id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. type: str choices: enable, disable more...
    • fallback_tcp_threshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp. type: int more...
    • fec_base - Number of base Forward Error Correction packets (1 - 20). type: int more...
    • fec_codec - Forward Error Correction encoding/decoding algorithm. type: str choices: rs, xor more...
    • fec_egress - Enable/disable Forward Error Correction for egress IPsec traffic. type: str choices: enable, disable more...
    • fec_health_check - SD-WAN health check. Source system.sdwan.health-check.name. type: str more...
    • fec_ingress - Enable/disable Forward Error Correction for ingress IPsec traffic. type: str choices: enable, disable more...
    • fec_mapping_profile - Forward Error Correction (FEC) mapping profile. Source vpn.ipsec.fec.name. type: str more...
    • fec_receive_timeout - Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000). type: int more...
    • fec_redundant - Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor). type: int more...
    • fec_send_timeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). type: int more...
    • fgsp_sync - Enable/disable IPsec syncing of tunnels for FGSP IPsec. type: str choices: enable, disable more...
    • forticlient_enforcement - Enable/disable FortiClient enforcement. type: str choices: enable, disable more...
    • fortinet_esp - Enable/disable Fortinet ESP encapsulation. type: str choices: enable, disable more...
    • fragmentation - Enable/disable fragment IKE message on re-transmission. type: str choices: enable, disable more...
    • fragmentation_mtu - IKE fragmentation MTU (500 - 16000). type: int more...
    • group_authentication - Enable/disable IKEv2 IDi group authentication. type: str choices: enable, disable more...
    • group_authentication_secret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. type: str more...
    • ha_sync_esp_seqno - Enable/disable sequence number jump ahead for IPsec HA. type: str choices: enable, disable more...
    • idle_timeout - Enable/disable IPsec tunnel idle timeout. type: str choices: enable, disable more...
    • idle_timeoutinterval - IPsec tunnel idle timeout in minutes (5 - 43200). type: int more...
    • ike_version - IKE protocol version. type: str choices: 1, 2 more...
    • inbound_dscp_copy - Enable/disable copying the DSCP value in the ESP header to the inner IP header. type: str choices: enable, disable more...
    • include_local_lan - Enable/disable allow local LAN access on unity clients. type: str choices: disable, enable more...
    • interface - Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. type: str more...
    • internal_domain_list - One or more internal domain names in quotes separated by spaces. type: list member_path: internal_domain_list:domain_name more...
      • domain_name - Domain name. type: str required: true more...
    • ip_delay_interval - IP address reuse delay interval in seconds (0 - 28800). type: int more...
    • ipv4_dns_server1 - IPv4 DNS server 1. type: str more...
    • ipv4_dns_server2 - IPv4 DNS server 2. type: str more...
    • ipv4_dns_server3 - IPv4 DNS server 3. type: str more...
    • ipv4_end_ip - End of IPv4 range. type: str more...
    • ipv4_exclude_range - Configuration Method IPv4 exclude ranges. type: list member_path: ipv4_exclude_range:id more...
      • end_ip - End of IPv4 exclusive range. type: str more...
      • id - ID. see Notes. type: int required: true more...
      • start_ip - Start of IPv4 exclusive range. type: str more...
    • ipv4_name - IPv4 address name. Source firewall.address.name firewall.addrgrp.name. type: str more...
    • ipv4_netmask - IPv4 Netmask. type: str more...
    • ipv4_split_exclude - IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. type: str more...
    • ipv4_split_include - IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. type: str more...
    • ipv4_start_ip - Start of IPv4 range. type: str more...
    • ipv4_wins_server1 - WINS server 1. type: str more...
    • ipv4_wins_server2 - WINS server 2. type: str more...
    • ipv6_dns_server1 - IPv6 DNS server 1. type: str more...
    • ipv6_dns_server2 - IPv6 DNS server 2. type: str more...
    • ipv6_dns_server3 - IPv6 DNS server 3. type: str more...
    • ipv6_end_ip - End of IPv6 range. type: str more...
    • ipv6_exclude_range - Configuration method IPv6 exclude ranges. type: list member_path: ipv6_exclude_range:id more...
      • end_ip - End of IPv6 exclusive range. type: str more...
      • id - ID. see Notes. type: int required: true more...
      • start_ip - Start of IPv6 exclusive range. type: str more...
    • ipv6_name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. type: str more...
    • ipv6_prefix - IPv6 prefix. type: int more...
    • ipv6_split_exclude - IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. type: str more...
    • ipv6_split_include - IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. type: str more...
    • ipv6_start_ip - Start of IPv6 range. type: str more...
    • keepalive - NAT-T keep alive interval. type: int more...
    • keylife - Time to wait in seconds before phase 1 encryption key expires. type: int more...
    • kms - Key Management Services server. Source vpn.kmip-server.name. type: str more...
    • link_cost - VPN tunnel underlay link cost. type: int more...
    • local_gw - Local VPN gateway. type: str more...
    • localid - Local ID. type: str more...
    • localid_type - Local ID type. type: str choices: auto, fqdn, user-fqdn, keyid, address, asn1dn more...
    • loopback_asymroute - Enable/disable asymmetric routing for IKE traffic on loopback interface. type: str choices: enable, disable more...
    • mesh_selector_type - Add selectors containing subsets of the configuration depending on traffic. type: str choices: disable, subnet, host more...
    • mode - ID protection mode used to establish a secure channel. type: str choices: aggressive, main more...
    • mode_cfg - Enable/disable configuration method. type: str choices: disable, enable more...
    • mode_cfg_allow_client_selector - Enable/disable mode-cfg client to use custom phase2 selectors. type: str choices: disable, enable more...
    • name - IPsec remote gateway name. type: str required: true more...
    • nattraversal - Enable/disable NAT traversal. type: str choices: enable, disable, forced more...
    • negotiate_timeout - IKE SA negotiation timeout in seconds (1 - 300). type: int more...
    • network_id - VPN gateway network ID. type: int more...
    • network_overlay - Enable/disable network overlays. type: str choices: disable, enable more...
    • npu_offload - Enable/disable offloading NPU. type: str choices: enable, disable more...
    • peer - Accept this peer certificate. Source user.peer.name. type: str more...
    • peergrp - Accept this peer certificate group. Source user.peergrp.name. type: str more...
    • peerid - Accept this peer identity. type: str more...
    • peertype - Accept this peer type. type: str choices: any, one, dialup, peer, peergrp more...
    • ppk - Enable/disable IKEv2 Postquantum Preshared Key (PPK). type: str choices: disable, allow, require more...
    • ppk_identity - IKEv2 Postquantum Preshared Key Identity. type: str more...
    • ppk_secret - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). type: str more...
    • priority - Priority for routes added by IKE (1 - 65535). type: int more...
    • proposal - Phase1 proposal. type: list choices: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512 more...
    • psksecret - Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). type: str more...
    • psksecret_remote - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). type: str more...
    • qkd - Enable/disable use of Quantum Key Distribution (QKD) server. type: str choices: disable, allow, require more...
    • qkd_profile - Quantum Key Distribution (QKD) server profile. Source vpn.qkd.name. type: str more...
    • reauth - Enable/disable re-authentication upon IKE SA lifetime expiration. type: str choices: disable, enable more...
    • rekey - Enable/disable phase1 rekey. type: str choices: enable, disable more...
    • remote_gw - Remote VPN gateway. type: str more...
    • remotegw_ddns - Domain name of remote gateway. For example, name.ddns.com. type: str more...
    • rsa_signature_format - Digital Signature Authentication RSA signature format. type: str choices: pkcs1, pss more...
    • rsa_signature_hash_override - Enable/disable IKEv2 RSA signature hash algorithm override. type: str choices: enable, disable more...
    • save_password - Enable/disable saving XAuth username and password on VPN clients. type: str choices: disable, enable more...
    • send_cert_chain - Enable/disable sending certificate chain. type: str choices: enable, disable more...
    • signature_hash_alg - Digital Signature Authentication hash algorithms. type: list choices: sha1, sha2-256, sha2-384, sha2-512 more...
    • split_include_service - Split-include services. Source firewall.service.group.name firewall.service.custom.name. type: str more...
    • suite_b - Use Suite-B. type: str choices: disable, suite-b-gcm-128, suite-b-gcm-256 more...
    • transport - Set IKE transport protocol. type: str choices: udp, udp-fallback-tcp, tcp more...
    • type - Remote gateway type. type: str choices: static, dynamic, ddns more...
    • unity_support - Enable/disable support for Cisco UNITY Configuration Method extensions. type: str choices: disable, enable more...
    • usrgrp - User group name for dialup peers. Source user.group.name. type: str more...
    • wizard_type - GUI VPN Wizard Type. type: str choices: custom, dialup-forticlient, dialup-ios, dialup-android, dialup-windows, dialup-cisco, static-fortigate, dialup-fortigate, static-cisco, dialup-cisco-fw, simplified-static-fortigate, hub-fortigate-auto-discovery, spoke-fortigate-auto-discovery more...
    • xauthtype - XAuth type. type: str choices: disable, client, pap, chap, auto more...

Notes

Note

  • The legacy fortiosapi connection has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- name: Configure VPN remote gateway.
  fortinet.fortios.fortios_vpn_ipsec_phase1:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"  # keep the token in Ansible Vault, not in the playbook
      vpn_ipsec_phase1:
          acct_verify: "enable"
          add_gw_route: "enable"
          add_route: "disable"
          assign_ip: "disable"
          assign_ip_from: "range"
          authmethod: "psk"
          authmethod_remote: "psk"
          authpasswd: "<your_own_value>"
          authusr: "<your_own_value>"
          authusrgrp: "<your_own_value> (source user.group.name)"
          auto_negotiate: "enable"
          azure_ad_autoconnect: "enable"
          backup_gateway:
              -
                  address: "<your_own_value>"
          banner: "<your_own_value>"
          cert_id_validation: "enable"
          cert_trust_store: "local"
          certificate:
              -
                  name: "default_name_21 (source vpn.certificate.local.name)"
          childless_ike: "enable"
          client_auto_negotiate: "disable"
          client_keep_alive: "disable"
          comments: "<your_own_value>"
          dev_id: "<your_own_value>"
          dev_id_notification: "disable"
          dhcp_ra_giaddr: "<your_own_value>"
          dhcp6_ra_linkaddr: "<your_own_value>"
          dhgrp: "1"  # placeholder only: MODP group 1 (768-bit) is obsolete
          digital_signature_auth: "enable"
          distance: "15"
          dns_mode: "manual"
          domain: "<your_own_value>"
          dpd: "disable"
          dpd_retrycount: "3"
          dpd_retryinterval: "<your_own_value>"
          eap: "enable"
          eap_cert_auth: "enable"
          eap_exclude_peergrp: "<your_own_value> (source user.peergrp.name)"
          eap_identity: "use-id-payload"
          ems_sn_check: "enable"
          enforce_unique_id: "disable"
          esn: "require"
          exchange_fgt_device_id: "enable"
          fallback_tcp_threshold: "15"
          fec_base: "10"
          fec_codec: "rs"
          fec_egress: "enable"
          fec_health_check: "<your_own_value> (source system.sdwan.health-check.name)"
          fec_ingress: "enable"
          fec_mapping_profile: "<your_own_value> (source vpn.ipsec.fec.name)"
          fec_receive_timeout: "50"
          fec_redundant: "1"
          fec_send_timeout: "5"
          fgsp_sync: "enable"
          forticlient_enforcement: "enable"
          fortinet_esp: "enable"
          fragmentation: "enable"
          fragmentation_mtu: "1200"
          group_authentication: "enable"
          group_authentication_secret: "<your_own_value>"
          ha_sync_esp_seqno: "enable"
          idle_timeout: "enable"
          idle_timeoutinterval: "15"
          ike_version: "1"  # placeholder only: prefer "2" for new tunnels
          inbound_dscp_copy: "enable"
          include_local_lan: "disable"
          interface: "<your_own_value> (source system.interface.name)"
          internal_domain_list:
              -
                  domain_name: "<your_own_value>"
          ip_delay_interval: "0"
          ipv4_dns_server1: "<your_own_value>"
          ipv4_dns_server2: "<your_own_value>"
          ipv4_dns_server3: "<your_own_value>"
          ipv4_end_ip: "<your_own_value>"
          ipv4_exclude_range:
              -
                  end_ip: "<your_own_value>"
                  id: "79"
                  start_ip: "<your_own_value>"
          ipv4_name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_netmask: "<your_own_value>"
          ipv4_split_exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_split_include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4_start_ip: "<your_own_value>"
          ipv4_wins_server1: "<your_own_value>"
          ipv4_wins_server2: "<your_own_value>"
          ipv6_dns_server1: "<your_own_value>"
          ipv6_dns_server2: "<your_own_value>"
          ipv6_dns_server3: "<your_own_value>"
          ipv6_end_ip: "<your_own_value>"
          ipv6_exclude_range:
              -
                  end_ip: "<your_own_value>"
                  id: "94"
                  start_ip: "<your_own_value>"
          ipv6_name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_prefix: "128"
          ipv6_split_exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_split_include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6_start_ip: "<your_own_value>"
          keepalive: "10"
          keylife: "86400"
          kms: "<your_own_value> (source vpn.kmip-server.name)"
          link_cost: "0"
          local_gw: "<your_own_value>"
          localid: "<your_own_value>"
          localid_type: "auto"
          loopback_asymroute: "enable"
          mesh_selector_type: "disable"
          mode: "aggressive"  # placeholder only: IKEv1 aggressive mode with PSK exposes the identity hash to offline cracking
          mode_cfg: "disable"
          mode_cfg_allow_client_selector: "disable"
          name: "default_name_113"
          nattraversal: "enable"
          negotiate_timeout: "30"
          network_id: "0"
          network_overlay: "disable"
          npu_offload: "enable"
          peer: "<your_own_value> (source user.peer.name)"
          peergrp: "<your_own_value> (source user.peergrp.name)"
          peerid: "<your_own_value>"
          peertype: "any"
          ppk: "disable"
          ppk_identity: "<your_own_value>"
          ppk_secret: "<your_own_value>"
          priority: "1"
          proposal: "des-md5"  # placeholder only: DES and MD5 are obsolete, use an AES-GCM or AES-SHA2 proposal
          psksecret: "<your_own_value>"  # keep the PSK in Ansible Vault
          psksecret_remote: "<your_own_value>"
          qkd: "disable"
          qkd_profile: "<your_own_value> (source vpn.qkd.name)"
          reauth: "disable"
          rekey: "enable"
          remote_gw: "<your_own_value>"
          remotegw_ddns: "<your_own_value>"
          rsa_signature_format: "pkcs1"
          rsa_signature_hash_override: "enable"
          save_password: "disable"
          send_cert_chain: "enable"
          signature_hash_alg: "sha1"  # placeholder only: use sha2-256 or stronger
          split_include_service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
          suite_b: "disable"
          transport: "udp"
          type: "static"
          unity_support: "disable"
          usrgrp: "<your_own_value> (source user.group.name)"
          wizard_type: "custom"
          xauthtype: "disable"
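The generated example above is a catalogue of every parameter, and several of its placeholder values (proposal des-md5, dhgrp 1, IKEv1 aggressive mode with a PSK, signature_hash_alg sha1, dpd disabled) are accepted by the module but should never reach a production gateway. The following is an added example, not code from the fortinet.fortios collection: a pre-flight lint over the vpn_ipsec_phase1 dict a playbook would pass, run against the documented values and against a hardened counterpart. Which algorithms count as weak is this example's own policy; the hardened gateway name, interface, TEST-NET-3 peer address and vault-backed PSK variable are constructed.

```python
"""Pre-flight lint for fortios_vpn_ipsec_phase1 arguments (added example).

Not part of the fortinet.fortios collection: this inspects the
vpn_ipsec_phase1 dict a playbook would hand to the module and flags choices
the module accepts but that should not reach production. Which algorithms
count as weak is this example's own policy, not something the module enforces.
"""
from typing import Dict, List, Union

Value = Union[str, List[str], None]

# Still listed as valid `proposal` choices, but obsolete: DES, 3DES, MD5, SHA-1.
WEAK_PROPOSAL_TOKENS = ("des-", "-md5", "-sha1", "-prfsha1")
# MODP groups 1, 2 and 5 are below 2048 bits.
WEAK_DH_GROUPS = {"1", "2", "5"}
PLACEHOLDER = "<your_own_value>"


def _as_list(value: Value) -> List[str]:
    """List parameters may arrive as a list or, as in the generated example,
    as a single string; normalise both to a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    return [str(v) for v in value]


def lint_phase1(cfg: Dict[str, Value]) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    for prop in _as_list(cfg.get("proposal")):
        if any(tok in prop for tok in WEAK_PROPOSAL_TOKENS):
            findings.append(f"proposal {prop}: obsolete cipher or hash")
    for grp in _as_list(cfg.get("dhgrp")):
        if grp in WEAK_DH_GROUPS:
            findings.append(f"dhgrp {grp}: below 2048-bit MODP")
    if str(cfg.get("ike_version", "")) == "1":
        findings.append("ike_version 1: prefer IKEv2")
        if cfg.get("mode") == "aggressive" and cfg.get("authmethod") == "psk":
            findings.append("aggressive mode with PSK: the identity hash is sent "
                            "unencrypted and can be cracked offline")
    if "sha1" in _as_list(cfg.get("signature_hash_alg")):
        findings.append("signature_hash_alg sha1: deprecated for signatures")
    if cfg.get("authmethod") == "psk" and PLACEHOLDER in str(cfg.get("psksecret", "")):
        findings.append("psksecret: documentation placeholder left in place")
    if cfg.get("dpd") == "disable":
        findings.append("dpd disable: dead peers will not be detected")
    return findings


# The security-relevant values the generated example above actually uses.
FROM_DOCS_EXAMPLE: Dict[str, Value] = {
    "name": "default_name_113",
    "ike_version": "1",
    "mode": "aggressive",
    "authmethod": "psk",
    "psksecret": PLACEHOLDER,
    "proposal": "des-md5",
    "dhgrp": "1",
    "signature_hash_alg": "sha1",
    "dpd": "disable",
}

# Hardened counterpart (constructed): IKEv2, AEAD proposal, ECP/2048-bit DH,
# peer in TEST-NET-3 and the PSK pulled from an Ansible Vault variable.
HARDENED: Dict[str, Value] = {
    "name": "hq-to-branch1",
    "type": "static",
    "interface": "wan1",
    "remote_gw": "203.0.113.10",
    "ike_version": "2",
    "authmethod": "psk",
    "psksecret": "{{ branch1_psk }}",
    "proposal": ["aes256gcm-prfsha384", "aes256-sha384"],
    "dhgrp": ["20", "14"],
    "dpd": "on-idle",
    "dpd_retrycount": "3",
    "nattraversal": "enable",
}

if __name__ == "__main__":
    for label, cfg in (("docs example", FROM_DOCS_EXAMPLE), ("hardened", HARDENED)):
        print(label, lint_phase1(cfg) or "OK")
```

Run it as a pre-commit hook or a `pre_tasks` step (via a lookup on the same vars file) so a weak proposal or a leftover placeholder fails the run before the module is ever called against the FortiGate.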

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)
