panos_ipsec_tunnel – Configures IPSec Tunnels on the firewall with subset of settings
New in version 2.8.
Synopsis
Use IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.
Requirements
The below requirements are needed on the host that executes this module.
- pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
- pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
ak_ike_gateway | Default: default | Name of the existing IKE gateway (auto-key). Aliases: ike_gtw_name
ak_ipsec_crypto_profile | Default: default | Name of the existing IPsec crypto profile, or use default (auto-key). Aliases: ipsec_profile
anti_replay | Default: yes | Enable anti-replay check on this tunnel.
api_key (string) | | Deprecated: use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
commit | Default: yes | Commit configuration if changed.
copy_flow_label (boolean) | | Copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended) (7.0+).
copy_tos (boolean) | | Copy IP TOS bits from inner packet to IPSec packet (not recommended).
disabled | Default: no | Disable the IPsec tunnel.
enable_tunnel_monitor | Default: no | Enable tunnel monitoring on this tunnel.
gps_certificate_profile | | Profile for authenticating GlobalProtect gateway certificates (global-protect-satellite).
gps_interface | | Interface to communicate with portal (global-protect-satellite).
gps_interface_ipv4_floating_ip | | Floating IPv4 address in HA Active-Active configuration (7.0+) (global-protect-satellite).
gps_interface_ipv4_ip | | Exact IPv4 address if interface has multiple IP addresses (global-protect-satellite).
gps_interface_ipv6_floating_ip | | Floating IPv6 address in HA Active-Active configuration (8.0+) (global-protect-satellite).
gps_interface_ipv6_ip | | Exact IPv6 address if interface has multiple IP addresses (8.0+) (global-protect-satellite).
gps_local_certificate | | GlobalProtect satellite certificate file name (global-protect-satellite).
gps_portal_address | | GlobalProtect portal address (global-protect-satellite).
gps_prefer_ipv6 (boolean) | | Prefer to register portal in IPv6 (8.0+) (global-protect-satellite).
gps_publish_connected_routes (boolean) | | Enable publishing of connected and static routes (global-protect-satellite).
gps_publish_routes (list) | | Specify list of routes to publish to GlobalProtect gateway (global-protect-satellite).
ip_address (string) | | Deprecated: use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
ipv6 (boolean) | | Use IPv6 for the IPsec tunnel (7.0+).
mk_auth_key | | Authentication key (manual-key).
mk_auth_type | | Authentication type for tunnel access (manual-key).
mk_esp_encryption | | Encryption algorithm for tunnel traffic (manual-key).
mk_esp_encryption_key | | Encryption key (manual-key).
mk_interface | | Interface to terminate tunnel (manual-key).
mk_local_address_floating_ip | | Floating IP address in HA Active-Active configuration (manual-key).
mk_local_address_ip | | Exact IP address if interface has multiple IP addresses (manual-key).
mk_local_spi | | Outbound SPI in hex (manual-key).
mk_protocol | | Protocol for traffic through the tunnel (manual-key).
mk_remote_address | | Tunnel peer IP address (manual-key).
mk_remote_spi | | Inbound SPI in hex (manual-key).
name (required) | | Name for the IPSec tunnel.
password (string) | | Deprecated: use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port (integer) | Default: 443 | Deprecated: use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
provider | added in 2.8 | A dict object containing connection details. Its sub-options are listed in the table below.
state (string) | | The desired state of the tunnel.
template (string) | | (Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack (string) | | (Panorama only) The template stack this operation should target. Mutually exclusive with template.
tunnel_interface | Default: tunnel.1 | Specify existing tunnel interface that will be used.
tunnel_monitor_dest_ip | | Destination IP to send ICMP probe.
tunnel_monitor_profile | Default: None | Monitoring action.
tunnel_monitor_proxy_id | Default: None | Which proxy-id (or proxy-id-v6) the monitoring traffic will use.
type | | Type of IPsec tunnel.
username (string) | Default: admin | Deprecated: use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.

Sub-options of provider:

Parameter | Choices/Defaults | Comments
---|---|---
api_key (string) | | The API key to use instead of generating it using username / password.
ip_address (string) | | The IP address or hostname of the PAN-OS device being configured.
password (string) | | The password to use for authentication. This is ignored if api_key is specified.
port (integer) | Default: 443 | The port number to connect to the PAN-OS device on.
serial_number (string) | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username (string) | Default: admin | The username to use for authentication. This is ignored if api_key is specified.
Notes
- Panorama is supported.
- Check mode is supported.
- PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
- If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.
Examples

```yaml
- name: Add IPSec tunnel to IKE gateway profile
  panos_ipsec_tunnel:
    provider: '{{ provider }}'
    name: 'IPSecTunnel-Ansible'
    tunnel_interface: 'tunnel.2'
    ak_ike_gateway: 'IKEGW-Ansible'
    ak_ipsec_crypto_profile: 'IPSec-Ansible'
    state: 'present'
    commit: False
```
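The following playbook is an added example, not part of the module documentation or of the module's own tests. It shows the parts the table above documents but the page's example does not exercise: a provider dict built from vault-held variables instead of the deprecated classic connectivity arguments, a Panorama target that therefore needs template, tunnel monitoring with its destination IP and profile, and state: absent for cleanup. The inventory group `panorama`, the variables `panorama_host` and `panorama_api_key`, and every object name (Template-Branch, IKEGW-Branch, IPSec-Branch, tunnel.10, Mon-FailOver, the tunnel names) are assumptions; the IKE gateway, crypto profile, tunnel interface and monitor profile must already exist in the template.

```yaml
---
# Added example (not from the module docs). All object names are hypothetical;
# the IKE gateway, IPSec crypto profile, tunnel interface and monitor profile
# referenced here must already exist in the Panorama template.
- name: Manage IPSec tunnels in a Panorama template
  hosts: panorama
  connection: local
  gather_facts: false

  vars:
    # panorama_host and panorama_api_key are expected from an Ansible Vault
    # file. The classic ip_address/username/password/api_key/port arguments
    # are deprecated, so connectivity is passed as one provider dict.
    provider:
      ip_address: '{{ panorama_host }}'
      api_key: '{{ panorama_api_key }}'
      port: 443

  tasks:
    - name: Ensure the branch tunnel exists with tunnel monitoring enabled
      panos_ipsec_tunnel:
        provider: '{{ provider }}'
        template: 'Template-Branch'           # required because the target is Panorama
        name: 'IPSecTunnel-Branch'
        tunnel_interface: 'tunnel.10'
        ak_ike_gateway: 'IKEGW-Branch'
        ak_ipsec_crypto_profile: 'IPSec-Branch'
        anti_replay: yes
        enable_tunnel_monitor: yes
        tunnel_monitor_dest_ip: '192.0.2.10'  # constructed RFC 5737 documentation address
        tunnel_monitor_profile: 'Mon-FailOver'
        state: 'present'
        commit: yes                           # commits only if this task changed the candidate config
      register: tunnel_result

    - name: Remove a retired tunnel from the same template
      panos_ipsec_tunnel:
        provider: '{{ provider }}'
        template: 'Template-Branch'
        name: 'IPSecTunnel-Legacy'
        state: 'absent'
        commit: yes
      register: cleanup_result

    - name: Report what changed
      debug:
        msg: "tunnel changed: {{ tunnel_result.changed }}, cleanup changed: {{ cleanup_result.changed }}"
```

Running it with `--check` is supported by the module and shows which of the two tasks would change the candidate configuration before anything is committed. Because commit defaults to yes, each task that changes something triggers its own commit; set commit: no on all but the last task if a single commit is wanted, bearing in mind that the last task only commits when it itself changed something.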
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.
Authors
Ivan Bojer (@ivanbojer)