fortinet.fortimanager.fmgr_vpn_ipsec_phase1 module – Configure VPN remote gateway.
Note
This module is part of the fortinet.fortimanager collection (version 2.12.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpn_ipsec_phase1.
New in fortinet.fortimanager 2.12.0
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
Parameter |
Comments |
|---|---|
The token to access FortiManager without using username and password. |
|
The parameter (adom) in requested url. |
|
Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. Choices:
|
|
Enable/Disable logging for task. Choices:
|
|
Authenticate Ansible client with forticloud API access token. |
|
The overridden method for the underlying Json RPC request. Choices:
|
|
The rc codes list with which the conditions to fail will be overriden. |
|
The rc codes list with which the conditions to succeed will be overriden. |
|
The change note that can be specified when an object is created or updated. |
|
The directive to create, update or delete an object. Choices:
|
|
The top level parameters set. |
|
Enable/disable verification of RADIUS accounting record. Choices:
|
|
Enable/disable automatically add a route to the remote gateway. Choices:
|
|
Enable/disable control addition of a route to peer destination selector. Choices:
|
|
ADDKE1 group. Choices:
|
|
ADDKE2 group. Choices:
|
|
ADDKE3 group. Choices:
|
|
ADDKE4 group. Choices:
|
|
ADDKE5 group. Choices:
|
|
ADDKE6 group. Choices:
|
|
ADDKE7 group. Choices:
|
|
Enable/disable assignment of IP to IPsec interface via configuration method. Choices:
|
|
Method by which the IP address will be assigned. Choices:
|
|
Authentication method. Choices:
|
|
Authentication method Choices:
|
|
XAuth password |
|
XAuth user name. |
|
Authentication user group. |
|
Enable/disable automatic initiation of IKE SA negotiation. Choices:
|
|
Timeout in seconds before falling back to next transport protocol. |
|
Enable/disable Azure AD Auto-Connect for FortiClient. Choices:
|
|
Instruct unity clients about the backup gateway address |
|
Message that unity client should display after connecting. |
|
Enable/disable cross validation of peer ID and the identity in the peers certificate as specified in RFC 4945. Choices:
|
|
Enable/disable domain stripping on certificate identity. Choices:
|
|
Enable/disable cross validation of peer username and the identity in the peers certificate. Choices:
|
|
CA certificate trust store. Choices:
|
|
Names of up to 4 signed personal certificates. |
|
Enable/disable childless IKEv2 initiation Choices:
|
|
Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Choices:
|
|
Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Choices:
|
|
Enable/disable resumption of offline FortiClient sessions. Choices:
|
|
Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or te… |
|
Comment. |
|
Device ID carried by the device ID notification. |
|
Enable/disable device ID notification. Choices:
|
|
Relay agent IPv6 link address to use in DHCP6 requests. |
|
Relay agent gateway IP address to use in the giaddr field of DHCP requests. |
|
DH group. Choices:
|
|
Enable/disable IKEv2 Digital Signature Authentication Choices:
|
|
Distance for routes added by IKE |
|
DNS server mode. Choices:
|
|
One or more DNS domain name suffixes in quotes separated by spaces. |
|
Instruct unity clients about the single default DNS domain. |
|
Dead Peer Detection mode. Choices:
|
|
Number of DPD retry attempts. |
|
DPD retry interval. |
|
Enable/disable IKEv2 EAP authentication. Choices:
|
|
Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Choices:
|
|
Peer group excluded from EAP authentication. |
|
IKEv2 EAP peer identity type. Choices:
|
|
Enable/disable verification of EMS serial number. Choices:
|
|
Enable/disable peer ID uniqueness check. Choices:
|
|
Extended sequence number Choices:
|
|
Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Choices:
|
|
Timeout in seconds before falling back IKE/IPsec traffic to tcp. |
|
Number of base Forward Error Correction packets |
|
Forward Error Correction encoding/decoding algorithm. Choices:
|
|
Enable/disable Forward Error Correction for egress IPsec traffic. Choices:
|
|
SD-WAN health check. |
|
Enable/disable Forward Error Correction for ingress IPsec traffic. Choices:
|
|
Forward Error Correction |
|
Timeout in milliseconds before dropping Forward Error Correction packets |
|
Number of redundant Forward Error Correction packets |
|
Timeout in milliseconds before sending Forward Error Correction packets |
|
Enable/disable IPsec syncing of tunnels for FGSP IPsec. Choices:
|
|
Enable/disable FortiClient enforcement. Choices:
|
|
Enable/disable Fortinet ESP encapsulaton. Choices:
|
|
Enable/disable fragment IKE message on re-transmission. Choices:
|
|
IKE fragmentation MTU |
|
Enable/disable IKEv2 IDi group authentication. Choices:
|
|
Password for IKEv2 ID group authentication. |
|
Enable/disable sequence number jump ahead for IPsec HA. Choices:
|
|
Enable/disable IPsec tunnel idle timeout. Choices:
|
|
IPsec tunnel idle timeout in minutes |
|
IKE protocol version. Choices:
|
|
Enable/disable copy the dscp in the ESP header to the inner IP Header. Choices:
|
|
Enable/disable allow local LAN access on unity clients. Choices:
|
|
Local physical, aggregate, or VLAN outgoing interface. |
|
One or more internal domain names in quotes separated by spaces. |
|
IP address reuse delay interval in seconds |
|
IPv4 DNS server 1. |
|
IPv4 DNS server 2. |
|
IPv4 DNS server 3. |
|
End of IPv4 range. |
|
Ipv4 exclude range. |
|
End of IPv4 exclusive range. |
|
ID. |
|
Start of IPv4 exclusive range. |
|
IPv4 address name. |
|
IPv4 Netmask. |
|
IPv4 subnets that should not be sent over the IPsec tunnel. |
|
IPv4 split-include subnets. |
|
Start of IPv4 range. |
|
WINS server 1. |
|
WINS server 2. |
|
Enable/disable auto generation of IPv6 link-local address using last 8 bytes of mode-cfg assigned IPv6 address. Choices:
|
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 DNS server 3. |
|
End of IPv6 range. |
|
Ipv6 exclude range. |
|
End of IPv6 exclusive range. |
|
ID. |
|
Start of IPv6 exclusive range. |
|
IPv6 address name. |
|
IPv6 prefix. |
|
IPv6 subnets that should not be sent over the IPsec tunnel. |
|
IPv6 split-include subnets. |
|
Start of IPv6 range. |
|
NAT-T keep alive interval. |
|
Time to wait in seconds before phase 1 encryption key expires. |
|
Key Management Services server. |
|
VPN tunnel underlay link cost. |
|
Local VPN gateway. |
|
Local ID. |
|
Local ID type. Choices:
|
|
Enable/disable asymmetric routing for IKE traffic on loopback interface. Choices:
|
|
Add selectors containing subsets of the configuration depending on traffic. Choices:
|
|
ID protection mode used to establish a secure channel. Choices:
|
|
Enable/disable configuration method. Choices:
|
|
Enable/disable mode-cfg client to use custom phase2 selectors. Choices:
|
|
IPsec remote gateway name. |
|
Enable/disable NAT traversal. Choices:
|
|
IKE SA negotiation timeout in seconds |
|
VPN gateway network ID. |
|
Enable/disable network overlays. Choices:
|
|
Enable/disable offloading NPU. Choices:
|
|
Accept this peer certificate. |
|
Accept this peer certificate group. |
|
Accept this peer identity. |
|
Accept this peer type. Choices:
|
|
Enable/disable IKEv2 Postquantum Preshared Key Choices:
|
|
IKEv2 Postquantum Preshared Key Identity. |
|
IKEv2 Postquantum Preshared Key |
|
Priority for routes added by IKE |
|
Phase1 proposal. Choices:
|
|
Pre-shared secret for PSK authentication |
|
Pre-shared secret for remote side PSK authentication |
|
Enable/disable use of Quantum Key Distribution Choices:
|
|
Enable/disable use of Quantum Key Distribution Choices:
|
|
Quantum Key Distribution |
|
Enable/disable re-authentication upon IKE SA lifetime expiration. Choices:
|
|
Enable/disable phase1 rekey. Choices:
|
|
Remote VPN gateway. |
|
IPv6 addresses associated to a specific country. |
|
Last IPv6 address in the range. |
|
Set type of IPv6 remote gateway address matching. Choices:
|
|
First IPv6 address in the range. |
|
IPv6 address and prefix. |
|
IPv4 addresses associated to a specific country. |
|
Last IPv4 address in the range. |
|
Set type of IPv4 remote gateway address matching. Choices:
|
|
First IPv4 address in the range. |
|
IPv4 address and subnet mask. |
|
IPv4 ZTNA posture tags. |
|
Domain name of remote gateway. |
|
Digital Signature Authentication RSA signature format. Choices:
|
|
Enable/disable IKEv2 RSA signature hash algorithm override. Choices:
|
|
Enable/disable saving XAuth username and password on VPN clients. Choices:
|
|
Enable/disable sending certificate chain. Choices:
|
|
Enable/disable IPsec tunnel shared idle timeout. Choices:
|
|
Digital Signature Authentication hash algorithms. Choices:
|
|
Split-include services. |
|
Use Suite-B. Choices:
|
|
IPsec tunnel created by autoscaling to be used as a transit gateway. Choices:
|
|
Set IKE transport protocol. Choices:
|
|
Remote gateway type. Choices:
|
|
Enable/disable support for Cisco UNITY Configuration Method extensions. Choices:
|
|
User group name for dialup peers. |
|
GUI VPN Wizard Type. Choices:
|
|
XAuth type. Choices:
|
|
The adom to lock for FortiManager running in workspace mode, the value can be global and others including root. |
|
The maximum time in seconds to wait for other user to release the workspace lock. Default: |
Notes
Note
Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.
Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state present directive.
To delete an object, use state absent directive.
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- name: Example playbook (generated based on argument schema)
hosts: fortimanagers
connection: httpapi
gather_facts: false
vars:
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_httpapi_port: 443
tasks:
- name: Configure VPN remote gateway.
fortinet.fortimanager.fmgr_vpn_ipsec_phase1:
# bypass_validation: false
# workspace_locking_adom: <global or your adom name>
# workspace_locking_timeout: 300
# rc_succeeded: [0, -2, -3, ...]
# rc_failed: [-2, -3, ...]
adom: <your own value>
state: present # <value in [present, absent]>
vpn_ipsec_phase1:
name: "your value" # Required variable, string
# acct_verify: <value in [disable, enable]>
# add_gw_route: <value in [disable, enable]>
# add_route: <value in [disable, enable]>
# addke1:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke2:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke3:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke4:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke5:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke6:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# addke7:
# - "0"
# - "1080"
# - "1081"
# - "1082"
# - "1083"
# - "1084"
# - "1085"
# - "1089"
# - "1090"
# - "1091"
# - "1092"
# - "1093"
# - "1094"
# - "35"
# - "36"
# - "37"
# assign_ip: <value in [disable, enable]>
# assign_ip_from: <value in [range, usrgrp, dhcp, ...]>
# authmethod: <value in [psk, signature]>
# authmethod_remote: <value in [psk, signature]>
# authpasswd: <list or string>
# authusr: <string>
# authusrgrp: <list or string>
# auto_negotiate: <value in [disable, enable]>
# auto_transport_threshold: <integer>
# azure_ad_autoconnect: <value in [disable, enable]>
# backup_gateway: <list or string>
# banner: <string>
# cert_id_validation: <value in [disable, enable]>
# cert_peer_username_strip: <value in [disable, enable]>
# cert_peer_username_validation: <value in [othername, rfc822name, cn, ...]>
# cert_trust_store: <value in [local, ems]>
# certificate: <list or string>
# childless_ike: <value in [disable, enable]>
# client_auto_negotiate: <value in [disable, enable]>
# client_keep_alive: <value in [disable, enable]>
# client_resume: <value in [disable, enable]>
# client_resume_interval: <integer>
# comments: <string>
# dev_id: <string>
# dev_id_notification: <value in [disable, enable]>
# dhcp_ra_giaddr: <string>
# dhcp6_ra_linkaddr: <string>
# dhgrp:
# - "1"
# - "2"
# - "5"
# - "14"
# - "15"
# - "16"
# - "17"
# - "18"
# - "19"
# - "20"
# - "21"
# - "27"
# - "28"
# - "29"
# - "30"
# - "31"
# - "32"
# digital_signature_auth: <value in [disable, enable]>
# distance: <integer>
# dns_mode: <value in [auto, manual]>
# dns_suffix_search: <list or string>
# domain: <string>
# dpd: <value in [disable, on-idle, on-demand]>
# dpd_retrycount: <integer>
# dpd_retryinterval: <list or integer>
# eap: <value in [disable, enable]>
# eap_cert_auth: <value in [disable, enable]>
# eap_exclude_peergrp: <list or string>
# eap_identity: <value in [use-id-payload, send-request]>
# ems_sn_check: <value in [enable, disable]>
# enforce_unique_id: <value in [disable, keep-new, keep-old]>
# esn: <value in [disable, require, allow]>
# exchange_fgt_device_id: <value in [disable, enable]>
# fec_base: <integer>
# fec_codec: <value in [rs, xor]>
# fec_egress: <value in [disable, enable]>
# fec_health_check: <list or string>
# fec_ingress: <value in [disable, enable]>
# fec_mapping_profile: <list or string>
# fec_receive_timeout: <integer>
# fec_redundant: <integer>
# fec_send_timeout: <integer>
# fgsp_sync: <value in [disable, enable]>
# fortinet_esp: <value in [disable, enable]>
# fragmentation: <value in [disable, enable]>
# fragmentation_mtu: <integer>
# group_authentication: <value in [disable, enable]>
# group_authentication_secret: <list or string>
# ha_sync_esp_seqno: <value in [disable, enable]>
# idle_timeout: <value in [disable, enable]>
# idle_timeoutinterval: <integer>
# ike_version: <value in [1, 2]>
# inbound_dscp_copy: <value in [disable, enable]>
# include_local_lan: <value in [disable, enable]>
# interface: <list or string>
# internal_domain_list: <list or string>
# ip_delay_interval: <integer>
# ipv4_dns_server1: <string>
# ipv4_dns_server2: <string>
# ipv4_dns_server3: <string>
# ipv4_end_ip: <string>
# ipv4_exclude_range:
# - end_ip: <string>
# id: <integer>
# start_ip: <string>
# ipv4_name: <list or string>
# ipv4_netmask: <string>
# ipv4_split_exclude: <list or string>
# ipv4_split_include: <list or string>
# ipv4_start_ip: <string>
# ipv4_wins_server1: <string>
# ipv4_wins_server2: <string>
# ipv6_auto_linklocal: <value in [disable, enable]>
# ipv6_dns_server1: <string>
# ipv6_dns_server2: <string>
# ipv6_dns_server3: <string>
# ipv6_end_ip: <string>
# ipv6_exclude_range:
# - end_ip: <string>
# id: <integer>
# start_ip: <string>
# ipv6_name: <list or string>
# ipv6_prefix: <integer>
# ipv6_split_exclude: <list or string>
# ipv6_split_include: <list or string>
# ipv6_start_ip: <string>
# keepalive: <integer>
# keylife: <integer>
# kms: <list or string>
# link_cost: <integer>
# local_gw: <string>
# localid: <string>
# localid_type: <value in [auto, fqdn, user-fqdn, ...]>
# loopback_asymroute: <value in [disable, enable]>
# mesh_selector_type: <value in [disable, subnet, host]>
# mode: <value in [main, aggressive]>
# mode_cfg: <value in [disable, enable]>
# mode_cfg_allow_client_selector: <value in [disable, enable]>
# nattraversal: <value in [disable, enable, forced]>
# negotiate_timeout: <integer>
# network_id: <integer>
# network_overlay: <value in [disable, enable]>
# npu_offload: <value in [disable, enable]>
# peer: <list or string>
# peergrp: <list or string>
# peerid: <string>
# peertype: <value in [any, one, dialup, ...]>
# ppk: <value in [disable, allow, require]>
# ppk_identity: <string>
# ppk_secret: <list or string>
# priority: <integer>
# proposal: <value in [des-md5, des-sha1, 3des-md5, ...]>
# psksecret: <list or string>
# psksecret_remote: <list or string>
# qkd: <value in [disable, allow, require]>
# qkd_hybrid: <value in [disable, require, allow]>
# qkd_profile: <list or string>
# reauth: <value in [disable, enable]>
# rekey: <value in [disable, enable]>
# remote_gw: <string>
# remote_gw_country: <string>
# remote_gw_end_ip: <string>
# remote_gw_match: <value in [any, ipmask, iprange, ...]>
# remote_gw_start_ip: <string>
# remote_gw_subnet: <list or string>
# remote_gw_ztna_tags: <list or string>
# remote_gw6_country: <string>
# remote_gw6_end_ip: <string>
# remote_gw6_match: <value in [any, iprange, geography, ...]>
# remote_gw6_start_ip: <string>
# remote_gw6_subnet: <string>
# remotegw_ddns: <string>
# rsa_signature_format: <value in [pkcs1, pss]>
# rsa_signature_hash_override: <value in [disable, enable]>
# save_password: <value in [disable, enable]>
# send_cert_chain: <value in [disable, enable]>
# shared_idle_timeout: <value in [disable, enable]>
# signature_hash_alg:
# - "sha1"
# - "sha2-256"
# - "sha2-384"
# - "sha2-512"
# split_include_service: <list or string>
# suite_b: <value in [disable, suite-b-gcm-128, suite-b-gcm-256]>
# transit_gateway: <value in [disable, enable]>
# transport: <value in [udp, tcp, auto, ...]>
# type: <value in [static, dynamic, ddns]>
# unity_support: <value in [disable, enable]>
# usrgrp: <list or string>
# wizard_type: <value in [custom, dialup-forticlient, dialup-ios, ...]>
# xauthtype: <value in [disable, client, pap, ...]>
# fallback_tcp_threshold: <integer>
# forticlient_enforcement: <value in [disable, enable]>
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The result of the request. Returned: always |
|
The full url requested. Returned: always Sample: |
|
The status of api request. Returned: always Sample: |
|
The api response. Returned: always |
|
The descriptive message of the api response. Returned: always Sample: |
|
The information of the target system. Returned: always |
|
The status the request. Returned: always Sample: |
|
Warning if the parameters used in the playbook are not supported by the current FortiManager version. Returned: complex |