This repository has been archived by the owner on Jan 6, 2023. It is now read-only.
pfsense_ipsec
Frederic Bor edited this page Mar 20, 2021
> PFSENSE_IPSEC (/home/fbor/ansible/lib/ansible/modules/network/pfsense/pfsense_ipsec.py)
Manage pfSense ipsec tunnels and phase 1 options
* This module is maintained by The Ansible Community
OPTIONS (= is mandatory):
- apply
Apply VPN configuration on target pfSense
[Default: True]
type: bool
- authentication_method
Authentication method. Must match the setting chosen on the remote side.
(Choices: pre_shared_key, rsasig)[Default: (null)]
type: str
- certificate
a certificate previously configured
[Default: (null)]
type: str
- certificate_authority
a certificate authority previously configured
[Default: (null)]
type: str
= descr
The description of the ipsec tunnel
[Default: None]
type: str
- disable_reauth
(IKEv2 only) Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.
[Default: False]
type: bool
- disable_rekey
Disables renegotiation when a connection is about to expire (deprecated with pfSense 2.5.0)
[Default: (null)]
type: bool
- disabled
Set this option to disable this phase1 without removing it from the list.
[Default: (null)]
type: bool
- dpd_delay
Delay between requesting peer acknowledgement.
[Default: 10]
type: int
- dpd_maxfail
Number of consecutive failures allowed before disconnect.
[Default: 5]
type: int
- enable_dpd
Enable dead peer detection
[Default: True]
type: bool
- gw_duplicates
Allow multiple phase 1 configurations with the same endpoint
[Default: (null)]
type: bool
- iketype
Internet Key Exchange protocol version to be used. Auto uses IKEv2 when initiator, and accepts either IKEv1 or IKEv2 as responder.
(Choices: ikev1, ikev2, auto)[Default: (null)]
type: str
- interface
Interface for the local endpoint of this phase1 entry. Can be a virtual IP name or address prefixed with "vip:".
[Default: (null)]
type: str
- lifetime
The lifetime defines how often the connection will be rekeyed, in seconds.
[Default: 28800]
type: int
- margintime
How long before connection expiry or keying-channel expiry attempts to negotiate a replacement should begin (deprecated with pfSense 2.5.0)
[Default: (null)]
type: int
- mobike
(IKEv2 only) Set this option to control the use of MOBIKE
(Choices: on, off)[Default: off]
type: str
- mode
Negotiation mode. Aggressive is more flexible, but less secure. Only for IKEv1 or Auto.
(Choices: main, aggressive)[Default: (null)]
type: str
- myid_data
Local identifier value.
[Default: (null)]
type: str
- myid_type
Local identifier type.
(Choices: myaddress, address, fqdn, user_fqdn, asn1dn, keyid tag, dyn_dns)[Default: myaddress]
type: str
- nat_traversal
Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, which can help with clients that are behind restrictive firewalls.
(Choices: on, force)[Default: on]
type: str
- nattport
UDP port for NAT-T on the remote gateway.
[Default: (null)]
type: int
- peerid_data
Remote identifier value.
[Default: (null)]
type: str
- peerid_type
Remote identifier type.
(Choices: any, peeraddress, address, fqdn, user_fqdn, asn1dn, keyid tag)[Default: peeraddress]
type: str
- preshared_key
This key must match on both peers.
[Default: (null)]
type: str
- protocol
IP family
(Choices: inet, inet6, both)[Default: inet]
type: str
- rand_time
A random value up to this amount will be subtracted from Rekey Time/Reauth Time to avoid simultaneous renegotiation.
[Default: (null)]
type: int
- reauth_time
Time, in seconds, before an IKE SA is torn down and recreated from scratch, including authentication.
[Default: (null)]
type: int
- rekey_time
Time, in seconds, before an IKE SA establishes new keys.
[Default: (null)]
type: int
- remote_gateway
Public IP address or host name of the remote gateway.
[Default: (null)]
type: str
- responderonly
Enable this option to never initiate this connection from this side, only respond to incoming requests.
[Default: False]
type: bool
- splitconn
(IKEv2 only) Enable this to split connection entries with multiple phase 2 configurations
[Default: False]
type: bool
- state
State in which to leave the ipsec tunnel
(Choices: present, absent)[Default: present]
type: str
AUTHOR: Frederic Bor (@f-bor)
METADATA:
  status:
  - preview
  supported_by: community

EXAMPLES:
- name: Add simple tunnel
  pfsense_ipsec:
    state: present
    descr: test_tunnel
    interface: wan
    remote_gateway: 1.2.3.4
    iketype: ikev2
    authentication_method: pre_shared_key
    preshared_key: azerty123

- name: Remove tunnel
  pfsense_ipsec:
    state: absent
    descr: test_tunnel

RETURN VALUES:
commands:
  description: the set of commands that would be pushed to the remote device (if pfSense had a CLI)
  returned: always
  type: list
  sample: ["create ipsec 'test_tunnel', iketype='ikev2', protocol='inet', interface='wan', remote_gateway='1.2.3.4', ...", "delete ipsec 'test_tunnel'"]
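The task below is an added example, not one of the module's own EXAMPLES. It uses only the options documented above to build an IKEv2 phase 1 that avoids the weaker choices the option list calls out: certificate (rsasig) authentication instead of a shared secret that sits in the playbook, IKEv2 only (so the aggressive mode described under `mode` cannot apply), explicit local and remote identifiers, dead peer detection with its timers stated, rekey before the lifetime ends with jitter, and a responder-only posture. The description, gateway address, FQDNs, and the certificate and CA names are constructed placeholders; as the `certificate` and `certificate_authority` options require, those two objects must already be configured on the pfSense host before the task runs.

```yaml
# Added example for pfsense_ipsec; not taken from the module documentation.
# All names, addresses and FQDNs are constructed placeholders.
- name: IKEv2 phase 1 with certificate authentication and dead peer detection
  pfsense_ipsec:
    state: present
    descr: branch_office                  # descr is the handle later used with state: absent
    interface: wan
    protocol: inet
    remote_gateway: 198.51.100.10         # constructed peer address (TEST-NET-2)
    iketype: ikev2                        # fixed IKEv2: 'mode' (main/aggressive) only matters for ikev1/auto
    authentication_method: rsasig         # certificate authentication; no preshared_key in the playbook
    certificate: hq-vpn-cert              # assumed: certificate already present on the pfSense host
    certificate_authority: corp-vpn-ca    # assumed: CA already present on the pfSense host
    myid_type: fqdn
    myid_data: hq-vpn.example.net         # constructed local identifier
    peerid_type: fqdn
    peerid_data: branch-vpn.example.net   # constructed remote identifier; must match the peer's certificate identity
    enable_dpd: true
    dpd_delay: 10                         # seconds between DPD requests
    dpd_maxfail: 5                        # consecutive failures before the SA is torn down
    lifetime: 28800
    rekey_time: 25920                     # establish new keys before the 28800 s lifetime ends
    rand_time: 2880                       # random value subtracted from rekey/reauth time to avoid simultaneous renegotiation
    responderonly: true                   # this side never initiates; it only answers the branch
    nat_traversal: 'on'                   # quoted: unquoted on/off are YAML 1.1 booleans, which would fail the str choices check
    mobike: 'off'                         # quoted for the same reason
    apply: true
```

The quoting of `'on'` and `'off'` is deliberate: YAML 1.1 parsers (including the one Ansible uses) read bare `on`, `off`, `yes` and `no` as booleans, so the `str` options `nat_traversal` and `mobike` would receive `True`/`False` rather than the documented choice values. If `pre_shared_key` is used instead of `rsasig`, keep the `preshared_key` value out of the plain-text playbook by supplying it from an `ansible-vault` encrypted variable rather than inline, as the simple example above does.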