This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

pfsense_ipsec

Frederic Bor edited this page Mar 20, 2021 · 3 revisions
> PFSENSE_IPSEC    (/home/fbor/ansible/lib/ansible/modules/network/pfsense/pfsense_ipsec.py)

  Manage pfSense ipsec tunnels and phase 1 options

  * This module is maintained by The Ansible Community
OPTIONS (= is mandatory):

- apply
  Apply VPN configuration on target pfSense
  [Default: True]
  type: bool

- authentication_method
  Authentication method. Must match the setting chosen on the remote side.
  (Choices: pre_shared_key, rsasig)[Default: (null)]
  type: str

- certificate
  a certificate previously configured
  [Default: (null)]
  type: str

- certificate_authority
  a certificate authority previously configured
  [Default: (null)]
  type: str

= descr
  The description of the ipsec tunnel
  [Default: None]
  type: str

- disable_reauth
  (IKEv2 only) Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.
  [Default: False]
  type: bool

- disable_rekey
  Disables renegotiation when a connection is about to expire (deprecated with pfSense 2.5.0)
  [Default: (null)]
  type: bool

- disabled
  Set this option to disable this phase1 without removing it from the list.
  [Default: (null)]
  type: bool

- dpd_delay
  Delay between requesting peer acknowledgement.
  [Default: 10]
  type: int

- dpd_maxfail
  Number of consecutive failures allowed before disconnect.
  [Default: 5]
  type: int

- enable_dpd
  Enable dead peer detection
  [Default: True]
  type: bool

- gw_duplicates
  Allow multiple phase 1 configurations with the same endpoint
  [Default: (null)]
  type: bool

- iketype
  Internet Key Exchange protocol version to be used. Auto uses IKEv2 when initiator, and accepts either IKEv1 or IKEv2 as responder.
  (Choices: ikev1, ikev2, auto)[Default: (null)]
  type: str

- interface
  Interface for the local endpoint of this phase1 entry. Can be a virtual IP name or address prefixed with "vip:".
  [Default: (null)]
  type: str

- lifetime
  The lifetime defines how often the connection will be rekeyed, in seconds.
  [Default: 28800]
  type: int

- margintime
  How long before connection expiry or keying-channel expiry attempts to negotiate a replacement should begin (deprecated with pfSense 2.5.0)
  [Default: (null)]
  type: int

- mobike
  (IKEv2 only) Set this option to control the use of MOBIKE
  (Choices: on, off)[Default: off]
  type: str

- mode
  Negotiation mode. Aggressive is more flexible, but less secure. Only for IKEv1 or Auto.
  (Choices: main, aggressive)[Default: (null)]
  type: str

- myid_data
  Local identifier value.
  [Default: (null)]
  type: str

- myid_type
  Local identifier type.
  (Choices: myaddress, address, fqdn, user_fqdn, asn1dn, keyid tag, dyn_dns)[Default: myaddress]
  type: str

- nat_traversal
  Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, which can help with clients that are behind restrictive firewalls.
  (Choices: on, force)[Default: on]
  type: str

- nattport
  UDP port for NAT-T on the remote gateway.
  [Default: (null)]
  type: int

- peerid_data
  Remote identifier value.
  [Default: (null)]
  type: str

- peerid_type
  Remote identifier type.
  (Choices: any, peeraddress, address, fqdn, user_fqdn, asn1dn, keyid tag)[Default: peeraddress]
  type: str

- preshared_key
  This key must match on both peers.
  [Default: (null)]
  type: str

- protocol
  IP family
  (Choices: inet, inet6, both)[Default: inet]
  type: str

- rand_time
  A random value up to this amount will be subtracted from Rekey Time/Reauth Time to avoid simultaneous renegotiation.
  [Default: (null)]
  type: int

- reauth_time
  Time, in seconds, before an IKE SA is torn down and recreated from scratch, including authentication.
  [Default: (null)]
  type: int

- rekey_time
  Time, in seconds, before an IKE SA establishes new keys.
  [Default: (null)]
  type: int

- remote_gateway
  Public IP address or host name of the remote gateway.
  [Default: (null)]
  type: str

- responderonly
  Enable this option to never initiate this connection from this side, only respond to incoming requests.
  [Default: False]
  type: bool

- splitconn
  (IKEv2 only) Enable this to split connection entries with multiple phase 2 configurations
  [Default: False]
  type: bool

- state
  State in which to leave the ipsec tunnel
  (Choices: present, absent)[Default: present]
  type: str


AUTHOR: Frederic Bor (@f-bor)
METADATA:
  status:
  - preview
  supported_by: community

EXAMPLES:

- name: Add simple tunnel
  pfsense_ipsec:
    state: present
    descr: test_tunnel
    interface: wan
    remote_gateway: 1.2.3.4
    iketype: ikev2
    authentication_method: pre_shared_key
    preshared_key: azerty123

- name: Remove tunnel
  pfsense_ipsec:
    state: absent
    descr: test_tunnel

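A fuller IKEv2 phase 1 definition as an added example; it is not part of the module's own documentation and uses only the options listed above. The hostnames, the 203.0.113.10 address and the vault_branch_psk variable are placeholders. It also shows a YAML pitfall with this module: the string choices on and off must be quoted, because unquoted YAML parses them as booleans.

```yaml
# Added example, not from the module docs. Addresses, FQDNs and the
# vault variable are placeholders/assumptions.
- name: Configure IKEv2 phase 1 to branch office
  hosts: pfsense_hq
  gather_facts: false
  vars:
    # Assumption: the PSK lives in an ansible-vault encrypted vars file
    # instead of being written into the playbook in clear text.
    branch_psk: "{{ vault_branch_psk }}"
  tasks:
    - name: Create or update the phase 1 entry
      pfsense_ipsec:
        state: present
        descr: hq_to_branch
        interface: wan
        remote_gateway: 203.0.113.10          # placeholder (documentation range)
        protocol: inet
        iketype: ikev2
        authentication_method: pre_shared_key
        preshared_key: "{{ branch_psk }}"
        # Explicit FQDN identifiers on both sides so the peer is matched
        # by identity and not only by its address.
        myid_type: fqdn
        myid_data: vpn.hq.example.net         # placeholder
        peerid_type: fqdn
        peerid_data: vpn.branch.example.net   # placeholder
        # Quoted on purpose: bare on/off would become YAML booleans and
        # fail the module's choices check for these str options.
        nat_traversal: "on"
        mobike: "off"
        # Dead peer detection with the module defaults spelled out.
        enable_dpd: true
        dpd_delay: 10
        dpd_maxfail: 5
        # pfSense 2.5.0+ style lifetimes: rekey well before reauth, with
        # jitter so both peers do not renegotiate at the same instant.
        rekey_time: 3600
        reauth_time: 28800
        rand_time: 360
        responderonly: false
        apply: true
      register: phase1

    - name: Show the pseudo-commands the module reports
      debug:
        var: phase1.commands
```

Running the play with --check first shows the same commands list without applying anything, which is a cheap way to review a phase 1 change before it touches the firewall.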

RETURN VALUES:

commands:
    description: the set of commands that would be pushed to the remote device (if pfSense had a CLI)
    returned: always
    type: list
    sample: ["create ipsec 'test_tunnel', iketype='ikev2', protocol='inet', interface='wan', remote_gateway='1.2.3.4', ...", "delete ipsec 'test_tunnel'"]