paloaltonetworks.panos.panos_ike_gateway module – Manage IKE gateway on the firewall with subset of settings.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_ike_gateway.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Use this to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices: false, true

dead_peer_detection_interval

integer

Time in seconds to check for a dead peer.

Default: 99

dead_peer_detection_retry

integer

Retry attempts before peer is marked dead.

Default: 10

enable_dead_peer_detection

aliases: dead_peer_detection

boolean

True to enable Dead Peer Detection on the gateway.

Choices: false, true

enable_fragmentation

aliases: fragmentation

boolean

True to enable IKE fragmentation.

Incompatible with pre-shared key authentication and with the IKEv1 'aggressive' exchange mode; leave it disabled on gateways that use pre_shared_key.

Choices: false, true

enable_liveness_check

boolean

Enable sending empty INFORMATIONAL messages as an IKEv2 liveness check, so that a peer that stops answering is detected and the SA is torn down rather than left stale.

Choices: false, true

enable_nat_traversal

aliases: nat_traversal

boolean

True to enable NAT traversal (UDP encapsulation of IKE and ESP when a NAT device is detected between the two gateways).

Choices: false, true

enable_passive_mode

aliases: passive_mode

boolean

True to have the firewall only respond to IKE connections and never initiate them.

Choices: false, true

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

ikev1_crypto_profile

aliases: crypto_profile_name

string

Crypto profile for IKEv1.

Default: "default"

ikev1_exchange_mode

string

ikev2_crypto_profile

aliases: crypto_profile_name

string

Crypto profile for IKEv2.

Default: "default"

interface

string

Specify the outgoing firewall interface to the VPN tunnel.

Default: "ethernet1/1"

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

liveness_check_interval

aliases: liveness_check

integer

Delay interval before sending probing packets (in seconds).

Default: 5

local_id_type

string

Define the format of the identification of the local gateway.

ipaddr: IP address

fqdn: FQDN (hostname)

ufqdn: User FQDN (email address)

keyid: Key ID (binary format ID string in hex)

Choices: ipaddr, fqdn, ufqdn, keyid

local_id_value

string

Define the value for the identification of the local gateway.

Required when local_id_type is set.

local_ip_address

string

Bind IKE gateway to the specified interface IP address. Only needed if ‘interface’ has multiple IP addresses associated with it.

It should include the prefix length, such as '192.168.1.1/24'.

local_ip_address_type

string

The type of the bound interface IP address.

ip: Specify exact IP address if interface has multiple addresses.

floating-ip: Floating IP address in HA Active-Active configuration.

Required when ‘local_ip_address’ is set.

Choices: ip, floating-ip

name

string

Name of the IKE gateway object.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

peer_id_check

string

peer_id_type

string

Define the format of the identification of the peer gateway.

ipaddr: IP address

fqdn: FQDN (hostname)

ufqdn: User FQDN (email address)

keyid: Key ID (binary format ID string in hex)

Choices: ipaddr, fqdn, ufqdn, keyid

peer_id_value

string

Define the value for the identification of the peer gateway.

Required when peer_id_type is set.

peer_ip_type

string

peer_ip_value

string

IPv4 address of the peer gateway.

Default: "127.0.0.1"

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

pre_shared_key

aliases: psk

string

Specify the pre-shared key used to authenticate the peer.

The default is only a placeholder. Supply a long, random key from Ansible Vault or another secrets store rather than a literal in the playbook, and set no_log: true on the task so the key is not written to task output or logs.

Default: "CHANGEME"

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

state

string

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

version

aliases: protocol_version

string

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: Add IKE gateway config to the firewall
  paloaltonetworks.panos.panos_ike_gateway:
    provider: '{{ provider }}'
    state: 'present'
    name: 'IKEGW-Ansible'
    version: 'ikev2'
    interface: 'ethernet1/1'
    enable_passive_mode: true
    enable_liveness_check: true
    liveness_check_interval: 5
    peer_ip_value: '1.2.3.4'
    pre_shared_key: 'CHANGEME'
    ikev2_crypto_profile: 'IKE-Ansible'
    commit: false

- name: Create IKE gateway (dynamic)
  paloaltonetworks.panos.panos_ike_gateway:
    provider: '{{ device }}'
    name: 'test-dynamic'
    interface: 'ethernet1/1'
    peer_ip_type: dynamic
    pre_shared_key: 'CHANGEME'
    commit: false
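The following playbook is an added example and not part of the collection's own documentation. It combines the Panorama targeting, peer identity, liveness/DPD and secrets-handling points above into a complete run: the connection details and pre-shared keys come from vaulted variables, the tasks are marked no_log so the keys never reach task output, and the candidate configuration is committed with panos_commit_panorama only when something changed. The Panorama host, template name, interface, addresses, crypto profile names and the vault_* variables are placeholders; version: ikev1 for the responder-only gateway is also assumed rather than taken from this page.

```yaml
---
# Added example (not the collection's own docs). Host, template, interface,
# addresses, profile names and vault_* variables are placeholders.
- name: Manage IKE gateways in a Panorama template and commit the result
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: "{{ panorama_host }}"
      api_key: "{{ vault_panorama_api_key }}"   # vaulted, never a literal
    template_name: "branch-template"

  tasks:
    - name: Hub-side IKEv2 gateway to a branch with a static address
      paloaltonetworks.panos.panos_ike_gateway:
        provider: "{{ provider }}"
        template: "{{ template_name }}"
        state: present
        name: "IKEGW-branch01"
        version: ikev2
        interface: "ethernet1/1"
        # The interface carries several addresses, so bind to one of them.
        local_ip_address: "198.51.100.10/24"
        local_ip_address_type: ip
        # Explicit identities on both sides instead of matching on source IP only.
        local_id_type: fqdn
        local_id_value: "hq-fw.example.net"
        peer_ip_value: "203.0.113.7"
        peer_id_type: fqdn
        peer_id_value: "branch01-fw.example.net"
        pre_shared_key: "{{ vault_ike_psk_branch01 }}"
        ikev2_crypto_profile: "IKE-AES256-SHA256-DH14"
        enable_passive_mode: false          # the hub may initiate
        enable_liveness_check: true         # IKEv2 liveness check
        liveness_check_interval: 5
        enable_nat_traversal: true
        enable_fragmentation: false         # incompatible with PSK authentication
      no_log: true                          # keep the PSK out of logs and output
      register: gw_static

    - name: Responder-only IKEv1 gateway for a branch with a dynamic address
      paloaltonetworks.panos.panos_ike_gateway:
        provider: "{{ provider }}"
        template: "{{ template_name }}"
        state: present
        name: "IKEGW-branch02-dynamic"
        version: ikev1                      # assumed valid value; page only shows ikev2
        interface: "ethernet1/1"
        local_ip_address: "198.51.100.10/24"
        local_ip_address_type: ip
        peer_ip_type: dynamic
        # With no fixed peer address the peer ID is what ties the SA to this branch.
        peer_id_type: fqdn
        peer_id_value: "branch02-fw.example.net"
        local_id_type: fqdn
        local_id_value: "hq-fw.example.net"
        pre_shared_key: "{{ vault_ike_psk_branch02 }}"
        ikev1_crypto_profile: "IKE-AES256-SHA256-DH14"
        enable_passive_mode: true           # only answer, never initiate
        enable_dead_peer_detection: true    # IKEv1 DPD
        dead_peer_detection_interval: 10
        dead_peer_detection_retry: 3
        enable_nat_traversal: true
        enable_fragmentation: false
      no_log: true
      register: gw_dynamic

    - name: Commit the candidate configuration on Panorama
      paloaltonetworks.panos.panos_commit_panorama:
        provider: "{{ provider }}"
      when: gw_static.changed or gw_dynamic.changed
```

Because check mode is supported, run the play once with --check and --diff to see which gateway objects would change before committing; with no_log set, the diff will not show the pre-shared keys, which is the intended trade-off.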

Authors

  • Ivan Bojer (@ivanbojer)