paloaltonetworks.panos.panos_ipsec_tunnel module – Manage IPSec Tunnels on the firewall with subset of settings.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_ipsec_tunnel.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Use IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.

Requirements

The requirements below are needed on the host that executes this module.

Parameters

Parameter

Comments

ak_ike_gateway

aliases: ike_gtw_name

string

Name of the existing IKE gateway (auto-key).

Default: "default"

ak_ipsec_crypto_profile

aliases: ipsec_profile

string

Name of the existing IPsec profile or use default (auto-key).

Default: "default"

anti_replay

boolean

Enable anti-replay check on this tunnel.

Choices:

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

copy_flow_label

boolean

Copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended) (7.0+).

Choices:

copy_tos

boolean

Copy IP TOS bits from inner packet to IPSec packet (not recommended).

Choices:

disabled

boolean

enable_tunnel_monitor

boolean

Enable tunnel monitoring on this tunnel.

Choices:

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

gps_certificate_profile

string

Profile for authenticating GlobalProtect gateway certificates (global-protect-satellite).

gps_interface

string

Interface to communicate with portal (global-protect-satellite).

gps_interface_ipv4_floating_ip

string

Floating IPv4 IP address in HA Active-Active configuration (7.0+) (global-protect-satellite).

gps_interface_ipv4_ip

string

Exact IPv4 IP address if interface has multiple IP addresses (global-protect-satellite).

gps_interface_ipv6_floating_ip

string

Floating IPv6 IP address in HA Active-Active configuration (8.0+) (global-protect-satellite).

gps_interface_ipv6_ip

string

Exact IPv6 IP address if interface has multiple IP addresses (8.0+) (global-protect-satellite).

gps_local_certificate

string

GlobalProtect satellite certificate file name (global-protect-satellite).

gps_portal_address

string

GlobalProtect portal address (global-protect-satellite).

gps_prefer_ipv6

boolean

Prefer to register portal in IPv6 (8.0+) (global-protect-satellite).

Choices:

gps_publish_connected_routes

boolean

Enable publishing of connected and static routes (global-protect-satellite).

Choices:

gps_publish_routes

list / elements=string

Specify list of routes to publish to GlobalProtect gateway (global-protect-satellite).

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

ipv6

boolean

Use IPv6 for the IPsec tunnel (7.0+).

Choices:

mk_auth_key

string

Authentication key (manual-key).

mk_auth_type

string

mk_esp_encryption

string

mk_esp_encryption_key

string

Encryption key (manual-key).

mk_interface

string

Interface to terminate tunnel (manual-key).

mk_local_address_floating_ip

string

Floating IP address in HA Active-Active configuration (manual-key).

mk_local_address_ip

string

Exact IP address if interface has multiple IP addresses (manual-key).

mk_local_spi

string

Outbound SPI in hex (manual-key).

mk_protocol

string

Protocol for traffic through the tunnel (manual-key).

Choices:

mk_remote_address

string

Tunnel peer IP address (manual-key).

mk_remote_spi

string

Inbound SPI in hex (manual-key).

name

string

Name for the IPSec tunnel.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

state

string

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

tunnel_interface

string

Specify existing tunnel interface that will be used.

Default: "tunnel.1"

tunnel_monitor_dest_ip

string

Destination IP to send ICMP probe.

tunnel_monitor_profile

string

Monitoring action.

tunnel_monitor_proxy_id

string

Which proxy-id (or proxy-id-v6) the monitoring traffic will use.

type

string

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: Add IPSec tunnel to IKE gateway profile
  paloaltonetworks.panos.panos_ipsec_tunnel:
    provider: '{{ provider }}'
    name: 'IPSecTunnel-Ansible'
    tunnel_interface: 'tunnel.2'
    ak_ike_gateway: 'IKEGW-Ansible'
    ak_ipsec_crypto_profile: 'IPSec-Ansible'
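An added playbook example (not from the collection's own documentation) showing the tunnel-hardening settings this module exposes together: anti-replay on, TOS and flow-label copying explicitly left off, and tunnel monitoring with a failover profile, followed by the non-deprecated commit module. The host group, the provider variables, the peer address and the gateway, crypto-profile and monitor-profile names are constructed placeholders.

```yaml
- name: Configure a hardened auto-key IPSec tunnel with monitoring (added example)
  hosts: firewalls            # placeholder inventory group
  connection: local
  gather_facts: false
  vars:
    # Constructed connection details; fw_ip and fw_api_key come from your inventory or vault.
    provider:
      ip_address: "{{ fw_ip }}"
      api_key: "{{ fw_api_key }}"
  tasks:
    - name: Add IPSec tunnel with anti-replay and tunnel monitoring enabled
      paloaltonetworks.panos.panos_ipsec_tunnel:
        provider: "{{ provider }}"
        name: "IPSecTunnel-Site-B"              # placeholder tunnel name
        tunnel_interface: "tunnel.2"
        ak_ike_gateway: "IKEGW-Site-B"          # existing Phase 1 gateway (placeholder)
        ak_ipsec_crypto_profile: "IPSec-Site-B" # existing Phase 2 crypto profile (placeholder)
        anti_replay: true                       # reject replayed ESP packets
        copy_tos: false                         # do not leak inner QoS marks (page: not recommended)
        copy_flow_label: false                  # do not leak inner IPv6 flow label (page: not recommended)
        enable_tunnel_monitor: true
        tunnel_monitor_dest_ip: "10.20.0.1"     # constructed probe target behind the peer
        tunnel_monitor_profile: "Monitor-Failover"  # placeholder monitoring profile
        state: present

    # `commit: true` is deprecated on this module; use the dedicated commit module instead.
    - name: Commit the tunnel configuration
      paloaltonetworks.panos.panos_commit_firewall:
        provider: "{{ provider }}"
```

Run with check mode first (`ansible-playbook --check`), which this module supports, to see the intended change before it is applied.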

Authors

  • Ivan Bojer (@ivanbojer)