panos_ike_gateway – Configures IKE gateway on the firewall with subset of settings

New in version 2.8.

Synopsis

  • Use this to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
dead_peer_detection_interval
integer
Default:
99
Time in seconds to check for a dead peer.
dead_peer_detection_retry
integer
Default:
10
Retry attempts before peer is marked dead.
enable_dead_peer_detection
boolean
    Choices:
  • no ←
  • yes
True to enable Dead Peer Detection on the gateway.

aliases: dead_peer_detection
enable_fragmentation
boolean
    Choices:
  • no ←
  • yes
True to enable IKE fragmentation.
Incompatible with pre-shared keys or 'aggressive' exchange mode.

aliases: fragmentation
enable_liveness_check
boolean
    Choices:
  • no
  • yes ←
Enable sending empty information liveness check message.
enable_nat_traversal
boolean
    Choices:
  • no ←
  • yes
True to enable NAT Traversal mode.

aliases: nat_traversal
enable_passive_mode
boolean
    Choices:
  • no
  • yes ←
True to have the firewall only respond to IKE connections and never initiate them.

aliases: passive_mode
ikev1_crypto_profile
-
Default:
"default"
Crypto profile for IKEv1.

aliases: crypto_profile_name
ikev1_exchange_mode
-
    Choices:
  • auto
  • main
  • aggressive
Default:
"None"
The IKE exchange mode to use.
ikev2_crypto_profile
-
Default:
"default"
Crypto profile for IKEv2.

aliases: crypto_profile_name
interface
-
Default:
"ethernet1/1"
Specify the outgoing firewall interface to the VPN tunnel.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
liveness_check_interval
integer
Default:
5
Delay interval before sending probing packets (in seconds).

aliases: liveness_check
local_id_type
-
    Choices:
  • ipaddr
  • fwdn
  • ufqdn
  • keyid
  • dn
Default:
"None"
Specify the type of local ID.
local_id_value
-
Default:
"None"
The value for the local_id. (See also local_id_type, above.)
local_ip_address
-
Default:
"None"
Bind the IKE gateway to the specified interface IP address.
It should include the mask, such as '192.168.1.1/24'.
local_ip_address_type
-
    Choices:
  • ip
  • floating-ip
Default:
"None"
The address type of the bound interface IP address.
name
- / required
Name for the profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
peer_id_check
-
    Choices:
  • exact
  • wildcard
Type of checking to do on peer_id.
peer_id_type
-
    Choices:
  • ipaddr
  • fwdn
  • ufqdn
  • keyid
  • dn
Default:
"None"
Specify the type of peer ID.
peer_id_value
-
Default:
"None"
The value for the peer_id. (See also peer_id_type, above.)
peer_ip_value
-
Default:
"127.0.0.1"
IPv4 address of the peer gateway.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
pre_shared_key
-
Default:
"CHANGEME"
Specify pre-shared key.

aliases: psk
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
"admin"
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
"admin"
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
version
-
    Choices:
  • ikev1
  • ikev2
  • ikev2-preferred
Default:
"ike2"
Specify the priority for Diffie-Hellman (DH) groups.

aliases: protocol_version

Notes

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: Add IKE gateway config to the firewall
  panos_ike_gateway:
    provider: '{{ provider }}'
    state: 'present'
    name: 'IKEGW-Ansible'
    version: 'ikev2'
    interface: 'ethernet1/1'
    enable_passive_mode: True
    enable_liveness_check: True
    liveness_check_interval: '5'
    peer_ip_value: '1.2.3.4'
    pre_shared_key: 'CHANGEME'
    ikev2_crypto_profile: 'IKE-Ansible'
    commit: False
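The following playbook is an added example, not part of the module's own documentation. It targets a Panorama-managed firewall (so template is set), pins both local and peer identities with an exact check, keeps the pre-shared key in a vaulted variable instead of a literal in the task, and turns on dead peer detection for the IKEv1 fallback. The variable names (panorama_ip, panorama_api_key, ike_psk), the template name and the addresses are assumptions.

```yaml
# Added example: IKE gateway with identity checks, DPD and a vaulted PSK.
# Variable names, template name and addresses are assumptions; the
# addresses are documentation ranges, not a real deployment.
- name: Configure IKE gateway via Panorama
  hosts: panorama
  connection: local
  vars:
    provider:
      ip_address: '{{ panorama_ip }}'
      api_key: '{{ panorama_api_key }}'   # store in an ansible-vault file
  tasks:
    - name: Add IKE gateway with strict peer ID check
      panos_ike_gateway:
        provider: '{{ provider }}'
        template: 'Branch-Template'       # required when targeting Panorama
        state: 'present'
        name: 'IKEGW-Branch01'
        version: 'ikev2-preferred'
        ikev1_exchange_mode: 'main'       # not 'aggressive' (see enable_fragmentation)
        interface: 'ethernet1/1'
        local_ip_address_type: 'ip'
        local_ip_address: '203.0.113.10/24'   # must include the mask
        peer_ip_value: '198.51.100.20'
        # Both sides must present the expected user-FQDN identity
        local_id_type: 'ufqdn'
        local_id_value: 'hq@example.com'
        peer_id_type: 'ufqdn'
        peer_id_value: 'branch01@example.com'
        peer_id_check: 'exact'
        # Key comes from a vaulted variable, never a literal in the play
        pre_shared_key: '{{ ike_psk }}'
        ikev1_crypto_profile: 'IKE-Ansible'
        ikev2_crypto_profile: 'IKE-Ansible'
        # IKEv1 fallback: detect a dead peer instead of waiting on SA expiry
        enable_dead_peer_detection: True
        dead_peer_detection_interval: 10
        dead_peer_detection_retry: 3
        # IKEv2: empty informational liveness probes every 5 seconds
        enable_liveness_check: True
        liveness_check_interval: 5
        enable_nat_traversal: True
        enable_passive_mode: False
        commit: False
      no_log: true                        # keep the PSK out of task output
```

Running with commit: False lets the change be reviewed on the device before a separate commit task pushes it, which is useful in check mode (supported by this module).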

Status

Authors

  • Ivan Bojer (@ivanbojer)