panos_ipsec_profile – Configures IPSec Crypto profile on the firewall with subset of settings

New in version 2.8.

Synopsis

  • IPSec Crypto profiles specify protocols and algorithms for authentication and encryption in VPN tunnels based on IPSec SA negotiation (Phase 2).

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
ah_authentication
-
    Choices:
  • md5
  • sha1
  • sha256
  • sha384
  • sha512
Authentication algorithms for AH mode.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
-
Default:
"yes"
Commit configuration if changed.
dh_group
-
    Choices:
  • no-pfs
  • group1
  • group2 ←
  • group5
  • group14
  • group19
  • group20
Diffie-Hellman (DH) groups.

aliases: dhgroup
esp_authentication
-
    Choices:
  • none
  • md5
  • sha1 ←
  • sha256
  • sha384
  • sha512
Authentication algorithms for ESP mode.

aliases: authentication
esp_encryption
-
    Choices:
  • des
  • 3des ←
  • null
  • aes-128-cbc
  • aes-192-cbc
  • aes-256-cbc ←
  • aes-128-gcm
  • aes-256-gcm
Default:
["aes-256-cbc", "3des"]
Encryption algorithms for ESP mode.

aliases: encryption
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
lifesize_gb
-
IPSec SA lifetime in gigabytes.
lifesize_kb
-
IPSec SA lifetime in kilobytes.
lifesize_mb
-
IPSec SA lifetime in megabytes.
lifesize_tb
-
IPSec SA lifetime in terabytes.
lifetime_days
-
IPSec SA lifetime in days.
lifetime_hours
-
IPSec SA lifetime in hours. If no other key lifetimes are specified, default to 1 hour.

aliases: lifetime_hrs
lifetime_minutes
-
IPSec SA lifetime in minutes.
lifetime_seconds
-
IPSec SA lifetime in seconds.
name
- / required
Name for the profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
"admin"
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
Whether the profile should be present on or absent from the device.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
"admin"
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: Add IPSec crypto config to the firewall
  panos_ipsec_profile:
    provider: '{{ provider }}'
    state: 'present'
    name: 'ipsec-vpn-0cc61dd8c06f95cfd-0'
    esp_authentication: ['sha1']
    esp_encryption: ['aes-128-cbc']
    lifetime_seconds: '3600'
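Because the module falls back to the defaults marked in the parameter table (dh_group group2, esp_authentication sha1, esp_encryption aes-256-cbc plus 3des) whenever a task omits a parameter, a play that looks minimal can still produce a profile with legacy algorithms. The following checker is an added example, not part of this module or its documentation: it fills in those documented defaults for a task's module arguments and reports weak choices. The DEFAULTS values come from this page; the WEAK and AEAD sets are this example's own review policy, not something the module enforces.

```python
# Constructed example: lint panos_ipsec_profile task arguments for weak Phase 2
# settings, taking the module's documented defaults into account.

# Defaults as shown in this module's parameter table (arrow / "Default:" entries).
# The firewall receives these values when the task does not set the parameter.
DEFAULTS = {
    "dh_group": ["group2"],
    "esp_authentication": ["sha1"],
    "esp_encryption": ["aes-256-cbc", "3des"],
}

# Review policy used by this example (an assumption, not enforced by the module):
# legacy or broken primitives and DH groups below 2048 bits are flagged.
WEAK = {
    "esp_encryption": {"des", "3des", "null"},
    "ah_authentication": {"md5", "sha1"},
    "esp_authentication": {"none", "md5", "sha1"},
    "dh_group": {"no-pfs", "group1", "group2", "group5"},
}

# AEAD ciphers carry their own integrity protection, so "none" for
# esp_authentication is acceptable only when every ESP cipher is one of these.
AEAD = {"aes-128-gcm", "aes-256-gcm"}


def effective_args(task_args):
    """Return the task's args with module defaults filled in, normalised to lists."""
    merged = {k: list(v) for k, v in DEFAULTS.items()}
    for key, value in task_args.items():
        merged[key] = [value] if isinstance(value, str) else list(value)
    return merged


def lint_profile(task_args):
    """Return (parameter, value, source) findings; source says whether the
    weak value was set explicitly or arrived via a module default."""
    args = effective_args(task_args)
    enc = set(args.get("esp_encryption", []))
    all_aead = bool(enc) and enc <= AEAD
    findings = []
    for param, weak_values in WEAK.items():
        for value in args.get(param, []):
            if value not in weak_values:
                continue
            if param == "esp_authentication" and value == "none" and all_aead:
                continue  # integrity comes from the GCM cipher itself
            source = "explicit" if param in task_args else "module default"
            findings.append((param, value, source))
    return findings


if __name__ == "__main__":
    # The task from the Examples section above, as the module would apply it.
    for finding in lint_profile({"esp_authentication": ["sha1"],
                                 "esp_encryption": ["aes-128-cbc"]}):
        print("weak: %s=%s (%s)" % finding)
```

Run against the page's own example task it reports sha1 as an explicit choice and group2 as a default the task never mentioned; a task setting only aes-256-gcm, esp_authentication none and group19 or group14 produces no findings.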

Authors

  • Ivan Bojer (@ivanbojer)