New in version 2.8.
The requirements below are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates if the requests towards FortiGate must use the HTTPS protocol.
password | Default: "" | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
vpn_ipsec_phase1_interface | Default: null | Configure VPN remote gateway.

Suboptions of vpn_ipsec_phase1_interface (nested suboptions are written as parent.child):

Parameter | Choices/Defaults | Comments
---|---|---
acct-verify | | Enable/disable verification of RADIUS accounting record.
add-gw-route | | Enable/disable automatically adding a route to the remote gateway.
add-route | | Enable/disable control of the addition of a route to the peer destination selector.
assign-ip | | Enable/disable assignment of IP to IPsec interface via configuration method.
assign-ip-from | | Method by which the IP address will be assigned.
authmethod | | Authentication method.
authmethod-remote | | Authentication method (remote side).
authpasswd | | XAuth password (max 35 characters).
authusr | | XAuth user name.
authusrgrp | | Authentication user group. Source user.group.name.
auto-discovery-forwarder | | Enable/disable forwarding auto-discovery short-cut messages.
auto-discovery-psk | | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.
auto-discovery-receiver | | Enable/disable accepting auto-discovery short-cut messages.
auto-discovery-sender | | Enable/disable sending auto-discovery short-cut messages.
auto-negotiate | | Enable/disable automatic initiation of IKE SA negotiation.
backup-gateway | | Instruct unity clients about the backup gateway address(es).
backup-gateway.address (required) | | Address of backup gateway.
banner | | Message that unity client should display after connecting.
cert-id-validation | | Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
certificate | | The names of up to 4 signed personal certificates.
certificate.name (required) | | Certificate name. Source vpn.certificate.local.name.
childless-ike | | Enable/disable childless IKEv2 initiation (RFC 6023).
client-auto-negotiate | | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
client-keep-alive | | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
comments | | Comment.
default-gw | | IPv4 address of default route gateway to use for traffic exiting the interface.
default-gw-priority | | Priority for default gateway route. A higher priority number signifies a less preferred route.
dhgrp | | DH group.
digital-signature-auth | | Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
distance | | Distance for routes added by IKE (1 - 255).
dns-mode | | DNS server mode.
domain | | Instruct unity clients about the default DNS domain.
dpd | | Dead Peer Detection mode.
dpd-retrycount | | Number of DPD retry attempts.
dpd-retryinterval | | DPD retry interval.
eap | | Enable/disable IKEv2 EAP authentication.
eap-identity | | IKEv2 EAP peer identity type.
encap-local-gw4 | | Local IPv4 address of GRE/VXLAN tunnel.
encap-local-gw6 | | Local IPv6 address of GRE/VXLAN tunnel.
encap-remote-gw4 | | Remote IPv4 address of GRE/VXLAN tunnel.
encap-remote-gw6 | | Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation | | Enable/disable GRE/VXLAN encapsulation.
encapsulation-address | | Source for GRE/VXLAN tunnel address.
enforce-unique-id | | Enable/disable peer ID uniqueness check.
exchange-interface-ip | | Enable/disable exchange of IPsec interface IP address.
forticlient-enforcement | | Enable/disable FortiClient enforcement.
fragmentation | | Enable/disable fragmenting IKE messages on re-transmission.
fragmentation-mtu | | IKE fragmentation MTU (500 - 16000).
group-authentication | | Enable/disable IKEv2 IDi group authentication.
group-authentication-secret | | Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x).
ha-sync-esp-seqno | | Enable/disable sequence number jump ahead for IPsec HA.
idle-timeout | | Enable/disable IPsec tunnel idle timeout.
idle-timeoutinterval | | IPsec tunnel idle timeout in minutes (5 - 43200).
ike-version | | IKE protocol version.
include-local-lan | | Enable/disable allowing local LAN access on unity clients.
interface | | Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name.
ip-version | | IP version to use for VPN interface.
ipv4-dns-server1 | | IPv4 DNS server 1.
ipv4-dns-server2 | | IPv4 DNS server 2.
ipv4-dns-server3 | | IPv4 DNS server 3.
ipv4-end-ip | | End of IPv4 range.
ipv4-exclude-range | | Configuration method IPv4 exclude ranges.
ipv4-exclude-range.end-ip | | End of IPv4 exclusive range.
ipv4-exclude-range.id (required) | | ID.
ipv4-exclude-range.start-ip | | Start of IPv4 exclusive range.
ipv4-name | | IPv4 address name. Source firewall.address.name firewall.addrgrp.name.
ipv4-netmask | | IPv4 netmask.
ipv4-split-exclude | | IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name.
ipv4-split-include | | IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name.
ipv4-start-ip | | Start of IPv4 range.
ipv4-wins-server1 | | WINS server 1.
ipv4-wins-server2 | | WINS server 2.
ipv6-dns-server1 | | IPv6 DNS server 1.
ipv6-dns-server2 | | IPv6 DNS server 2.
ipv6-dns-server3 | | IPv6 DNS server 3.
ipv6-end-ip | | End of IPv6 range.
ipv6-exclude-range | | Configuration method IPv6 exclude ranges.
ipv6-exclude-range.end-ip | | End of IPv6 exclusive range.
ipv6-exclude-range.id (required) | | ID.
ipv6-exclude-range.start-ip | | Start of IPv6 exclusive range.
ipv6-name | | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-prefix | | IPv6 prefix.
ipv6-split-exclude | | IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-split-include | | IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-start-ip | | Start of IPv6 range.
keepalive | | NAT-T keep alive interval.
keylife | | Time to wait in seconds before phase 1 encryption key expires.
local-gw | | IPv4 address of the local gateway's external interface.
local-gw6 | | IPv6 address of the local gateway's external interface.
localid | | Local ID.
localid-type | | Local ID type.
mesh-selector-type | | Add selectors containing subsets of the configuration depending on traffic.
mode | | The ID protection mode used to establish a secure channel.
mode-cfg | | Enable/disable configuration method.
monitor | | IPsec interface as backup for primary interface. Source vpn.ipsec.phase1-interface.name.
monitor-hold-down-delay | | Time to wait in seconds before recovery once primary re-establishes.
monitor-hold-down-time | | Time of day at which to fail back to primary after it re-establishes.
monitor-hold-down-type | | Recovery time method when primary interface re-establishes.
monitor-hold-down-weekday | | Day of the week to recover once primary re-establishes.
name (required) | | IPsec remote gateway name.
nattraversal | | Enable/disable NAT traversal.
negotiate-timeout | | IKE SA negotiation timeout in seconds (1 - 300).
net-device | | Enable/disable kernel device creation for dialup instances.
npu-offload | | Enable/disable NPU offloading.
passive-mode | | Enable/disable IPsec passive mode for static tunnels.
peer | | Accept this peer certificate. Source user.peer.name.
peergrp | | Accept this peer certificate group. Source user.peergrp.name.
peerid | | Accept this peer identity.
peertype | | Accept this peer type.
ppk | | Enable/disable IKEv2 Postquantum Preshared Key (PPK).
ppk-identity | | IKEv2 Postquantum Preshared Key identity.
ppk-secret | | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority | | Priority for routes added by IKE (0 - 4294967295).
proposal | | Phase 1 proposal.
psksecret | | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecret-remote | | Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
reauth | | Enable/disable re-authentication upon IKE SA lifetime expiration.
rekey | | Enable/disable phase 1 rekey.
remote-gw | | IPv4 address of the remote gateway's external interface.
remote-gw6 | | IPv6 address of the remote gateway's external interface.
remotegw-ddns | | Domain name of remote gateway (e.g. name.DDNS.com).
rsa-signature-format | | Digital Signature Authentication RSA signature format.
save-password | | Enable/disable saving XAuth username and password on VPN clients.
send-cert-chain | | Enable/disable sending certificate chain.
signature-hash-alg | | Digital Signature Authentication hash algorithms.
split-include-service | | Split-include services. Source firewall.service.group.name firewall.service.custom.name.
state | | Indicates whether to create or remove the object.
suite-b | | Use Suite-B.
tunnel-search | | Tunnel search method for when the interface is shared.
type | | Remote gateway type.
unity-support | | Enable/disable support for Cisco UNITY Configuration Method extensions.
usrgrp | | User group name for dialup peers. Source user.group.name.
vni | | VNI of VXLAN tunnel.
wizard-type | | GUI VPN Wizard Type.
xauthtype | | XAuth type.
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure VPN remote gateway.
      fortios_vpn_ipsec_phase1_interface:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        vpn_ipsec_phase1_interface:
          state: "present"
          acct-verify: "enable"
          add-gw-route: "enable"
          add-route: "disable"
          assign-ip: "disable"
          assign-ip-from: "range"
          authmethod: "psk"
          authmethod-remote: "psk"
          authpasswd: "<your_own_value>"
          authusr: "<your_own_value>"
          authusrgrp: "<your_own_value> (source user.group.name)"
          auto-discovery-forwarder: "enable"
          auto-discovery-psk: "enable"
          auto-discovery-receiver: "enable"
          auto-discovery-sender: "enable"
          auto-negotiate: "enable"
          backup-gateway:
            - address: "<your_own_value>"
          banner: "<your_own_value>"
          cert-id-validation: "enable"
          certificate:
            - name: "default_name_23 (source vpn.certificate.local.name)"
          childless-ike: "enable"
          client-auto-negotiate: "disable"
          client-keep-alive: "disable"
          comments: "<your_own_value>"
          default-gw: "<your_own_value>"
          default-gw-priority: "29"
          dhgrp: "1"
          digital-signature-auth: "enable"
          distance: "32"
          dns-mode: "manual"
          domain: "<your_own_value>"
          dpd: "disable"
          dpd-retrycount: "36"
          dpd-retryinterval: "<your_own_value>"
          eap: "enable"
          eap-identity: "use-id-payload"
          encap-local-gw4: "<your_own_value>"
          encap-local-gw6: "<your_own_value>"
          encap-remote-gw4: "<your_own_value>"
          encap-remote-gw6: "<your_own_value>"
          encapsulation: "none"
          encapsulation-address: "ike"
          enforce-unique-id: "disable"
          exchange-interface-ip: "enable"
          forticlient-enforcement: "enable"
          fragmentation: "enable"
          fragmentation-mtu: "50"
          group-authentication: "enable"
          group-authentication-secret: "<your_own_value>"
          ha-sync-esp-seqno: "enable"
          idle-timeout: "enable"
          idle-timeoutinterval: "55"
          ike-version: "1"
          include-local-lan: "disable"
          interface: "<your_own_value> (source system.interface.name)"
          ip-version: "4"
          ipv4-dns-server1: "<your_own_value>"
          ipv4-dns-server2: "<your_own_value>"
          ipv4-dns-server3: "<your_own_value>"
          ipv4-end-ip: "<your_own_value>"
          ipv4-exclude-range:
            - end-ip: "<your_own_value>"
              id: "66"
              start-ip: "<your_own_value>"
          ipv4-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-netmask: "<your_own_value>"
          ipv4-split-exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-split-include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
          ipv4-start-ip: "<your_own_value>"
          ipv4-wins-server1: "<your_own_value>"
          ipv4-wins-server2: "<your_own_value>"
          ipv6-dns-server1: "<your_own_value>"
          ipv6-dns-server2: "<your_own_value>"
          ipv6-dns-server3: "<your_own_value>"
          ipv6-end-ip: "<your_own_value>"
          ipv6-exclude-range:
            - end-ip: "<your_own_value>"
              id: "81"
              start-ip: "<your_own_value>"
          ipv6-name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-prefix: "84"
          ipv6-split-exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-split-include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
          ipv6-start-ip: "<your_own_value>"
          keepalive: "88"
          keylife: "89"
          local-gw: "<your_own_value>"
          local-gw6: "<your_own_value>"
          localid: "<your_own_value>"
          localid-type: "auto"
          mesh-selector-type: "disable"
          mode: "aggressive"
          mode-cfg: "disable"
          monitor: "<your_own_value> (source vpn.ipsec.phase1-interface.name)"
          monitor-hold-down-delay: "98"
          monitor-hold-down-time: "<your_own_value>"
          monitor-hold-down-type: "immediate"
          monitor-hold-down-weekday: "everyday"
          name: "default_name_102"
          nattraversal: "enable"
          negotiate-timeout: "104"
          net-device: "enable"
          npu-offload: "enable"
          passive-mode: "enable"
          peer: "<your_own_value> (source user.peer.name)"
          peergrp: "<your_own_value> (source user.peergrp.name)"
          peerid: "<your_own_value>"
          peertype: "any"
          ppk: "disable"
          ppk-identity: "<your_own_value>"
          ppk-secret: "<your_own_value>"
          priority: "115"
          proposal: "des-md5"
          psksecret: "<your_own_value>"
          psksecret-remote: "<your_own_value>"
          reauth: "disable"
          rekey: "enable"
          remote-gw: "<your_own_value>"
          remote-gw6: "<your_own_value>"
          remotegw-ddns: "<your_own_value>"
          rsa-signature-format: "pkcs1"
          save-password: "disable"
          send-cert-chain: "enable"
          signature-hash-alg: "sha1"
          split-include-service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
          suite-b: "disable"
          tunnel-search: "selectors"
          type: "static"
          unity-support: "disable"
          usrgrp: "<your_own_value> (source user.group.name)"
          vni: "134"
          wizard-type: "custom"
          xauthtype: "disable"
```
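The example playbook above is a placeholder that exercises every parameter, not a recommended configuration: it selects IKEv1, aggressive mode with PSK authentication, the proposal `des-md5`, DH group 1 and `sha1` as the signature hash. The following pre-flight check is an added example (not code from the Ansible module or from FortiOS) that lints a `vpn_ipsec_phase1_interface` mapping for such weak phase 1 choices before a playbook pushes it to a FortiGate. It uses only parameter names documented above; the weak-algorithm sets and the hardened counterpart values are assumptions drawn from general IPsec hardening guidance, not FortiOS defaults, so adjust them to your own policy.

```python
"""Lint a fortios_vpn_ipsec_phase1_interface mapping for weak IKE phase 1
settings. Added example; not part of the Ansible module or of FortiOS."""

# Constructed sample: the phase 1 values used in the example playbook above.
SAMPLE_PHASE1 = {
    "name": "default_name_102",
    "ike-version": "1",
    "mode": "aggressive",
    "authmethod": "psk",
    "proposal": "des-md5",
    "dhgrp": "1",
    "signature-hash-alg": "sha1",
    "save-password": "disable",
}

# Constructed hardened counterpart for comparison (assumed values, not FortiOS defaults).
HARDENED_PHASE1 = {
    "name": "hardened_example",
    "ike-version": "2",
    "mode": "main",
    "authmethod": "signature",
    "proposal": "aes256-sha256 aes256gcm-prfsha384",
    "dhgrp": "14 19 20",
    "signature-hash-alg": "sha2-256 sha2-384",
    "save-password": "disable",
}

# Policy thresholds (assumption): adjust to your organisation's crypto baseline.
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups below 2048 bits


def _tokens(value):
    """FortiOS multi-valued settings (proposal, dhgrp, ...) are space-separated strings."""
    return str(value).split()


def lint_phase1(settings):
    """Return a list of (parameter, reason) findings; an empty list means nothing weak was found."""
    findings = []

    # FortiOS defaults ike-version to 1 when it is omitted, so treat absence as IKEv1.
    if str(settings.get("ike-version", "1")) == "1":
        findings.append(("ike-version", "IKEv1 selected; IKEv2 is preferred"))

    # IKEv1 aggressive mode transmits the PSK-derived authentication hash unencrypted,
    # so a captured exchange allows offline guessing of the pre-shared key.
    if settings.get("mode") == "aggressive" and settings.get("authmethod") == "psk":
        findings.append(("mode", "aggressive mode with PSK exposes the key to offline guessing"))

    # Proposals are written as <cipher>-<integrity>, e.g. des-md5 or aes256-sha256.
    for prop in _tokens(settings.get("proposal", "")):
        cipher, _, integrity = prop.partition("-")
        if cipher in WEAK_CIPHERS:
            findings.append(("proposal", "weak cipher %s in %s" % (cipher, prop)))
        if integrity in WEAK_HASHES:
            findings.append(("proposal", "weak integrity algorithm %s in %s" % (integrity, prop)))

    for group in _tokens(settings.get("dhgrp", "")):
        if group in WEAK_DH_GROUPS:
            findings.append(("dhgrp", "DH group %s is below 2048-bit strength" % group))

    for alg in _tokens(settings.get("signature-hash-alg", "")):
        if alg in WEAK_HASHES:
            findings.append(("signature-hash-alg", "%s is not collision resistant" % alg))

    if settings.get("save-password") == "enable":
        findings.append(("save-password", "XAuth credentials would be cached on VPN clients"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("example playbook", SAMPLE_PHASE1), ("hardened", HARDENED_PHASE1)):
        print("%s (%s):" % (label, cfg["name"]))
        for param, reason in lint_phase1(cfg) or [("-", "no weak settings found")]:
            print("  %-20s %s" % (param, reason))
```

Run it against the `vpn_ipsec_phase1_interface` mapping of a playbook (for instance from a pre-task or a CI step that loads the YAML) and fail the run when `lint_phase1` returns findings; the example values above produce six, the hardened mapping none.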
Common return values are documented separately; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
build (string) | always | Build number of the FortiGate image. Sample: 1547
http_method (string) | always | Last method used to provision the content into FortiGate. Sample: PUT
http_status (string) | always | Last result given by FortiGate on last operation applied. Sample: 200
mkey (string) | success | Master key (id) used in the last call to FortiGate. Sample: id
name (string) | always | Name of the table used to fulfill the request. Sample: urlfilter
path (string) | always | Path of the table used to fulfill the request. Sample: webfilter
revision (string) | always | Internal revision number. Sample: 17.0.2.10658
serial (string) | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result. Sample: success
vdom (string) | always | Virtual domain used. Sample: root
version (string) | always | Version of the FortiGate. Sample: v5.6.3