New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether the requests towards the FortiGate must use the HTTPS protocol.
password | Default: "" | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
vpn_ipsec_phase2 | Default: null | Configure VPN autokey tunnel.

Sub-options of vpn_ipsec_phase2:

Parameter | Choices/Defaults | Comments
---|---|---
add-route | | Enable/disable automatic route addition.
auto-negotiate | | Enable/disable IPsec SA auto-negotiation.
comments | | Comment.
dhcp-ipsec | | Enable/disable DHCP-IPsec.
dhgrp | | Phase 2 DH group.
dst-addr-type | | Remote proxy ID type.
dst-end-ip | | Remote proxy ID IPv4 end.
dst-end-ip6 | | Remote proxy ID IPv6 end.
dst-name | | Remote proxy ID name. Source: firewall.address.name, firewall.addrgrp.name.
dst-name6 | | Remote proxy ID name. Source: firewall.address6.name, firewall.addrgrp6.name.
dst-port | | Quick mode destination port (1 - 65535, or 0 for all).
dst-start-ip | | Remote proxy ID IPv4 start.
dst-start-ip6 | | Remote proxy ID IPv6 start.
dst-subnet | | Remote proxy ID IPv4 subnet.
dst-subnet6 | | Remote proxy ID IPv6 subnet.
encapsulation | | ESP encapsulation mode.
keepalive | | Enable/disable keep alive.
keylife-type | | Keylife type.
keylifekbs | | Phase 2 key life in number of bytes of traffic (5120 - 4294967295).
keylifeseconds | | Phase 2 key life in seconds (120 - 172800).
l2tp | | Enable/disable L2TP over IPsec.
name (required) | | IPsec tunnel name.
pfs | | Enable/disable PFS feature.
phase1name | | Phase 1 determines the options required for phase 2. Source: vpn.ipsec.phase1.name.
proposal | | Phase 2 proposal.
protocol | | Quick mode protocol selector (1 - 255, or 0 for all).
replay | | Enable/disable replay detection.
route-overlap | | Action for overlapping routes.
selector-match | | Match type to use when comparing selectors.
single-source | | Enable/disable single source IP restriction.
src-addr-type | | Local proxy ID type.
src-end-ip | | Local proxy ID end.
src-end-ip6 | | Local proxy ID IPv6 end.
src-name | | Local proxy ID name. Source: firewall.address.name, firewall.addrgrp.name.
src-name6 | | Local proxy ID name. Source: firewall.address6.name, firewall.addrgrp6.name.
src-port | | Quick mode source port (1 - 65535, or 0 for all).
src-start-ip | | Local proxy ID start.
src-start-ip6 | | Local proxy ID IPv6 start.
src-subnet | | Local proxy ID subnet.
src-subnet6 | | Local proxy ID IPv6 subnet.
state | | Indicates whether to create or remove the object.
use-natip | | Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
Examples

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
  - name: Configure VPN autokey tunnel.
    fortios_vpn_ipsec_phase2:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "False"
      vpn_ipsec_phase2:
        state: "present"
        add-route: "phase1"
        auto-negotiate: "enable"
        comments: "<your_own_value>"
        dhcp-ipsec: "enable"
        dhgrp: "1"
        dst-addr-type: "subnet"
        dst-end-ip: "<your_own_value>"
        dst-end-ip6: "<your_own_value>"
        dst-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
        dst-name6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
        dst-port: "13"
        dst-start-ip: "<your_own_value>"
        dst-start-ip6: "<your_own_value>"
        dst-subnet: "<your_own_value>"
        dst-subnet6: "<your_own_value>"
        encapsulation: "tunnel-mode"
        keepalive: "enable"
        keylife-type: "seconds"
        keylifekbs: "21"
        keylifeseconds: "22"
        l2tp: "enable"
        name: "default_name_24"
        pfs: "enable"
        phase1name: "<your_own_value> (source vpn.ipsec.phase1.name)"
        proposal: "null-md5"
        protocol: "28"
        replay: "enable"
        route-overlap: "use-old"
        selector-match: "exact"
        single-source: "enable"
        src-addr-type: "subnet"
        src-end-ip: "<your_own_value>"
        src-end-ip6: "<your_own_value>"
        src-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
        src-name6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
        src-port: "38"
        src-start-ip: "<your_own_value>"
        src-start-ip6: "<your_own_value>"
        src-subnet: "<your_own_value>"
        src-subnet6: "<your_own_value>"
        use-natip: "enable"
```
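The generated example above is a template, not a safe configuration: `https: "False"` sends the admin credentials and the tunnel definition in clear text, `proposal: "null-md5"` selects null encryption with MD5 integrity, and the key-life values (`21` and `22`) fall below the ranges the parameter table documents. The following pre-flight lint is an added example (not part of the Ansible module or of Fortinet's code) that checks a task dict against the documented ranges before the module is run. It assumes proposal strings take the "<encryption>-<hash>" form (e.g. "aes256-sha256") and that `state` takes the conventional Ansible values present/absent; both are assumptions, since the table lists no choices. The two task dicts are constructed sample inputs, trimmed copies of the playbook above.

```python
"""Pre-flight lint for a fortios_vpn_ipsec_phase2 task dict (added example)."""

# Numeric ranges copied from the parameter table; 0 means "all" for ports/protocol.
RANGES = {
    "dst-port": (0, 65535),
    "src-port": (0, 65535),
    "protocol": (0, 255),
    "keylifekbs": (5120, 4294967295),
    "keylifeseconds": (120, 172800),
}

# Proposal components a reviewer would reject (policy assumption, not a FortiOS list).
WEAK_ENCRYPTION = {"null", "des"}
WEAK_HASH = {"md5"}


def lint_phase2(task: dict) -> list:
    """Return human-readable findings for one fortios_vpn_ipsec_phase2 task; empty means clean."""
    findings = []

    # Plain HTTP exposes the admin password and the tunnel definition on the wire.
    if str(task.get("https", "")).lower() in ("false", "no", "0"):
        findings.append("https is disabled: credentials and configuration travel in clear text")

    p2 = task.get("vpn_ipsec_phase2") or {}

    # "present" is on the page; "absent" is the usual Ansible counterpart (assumption).
    if p2.get("state") not in ("present", "absent"):
        findings.append(f"state: expected present or absent, got {p2.get('state')!r}")

    # Numeric fields: values arrive as strings from YAML, so coerce before comparing.
    for key, (lo, hi) in RANGES.items():
        if key not in p2:
            continue
        try:
            val = int(p2[key])
        except (TypeError, ValueError):
            findings.append(f"{key}: not an integer: {p2[key]!r}")
            continue
        if not lo <= val <= hi:
            findings.append(f"{key}: {val} is outside the documented range {lo}-{hi}")

    # Proposal list: space-separated "<enc>-<hash>" entries (format is an assumption).
    for prop in str(p2.get("proposal", "")).split():
        enc, _, hsh = prop.partition("-")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"proposal {prop!r}: encryption {enc!r} is weak")
        if hsh in WEAK_HASH:
            findings.append(f"proposal {prop!r}: hash {hsh!r} is weak")

    # Disabling PFS or replay detection weakens the SA; report it.
    for flag in ("pfs", "replay"):
        if p2.get(flag) == "disable":
            findings.append(f"{flag} is disabled")

    return findings


# Constructed sample: the page's generated example, trimmed to the checked fields.
SAMPLE_TASK = {
    "host": "192.168.122.40",
    "https": "False",
    "vpn_ipsec_phase2": {
        "state": "present",
        "name": "default_name_24",
        "dst-port": "13",
        "src-port": "38",
        "protocol": "28",
        "keylife-type": "seconds",
        "keylifekbs": "21",
        "keylifeseconds": "22",
        "proposal": "null-md5",
        "pfs": "enable",
        "replay": "enable",
    },
}

# Constructed sample: the same task with the findings fixed.
HARDENED_TASK = {
    "host": "192.168.122.40",
    "https": "True",
    "vpn_ipsec_phase2": {
        "state": "present",
        "name": "default_name_24",
        "dst-port": "0",
        "src-port": "0",
        "protocol": "0",
        "keylife-type": "seconds",
        "keylifeseconds": "3600",
        "proposal": "aes256-sha256",
        "pfs": "enable",
        "replay": "enable",
    },
}

if __name__ == "__main__":
    for label, task in (("sample", SAMPLE_TASK), ("hardened", HARDENED_TASK)):
        print(f"{label}: {len(lint_phase2(task))} finding(s)")
        for line in lint_phase2(task):
            print("  -", line)
```

Running it on the sample task reports five findings (clear-text HTTPS setting, both key-life values out of range, and the null/md5 proposal) and none on the hardened one; the same function can be pointed at the `vpn_ipsec_phase2` mapping loaded from a playbook with a YAML parser.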
Common return values are documented in the shared Ansible return-value reference; the following fields are unique to this module:
Key | Returned | Description
---|---|---
build (string) | always | Build number of the FortiGate image. Sample: `1547`
http_method (string) | always | Last method used to provision the content into the FortiGate. Sample: `PUT`
http_status (string) | always | Last result given by the FortiGate on the last operation applied. Sample: `200`
mkey (string) | success | Master key (id) used in the last call to the FortiGate. Sample: `id`
name (string) | always | Name of the table used to fulfill the request. Sample: `urlfilter`
path (string) | always | Path of the table used to fulfill the request. Sample: `webfilter`
revision (string) | always | Internal revision number. Sample: `17.0.2.10658`
serial (string) | always | Serial number of the unit. Sample: `FGVMEVYYQT3AB5352`
status (string) | always | Indication of the operation's result. Sample: `success`
vdom (string) | always | Virtual domain used. Sample: `root`
version (string) | always | Version of the FortiGate. Sample: `v5.6.3`