pfsense_ipsec_aggregate
> PFSENSE_IPSEC_AGGREGATE (/home/fbor/ansible/lib/ansible/modules/network/pfsense/pfsense_ipsec_aggregate.py)
Manage multiple pfSense ipsec tunnels, phases 1, phases 2 and proposals
* This module is maintained by The Ansible Community
OPTIONS (= is mandatory):
- aggregated_ipsec_p2s
Dict of ipsec tunnels phase 2 options to apply on the target
[Default: (null)]
suboptions:
aes:
description: Set this option to enable AES encryption.
required: false
type: bool
aes128gcm:
description: Set this option to enable AES128-GCM encryption.
required: false
type: bool
aes128gcm_len:
choices:
- auto
- '64'
- '96'
- '128'
description: AES128-GCM encryption key length
required: false
type: str
aes192gcm:
description: Set this option to enable AES192-GCM encryption.
required: false
type: bool
aes192gcm_len:
choices:
- auto
- '64'
- '96'
- '128'
description: AES192-GCM encryption key length
required: false
type: str
aes256gcm:
description: Set this option to enable AES256-GCM encryption.
required: false
type: bool
aes256gcm_len:
choices:
- auto
- '64'
- '96'
- '128'
description: AES256-GCM encryption key length
required: false
type: str
aes_len:
choices:
- auto
- '128'
- '192'
- '256'
description: AES encryption key length
required: false
type: str
aesxcbc:
description: Set this option to enable AES-XCBC hashing.
required: false
type: bool
apply:
default: true
description: Apply VPN configuration on target pfSense
type: bool
blowfish:
description: Set this option to enable Blowfish encryption.
required: false
type: bool
blowfish_len:
choices:
- auto
- '128'
- '192'
- '256'
description: Blowfish encryption key length
required: false
type: str
cast128:
description: Set this option to enable CAST128 encryption.
required: false
type: bool
des:
description: Set this option to enable 3DES encryption.
required: false
type: bool
descr:
description: The description of the ipsec tunnel phase2
required: true
type: str
disabled:
description: Set this option to disable this phase2 without removing it from the
list.
required: false
type: bool
lifetime:
default: 3600
description: Specifies how often the connection must be rekeyed, in seconds
type: int
local:
description: Local network component of this IPsec security association.
required: false
type: str
md5:
description: Set this option to enable MD5 hashing.
required: false
type: bool
mode:
choices:
- tunnel
- tunnel6
- transport
- vti
description: Method for managing ipsec traffic
required: false
type: str
nat:
description: If NAT/BINAT is required on the local network specify the address
to be translated
required: false
type: str
p1_descr:
description: The description of the ipsec tunnel
required: true
type: str
pfsgroup:
choices:
- '0'
- '1'
- '2'
- '5'
- '14'
- '15'
- '16'
- '17'
- '18'
- '19'
- '20'
- '21'
- '22'
- '23'
- '24'
- '28'
- '29'
- '30'
default: '14'
description: PFS key group, 0 for off. DH groups 1, 2, 22, 23, and 24 provide
weak security and should be avoided.
type: str
pinghost:
description: Automatically ping host
required: false
type: str
protocol:
choices:
- esp
- ah
default: esp
description: Encapsulating Security Payload (ESP) is encryption, Authentication
Header (AH) is authentication only.
type: str
remote:
description: Remote network component of this IPsec security association.
required: false
type: str
sha1:
description: Set this option to enable SHA1 hashing.
required: false
type: bool
sha256:
description: Set this option to enable SHA256 hashing.
required: false
type: bool
sha384:
description: Set this option to enable SHA384 hashing.
required: false
type: bool
sha512:
description: Set this option to enable SHA512 hashing.
required: false
type: bool
state:
choices:
- present
- absent
default: present
description: State in which to leave the ipsec tunnel phase2
type: str
type: list
- aggregated_ipsec_proposals
Dict of ipsec proposals to apply on the target
[Default: (null)]
suboptions:
apply:
default: true
description: Apply VPN configuration on target pfSense
type: bool
descr:
default: null
description: The description of the ipsec tunnel on which to create/delete the
proposal.
type: str
dhgroup:
choices:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 28
- 29
- 30
description: DH group. DH groups 1, 2, 22, 23, and 24 provide weak security and
should be avoided.
required: true
type: int
encryption:
choices:
- aes
- aes128gcm
- aes192gcm
- aes256gcm
- blowfish
- 3des
- cast128
description: Encryption algorithm. aes128gcm, aes192gcm and aes256gcm can only
be used with IKEv2 tunnels. Blowfish, 3DES and CAST128 provide weak security
and should be avoided.
required: true
type: str
hash:
choices:
- md5
- sha1
- sha256
- sha384
- sha512
- aesxcbc
description: Hash algorithm. MD5 and SHA1 provide weak security and should be
avoided.
required: true
type: str
key_length:
choices:
- 64
- 96
- 128
- 192
- 256
description: Encryption key length
required: false
type: int
prf:
choices:
- md5
- sha1
- sha256
- sha384
- sha512
- aesxcbc
description: PRF algorithm. Manual PRF selection is not required, but can be useful
in combination with AEAD Encryption Algorithms such as AES-GCM
required: false
type: str
state:
choices:
- present
- absent
default: present
description: State in which to leave the ipsec proposal.
type: str
type: list
- aggregated_ipsecs
Dict of ipsec tunnels and phase 1 options to apply on the target
[Default: (null)]
suboptions:
apply:
default: true
description: Apply VPN configuration on target pfSense
type: bool
authentication_method:
choices:
- pre_shared_key
- rsasig
description: Authentication method. Must match the setting chosen on the remote
side.
type: str
certificate:
description: a certificate previously configured
required: false
type: str
certificate_authority:
description: a certificate authority previously configured
required: false
type: str
descr:
default: null
description: The description of the ipsec tunnel
required: true
type: str
disable_reauth:
default: false
description: (IKEv2 only) Whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
type: bool
disable_rekey:
description: Disables renegotiation when a connection is about to expire (deprecated
with pfSense 2.5.0)
required: false
type: bool
disabled:
description: Set this option to disable this phase1 without removing it from the
list.
required: false
type: bool
dpd_delay:
default: 10
description: Delay between requesting peer acknowledgement.
type: int
dpd_maxfail:
default: 5
description: Number of consecutive failures allowed before disconnect.
type: int
enable_dpd:
default: true
description: Enable dead peer detection
type: bool
gw_duplicates:
description: Allow multiple phase 1 configurations with the same endpoint
required: false
type: bool
iketype:
choices:
- ikev1
- ikev2
- auto
description: Internet Key Exchange protocol version to be used. Auto uses IKEv2
when initiator, and accepts either IKEv1 or IKEv2 as responder.
required: false
type: str
interface:
description: Interface for the local endpoint of this phase1 entry.
required: false
type: str
lifetime:
default: 28800
description: The lifetime defines how often the connection will be rekeyed, in
seconds.
type: int
margintime:
description: How long before connection expiry or keying-channel expiry should
attempts to negotiate a replacement begin (deprecated with pfSense 2.5.0)
required: false
type: int
mobike:
choices:
- 'on'
- 'off'
default: 'off'
description: (IKEv2 only) Set this option to control the use of MOBIKE
type: str
mode:
choices:
- main
- aggressive
description: Negotiation mode. Aggressive is more flexible, but less secure. Only
for IkeV1 or Auto.
type: str
myid_data:
description: Local identifier value.
required: false
type: str
myid_type:
choices:
- myaddress
- address
- fqdn
- user_fqdn
- asn1dn
- keyid tag
- dyn_dns
default: myaddress
description: Local identifier type.
type: str
nat_traversal:
choices:
- 'on'
- force
default: 'on'
description: Set this option to enable the use of NAT-T (i.e. the encapsulation
of ESP in UDP packets) if needed, which can help with clients that are behind
restrictive firewalls.
type: str
nattport:
description: UDP port for NAT-T on the remote gateway.
required: false
type: int
peerid_data:
description: Remote identifier value.
required: false
type: str
peerid_type:
choices:
- any
- peeraddress
- address
- fqdn
- user_fqdn
- asn1dn
- keyid tag
default: peeraddress
description: Remote identifier type.
type: str
preshared_key:
description: This key must match on both peers.
required: false
type: str
protocol:
choices:
- inet
- inet6
- both
default: inet
description: IP family
type: str
rand_time:
description: A random value up to this amount will be subtracted from Rekey Time/Reauth
Time to avoid simultaneous renegotiation.
required: false
type: int
reauth_time:
description: Time, in seconds, before an IKE SA is torn down and recreated from
scratch, including authentication.
required: false
type: int
rekey_time:
description: Time, in seconds, before an IKE SA establishes new keys.
required: false
type: int
remote_gateway:
description: Public IP address or host name of the remote gateway.
required: false
type: str
responderonly:
default: false
description: Enable this option to never initiate this connection from this side,
only respond to incoming requests.
type: bool
splitconn:
default: false
description: (IKEv2 only) Enable this to split connection entries with multiple
phase 2 configurations
type: bool
state:
choices:
- present
- absent
default: present
description: State in which to leave the ipsec tunnel
type: str
type: list
- apply
Apply VPN configuration on target pfSense
[Default: True]
type: bool
- purge_ipsec_p2s
delete all the phase 2 entries that are not defined in aggregated_ipsec_p2s
[Default: False]
type: bool
- purge_ipsec_proposals
delete all the phase 1 proposals that are not defined in aggregated_ipsec_proposals
[Default: False]
type: bool
- purge_ipsecs
delete all the ipsec tunnels that are not defined in aggregated_ipsecs
[Default: False]
type: bool
NOTES:
* aggregated_* use the same option definitions as the corresponding pfsense module
AUTHOR: Frederic Bor (@f-bor)
METADATA:
status:
- preview
supported_by: community
EXAMPLES:
- name: "Setup two tunnels with two proposals and two phase 2 each, and delete everything else"
pfsense_ipsec_aggregate:
purge_ipsecs: true
purge_ipsec_proposals: true
purge_ipsec_p2s: true
aggregated_ipsecs:
- { descr: t1, interface: wan, remote_gateway: 1.3.3.1, iketype: ikev2, authentication_method: pre_shared_key, preshared_key: azerty123 }
- { descr: t2, interface: wan, remote_gateway: 1.3.4.1, iketype: ikev2, authentication_method: pre_shared_key, preshared_key: qwerty123 }
aggregated_ipsec_proposals:
- { descr: t1, encryption: aes, key_length: 128, hash: md5, dhgroup: 14}
- { descr: t2, encryption: 3des, hash: sha512, dhgroup: 14}
aggregated_ipsec_p2s:
- { descr: t1_p2_1, p1_descr: t1, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.30.40/24, aes: True, aes_len: auto, sha256: True }
- { descr: t1_p2_2, p1_descr: t1, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.30.50/24, aes: True, aes_len: auto, sha256: True }
- { descr: t2_p2_1, p1_descr: t2, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.40.40/24, aes: True, aes_len: auto, sha256: True }
- { descr: t2_p2_2, p1_descr: t2, mode: tunnel, local: 1.2.3.4/24, remote: 10.20.40.50/24, aes: True, aes_len: auto, sha256: True }
RETURN VALUES:
result_ipsecs:
description: the set of commands that would be pushed to the remote device (if pfSense had a CLI)
returned: success
type: list
sample: ["create ipsec 'test_tunnel', iketype='ikev2', protocol='inet', interface='wan', remote_gateway='1.2.3.4', ...", "delete ipsec 'test_tunnel'"]
result_ipsec_proposals:
description: the set of commands that would be pushed to the remote device (if pfSense had a CLI)
returned: success
type: list
sample: [
"create ipsec_proposal on 'test_tunnel', encryption='aes128gcm', key_length=128, hash='sha256', dhgroup='14'",
"delete ipsec_proposal on 'test_tunnel', encryption='aes128gcm', key_length=128, hash='sha256', dhgroup='14'",
]
result_ipsec_p2s:
description: the set of commands that would be pushed to the remote device (if pfSense had a CLI)
returned: success
type: list
sample: ["create ipsec_p2 'test_p2' on 'test_tunnel', disabled='False', mode='vti', local='1.2.3.1', ...", "delete ipsec_p2 'test_p2' on 'test_tunnel'"]