
pfsense_ipsec

Orion Poplawski edited this page Jan 1, 2024 · 5 revisions

pfsensible.core.pfsense_ipsec


        Manage pfSense IPsec tunnels and phase 1 options

ADDED IN: version 0.1.0 of pfsensible.core

OPTIONS (= is mandatory):

- apply
        Apply VPN configuration on target pfSense
        default: true
        type: bool

- authentication_method
        Authentication method. Must match the setting chosen on the
        remote side.
        choices: [pre_shared_key, rsasig]
        default: null
        type: str

- certificate
        A certificate previously configured on the pfSense host.
        default: null
        type: str

- certificate_authority
        A certificate authority previously configured on the pfSense host.
        default: null
        type: str

- closeaction
        Set this option to control the behavior when the remote peer
        unexpectedly closes a child SA (P2).  New in pfSense 2.5.2.
        choices: ['', none, start, trap]
        default: ''
        type: str
        added in: version 0.5.2 of pfsensible.core


= descr
        The description of the IPsec tunnel
        default: null
        type: str

- disable_reauth
        (IKEv2 only) Whether rekeying of an IKE_SA should also
        reauthenticate the peer. In IKEv1, reauthentication is always
        done.
        default: false
        type: bool

- disable_rekey
        Disables renegotiation when a connection is about to expire
        (deprecated with pfSense 2.5.0)
        default: null
        type: bool

- disabled
        Set this option to disable this phase1 without removing it
        from the list.
        default: null
        type: bool

- dpd_delay
        Delay between requesting peer acknowledgement.
        default: 10
        type: int

- dpd_maxfail
        Number of consecutive failures allowed before disconnect.
        default: 5
        type: int

- enable_dpd
        Enable dead peer detection
        default: true
        type: bool

- gw_duplicates
        Allow multiple phase 1 configurations with the same endpoint
        default: null
        type: bool

- iketype
        Internet Key Exchange protocol version to be used. Auto uses
        IKEv2 when initiator, and accepts either IKEv1 or IKEv2 as
        responder.
        choices: [ikev1, ikev2, auto]
        default: null
        type: str

- interface
        Interface for the local endpoint of this phase1 entry.  Can be
        a virtual IP name or address prefixed with "vip:".
        default: null
        type: str

- lifetime
        The lifetime defines how often the connection will be rekeyed,
        in seconds.
        default: 28800
        type: int

- margintime
        How long before connection expiry or keying-channel expiry
        attempts to negotiate a replacement should begin (deprecated
        with pfSense 2.5.0)
        default: null
        type: int

- mobike
        (IKEv2 only) Set this option to control the use of MOBIKE
        choices: ['on', 'off']
        default: 'off'
        type: str

- mode
        Negotiation mode. Aggressive is more flexible, but less
        secure. Only for IKEv1 or auto.
        choices: [main, aggressive]
        default: null
        type: str

- myid_data
        Local identifier value.
        default: null
        type: str

- myid_type
        Local identifier type.
        choices: [myaddress, address, fqdn, user_fqdn, asn1dn, keyid tag, dyn_dns]
        default: myaddress
        type: str

- nat_traversal
        Set this option to enable the use of NAT-T (i.e. the
        encapsulation of ESP in UDP packets) if needed, which can help
        with clients that are behind restrictive firewalls.
        choices: ['on', force]
        default: 'on'
        type: str

- nattport
        UDP port for NAT-T on the remote gateway.
        default: null
        type: int

- peerid_data
        Remote identifier value.
        default: null
        type: str

- peerid_type
        Remote identifier type.
        choices: [any, peeraddress, address, fqdn, user_fqdn, asn1dn, keyid tag]
        default: peeraddress
        type: str

- preshared_key
        This key must match on both peers.
        default: null
        type: str

- protocol
        IP family
        choices: [inet, inet6, both]
        default: inet
        type: str

- rand_time
        A random value up to this amount will be subtracted from Rekey
        Time/Reauth Time to avoid simultaneous renegotiation.
        default: null
        type: int

- reauth_time
        Time, in seconds, before an IKE SA is torn down and recreated
        from scratch, including authentication.
        default: null
        type: int

- rekey_time
        Time, in seconds, before an IKE SA establishes new keys.
        default: null
        type: int

- remote_gateway
        Public IP address or host name of the remote gateway.
        default: null
        type: str

- responderonly
        Enable this option to never initiate this connection from this
        side, only respond to incoming requests.  Removed in pfSense
        2.5.2.
        default: null
        type: bool

- splitconn
        (IKEv2 only) Enable this to split connection entries with
        multiple phase 2 configurations
        default: false
        type: bool

- startaction
        Set this option to force specific initiation/responder
        behavior for child SA (P2) entries.  New in pfSense 2.5.2.
        choices: ['', none, start, trap]
        default: ''
        type: str
        added in: version 0.5.2 of pfsensible.core


- state
        State in which to leave the IPsec tunnel
        choices: [present, absent]
        default: present
        type: str


AUTHOR: Frederic Bor (@f-bor)

METADATA:
  metadata_version: '1.1'
  status:
  - preview
  supported_by: community

EXAMPLES:

- name: Add simple tunnel
  pfsense_ipsec:
    state: present
    descr: test_tunnel
    interface: wan
    remote_gateway: 1.2.3.4
    iketype: ikev2
    authentication_method: pre_shared_key
    preshared_key: azerty123

- name: Remove tunnel
  pfsense_ipsec:
    state: absent
    descr: test_tunnel


RETURN VALUES:
- commands
        the set of commands that would be pushed to the remote device
        (if pfSense had a CLI)
        returned: always
        sample: ["create ipsec 'test_tunnel', iketype='ikev2', protocol='inet', interface='wan',
            remote_gateway='1.2.3.4', ...", "delete ipsec 'test_tunnel'"]
        type: list