pfsense_ipsec_p2
Orion Poplawski edited this page Jan 13, 2023
Manage pfSense IPsec tunnels phase 2 options
ADDED IN: version 0.1.0 of pfsensible.core
OPTIONS (= is mandatory):
- aes
Set this option to enable AES (CBC mode) encryption.
default: null
type: bool
- aes128gcm
Set this option to enable AES128-GCM encryption. GCM is an AEAD mode:
it authenticates as well as encrypts, so no separate hash option is
needed for it.
default: null
type: bool
- aes128gcm_len
AES128-GCM ICV (authentication tag) length in bits. Despite the option
name this is not the cipher key length, which is always 128 bits for
AES128-GCM; the value corresponds to strongSwan's aes128gcm64/96/128
naming. Prefer '128' unless the peer requires a shorter tag.
choices: [auto, '64', '96', '128']
default: null
type: str
- aes192gcm
Set this option to enable AES192-GCM encryption (AEAD; no separate
hash option is needed).
default: null
type: bool
- aes192gcm_len
AES192-GCM ICV (authentication tag) length in bits; the key itself is
always 192 bits. See aes128gcm_len.
choices: [auto, '64', '96', '128']
default: null
type: str
- aes256gcm
Set this option to enable AES256-GCM encryption (AEAD; no separate
hash option is needed).
default: null
type: bool
- aes256gcm_len
AES256-GCM ICV (authentication tag) length in bits; the key itself is
always 256 bits. See aes128gcm_len.
choices: [auto, '64', '96', '128']
default: null
type: str
- aes_len
AES encryption key length
choices: [auto, '128', '192', '256']
default: null
type: str
- aesxcbc
Set this option to enable AES-XCBC hashing.
default: null
type: bool
- apply
Apply VPN configuration on target pfSense
default: true
type: bool
- blowfish
Set this option to enable Blowfish encryption. Blowfish is a legacy
cipher; prefer AES or AES-GCM for new tunnels.
default: null
type: bool
- blowfish_len
Blowfish encryption key length
choices: [auto, '128', '192', '256']
default: null
type: str
- cast128
Set this option to enable CAST128 encryption (legacy; prefer AES or
AES-GCM).
default: null
type: bool
- des
Set this option to enable 3DES encryption. The option is named des but
enables triple DES; it is a legacy cipher and should only be used when
the peer supports nothing stronger.
default: null
type: bool
= descr
The description of the IPsec tunnel phase2
type: str
- disabled
Set this option to disable this phase2 without removing it
from the list.
default: false
type: bool
- lifetime
Specifies how often the connection must be rekeyed, in seconds
default: 3600
type: int
- local
Local network component of this IPsec security association: a local
network in tunnel mode, or the local tunnel endpoint address in vti
mode (as in the example below).
default: null
type: str
- md5
Set this option to enable MD5 hashing. MD5 is considered weak; prefer
SHA256 or stronger.
default: null
type: bool
- mode
Method for managing IPsec traffic
choices: [tunnel, tunnel6, transport, vti]
default: null
type: str
- nat
If NAT/BINAT is required on the local network, specify the address or
network that the local network is translated to before it enters the
tunnel.
default: null
type: str
= p1_descr
The description of the phase 1 (IPsec tunnel) this phase 2 belongs to.
Together with descr it identifies the phase 2 entry to manage.
type: str
- pfsgroup
PFS key group, 0 for off. DH groups 1, 2, 22, 23, and 24
provide weak security and should be avoided.
choices: ['0', '1', '2', '5', '14', '15', '16', '17', '18', '19', '20', '21', '22', '23', '24',
'28', '29', '30']
default: '14'
type: str
- pinghost
Address of a host on the remote network to ping automatically, which
keeps the security association established.
default: null
type: str
- protocol
Encapsulating Security Payload (ESP) is encryption,
Authentication Header (AH) is authentication only.
choices: [esp, ah]
default: esp
type: str
- remote
Remote network component of this IPsec security association: the
remote network in tunnel mode, or the remote tunnel endpoint address
in vti mode.
default: null
type: str
- sha1
Set this option to enable SHA1 hashing.
default: null
type: bool
- sha256
Set this option to enable SHA256 hashing.
default: null
type: bool
- sha384
Set this option to enable SHA384 hashing.
default: null
type: bool
- sha512
Set this option to enable SHA512 hashing.
default: null
type: bool
- state
State in which to leave the IPsec tunnel phase2
choices: [present, absent]
default: present
type: str
AUTHOR: Frederic Bor (@f-bor)
METADATA:
metadata_version: '1.1'
status:
- preview
supported_by: community
EXAMPLES:
- name: Add simple phase2
pfsense_ipsec_p2:
p1_descr: test_tunnel
descr: test_p2
state: present
apply: False
mode: vti
local: 1.2.3.1
remote: 1.2.3.2
aes: True
aes_len: auto
sha256: True
- name: Remove phase2
pfsense_ipsec_p2:
state: absent
p1_descr: test_tunnel
descr: test_p2
apply: False
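The following playbook is an added example and is not part of the pfsensible.core documentation or code. It shows a hardened tunnel-mode phase 2 that uses an AEAD cipher, a strong PFS group, BINAT and a keep-alive ping host, followed by removal of a legacy entry that carries the final apply. The host name fw1, the phase 1 description site_b, the networks, the BINAT network and the ping target are assumed values chosen for illustration.

```yaml
# Added example (not pfsensible.core's own code). Assumes a phase 1
# described as "site_b" already exists on the pfSense host "fw1".
- name: Configure IPsec phase 2 entries on the firewall
  hosts: fw1
  gather_facts: false
  tasks:
    - name: Tunnel-mode phase 2 with AEAD cipher and strong PFS group
      pfsense_ipsec_p2:
        p1_descr: site_b
        descr: site_b_lan
        mode: tunnel
        local: 192.168.10.0/24
        # Assumed BINAT network: the local LAN is presented to the peer
        # as 10.250.10.0/24 to avoid an address overlap with the remote side.
        nat: 10.250.10.0/24
        remote: 192.168.20.0/24
        protocol: esp
        # AES256-GCM is an AEAD cipher: it authenticates as well as
        # encrypts, so no sha*/md5/aesxcbc option is set for this entry.
        aes256gcm: true
        aes256gcm_len: '128'
        # Group 19 (NIST P-256 ECDH); group 14 (2048-bit MODP) is also
        # acceptable. Groups 1, 2 and 22-24 are the ones the docs say to avoid.
        pfsgroup: '19'
        lifetime: 3600
        # Assumed host on the remote LAN, pinged to keep the SA up.
        pinghost: 192.168.20.1
        state: present
        # Defer applying so several entries are pushed in one reload.
        apply: false

    - name: Retire a legacy phase 2 that used 3DES/MD5
      pfsense_ipsec_p2:
        p1_descr: site_b
        descr: site_b_legacy
        state: absent
        # Last task in the batch: apply the whole set of changes at once.
        apply: true
```

Setting apply to false on every task but the last keeps pfSense from reloading the IPsec configuration after each change; the final task applies all of them together.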
RETURN VALUES:
- commands
the set of commands that would be pushed to the remote device
(if pfSense had a CLI)
returned: always
sample:
- "create ipsec_p2 'test_p2' on 'test_tunnel', disabled='False', mode='vti', local='1.2.3.1', ..."
- "delete ipsec_p2 'test_p2' on 'test_tunnel'"
type: list