sophos.sophos_firewall.sfos_ipsec_connection module – Manage IPSec Connection (Configure > Site-to-site VPN > IPSec)

Note

This module is part of the sophos.sophos_firewall collection (version 2.5.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install sophos.sophos_firewall. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: sophos.sophos_firewall.sfos_ipsec_connection.

New in sophos.sophos_firewall 1.5.0

Synopsis

• Manage IPSec Connection (Configure > Site-to-site VPN > IPSec) on Sophos Firewall

Requirements

The below requirements are needed on the host that executes this module.

• sophosfirewall-python

• Beginning in version 2.0.0, this module requires use of an httpapi connection plugin. See the HTTPAPI example for details.

Parameters

Parameter	Comments
active boolean	Activate the connection (only available after creation) Choices: false true
allow_nat_traversal string	Enable or Disable NAT traversal Choices: "Enable" "Disable"
as_client_password string	Password for user authentication in AsClient authentication mode
as_client_username string	Username for user authentication in AsClient authentication mode
as_server_user string	User for user authentication in AsServer authentication mode
authentication_type string	Authentication type based on the Connection type Choices: "PresharedKey" "DigitalCertificate" "RSAKey"
connection boolean	Establish a connection (only available after creation) Choices: false true
connection_type string	Type of VPN connection Choices: "RemoteAccess" "SiteToSite" "HostToHost" "TunnelInterface"
description string	VPN Connection description
disconnect_on_idle_interval string	Disconnect on idle interval in seconds
gateway_address string	Remote host
gateway_type string	Action to be taken when VPN Services restarts Choices: "Disable" "RespondOnly" ← (default) "Initiate"
ip_version string	IP address family of local and remote subnets Choices: "IPv4" ← (default) "IPv6"
listening_interface string	A WAN interface on the local firewall
local_certificate string	Name of local certificate to be used when authentication_type=DigitalCertificate
local_id string	Local ID
local_id_type string	Local ID type Choices: "DNS" "IP Address" "Email" "DER ASN1 DN (X.509)"
local_port string	Local port
local_subnet list / elements=string	Local subnet
name string / required	VPN Connection name
nat_lan string	Host for NAT (Hide) mode
preshared_key string	Preshared key
profile string	IPSec Profile to be used for connection Choices: "Default Profile" "Microsof Azure (IKEv2)" "IKEv2" "DefaultRemoteAccess" "DefaultL2TP" "DefaultHeadOffice" "DefaultBranchOffice" "Branch Office (IKEv2)" "Head office (IKEv2)"
protocol string	Protocol Choices: "ALL" "UDP" "TCP" "ICMP"
remote_certificate string	Name of remote certificate to be used when authentication_type=DigitalCertificate
remote_id string	Remote ID to be used with RemoteAccess or HostToHost connection type
remote_id_type string	Remote ID type to be used with RemoteAccess or HostToHost connection type Choices: "DNS" "IP Address" "Email" "DER ASN1 DN (X.509)"
remote_port string	Remote port
remote_rsa_key string	RSA key of remote peer
remote_subnet list / elements=string	Remote network for RemoteAccess or HostToHost connection type
state string / required	Use query to retrieve or updated to modify Choices: "present" "updated" "query"
user_authentication_mode string	User authentication mode for RemoteAccess or HostToHost connection type Choices: "Disable" "AsServer" "AsClient"

Examples

- name: Create IPSec Connection Site-to-Site
  sophos.sophos_firewall.sfos_ipsec_connection:
    name: Test_IPSec_Connection_S2S
    description: Testing IPSec Connection from Ansible
    connection_type: SiteToSite
    gateway_type: RespondOnly
    profile: IKEv2
    authentication_type: PresharedKey
    preshared_key: testkey1234567890!
    listening_interface: PortB
    gateway_address: 10.100.100.10
    local_id_type: DNS
    local_id: portB.example.vpn.sophos.com
    local_subnet:
        - TESTVPNSUB1
    remote_subnet:
        - TESTVPNSUB2
    state: present

- name: Create IPSec Connection with Tunnel Interface
  sophos.sophos_firewall.sfos_ipsec_connection:
    name: Test_IPSec_Connection_Tunnel
    description: Testing IPSec Connection from Ansible
    connection_type: TunnelInterface
    gateway_type: RespondOnly
    profile: DefaultBranchOffice
    authentication_type: RSAKey
    remote_rsa_key: testkey
    listening_interface: PortB
    gateway_address: 10.10.10.1
    local_id_type: DNS
    local_id: portB.example.vpn.sophos.com
    remote_id_type: IP Address
    remote_id: 2.2.2.2
    state: present
  tags: tunnel

- name: Query IPSec Connection
  sophos.sophos_firewall.sfos_ipsec_connection:
    name: Test IPSec Connection
    state: query

- name: Activate IPSec Connection
  sophos.sophos_firewall.sfos_ipsec_connection:
    enabled: true
    name: Test IPSec Connection
    active: true
    state: updated

- name: Remove IPSec Connection
  sophos.sophos_firewall.sfos_ipsec_connection:
    enabled: true
    name: snmpv3user
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
api_response dictionary	Serialized object containing the API response. Returned: always

Authors

• Matt Mullen (@mamullen13316)

Collection links

• Issue Tracker
• Repository (Sources)

Warning

If the firewall is a member of a group in Central, the changes made by Ansible will override the settings of the group. The actual configuration on the firewall may then differ from what is displayed for the same setting in the Central group.