route_vpn - Create a route based VPN

New in version 2.5.

Synopsis

• Create a route based VPN. Route VPN’s are typically created between a managed Stonesoft FW and a 3rd party device (AWS, Azure, etc). You must pre-create the internal FW prior to running this module. If doing an IPSEC wrapped VPN, you must also specify a tunnel interface for which to bind (must be pre-created) and specify an IP address/interface id to specify the ISAKMP listener.

Requirements (on host that executes module)

• smc-python

Options

parameter	required	default	choices	comments
enabled	no		yes no	Whether the VPN is enabled or disabled
local_gw	no			Represents the locally managed Stonesoft FW gateway. If the remote_gw is also a Stonesoft managed device, use the same parameters to define
	Dictionary object local_gw parameter required default choices comments tunnel_interface yes The ID for the tunnel interface interface_id yes The interface ID to enable IPSEC. If multiple IP addresses exist on the interface, IPSEC will be enabled on all. Use interface_ip as an alternative. name yes The name of the Stonesoft FW gateway address no An interface IP addresses to enable IPSEC. If there are multiple IP addresses on a single interface specified with interface_id and you want to bind to only that address
name	yes			The name for this route VPN.
remote_gw	no			The name of the remote GW. If the remote gateway is an Stonesoft FW, it must pre-exist. Use the local_gw documentation for settings. If it is an External Gateway, this module will create the gateway based on the gateway settings provided if it doesn't already exist. This documents an External Gateway configuration. See also the external_gateway module for additional external endpoint settings.
	Dictionary object remote_gw parameter required default choices comments preshared_key no If this is an External Gateway, you must provide a pre-shared key to be used between the gateways. If the gateway is another Stonesoft FW, a key will be auto-generated. external_endpoint yes The external endpoint gateways where the RBVPN will terminate. Any options that are supported by the smcpython ExternalEndpoint.create constructor are supported values for this definition type no Set to external_gateway if this is an external gateway element type vpn_site no Defines the VPN site for the protected networks on other end of external gateway name yes The name of the External Gateway. If the gateway does not exist, it will be created if you provide the address and networks parameters.
smc_address	no			FQDN with port of SMC. The default value is the environment variable SMC_ADDRESS
smc_alt_filepath	no			Provide an alternate path location to read the credentials from. File is expected to be stored in ~.smcrc. If provided, url and api_key settings are not required and will be ignored.
smc_api_key	no			API key for api client. The default value is the environment variable SMC_API_KEY Required if url
smc_api_version	no			Optional API version to connect to. If none is provided, the latest SMC version API will be used based on the Management Center version. Can be set though the environment variable SMC_API_VERSION
smc_domain	no			Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set throuh the environment variable SMC_DOMAIN
smc_extra_args	no			Extra arguments to pass to login constructor. These are generally only used if specifically requested by support personnel.
	Dictionary object smc_extra_args parameter required default choices comments verify no True yes no Is the connection to SMC is HTTPS, you can set this to True, or provide a path to a client certificate to verify the SMC SSL certificate. You can also explicitly set this to False.
smc_logging	no			Optionally enable SMC API logging to a file
	Dictionary object smc_logging parameter required default choices comments path yes Full path to the log file level no Log level as specified by the standard python logging library, in int format. Default setting is logging.DEBUG.
smc_timeout	no			Optional timeout for connections to the SMC. Can be set through environment SMC_TIMEOUT
state	no	present	present absent	Specify a create or delete operation
tags	no			Provide an optional category tag to the engine. If the category does not exist, it will be created
type	no	ipsec	ipsec gre	The type of IPSEC vpn to create

Examples

- name: Route VPN between internal engine and 3rd party external gateway
  register: result
  route_vpn:
    smc_logging:
      level: 10
      path: ansible-smc.log
    enabled: true
    local_gw:
        address: 50.50.50.1
        name: newcluster
        tunnel_interface: '1001'
    name: myrbvpn
    remote_gw:
        external_endpoint:
        -   address: 33.33.33.41
            enabled: true
            name: extgw3 (33.33.33.41)
        -   address: 34.34.34.34
            enabled: true
            name: endpoint2 (34.34.34.34)
        -   address: 44.44.44.44
            enabled: false
            name: extgw4 (44.44.44.44)
        -   address: 33.33.33.50
            enabled: false
            name: endpoint1 (33.33.33.50)
        name: extgw3
        preshared_key: '********'
        type: external_gateway
        vpn_site:
            name: extgw3-site
            network:
            - network-172.18.15.0/24
            - network-172.18.1.0/24
            - network-172.18.2.0/24

- name: Create a new Route VPN with internal gateways
  route_vpn:
    smc_logging:
      level: 10
      path: ansible-smc.log
    name: myrbvpn
    type: ipsec
    local_gw:
      name: newcluster
      tunnel_interface: 1001
      interface_id: 1
      #address: 2.2.2.2
    remote_gw:
      name: myfw
      tunnel_interface: 1000
      interface_id: 0
  tags:
    - footag

Return Values

Common return values are documented Return Values, the following are the fields unique to this module:

name	description	returned	type	sample
state	The current state of the element		dict
changed	Whether or not the change succeeded	always	bool

Notes

Note

• Login credential information is either obtained by providing them directly to the task/play, specifying an alt_filepath to read the credentials from to the play, or from environment variables (in that order). See http://smc-python.readthedocs.io/en/latest/pages/session.html for more information.

Author

• David LePage (@gabstopper)

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.