route_vpn - Create a route-based VPN

Synopsis

  • Create a route-based VPN. Route-based VPNs are typically created between a managed Forcepoint NGFW Engine and a third-party device, such as AWS or Azure. You must create the firewall before running this module. If you are configuring a route-based VPN tunnel of the VPN tunnel type, you must also specify an existing tunnel interface to bind to, and an IP address or interface ID that identifies the ISAKMP listener.

Requirements (on host that executes module)

  • smc-python

Options

  • enabled (required: no; choices: yes, no)
    Whether the VPN is enabled or disabled.

  • local_gw (required: no)
    Represents the locally managed Forcepoint NGFW Engine. If the remote_gw is also a managed device, use the same parameters to define it.
    Dictionary object local_gw:
      • tunnel_interface (required: yes)
        The ID of the tunnel interface.
      • interface_id (required: yes)
        The interface ID on which to enable IPSec. If multiple IP addresses exist on the interface, IPSec is enabled on all of them. Use interface_ip as an alternative.
      • name (required: yes)
        The name of the Forcepoint NGFW Engine.
      • address (required: no)
        An interface IP address on which to enable IPSec. Use this parameter if there are multiple IP addresses on a single interface specified with interface_id and you want to bind to only that address.

  • name (required: yes)
    The name for this route-based VPN.

  • remote_gw (required: no)
    The name of the remote gateway. If the remote gateway is a Forcepoint NGFW Engine, it must already exist; see the local_gw documentation for its settings. If the remote gateway is an external VPN gateway, this module creates the gateway from the gateway settings provided if it does not already exist. The settings below document an external VPN gateway configuration. See also the external_gateway module for additional external endpoint settings.
    Dictionary object remote_gw:
      • preshared_key (required: no)
        A pre-shared key to be used between the gateways.
      • external_endpoint (required: yes)
        The external endpoint where the route-based VPN will terminate. Any options supported by the smc-python ExternalEndpoint.create constructor are supported values for this definition.
      • type (required: no)
        Set to external_gateway if this is an external VPN gateway element.
      • vpn_site (required: no)
        Defines the VPN site for the protected networks on the other end of the external VPN gateway.
      • name (required: yes)
        The name of the external VPN gateway. If the external VPN gateway element does not exist, it will be created if you provide the address and networks parameters.

  • smc_address (required: no)
    FQDN with port of the SMC. The default value is the environment variable SMC_ADDRESS.

  • smc_alt_filepath (required: no)
    Provide an alternate path from which to read the credentials. The file is expected to be stored in ~.smcrc. If provided, the url and api_key settings are not required and will be ignored.

  • smc_api_key (required: no)
    API key for the API client. The default value is the environment variable SMC_API_KEY. Required if url

  • smc_api_version (required: no)
    Optional API version to connect to. If none is provided, the latest LTS SMC API version is used, based on the Management Center version. Can be set through the environment variable SMC_API_VERSION.

  • smc_domain (required: no)
    Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable SMC_DOMAIN.

  • smc_extra_args (required: no)
    Extra arguments to pass to the login constructor. These are generally only used if specifically requested by support personnel.
    Dictionary object smc_extra_args:
      • verify (required: no; default: True; choices: yes, no)
        If the connection to the SMC is HTTPS, you can set this to True, or provide a path to a client certificate to verify the SMC SSL certificate. You can also explicitly set this to False.

  • smc_logging (required: no)
    Optionally enable SMC API logging to a file.
    Dictionary object smc_logging:
      • path (required: yes)
        Full path to the log file.
      • level (required: no)
        Log level as specified by the standard Python logging library, as an integer. The default is logging.DEBUG.

  • smc_timeout (required: no)
    Optional timeout for connections to the SMC. Can be set through the environment variable SMC_TIMEOUT.

  • state (required: no; default: present; choices: present, absent)
    Specify a create or delete operation.

  • tags (required: no)
    Provide an optional category tag to the engine. If the category does not exist, it will be created.

  • type (required: no; default: ipsec; choices: ipsec, gre)
    The type of route-based VPN tunnel to create.


Examples

- name: Route VPN between internal engine and 3rd party external gateway
  register: result
  route_vpn:
    smc_logging:
      level: 10
      path: ansible-smc.log
    enabled: true
    local_gw:
      address: 50.50.50.1
      name: newcluster
      tunnel_interface: '1001'
    name: myrbvpn
    remote_gw:
      external_endpoint:
        - address: 33.33.33.41
          enabled: true
          name: extgw3 (33.33.33.41)
          connection_type: 'Active 1'
        - address: 34.34.34.34
          enabled: true
          name: endpoint2 (34.34.34.34)
          connection_type: 'Active 1'
        - address: 44.44.44.44
          enabled: false
          name: extgw4 (44.44.44.44)
          connection_type: 'Active 1'
        - address: 33.33.33.50
          enabled: false
          name: endpoint1 (33.33.33.50)
          connection_type: 'Active 1'
      name: extgw3
      preshared_key: '********'
      type: external_gateway
      vpn_site:
        name: extgw3-site
        network:
          - network-172.18.15.0/24
          - network-172.18.1.0/24
          - network-172.18.2.0/24

- name: Create a new Route VPN with internal gateways
  route_vpn:
    smc_logging:
      level: 10
      path: ansible-smc.log
    name: myrbvpn
    type: ipsec
    local_gw:
      name: newcluster
      tunnel_interface: 1001
      interface_id: 1
      #address: 2.2.2.2
    remote_gw:
      name: myfw
      tunnel_interface: 1000
      interface_id: 0
  tags:
    - footag
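
The options above state several constraints a task must satisfy (a name, a bound tunnel interface, an interface ID or address for the ISAKMP listener, and at least one external endpoint for a third-party gateway). The following Python is an added pre-flight check, not part of the route_vpn module or of smc-python, that validates a task's parameter dictionary against those constraints before the playbook touches the SMC; the placeholder-key heuristic and the sample task are constructed for the example.

```python
# Added example, not part of the route_vpn module or smc-python: validate a route_vpn
# task's parameters against the requirements in the options table before running it.
def check_managed_gw(gw, label, is_ipsec):
    """Checks a managed NGFW gateway (local_gw, or a remote_gw that is also managed)."""
    problems = []
    if "name" not in gw:
        problems.append(f"{label}.name is required")
    if "tunnel_interface" not in gw:
        problems.append(f"{label}.tunnel_interface is required (it binds the tunnel)")
    # ISAKMP (IKE) applies to ipsec only; its listener is a whole interface or one address.
    if is_ipsec and "interface_id" not in gw and "address" not in gw:
        problems.append(f"{label}: set interface_id or address for the ISAKMP listener")
    return problems

def check_external_gw(gw):
    """Checks a remote_gw of type external_gateway (a third-party device)."""
    problems = []
    if "name" not in gw:
        problems.append("remote_gw.name is required")
    endpoints = gw.get("external_endpoint") or []
    if not endpoints:
        problems.append("remote_gw.external_endpoint is required for an external gateway")
    elif not any(ep.get("enabled") for ep in endpoints):
        problems.append("remote_gw.external_endpoint: no endpoint is enabled")
    for ep in endpoints:
        if "address" not in ep:
            problems.append(f"external_endpoint {ep.get('name', '?')} has no address")
    key = gw.get("preshared_key")
    # Constructed heuristic: one repeated character is a doc placeholder like '********'.
    if key is not None and len(set(str(key))) <= 1:
        problems.append("remote_gw.preshared_key looks like a placeholder, not a real key")
    return problems

def check_route_vpn(params):
    """Returns the problems found; an empty list means the task is consistent."""
    problems = [] if "name" in params else ["name is required"]
    is_ipsec = params.get("type", "ipsec") == "ipsec"
    if "local_gw" in params:
        problems += check_managed_gw(params["local_gw"], "local_gw", is_ipsec)
    remote = params.get("remote_gw") or {}
    if remote.get("type") == "external_gateway":
        problems += check_external_gw(remote)
    elif remote:
        problems += check_managed_gw(remote, "remote_gw", is_ipsec)
    return problems

# Constructed sample task (not from the page): an ipsec tunnel to a third-party gateway.
SAMPLE_TASK = {"name": "myrbvpn", "local_gw": {"name": "newcluster", "tunnel_interface": "1001"},
               "remote_gw": {"name": "extgw3", "type": "external_gateway", "preshared_key": "********",
                             "external_endpoint": [{"name": "ep1", "address": "33.33.33.41", "enabled": False}]}}
```

Running `check_route_vpn(SAMPLE_TASK)` reports the missing ISAKMP listener, the lack of any enabled endpoint and the placeholder key; the second playbook example above, with interface_id set on both gateways, passes cleanly.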

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

  • state (type: dict)
    The current state of the element.

  • changed (returned: always; type: bool)
    Whether or not the change succeeded.


Author

  • Forcepoint

Status

This module is flagged as preview, which means that it is not guaranteed to have a backwards-compatible interface.