a10_vpn

Synopsis

VPN Commands

Parameters

Parameters

Choices/Defaults

Comment

state

str/required

[‘noop’, ‘present’, ‘absent’]

State of the object to be created.

ansible_host

str/required

Host for AXAPI authentication

ansible_username

str/required

Username for AXAPI authentication

ansible_password

str/required

Password for AXAPI authentication

ansible_port

int/required

Port for AXAPI authentication

a10_device_context_id

int

[‘1-8’]

Device ID for aVCS configuration

a10_partition

str

Destination/target partition for object/command

asymmetric_flow_support

bool

Support asymmetric flows pass through IPsec tunnel

stateful_mode

bool

VPN module will work in stateful mode and create sessions

fragment_after_encap

bool

Fragment after adding IPsec headers

nat_traversal_flow_affinity

bool

Choose IPsec UDP source port based on port of inner flow (only for A10 to A10)

tcp_mss_adjust_disable

bool

Disable TCP MSS adjustment in SYN packet

jumbo_fragment

bool

Support IKE jumbo fragment packet

ike_sa_timeout

int

Timeout IKE-SA in connecting state in seconds (default 600s)

ike_acc_enable

bool

Enable IKE Acceleration by Cavium Nitrox card

ike_logging_enable

bool

Enable IKE negotiation logging

ipsec_error_dump

bool

Support record the error ipsec cavium information in dump file

ipsec_mgmt_default_policy_drop

bool

Drop MGMT traffic that is not match ipsec tunnel, share partition only

extended_matching

bool

Enable session extended matching for packet comes from IPsec tunnel

enable_vpn_metrics

bool

Enable exporting vpn statstics to Harmony

ipsec_cipher_check

bool

Enable cipher check, IPsec SA cipher must weaker than IKE gateway cipher, and DES/3DES/MD5/null will not work.

signature_authentication

bool

Enable use of different hash algorithms for signature authentication in IKEv2

uuid

str

uuid of the object

sampling_enable

list

Field sampling_enable

counters1

str

‘all’= all; ‘passthrough’= passthrough; ‘ha-standby-drop’= ha-standby-drop;

error

dict

Field error

uuid

str

uuid of the object

errordump

dict

Field errordump

uuid

str

uuid of the object

default

dict

Field default

uuid

str

uuid of the object

log

dict

Field log

uuid

str

uuid of the object

ike_stats_global

dict

Field ike_stats_global

uuid

str

uuid of the object

sampling_enable

list

Field sampling_enable

ike_gateway_list

list

Field ike_gateway_list

name

str

IKE-gateway name

ike_version

str

‘v1’= IKEv1 key exchange; ‘v2’= IKEv2 key exchange;

mode

str

‘main’= Negotiate Main mode (Default); ‘aggressive’= Negotiate Aggressive mode;

auth_method

str

‘preshare-key’= Authenticate the remote gateway using a pre-shared key (Default); ‘rsa-signature’= Authenticate the remote gateway using an RSA certificate; ‘ecdsa-signature’= Authenticate the remote gateway using an ECDSA certificate; ‘eap-radius’= Authenticate the remote gateway using an EAP Radius server; ‘eap-tls’= Authenticate the remote gateway using EAP TLS;

preshare_key_value

str

pre-shared key

preshare_key_encrypted

str

Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED pre-shared key string)

hash

str

‘sha256’= Secure Hash Algorithm 256; ‘sha384’= Secure Hash Algorithm 384; ‘sha512’= Secure Hash Algorithm 512;

interface_management

bool

only handle traffic on management interface, share partition only

key

str

Private Key

key_passphrase

str

Private Key Pass Phrase

key_passphrase_encrypted

str

Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED key string)

vrid

dict

Field vrid

local_cert

dict

Field local_cert

remote_ca_cert

dict

Field remote_ca_cert

local_id

str

Local Gateway Identity

remote_id

str

Remote Gateway Identity

enc_cfg

list

Field enc_cfg

dh_group

str

‘1’= Diffie-Hellman group 1 - 768-bit(Default); ‘2’= Diffie-Hellman group 2 - 1024-bit; ‘5’= Diffie-Hellman group 5 - 1536-bit; ‘14’= Diffie-Hellman group 14 - 2048-bit; ‘15’= Diffie-Hellman group 15 - 3072-bit; ‘16’= Diffie-Hellman group 16 - 4096-bit; ‘18’= Diffie-Hellman group 18 - 8192-bit; ‘19’= Diffie- Hellman group 19 - 256-bit Elliptic Curve; ‘20’= Diffie-Hellman group 20 - 384-bit Elliptic Curve;

local_address

dict

Field local_address

remote_address

dict

Field remote_address

lifetime

int

IKE SA age in seconds

fragment_size

int

Enable IKE message fragment and set fragment size

nat_traversal

bool

Field nat_traversal

dpd

dict

Field dpd

disable_rekey

bool

Disable initiating rekey

configuration_payload

str

‘dhcp’= Enable DHCP configuration-payload; ‘radius’= Enable RADIUS configuration-payload;

dhcp_server

dict

Field dhcp_server

radius_server

dict

Field radius_server

uuid

str

uuid of the object

user_tag

str

Customized tag

sampling_enable

list

Field sampling_enable

ipsec_list

list

Field ipsec_list

name

str

IPsec name

mode

str

‘tunnel’= Encapsulating the packet in IPsec tunnel mode (Default);

dscp

str

‘default’= Default dscp (000000); ‘af11’= AF11 (001010); ‘af12’= AF12 (001100); ‘af13’= AF13 (001110); ‘af21’= AF21 (010010); ‘af22’= AF22 (010100); ‘af23’= AF23 (010110); ‘af31’= AF31 (011010); ‘af32’= AF32 (011100); ‘af33’= AF33 (011110); ‘af41’= AF41 (100010); ‘af42’= AF42 (100100); ‘af43’= AF43 (100110); ‘cs1’= CS1 (001000); ‘cs2’= CS2 (010000); ‘cs3’= CS3 (011000); ‘cs4’= CS4 (100000); ‘cs5’= CS5 (101000); ‘cs6’= CS6 (110000); ‘cs7’= CS7 (111000); ‘ef’= EF (101110); ‘0’= 000000; ‘1’= 000001; ‘2’= 000010; ‘3’= 000011; ‘4’= 000100; ‘5’= 000101; ‘6’= 000110; ‘7’= 000111; ‘8’= 001000; ‘9’= 001001; ‘10’= 001010; ‘11’= 001011; ‘12’= 001100; ‘13’= 001101; ‘14’= 001110; ‘15’= 001111; ‘16’= 010000; ‘17’= 010001; ‘18’= 010010; ‘19’= 010011; ‘20’= 010100; ‘21’= 010101; ‘22’= 010110; ‘23’= 010111; ‘24’= 011000; ‘25’= 011001; ‘26’= 011010; ‘27’= 011011; ‘28’= 011100; ‘29’= 011101; ‘30’= 011110; ‘31’= 011111; ‘32’= 100000; ‘33’= 100001; ‘34’= 100010; ‘35’= 100011; ‘36’= 100100; ‘37’= 100101; ‘38’= 100110; ‘39’= 100111; ‘40’= 101000; ‘41’= 101001; ‘42’= 101010; ‘43’= 101011; ‘44’= 101100; ‘45’= 101101; ‘46’= 101110; ‘47’= 101111; ‘48’= 110000; ‘49’= 110001; ‘50’= 110010; ‘51’= 110011; ‘52’= 110100; ‘53’= 110101; ‘54’= 110110; ‘55’= 110111; ‘56’= 111000; ‘57’= 111001; ‘58’= 111010; ‘59’= 111011; ‘60’= 111100; ‘61’= 111101; ‘62’= 111110; ‘63’= 111111;

proto

str

‘esp’= Encapsulating security protocol (Default);

dh_group

str

‘0’= Diffie-Hellman group 0 (Default); ‘1’= Diffie-Hellman group 1 - 768-bits; ‘2’= Diffie-Hellman group 2 - 1024-bits; ‘5’= Diffie-Hellman group 5 - 1536-bits; ‘14’= Diffie-Hellman group 14 - 2048-bits; ‘15’= Diffie-Hellman group 15 - 3072-bits; ‘16’= Diffie-Hellman group 16 - 4096-bits; ‘18’= Diffie- Hellman group 18 - 8192-bits; ‘19’= Diffie-Hellman group 19 - 256-bit Elliptic Curve; ‘20’= Diffie-Hellman group 20 - 384-bit Elliptic Curve;

enc_cfg

list

Field enc_cfg

lifetime

int

IPsec SA age in seconds

lifebytes

int

IPsec SA age in megabytes (0 indicates unlimited bytes)

anti_replay_window

str

‘0’= Disable Anti-Replay Window Check; ‘32’= Window size of 32; ‘64’= Window size of 64; ‘128’= Window size of 128; ‘256’= Window size of 256; ‘512’= Window size of 512; ‘1024’= Window size of 1024; ‘2048’= Window size of 2048; ‘3072’= Window size of 3072; ‘4096’= Window size of 4096; ‘8192’= Window size of 8192;

up

bool

Initiates SA negotiation to bring the IPsec connection up

sequence_number_disable

bool

Do not use incremental sequence number in the ESP header

traffic_selector

dict

Field traffic_selector

enforce_traffic_selector

bool

Enforce Traffic Selector

uuid

str

uuid of the object

user_tag

str

Customized tag

sampling_enable

list

Field sampling_enable

bind_tunnel

dict

Field bind_tunnel

ipsec_gateway

dict

Field ipsec_gateway

ipsec_group_list

list

Field ipsec_group_list

name

str

Group name

ipsecgroup_cfg

list

Field ipsecgroup_cfg

uuid

str

uuid of the object

user_tag

str

Customized tag

group_list

dict

Field group_list

uuid

str

uuid of the object

ipsec_sa_stats_list

list

Field ipsec_sa_stats_list

sampling_enable

list

Field sampling_enable

revocation_list

list

Field revocation_list

name

str

Revocation name

ca

str

Certificate Authority file name

crl

dict

Field crl

ocsp

dict

Field ocsp

uuid

str

uuid of the object

user_tag

str

Customized tag

crl

dict

Field crl

uuid

str

uuid of the object

ocsp

dict

Field ocsp

uuid

str

uuid of the object

ipsec_sa_by_gw

dict

Field ipsec_sa_by_gw

uuid

str

uuid of the object

ike_sa

dict

Field ike_sa

uuid

str

uuid of the object

ipsec_sa

dict

Field ipsec_sa

uuid

str

uuid of the object

ike_sa_brief

dict

Field ike_sa_brief

uuid

str

uuid of the object

ike_sa_clients

dict

Field ike_sa_clients

uuid

str

uuid of the object

ipsec_sa_clients

dict

Field ipsec_sa_clients

uuid

str

uuid of the object

ike_stats_by_gw

dict

Field ike_stats_by_gw

uuid

str

uuid of the object

oper

dict

Field oper

IKE_Gateway_total

int

Field IKE_Gateway_total

IPsec_total

int

Field IPsec_total

IKE_SA_total

int

Field IKE_SA_total

IPsec_SA_total

int

Field IPsec_SA_total

IPsec_mode

str

Field IPsec_mode

Num_hardware_devices

int

Field Num_hardware_devices

Crypto_cores_total

int

Field Crypto_cores_total

Crypto_cores_assigned_to_IPsec

int

Field Crypto_cores_assigned_to_IPsec

Crypto_mem

int

Field Crypto_mem

all_partition_list

list

Field all_partition_list

all_partitions

bool

Field all_partitions

shared

bool

Field shared

specific_partition

str

Field specific_partition

errordump

dict

Field errordump

default

dict

Field default

log

dict

Field log

ike_gateway_list

list

Field ike_gateway_list

ipsec_list

list

Field ipsec_list

group_list

dict

Field group_list

crl

dict

Field crl

ocsp

dict

Field ocsp

ipsec_sa_by_gw

dict

Field ipsec_sa_by_gw

ike_sa

dict

Field ike_sa

ipsec_sa

dict

Field ipsec_sa

ike_sa_brief

dict

Field ike_sa_brief

ike_sa_clients

dict

Field ike_sa_clients

ipsec_sa_clients

dict

Field ipsec_sa_clients

ike_stats_by_gw

dict

Field ike_stats_by_gw

stats

dict

Field stats

passthrough

str

Field passthrough

ha_standby_drop

str

Field ha_standby_drop

error

dict

Field error

ike_stats_global

dict

Field ike_stats_global

ike_gateway_list

list

Field ike_gateway_list

ipsec_list

list

Field ipsec_list

ipsec_sa_stats_list

list

Field ipsec_sa_stats_list

Examples


Return Values

modified_values (changed, dict, )

Values modified (or potential changes if using check_mode) as a result of task operation

axapi_calls (always, list, )

Sequential list of AXAPI calls made by the task

endpoint (, str, [‘/axapi/v3/slb/virtual_server’, ‘/axapi/v3/file/ssl-cert’])

The AXAPI endpoint being accessed.

http_method (, str, [‘POST’, ‘GET’])

HTTP method being used by the primary task to interact with the AXAPI endpoint.

request_body (, complex, )

Params used to query the AXAPI

response_body (, complex, )

Response from the AXAPI

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by community.

Authors

  • A10 Networks