JonTheNiceGuy / fortigate_policy

An Ansible Role to deliver FortiGate Firewall policy changes. THIS ROLE CAN BE DESTRUCTIVE - PLEASE ENSURE YOU HAVE A BACKUP OF YOUR CONFIG BEFORE USING THIS ROLE!

Enhancement: Create VPNs in Ansible #13

Open JonTheNiceGuy opened 5 years ago

JonTheNiceGuy commented 5 years ago

This requires multiple modules, extra config, more validation checks, and more things to parse in vars/main.yml.

Sample FortiGate (FGT) configuration for constructing a FGT-to-FGT VPN:

# Sample FortiOS CLI for a static site-to-site IPsec VPN between two FortiGates.
# The "Created by VPN wizard" comments and wizard-type static-fortigate below
# indicate this is the wizard's output; the object names are all derived from
# the tunnel name "site-to-site".
#
# Tunnel interface: a VPN interface named "site-to-site" in vdom root, bound to
# the physical interface port1 (the phase1 below uses the same interface).
config system interface
    edit "site-to-site"
        set vdom "root"
        set type tunnel
        set interface "port1"
    next
end
# Address objects for each side of the tunnel (RFC 5737 documentation ranges in
# this sample). allow-routing enable lets them be used as route destinations.
config firewall address
    edit "site-to-site_local_subnet_1"
        set allow-routing enable
        set subnet 10.0.2.0 255.255.255.0
    next
    edit "site-to-site_remote_subnet_1"
        set allow-routing enable
        set subnet 198.51.100.0 255.255.255.0
    next
end
# Address groups wrapping the subnets above; the phase2 selectors, firewall
# policies and static routes below all reference these group names, so adding
# a subnet to the VPN later only means adding a member here.
config firewall addrgrp
    edit "site-to-site_local"
        set member "site-to-site_local_subnet_1"
        set comment "VPN: site-to-site (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "site-to-site_remote"
        set member "site-to-site_remote_subnet_1"
        set comment "VPN: site-to-site (Created by VPN wizard)"
        set allow-routing enable
    next
end
# IKE phase 1: static peer at 192.0.2.100, pre-shared-key authentication.
# NOTE(review): peertype any performs no peer-ID check; with a fixed remote-gw
# this is the wizard default, but the role may want to expose a stricter
# peertype/peerid as a variable.
# NOTE(review): the aes128-sha1 / aes256-sha1 proposals are legacy integrity
# options; keep them only if the far end cannot negotiate the sha256 entries.
# NOTE(review): psksecret is a placeholder here. When this is parameterised in
# the role it must not live in plain vars/main.yml; source it from an
# encrypted store (e.g. Ansible Vault) and keep it out of logs/diffs.
config vpn ipsec phase1-interface
    edit "site-to-site"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: site-to-site (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 192.0.2.100
        set psksecret SomePassword
    next
end
# IKE phase 2: traffic selectors are the named address groups above
# (src/dst-addr-type name). The proposal list mixes classic cipher+hash pairs
# with AEAD ciphers (aes128gcm, aes256gcm, chacha20poly1305); order is the
# preference order offered to the peer.
config vpn ipsec phase2-interface
    edit "site-to-site"
        set phase1name "site-to-site"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: site-to-site (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "site-to-site_local"
        set dst-name "site-to-site_remote"
    next
end
# Firewall policies permitting traffic in each direction across the tunnel.
# NOTE(review): both policies use service "ALL" and schedule "always"; the role
# should let callers narrow the service set rather than hard-coding ALL.
# NOTE(review): the fixed IDs "edit 1" / "edit 2" will overwrite any existing
# policies 1 and 2 on a non-empty firewall (hence the "DESTRUCTIVE" warning in
# the README); the role needs to allocate or look up free policy IDs instead.
config firewall policy
    edit 1
        set name "vpn_site-to-site_local"
        set srcintf "port1"
        set dstintf "site-to-site"
        set srcaddr "site-to-site_local"
        set dstaddr "site-to-site_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: site-to-site (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_site-to-site_remote"
        set srcintf "site-to-site"
        set dstintf "port1"
        set srcaddr "site-to-site_remote"
        set dstaddr "site-to-site_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: site-to-site (Created by VPN wizard)"
    next
end
# Routing: route 1 sends the remote group via the tunnel interface; route 2 is
# a blackhole for the same destination at distance 254 — presumably so that if
# the tunnel is down, traffic for the remote subnet is dropped rather than
# following the default route in the clear (confirm this is the intent).
# NOTE(review): as with the policies, the fixed route IDs 1 and 2 will clobber
# existing static routes with those IDs.
config router static
    edit 1
        set device "site-to-site"
        set comment "VPN: site-to-site (Created by VPN wizard)"
        set dstaddr "site-to-site_remote"
    next
    edit 2
        set distance 254
        set comment "VPN: site-to-site (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "site-to-site_remote"
    next
end