fortinetdev / terraform-provider-fortios

Terraform Fortios provider
https://www.terraform.io/docs/providers/fortios/
Mozilla Public License 2.0

Generic IPsec VPN client Terraform resources #276

Open tkoeck opened 1 year ago

tkoeck commented 1 year ago

Hi,

are there also some Terraform resources for creating a generic IPsec connection? I didn't find any. Also no CISCO-specific ones.

Can it be modelled with other Terraform resources?

MaxxLiu22 commented 1 year ago

Hi @tkoeck ,

Here is an example of how to create a simple IPsec tunnel, if that is what you asked for. Let me know if you have other questions.

#step 1: create phase1interface & vpnipsec_phase2interface by running: terraform apply
resource "fortios_vpnipsec_phase1interface" "vpn" {
  name              = "ipsec_tunnel"
  local_gw          = "3.3.3.3"
  remote_gw         = "4.4.4.4"
  interface         = "port3"
  proposal          = "aes128-sha1"
  psksecret         = "eTGJ8Ly5OYp2zpAQF8FytnD5NPFiFgPf"
}

resource "fortios_vpnipsec_phase2interface" "test" {
  name           = "ipsec_interface2"
  phase1name     = "ipsec_tunnel"
  proposal       = "aes128-sha1"
  depends_on     = [fortios_vpnipsec_phase1interface.vpn] 
}
#step 2: uncomment the following code to add the interface resource to the terraform file, then import it by running:  terraform import fortios_system_interface.vpn ipsec_tunnel
# resource "fortios_system_interface" "vpn" {
#   name        = "ipsec_tunnel"
#   ip          = "169.254.2.2/32" 
#   remote_ip   = "169.254.2.1 255.255.255.0"
#   vdom        = "root"
#   allowaccess = "ping http https"
# }

Thanks, Maxx

tkoeck commented 1 year ago

Thanks.

Can you please tell me more about that import necessity?

It should probably be possible to configure a completely new FortiGate device (after the manual API token setup) in one Terraform run without having to do something manually? At least that would be the 'ideal' idea of Infrastructure as Code and Terraform. :)

tkoeck commented 1 year ago

It would be very time-consuming if I had to do this for every new VPN. And it would not be Infrastructure as Code in one run.

MaxxLiu22 commented 1 year ago

Hi @tkoeck ,

FOS automatically creates a VPN interface after you finish the phase2interface. Terraform needs to import that created interface into the local state file, otherwise Terraform will try to create a new interface and fail with a duplicate name error. Sorry for any inconvenience. Terraform currently uses the REST API as its basic method, so it just simulates how the GUI works. I will let the development team know about this concern and find out if there is an easier way to achieve this. Thank you for your suggestions, and sorry again for the inconvenience.

Thanks, Maxx

tkoeck commented 1 year ago

Hi Maxx,

thanks for the detailed answer.

Our use case is migrating around 50 IPSec Site-to-Site VPN channels and around 60 IPSec Client VPN connections from our old VPN router. The VPN Client connections could potentially also be migrated to SSL VPN client connections. I didn't evaluate SSL Client VPNs yet, but I suppose they would have the same 'import' problem?

So, you probably see that around 110+ manual steps would be a little bit cumbersome. In that case, Terraform wouldn't give us a good effort and time advantage over dumping Terraform and configuring it manually. ;)

If you use more VPN connections with similar basic configuration with Terraform, it is also possible to write Terraform modules. In that situation, a manual import wouldn't work even if I wanted to.

dicristina commented 1 year ago

Use the autogenerated="auto" argument in the fortios_system_interface resource corresponding to the tunnel interface. This will prevent any errors due to trying to create an already existing interface and there will be no need for an import.
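The following configuration is an added example, not code from the provider documentation or from anyone in this thread. It puts Maxx's phase1/phase2 resources and dicristina's `autogenerated = "auto"` suggestion together in a single apply, and generalises it to several tunnels with `for_each` so that a module-style rollout (the 50+ site-to-site tunnels mentioned above) needs no per-tunnel import. The variable layout, tunnel names and addresses are assumptions; the pre-shared key is read from a `sensitive` variable rather than being hard-coded, and the tunnel interface only allows `ping` because management access on a VPN interface is rarely needed.

```hcl
# Added example (not from the provider docs or this thread's authors).
# Assumes the FortiOS provider is already configured (hostname, token, insecure flag).

variable "tunnels" {
  description = "Site-to-site tunnels keyed by name (constructed sample values)."
  type = map(object({
    local_gw  = string
    remote_gw = string
    interface = string
    local_ip  = string
    remote_ip = string
  }))
  default = {
    # FortiOS keeps interface names short; stay well under 15 characters.
    site_a = {
      local_gw  = "3.3.3.3"
      remote_gw = "4.4.4.4"
      interface = "port3"
      local_ip  = "169.254.2.2/32"
      remote_ip = "169.254.2.1 255.255.255.0"
    }
  }
}

# Pre-shared keys stay out of the code and out of plan output.
# Supply them with TF_VAR_psk='{"site_a":"..."}' or a secrets backend.
variable "psk" {
  description = "Pre-shared key per tunnel name."
  type        = map(string)
  sensitive   = true
}

resource "fortios_vpnipsec_phase1interface" "vpn" {
  for_each  = var.tunnels
  name      = each.key
  local_gw  = each.value.local_gw
  remote_gw = each.value.remote_gw
  interface = each.value.interface
  proposal  = "aes128-sha1"
  psksecret = var.psk[each.key]
}

resource "fortios_vpnipsec_phase2interface" "vpn" {
  for_each   = var.tunnels
  name       = "${each.key}_p2"
  phase1name = fortios_vpnipsec_phase1interface.vpn[each.key].name
  proposal   = "aes128-sha1"
}

# FortiOS creates this tunnel interface itself when phase1 is committed.
# autogenerated = "auto" tells the provider to adopt the existing interface
# instead of trying to create it, so no "terraform import" step is needed.
resource "fortios_system_interface" "vpn" {
  for_each      = var.tunnels
  name          = fortios_vpnipsec_phase1interface.vpn[each.key].name
  autogenerated = "auto"
  ip            = each.value.local_ip
  remote_ip     = each.value.remote_ip
  vdom          = "root"
  allowaccess   = "ping"
  depends_on    = [fortios_vpnipsec_phase2interface.vpn]
}
```

Adding a tunnel is then a new entry in `var.tunnels` plus its key in `var.psk`; `terraform plan` shows the three resources being created, and because the interface resource references the phase1 name directly, it always adopts the interface FortiOS generated for that tunnel.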