addIkevTwoPolicy

The addIkevTwoPolicy operation handles configuration related to the IkevTwoPolicy model.

Description

This API call is not allowed on the standby unit in an HA pair.

Data Parameters

Parameter Required Type Description
name True string The name of the object, up to 128 characters.
enabled True boolean A mandatory Boolean value, TRUE or FALSE (the default). The TRUE value enables the policy, which means remote peers can use it when negotiating a site-to-site VPN connection. FALSE indicates that although the policy is defined, remote peers cannot negotiate connections based on the policy.
Field level constraints: cannot be null. (Note: Additional constraints might exist)
lifeTime False integer An optional integer that defines the lifetime of the security association (SA), in seconds, from 120 to 2147483647, with the typical limit being 86400. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Leave the option as null to specify no lifetime limit.
priority True integer A required integer that determines the relative priority of the IKE policy, from 1 to 65535. The priority determines the order of the IKE policy compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your highest priority policy, it tries to use the parameters defined in the next lowest priority. The lower the number, the higher the priority. A given number is meaningful only in relation to the priority numbers defined on the other IKE policies.
Field level constraints: cannot be null. (Note: Additional constraints might exist)
encryptionTypes False [object] A list of enum values that specifies the encryption algorithm used to establish the Phase 1 security association (SA) for protecting Phase 2 negotiations. Specify all algorithms that you want to allow, although you cannot include both mixed-mode (AES-GCM) and normal mode options in the same policy. (Normal mode requires that you select an integrity hash, whereas mixed mode prohibits a separate integrity hash selection.) The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. Possible values are, in order of strength:
(unsupported) NULL - A null encryption algorithm provides authentication without encryption. This is typically used for testing purposes only.
DES - Data Encryption Standard, which encrypts using 56-bit keys, is a symmetric secret-key block algorithm (unsupported when strong crypto license is enabled).
(unsupported) THREE_DES - Triple DES, which encrypts three times using 56-bit keys.
AES - Advanced Encryption Standard is a symmetric cipher algorithm. AES uses 128-bit keys.
AES192 - An Advanced Encryption Standard algorithm that uses 192-bit keys.
AES256 - An Advanced Encryption Standard algorithm that uses 256-bit keys.
AES_GCM - Advanced Encryption Standard in Galois/Counter Mode is a block cipher mode of operation providing confidentiality and data-origin authentication. AES_GCM uses 128-bit keys.
AES_GCM192 - An Advanced Encryption Standard in Galois/Counter Mode that uses 192-bit keys.
AES_GCM256 - An Advanced Encryption Standard in Galois/Counter Mode that uses 256-bit keys.
groupTypes False [object] A list of enum values that specifies the Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Specify all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest group, until a match is agreed upon. Possible values are:
(unsupported) GROUP2 - 1024-bit modulus.
(deprecated) GROUP5 - 1536-bit modulus.
GROUP14 - 2048-bit modulus.
GROUP19 - 256-bit elliptic curve.
GROUP20 - 384-bit elliptic curve.
GROUP21 - 521-bit elliptic curve.
(unsupported) GROUP24 - 2048-bit modulus and 256-bit prime order subgroup.
GROUP31 - 256-bit elliptic curve.
integrityTypes False [object] A list of enum values that specifies the integrity portion of the hash algorithm for creating a message digest, which is used to ensure message integrity. Select all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. The integrity hash is not used with the AES-GCM encryption options. Possible values are:
NULL - A null hash algorithm. This is typically used for testing purposes only. However, you should choose the null integrity algorithm if you select one of the AES-GCM/GMAC options as the encryption algorithm. Even if you choose a non-null option, the integrity hash is ignored for these encryption standards.
(unsupported) MD5 - The Message Digest 5 algorithm, which produces a 128-bit digest.
SHA - The Secure Hash Algorithm, which produces a 160-bit digest.
SHA256 - The Secure Hash Algorithm SHA 2 with a 256-bit digest.
SHA384 - The Secure Hash Algorithm SHA 2 with a 384-bit digest.
SHA512 - The Secure Hash Algorithm SHA 2 with a 512-bit digest.
prfTypes False [object] A list of enum values that specifies the pseudo-random function (PRF) portion of the hash algorithm, which is used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. Select all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. Possible values are:
(unsupported) MD5 - The Message Digest 5 algorithm, which produces a 128-bit digest.
SHA - The Secure Hash Algorithm, which produces a 160-bit digest.
SHA256 - The Secure Hash Algorithm SHA 2 with a 256-bit digest.
SHA384 - The Secure Hash Algorithm SHA 2 with a 384-bit digest.
SHA512 - The Secure Hash Algorithm SHA 2 with a 512-bit digest.
cryptoRestricted False boolean A system-provided Boolean value, TRUE or FALSE. The TRUE value indicates that the policy uses strong cryptography, which is controlled by export regulations. A device must be registered for export-controlled functionality to use a strong encryption policy.
summaryLabel False string A system-provided string that describes the IKE policy.
isSystemDefined False boolean A Boolean value, TRUE or FALSE (the default). The TRUE value indicates that the system created the object. FALSE indicates that the object is user-defined.
type True string A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name.

Example

- name: Execute 'addIkevTwoPolicy' operation
  ftd_configuration:
    operation: "addIkevTwoPolicy"
    data:
        name: "{{ name }}"
        enabled: "{{ enabled }}"
        lifeTime: "{{ life_time }}"
        priority: "{{ priority }}"
        encryptionTypes: "{{ encryption_types }}"
        groupTypes: "{{ group_types }}"
        integrityTypes: "{{ integrity_types }}"
        prfTypes: "{{ prf_types }}"
        cryptoRestricted: "{{ crypto_restricted }}"
        summaryLabel: "{{ summary_label }}"
        isSystemDefined: "{{ is_system_defined }}"
        type: "{{ type }}"
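The reference above states several constraints (priority and lifeTime ranges, no mixing of AES-GCM with normal-mode ciphers, NULL integrity with AES-GCM, values marked unsupported or deprecated) that are only enforced once the request reaches the device. The following pre-flight check is an added example, not code from the Ansible collection or the FTD API; validate_ikev2_policy and the sample bodies are hypothetical and constructed here.

```python
# Added example, not code from the Ansible collection or the FTD API: a pre-flight
# check of an IkevTwoPolicy body against the constraints the reference above states.
GCM = {"AES_GCM", "AES_GCM192", "AES_GCM256"}  # mixed mode: no separate integrity hash
NORMAL = {"NULL", "DES", "THREE_DES", "AES", "AES192", "AES256"}
HASHES = {"NULL", "MD5", "SHA", "SHA256", "SHA384", "SHA512"}
GROUPS = {"GROUP2", "GROUP5", "GROUP14", "GROUP19", "GROUP20", "GROUP21",
          "GROUP24", "GROUP31"}
# (field, allowed values, values the reference marks unsupported or deprecated)
ENUM_FIELDS = (
    ("encryptionTypes", GCM | NORMAL, {"NULL", "THREE_DES"}),
    ("groupTypes", GROUPS, {"GROUP2", "GROUP5", "GROUP24"}),
    ("integrityTypes", HASHES, {"MD5"}),
    ("prfTypes", HASHES - {"NULL"}, {"MD5"}),
)

def validate_ikev2_policy(policy):
    """Return a list of problems; an empty list means the body passes the checks."""
    problems = []
    if policy.get("enabled") not in (True, False):
        problems.append("enabled: must be true or false, cannot be null")
    prio = policy.get("priority")
    if isinstance(prio, bool) or not isinstance(prio, int) or not 1 <= prio <= 65535:
        problems.append("priority: an integer from 1 to 65535 is required")
    life = policy.get("lifeTime")
    if life is not None and (not isinstance(life, int) or not 120 <= life <= 2147483647):
        problems.append("lifeTime: null or an integer from 120 to 2147483647")
    for field, allowed, flagged in ENUM_FIELDS:
        for value in policy.get(field) or []:
            if value not in allowed:
                problems.append(f"{field}: unknown value {value}")
            elif value in flagged:
                problems.append(f"{field}: {value} is unsupported or deprecated")
    enc = set(policy.get("encryptionTypes") or [])
    integ = set(policy.get("integrityTypes") or [])
    if enc & GCM and enc & NORMAL:
        problems.append("encryptionTypes: AES-GCM and normal-mode ciphers cannot be mixed")
    if enc & GCM and integ - {"NULL"}:
        problems.append("integrityTypes: use NULL with AES-GCM encryption")
    if enc & NORMAL and not integ - {"NULL"}:
        problems.append("integrityTypes: normal-mode encryption needs an integrity hash")
    return problems

# Constructed sample bodies: a strong policy and one that breaks several rules.
STRONG = {"name": "s2s-ikev2-strong", "enabled": True, "priority": 1,
          "lifeTime": 86400, "encryptionTypes": ["AES_GCM256"],
          "integrityTypes": ["NULL"], "prfTypes": ["SHA512", "SHA384"],
          "groupTypes": ["GROUP21", "GROUP19"], "type": "ikevtwopolicy"}
MIXED = {**STRONG, "name": "s2s-ikev2-mixed", "integrityTypes": ["SHA"],
         "encryptionTypes": ["AES_GCM256", "AES256"], "groupTypes": ["GROUP2"]}
```

Run the check on the rendered data mapping before the task is executed so that a rejected or silently weakened policy is caught in the playbook rather than on the device.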