addSToSConnectionProfile
The addSToSConnectionProfile operation handles configuration related to the SToSConnectionProfile model.
Description
This API call is not allowed on the standby unit in an HA pair.
Data Parameters
Parameter | Required | Type | Description
---|---|---|---
name | True | string | A string containing the name of the VPN profile. The string can be up to 50 characters and can only consist of alphanumeric characters and the following special characters: _.+-
outsideInterfaces | True | [object] | A mandatory list of PhysicalInterface or SubInterface objects that can be used for establishing the VPN connection. Field level constraints: cannot be null. (Note: Additional constraints might exist.) Allowed types are: [EtherChannelInterface, PhysicalInterface, SubInterface, VirtualTunnelInterface, VlanInterface]
localNetworks | False | [object] | A list of NetworkObject or NetworkObjectGroup objects describing the source of the traffic that is to be routed through the VPN tunnel. If no source networks are provided, traffic from any source may be forwarded through the tunnel. Allowed types are: [NetworkObject, NetworkObjectGroup]
isRemotePeerIpDynamic | False | boolean | A Boolean value that determines whether the remote peer IP is static or dynamic. FALSE is the default.
ikev1AuthMethod | True | string | Determines whether IKEv1 authentication is done using a pre-shared key or a certificate. EnumType with values PRE_SHARED_KEY or CERTIFICATE. PRE_SHARED_KEY is the default. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
ikev2AuthMethod | True | string | Determines whether IKEv2 authentication is done using a pre-shared key or a certificate. EnumType with values PRE_SHARED_KEY or CERTIFICATE. PRE_SHARED_KEY is the default. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
ikev1IDCertificate | False | object | Reference to an identity certificate of type InternalCertificate. Allowed types are: [InternalCertificate]
ikev2IDCertificate | False | object | Reference to an identity certificate of type InternalCertificate. Allowed types are: [InternalCertificate]
remotePeerIpAddress | False | string | A mandatory string that contains the IP address of the site-to-site VPN peer to connect to. Field level constraints: must be a valid IP address. (Note: Additional constraints might exist.)
remoteBackupPeers | False | [object] | A list of remote backup peers. The backups can be device redundancy terminating on two different remote devices, or ISP redundancy terminating on the same remote device but on two different interfaces.
remoteNetworks | False | [object] | A list of NetworkObject or NetworkObjectGroup objects describing the destination of the traffic that is to be routed through the VPN tunnel. If no remote networks are provided, traffic going to any destination may be forwarded through the tunnel. Allowed types are: [NetworkObject, NetworkObjectGroup]
ikev1Enabled | True | boolean | A mandatory Boolean value, TRUE (default) or FALSE. TRUE indicates that IKEv1 will be used by the VPN tunnel in connection attempts and negotiations. Note that if both IKEv1 and IKEv2 are enabled, IKEv2 will be used first. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
ikev2Enabled | True | boolean | A mandatory Boolean value, TRUE (default) or FALSE. TRUE indicates that IKEv2 will be used by the VPN tunnel in connection attempts and negotiations. Note that if both IKEv1 and IKEv2 are enabled, IKEv2 will be used first. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
rriEnabled | True | boolean | A Boolean value that determines whether static routes need to be automatically inserted into the routing process for the networks and hosts protected by a remote tunnel endpoint. FALSE is the default. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
dynamicRRIEnabled | True | boolean | A Boolean value that determines whether static routes need to be added to the routing process after the IPsec site-to-site VPN is established. FALSE is the default. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
staticVTIEnabled | False | boolean | A Boolean value (FALSE by default) that specifies whether the profile is VTI-based (route-based) or policy-based.
ikev1PreSharedKey | False | string | A string containing the pre-shared key for IKEv1 connections. This is mandatory if IKEv1 is enabled. The key is encrypted when stored in the system, and the system returns a generic string instead of the key string for security reasons.
diffieHellmanGroup | False | string | An enum value that defines the Diffie-Hellman group to use for Perfect Forward Secrecy. If left empty, Perfect Forward Secrecy is disabled. Possible values are: (unsupported) GROUP1 - 768-bit modulus; (unsupported) GROUP2 - 1024-bit modulus; (deprecated) GROUP5 - 1536-bit modulus; GROUP14 - 2048-bit modulus; GROUP15 - 3072-bit modulus; GROUP16 - 4096-bit modulus; GROUP19 - 256-bit elliptic curve; GROUP20 - 384-bit elliptic curve; GROUP21 - 521-bit elliptic curve; (unsupported) GROUP24 - 2048-bit modulus and 256-bit prime order subgroup; GROUP31 - 256-bit elliptic curve.
ikev2LocalPreSharedKey | False | string | A string containing the local pre-shared key for IKEv2 connections. This is mandatory if IKEv2 is enabled. The key is encrypted when stored in the system, and the system returns a generic string instead of the key string for security reasons.
ikev2RemotePeerPreSharedKey | False | string | A string containing the remote pre-shared key for IKEv2 connections. This is mandatory if IKEv2 is enabled. The key is encrypted when stored in the system, and the system returns a generic string instead of the key string for security reasons.
ikev1Proposals | False | [object] | A list of IkevOneProposal objects to be used in IKEv1 connections. The list cannot be empty if IKEv1 is enabled. Allowed types are: [IkevOneProposal]
ikev2Proposals | False | [object] | A list of IkevTwoProposal objects to be used in IKEv2 connections. The list cannot be empty if IKEv2 is enabled. Allowed types are: [IkevTwoProposal]
connectionType | False | string | Determines whether the IKE connection type is bidirectional, initiator-only or responder-only. EnumType with values BIDIRECTIONAL, INITIATE_ONLY or RESPOND_ONLY.
ipsecLifetimeInSeconds | True | integer | Specifies the number of seconds a security association will live before it expires. Range is 120 to 2147483647. Default value is 28800 seconds (eight hours). Field level constraints: must be between 120 and 2147483647 (inclusive), cannot be null. (Note: Additional constraints might exist.)
ipsecLifetimeInKiloBytes | True | integer | Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before it expires. Range is 10 to 2147483647 kilobytes. Default value is 4608000 kilobytes. Field level constraints: must be between 10 and 2147483647 (inclusive), cannot be null. (Note: Additional constraints might exist.)
ipsecLifetimeUnlimited | True | boolean | A Boolean value (FALSE by default) that determines whether the IPsec lifetime in kilobytes is set to unlimited. When this value is set, the ipsecLifetimeInKiloBytes value is still saved, but the CLI is deployed with unlimited kilobytes. Field level constraints: cannot be null. (Note: Additional constraints might exist.)
interfaceForNatExempt | False | object | A PhysicalInterface or SubInterface object that needs a NAT exempt rule generated for access through the VPN. If left empty, no NAT exempt rules are automatically generated. Allowed types are: [EtherChannelInterface, PhysicalInterface, SubInterface, VirtualTunnelInterface, VlanInterface]
type | True | string | A UTF-8 string, all letters lower-case, that represents the class type. This corresponds to the class name.
Example
```yaml
- name: Execute 'addSToSConnectionProfile' operation
  ftd_configuration:
    operation: "addSToSConnectionProfile"
    data:
      name: "{{ name }}"
      outsideInterfaces: "{{ outside_interfaces }}"
      localNetworks: "{{ local_networks }}"
      isRemotePeerIpDynamic: "{{ is_remote_peer_ip_dynamic }}"
      ikev1AuthMethod: "{{ ikev1_auth_method }}"
      ikev2AuthMethod: "{{ ikev2_auth_method }}"
      ikev1IDCertificate: "{{ ikev1_id_certificate }}"
      ikev2IDCertificate: "{{ ikev2_id_certificate }}"
      remotePeerIpAddress: "{{ remote_peer_ip_address }}"
      remoteBackupPeers: "{{ remote_backup_peers }}"
      remoteNetworks: "{{ remote_networks }}"
      ikev1Enabled: "{{ ikev1_enabled }}"
      ikev2Enabled: "{{ ikev2_enabled }}"
      rriEnabled: "{{ rri_enabled }}"
      dynamicRRIEnabled: "{{ dynamic_rri_enabled }}"
      staticVTIEnabled: "{{ static_vti_enabled }}"
      ikev1PreSharedKey: "{{ ikev1_pre_shared_key }}"
      diffieHellmanGroup: "{{ diffie_hellman_group }}"
      ikev2LocalPreSharedKey: "{{ ikev2_local_pre_shared_key }}"
      ikev2RemotePeerPreSharedKey: "{{ ikev2_remote_peer_pre_shared_key }}"
      ikev1Proposals: "{{ ikev1_proposals }}"
      ikev2Proposals: "{{ ikev2_proposals }}"
      connectionType: "{{ connection_type }}"
      ipsecLifetimeInSeconds: "{{ ipsec_lifetime_in_seconds }}"
      ipsecLifetimeInKiloBytes: "{{ ipsec_lifetime_in_kilo_bytes }}"
      ipsecLifetimeUnlimited: "{{ ipsec_lifetime_unlimited }}"
      interfaceForNatExempt: "{{ interface_for_nat_exempt }}"
      type: "{{ type }}"
```
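Several constraints in the parameter table span more than one field (a pre-shared key and a non-empty proposal list are needed only for an IKE version that is enabled, a static peer needs a valid IP address, the lifetimes have ranges, and some Diffie-Hellman groups are unsupported or deprecated), so a playbook that only templates variables will not catch an inconsistent `data` payload until the device rejects it or, worse, accepts a weak group. The validator below is an added example, not part of the ftd_configuration module or the FTD API; it checks the PSK fields only when the auth method is PRE_SHARED_KEY (an assumption, since the table says "if enabled"), and the sample payload and its placeholder keys are constructed.

```python
import ipaddress
import re

# Constraints transcribed from the addSToSConnectionProfile parameter table.
NAME_RE = re.compile(r"^[A-Za-z0-9_.+-]{1,50}$")
DH_STATUS = {"GROUP1": "unsupported", "GROUP2": "unsupported", "GROUP24": "unsupported", "GROUP5": "deprecated"}
PSK_FIELDS = {"ikev1": ("ikev1PreSharedKey",),
              "ikev2": ("ikev2LocalPreSharedKey", "ikev2RemotePeerPreSharedKey")}

def validate_profile(data):
    """Return the list of violated constraints; an empty list means the payload is consistent."""
    errors = []
    if not NAME_RE.match(str(data.get("name", ""))):
        errors.append("name: 1-50 characters, alphanumeric or _.+- only")
    if not data.get("outsideInterfaces"):
        errors.append("outsideInterfaces: mandatory, cannot be empty")
    # A static remote peer (isRemotePeerIpDynamic FALSE, the default) needs a valid IP address.
    if not data.get("isRemotePeerIpDynamic", False):
        try:
            ipaddress.ip_address(data.get("remotePeerIpAddress", ""))
        except ValueError:
            errors.append("remotePeerIpAddress: valid IP address required for a static peer")
    # Each IKE version is enabled by default and then needs proposals, plus (assumed: only for PSK auth) its keys.
    for ver, keys in PSK_FIELDS.items():
        if not data.get(f"{ver}Enabled", True):
            continue
        auth = data.get(f"{ver}AuthMethod", "PRE_SHARED_KEY")
        if auth not in ("PRE_SHARED_KEY", "CERTIFICATE"):
            errors.append(f"{ver}AuthMethod: must be PRE_SHARED_KEY or CERTIFICATE")
        if not data.get(f"{ver}Proposals"):
            errors.append(f"{ver}Proposals: cannot be empty when {ver} is enabled")
        if auth == "PRE_SHARED_KEY":
            errors.extend(f"{k}: mandatory when {ver} is enabled" for k in keys if not data.get(k))
    dh = data.get("diffieHellmanGroup")
    if dh in DH_STATUS:
        errors.append(f"diffieHellmanGroup: {dh} is {DH_STATUS[dh]}")
    for field, low in (("ipsecLifetimeInSeconds", 120), ("ipsecLifetimeInKiloBytes", 10)):
        val = data.get(field)
        if isinstance(val, bool) or not isinstance(val, int) or not low <= val <= 2147483647:
            errors.append(f"{field}: integer between {low} and 2147483647 required")
    return errors

# Constructed sample: IKEv2-only PSK profile with a deprecated DH group and a too-short
# IPsec lifetime, so validate_profile(SAMPLE) reports exactly those two violations.
SAMPLE = {
    "name": "branch-to-hq", "type": "stosconnectionprofile", "ikev1Enabled": False,
    "outsideInterfaces": [{"name": "outside", "type": "physicalinterface"}],
    "remotePeerIpAddress": "203.0.113.10", "ikev2Proposals": [{"name": "AES-GCM-SHA256", "type": "ikevtwoproposal"}],
    "ikev2LocalPreSharedKey": "LOCAL-PSK-PLACEHOLDER", "ikev2RemotePeerPreSharedKey": "REMOTE-PSK-PLACEHOLDER",
    "diffieHellmanGroup": "GROUP5", "ipsecLifetimeInSeconds": 60, "ipsecLifetimeInKiloBytes": 4608000,
}
```

Running it as a pre-task (for example from a small Ansible filter or a lookup script) lets a playbook fail before the profile is deployed rather than after the device rejects it.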