mktun – Creates, activates, deactivates and removes tunnels.
Synopsis
Creates a tunnel definition in the tunnel database.
Activates tunnels.
Deactivates operational tunnels and optionally removes tunnel definitions.
Exports and imports tunnel definitions.
Requirements
The below requirements are needed on the host that executes this module.
AIX >= 7.1 TL3
Python >= 3.6
Privileged user with authorizations: aix.security.network.vpn,aix.security.network.stat
Parameters
- manual (optional, dict, None)
List of manual tunnels.
- import_ipv4 (optional, str, None)
Base64 encoding of IPv4 tunnels to be imported.
- import_ipv6 (optional, str, None)
Base64 encoding of IPv6 tunnels to be imported.
- ipv4 (optional, list, None)
IPv4 tunnels.
- id (optional, int, None)
Tunnel id.
Only used to deactivate or remove an existing tunnel.
- src (optional, dict, None)
Source tunnel definition.
- address (True, str, None)
Host IP address.
A host name is also valid and the first IP address returned by name server for the host name will be used.
- ah_algo (optional, str, None)
Authentication algorithm, used for IP packet authentication.
- ah_key (optional, str, None)
AH Key String.
The input must be a hexadecimal string.
- ah_spi (optional, int, None)
Security Parameter Index for AH.
- esp_algo (optional, str, None)
Encryption algorithm, used for IP packet encryption.
- esp_key (optional, str, None)
ESP Key String.
The input must be a hexadecimal string.
- esp_spi (optional, int, None)
Security Parameter Index for ESP.
- enc_mac_algo (optional, str, None)
ESP Authentication Algorithm.
Only used when newheader=yes.
- enc_mac_key (optional, str, None)
ESP Authentication Key.
Only used when newheader=yes.
- policy (optional, str, None)
Identifies how the IP packet authentication and/or encryption is to be used by this host.
encr/auth
specifies that IP packet gets encrypted before authentication.
auth/encr
specifies that IP packet gets encrypted after authentication.
encr
specifies that IP packet gets encrypted only.
auth
specifies that IP packet gets authenticated only.- dst (optional, dict, None)
Destination tunnel definition.
- address (True, str, None)
Host IP address.
A host name is also valid and the first IP address returned by name server for the host name will be used.
- ah_algo (optional, str, None)
Authentication algorithm, used for IP packet authentication.
- ah_key (optional, str, None)
AH Key String.
The input must be a hexadecimal string.
- ah_spi (optional, int, None)
Security Parameter Index for AH.
- esp_algo (optional, str, None)
Encryption algorithm, used for IP packet encryption.
- esp_key (optional, str, None)
ESP Key String.
The input must be a hexadecimal string.
- esp_spi (optional, int, None)
Security Parameter Index for ESP.
- enc_mac_algo (optional, str, None)
ESP Authentication Algorithm.
Only used when newheader=yes.
- enc_mac_key (optional, str, None)
ESP Authentication Key.
Only used when newheader=yes.
- policy (optional, str, None)
Identifies how the IP packet authentication and/or encryption is to be used by this host.
encr/auth
specifies that IP packet gets encrypted before authentication.
auth/encr
specifies that IP packet gets encrypted after authentication.
encr
specifies that IP packet gets encrypted only.
auth
specifies that IP packet gets authenticated only.- tunnel_only (optional, bool, False)
Only create the tunnel definition. Do not automatically generate two filter rules for the tunnel.
- key_lifetime (optional, int, None)
Key Lifetime, specified in minutes.
Value 0 indicates that the manual tunnel will never expire.
The default value is 480.
- newheader (optional, bool, None)
New header format.
The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication.
- replay (optional, bool, False)
Replay prevention.
Only used when newheader=yes.
- tunnel_mode (optional, bool, True)
Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet.
- fw_address (optional, str, None)
IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host.
A host name may also be used and the first IP address returned by the name server for that host name will be used.
- dst_mask (optional, str, None)
Network mask for the secure network behind a firewall.
Only used when fw_address is specified.
- state (optional, str, active)
Tunnel state.
active
specifies that the tunnel(s) will be created.
defined
specifies the tunnel(s) that are to be deactivated.
absent
specifies the tunnel(s) that needs to be removed.- export (optional, bool, False)
Export tunnel and associated filter rule definitions.
- ipv6 (optional, list, None)
IPv6 tunnels.
- id (optional, int, None)
Tunnel id.
Only used to deactivate or remove an existing tunnel.
- src (optional, dict, None)
Source tunnel definition.
- address (True, str, None)
Host IP address.
A host name is also valid and the first IP address returned by name server for the host name will be used.
- ah_algo (optional, str, None)
Authentication algorithm, used for IP packet authentication.
- ah_key (optional, str, None)
AH Key String.
The input must be a hexadecimal string.
- ah_spi (optional, int, None)
Security Parameter Index for AH.
- esp_algo (optional, str, None)
Encryption algorithm, used for IP packet encryption.
- esp_key (optional, str, None)
ESP Key String.
The input must be a hexadecimal string.
- esp_spi (optional, int, None)
Security Parameter Index for ESP.
- enc_mac_algo (optional, str, None)
ESP Authentication Algorithm.
Only used when newheader=yes.
- enc_mac_key (optional, str, None)
ESP Authentication Key.
Only used when newheader=yes.
- policy (optional, str, None)
Identifies how the IP packet authentication and/or encryption is to be used by this host.
encr/auth
specifies that IP packet gets encrypted before authentication.
auth/encr
specifies that IP packet gets encrypted after authentication.
encr
specifies that IP packet gets encrypted only.
auth
specifies that IP packet gets authenticated only.- dst (optional, dict, None)
Destination tunnel definition.
- address (True, str, None)
Host IP address.
A host name is also valid and the first IP address returned by name server for the host name will be used.
- ah_algo (optional, str, None)
Authentication algorithm, used for IP packet authentication.
- ah_key (optional, str, None)
AH Key String.
The input must be a hexadecimal string.
- ah_spi (optional, int, None)
Security Parameter Index for AH.
- esp_algo (optional, str, None)
Encryption algorithm, used for IP packet encryption.
- esp_key (optional, str, None)
ESP Key String.
The input must be a hexadecimal string.
- esp_spi (optional, int, None)
Security Parameter Index for ESP.
- enc_mac_algo (optional, str, None)
ESP Authentication Algorithm.
Only used when newheader=yes.
- enc_mac_key (optional, str, None)
ESP Authentication Key.
Only used when newheader=yes.
- policy (optional, str, None)
Identifies how the IP packet authentication and/or encryption is to be used by this host.
encr/auth
specifies that IP packet gets encrypted before authentication.
auth/encr
specifies that IP packet gets encrypted after authentication.
encr
specifies that IP packet gets encrypted only.
auth
specifies that IP packet gets authenticated only.- tunnel_only (optional, bool, False)
Only create the tunnel definition. Do not automatically generate two filter rules for the tunnel.
- key_lifetime (optional, int, None)
Key Lifetime, specified in minutes.
Value 0 indicates that the manual tunnel will never expire.
The default value is 480.
- newheader (optional, bool, None)
New header format.
The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication.
- replay (optional, bool, False)
Replay prevention.
Only used when newheader=yes.
- tunnel_mode (optional, bool, True)
Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet.
- fw_address (optional, str, None)
IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host.
A host name may also be used and the first IP address returned by the name server for that host name will be used.
- dst_mask (optional, str, None)
Network mask for the secure network behind a firewall.
Only used when fw_address is specified.
- state (optional, str, active)
Tunnel state.
active
specifies that the tunnel(s) will be created.
defined
specifies the tunnel(s) that are to be deactivated.
absent
specifies the tunnel(s) that needs to be removed.- export (optional, bool, False)
Export tunnel and associated filter rule definitions.
Examples
- name: Create and activate a manual IPv4 tunnel
mktun:
manual:
ipv4:
- src:
address: 10.10.11.72
ah_algo: HMAC_MD5
esp_algo: DES_CBC_8
dst:
address: 10.10.11.98
esp_spi: 12345
- name: Export IPv4 tunnel definition for tunnel id 3 on srchost
mktun:
manual:
ipv4:
- id: 3
export: true
register: export_result
when: 'inventory_hostname == srchost'
- name: Import IPv4 tunnel definition on dsthost
mktun:
manual:
import_ipv4: '{{ export_result.export_ipv4 }}'
when: 'inventory_hostname == dsthost'
- name: Remove manual IPv4 tunnel with id 3 from tunnel database
mktun:
manual:
ipv4:
- id: 3
state: absent
- name: Deactivate manual IPv4 tunnel with id 4
mktun:
manual:
ipv4:
- id: 4
state: defined
- name: Activate manual IPv4 tunnel with id 5
mktun:
manual:
ipv4:
- id: 5
state: active
- name: Gather the tunnel facts
mktun:
- name: Print the tunnel facts
debug:
var: ansible_facts.tunnels
Return Values
- msg (always, str, Successfully imported the tunnle(s))
The execution message.
- stdout (always, str, )
The standard output
- stderr (always, str, )
The standard error
- export_ipv4 (when export is true, str, )
Base64 encoding of exported IPv4 tunnel definitions.
- export_ipv6 (when export is true, str, )
Base64 encoding of exported IPv6 tunnel definitions.
- ansible_facts (always, complex, )
Facts to add to ansible_facts about tunnels.
- tunnels (always, dict, )
Tunnel definitions.
- auth_algos (always, list, )
List of installed authentication algorithms.
- encr_algos (always, list, )
List of installed encryption algorithms.
- manual (always, list, )
Manual tunnel definitions.
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by community.