mktun – Creates, activates, deactivates and removes tunnels.

Synopsis

Creates a tunnel definition in the tunnel database.

Activates tunnels.

Deactivates operational tunnels and optionally removes tunnel definitions.

Exports and imports tunnel definitions.

Requirements

The below requirements are needed on the host that executes this module.

  • AIX >= 7.1 TL3

  • Python >= 3.6

  • Privileged user with authorizations: aix.security.network.vpn,aix.security.network.stat

Parameters

manual (optional, dict, None)

List of manual tunnels.

import_ipv4 (optional, str, None)

Base64 encoding of IPv4 tunnels to be imported.

import_ipv6 (optional, str, None)

Base64 encoding of IPv6 tunnels to be imported.

ipv4 (optional, list, None)

IPv4 tunnels.

id (optional, int, None)

Tunnel id.

Only used to deactivate or remove an existing tunnel.

src (optional, dict, None)

Source tunnel definition.

address (True, str, None)

Host IP address.

A host name is also valid; the first IP address returned by the name server for that host name will be used.

ah_algo (optional, str, None)

Authentication algorithm, used for IP packet authentication.

ah_key (optional, str, None)

AH Key String.

The input must be a hexadecimal string.

ah_spi (optional, int, None)

Security Parameter Index for AH.

esp_algo (optional, str, None)

Encryption algorithm, used for IP packet encryption.

esp_key (optional, str, None)

ESP Key String.

The input must be a hexadecimal string.

esp_spi (optional, int, None)

Security Parameter Index for ESP.

enc_mac_algo (optional, str, None)

ESP Authentication Algorithm.

Only used when newheader=yes.

enc_mac_key (optional, str, None)

ESP Authentication Key.

Only used when newheader=yes.

policy (optional, str, None)

Identifies how the IP packet authentication and/or encryption is to be used by this host.

encr/auth specifies that the IP packet gets encrypted before authentication.

auth/encr specifies that the IP packet gets encrypted after authentication.

encr specifies that the IP packet gets encrypted only.

auth specifies that the IP packet gets authenticated only.

dst (optional, dict, None)

Destination tunnel definition.

address (True, str, None)

Host IP address.

A host name is also valid; the first IP address returned by the name server for that host name will be used.

ah_algo (optional, str, None)

Authentication algorithm, used for IP packet authentication.

ah_key (optional, str, None)

AH Key String.

The input must be a hexadecimal string.

ah_spi (optional, int, None)

Security Parameter Index for AH.

esp_algo (optional, str, None)

Encryption algorithm, used for IP packet encryption.

esp_key (optional, str, None)

ESP Key String.

The input must be a hexadecimal string.

esp_spi (optional, int, None)

Security Parameter Index for ESP.

enc_mac_algo (optional, str, None)

ESP Authentication Algorithm.

Only used when newheader=yes.

enc_mac_key (optional, str, None)

ESP Authentication Key.

Only used when newheader=yes.

policy (optional, str, None)

Identifies how the IP packet authentication and/or encryption is to be used by this host.

encr/auth specifies that the IP packet gets encrypted before authentication.

auth/encr specifies that the IP packet gets encrypted after authentication.

encr specifies that the IP packet gets encrypted only.

auth specifies that the IP packet gets authenticated only.

tunnel_only (optional, bool, False)

Only create the tunnel definition. Do not automatically generate two filter rules for the tunnel.

key_lifetime (optional, int, None)

Key Lifetime, specified in minutes.

Value 0 indicates that the manual tunnel will never expire.

The default value is 480.

newheader (optional, bool, None)

New header format.

The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication.

replay (optional, bool, False)

Replay prevention.

Only used when newheader=yes.

tunnel_mode (optional, bool, True)

Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet.

fw_address (optional, str, None)

IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host.

A host name may also be used and the first IP address returned by the name server for that host name will be used.

dst_mask (optional, str, None)

Network mask for the secure network behind a firewall.

Only used when fw_address is specified.

state (optional, str, active)

Tunnel state.

active specifies that the tunnel(s) will be created and activated.

defined specifies the tunnel(s) that are to be deactivated.

absent specifies the tunnel(s) that need to be removed.

export (optional, bool, False)

Export tunnel and associated filter rule definitions.

ipv6 (optional, list, None)

IPv6 tunnels.

id (optional, int, None)

Tunnel id.

Only used to deactivate or remove an existing tunnel.

src (optional, dict, None)

Source tunnel definition.

address (True, str, None)

Host IP address.

A host name is also valid; the first IP address returned by the name server for that host name will be used.

ah_algo (optional, str, None)

Authentication algorithm, used for IP packet authentication.

ah_key (optional, str, None)

AH Key String.

The input must be a hexadecimal string.

ah_spi (optional, int, None)

Security Parameter Index for AH.

esp_algo (optional, str, None)

Encryption algorithm, used for IP packet encryption.

esp_key (optional, str, None)

ESP Key String.

The input must be a hexadecimal string.

esp_spi (optional, int, None)

Security Parameter Index for ESP.

enc_mac_algo (optional, str, None)

ESP Authentication Algorithm.

Only used when newheader=yes.

enc_mac_key (optional, str, None)

ESP Authentication Key.

Only used when newheader=yes.

policy (optional, str, None)

Identifies how the IP packet authentication and/or encryption is to be used by this host.

encr/auth specifies that the IP packet gets encrypted before authentication.

auth/encr specifies that the IP packet gets encrypted after authentication.

encr specifies that the IP packet gets encrypted only.

auth specifies that the IP packet gets authenticated only.

dst (optional, dict, None)

Destination tunnel definition.

address (True, str, None)

Host IP address.

A host name is also valid; the first IP address returned by the name server for that host name will be used.

ah_algo (optional, str, None)

Authentication algorithm, used for IP packet authentication.

ah_key (optional, str, None)

AH Key String.

The input must be a hexadecimal string.

ah_spi (optional, int, None)

Security Parameter Index for AH.

esp_algo (optional, str, None)

Encryption algorithm, used for IP packet encryption.

esp_key (optional, str, None)

ESP Key String.

The input must be a hexadecimal string.

esp_spi (optional, int, None)

Security Parameter Index for ESP.

enc_mac_algo (optional, str, None)

ESP Authentication Algorithm.

Only used when newheader=yes.

enc_mac_key (optional, str, None)

ESP Authentication Key.

Only used when newheader=yes.

policy (optional, str, None)

Identifies how the IP packet authentication and/or encryption is to be used by this host.

encr/auth specifies that the IP packet gets encrypted before authentication.

auth/encr specifies that the IP packet gets encrypted after authentication.

encr specifies that the IP packet gets encrypted only.

auth specifies that the IP packet gets authenticated only.

tunnel_only (optional, bool, False)

Only create the tunnel definition. Do not automatically generate two filter rules for the tunnel.

key_lifetime (optional, int, None)

Key Lifetime, specified in minutes.

Value 0 indicates that the manual tunnel will never expire.

The default value is 480.

newheader (optional, bool, None)

New header format.

The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication.

replay (optional, bool, False)

Replay prevention.

Only used when newheader=yes.

tunnel_mode (optional, bool, True)

Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet.

fw_address (optional, str, None)

IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host.

A host name may also be used and the first IP address returned by the name server for that host name will be used.

dst_mask (optional, str, None)

Network mask for the secure network behind a firewall.

Only used when fw_address is specified.

state (optional, str, active)

Tunnel state.

active specifies that the tunnel(s) will be created and activated.

defined specifies the tunnel(s) that are to be deactivated.

absent specifies the tunnel(s) that need to be removed.

export (optional, bool, False)

Export tunnel and associated filter rule definitions.

Examples

- name: Create and activate a manual IPv4 tunnel
  mktun:
    manual:
      ipv4:
        - src:
            address: 10.10.11.72
            ah_algo: HMAC_MD5
            esp_algo: DES_CBC_8
          dst:
            address: 10.10.11.98
            esp_spi: 12345

- name: Export IPv4 tunnel definition for tunnel id 3 on srchost
  mktun:
    manual:
      ipv4:
        - id: 3
          export: true
  register: export_result
  when: 'inventory_hostname == srchost'
- name: Import IPv4 tunnel definition on dsthost
  mktun:
    manual:
      import_ipv4: '{{ export_result.export_ipv4 }}'
  when: 'inventory_hostname == dsthost'

- name: Remove manual IPv4 tunnel with id 3 from tunnel database
  mktun:
    manual:
      ipv4:
        - id: 3
          state: absent

- name: Deactivate manual IPv4 tunnel with id 4
  mktun:
    manual:
      ipv4:
        - id: 4
          state: defined

- name: Activate manual IPv4 tunnel with id 5
  mktun:
    manual:
      ipv4:
        - id: 5
          state: active

- name: Gather the tunnel facts
  mktun:
- name: Print the tunnel facts
  debug:
    var: ansible_facts.tunnels
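The parameter rules documented above (AH/ESP keys must be hexadecimal, enc_mac_* and replay only apply with newheader, dst_mask only with fw_address, a fixed set of policy and state values, key_lifetime in minutes with 0 meaning never) can be linted before a play touches the tunnel database. The following is an added example, not code from the ibm.power_aix collection; it assumes that a definition without an id is a new tunnel and therefore needs both src and dst, and the sample algorithm names are constructed.

```python
import re

# Allowed values taken from the module documentation above.
POLICIES = {"encr/auth", "auth/encr", "encr", "auth"}
STATES = {"active", "defined", "absent"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def _check_endpoint(label, ep, newheader, errors):
    """Validate one src/dst sub-dictionary against the documented rules."""
    if not isinstance(ep, dict) or "address" not in ep:
        errors.append(f"{label}: 'address' is required")
        return
    for key_name in ("ah_key", "esp_key"):  # AH/ESP keys must be hex strings
        key = ep.get(key_name)
        if key is not None and not HEX_RE.match(str(key)):
            errors.append(f"{label}.{key_name}: must be a hexadecimal string")
    policy = ep.get("policy")
    if policy is not None and policy not in POLICIES:
        errors.append(f"{label}.policy: {policy!r} not one of {sorted(POLICIES)}")
    for opt in ("enc_mac_algo", "enc_mac_key"):  # ESP authentication needs newheader
        if opt in ep and not newheader:
            errors.append(f"{label}.{opt}: only used when newheader=yes")

def lint_tunnels(tunnels):
    """Return the list of problems found in a list of ipv4/ipv6 tunnel dicts."""
    errors = []
    for i, t in enumerate(tunnels):
        label = f"tunnel[{i}]"
        state = t.get("state", "active")
        if state not in STATES:
            errors.append(f"{label}.state: {state!r} not one of {sorted(STATES)}")
        if "id" not in t:  # assumption: a new definition needs both endpoints
            for side in ("src", "dst"):
                _check_endpoint(f"{label}.{side}", t.get(side), bool(t.get("newheader")), errors)
        if t.get("replay") and not t.get("newheader"):
            errors.append(f"{label}.replay: only used when newheader=yes")
        if "dst_mask" in t and "fw_address" not in t:
            errors.append(f"{label}.dst_mask: only used when fw_address is specified")
        lifetime = t.get("key_lifetime")
        if lifetime is not None and (not isinstance(lifetime, int) or lifetime < 0):
            errors.append(f"{label}.key_lifetime: minutes >= 0 (0 means never expires)")
    return errors

# Constructed sample: the page's first example, and a definition that breaks five rules.
GOOD = [{"src": {"address": "10.10.11.72", "ah_algo": "HMAC_MD5", "esp_algo": "DES_CBC_8"},
         "dst": {"address": "10.10.11.98", "esp_spi": 12345}}]
BAD = [{"src": {"address": "10.10.11.72", "esp_key": "not-hex", "policy": "both"},
        "dst": {"address": "10.10.11.98", "enc_mac_algo": "HMAC_SHA1"},
        "dst_mask": "255.255.255.0", "key_lifetime": -1}]
```

Run `lint_tunnels` over the `manual.ipv4` or `manual.ipv6` list loaded from a playbook's vars and fail the play if it returns anything.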

Return Values

msg (always, str, Successfully imported the tunnel(s))

The execution message.

stdout (always, str, )

The standard output of the underlying command.

stderr (always, str, )

The standard error of the underlying command.

export_ipv4 (when export is true, str, )

Base64 encoding of exported IPv4 tunnel definitions.

export_ipv6 (when export is true, str, )

Base64 encoding of exported IPv6 tunnel definitions.

ansible_facts (always, complex, )

Facts to add to ansible_facts about tunnels.

tunnels (always, dict, )

Tunnel definitions.

auth_algos (always, list, )

List of installed authentication algorithms.

encr_algos (always, list, )

List of installed encryption algorithms.

manual (always, list, )

Manual tunnel definitions.

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by community.

Authors

  • AIX Development Team (@pbfinley1911)