 
    New in version 2.8.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| host (required) | | FortiOS or FortiGate IP address. |
| https | boolean | Indicates whether the requests towards the FortiGate must use the HTTPS protocol. |
| password | Default: "" | FortiOS or FortiGate password. |
| username (required) | | FortiOS or FortiGate username. |
| vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
| vpn_ipsec_phase1 | Default: null | Configure VPN remote gateway. Its sub-options are listed in the next table. |

Sub-options of vpn_ipsec_phase1 (the page lists no choice values for these; where a numeric range is documented it is given in the comment):

| Sub-option | Comments |
|---|---|
| acct-verify | Enable/disable verification of RADIUS accounting record. |
| add-gw-route | Enable/disable automatically adding a route to the remote gateway. |
| add-route | Enable/disable control of addition of a route to the peer destination selector. |
| assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. |
| assign-ip-from | Method by which the IP address will be assigned. |
| authmethod | Authentication method. |
| authmethod-remote | Authentication method (remote side). |
| authpasswd | XAuth password (max 35 characters). |
| authusr | XAuth user name. |
| authusrgrp | Authentication user group. Source user.group.name. |
| auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. |
| backup-gateway | Instruct unity clients about the backup gateway address(es). List; each entry has the sub-option address (required): Address of backup gateway. |
| banner | Message that the unity client should display after connecting. |
| cert-id-validation | Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. |
| certificate | Names of up to 4 signed personal certificates. List; each entry has the sub-option name (required): Certificate name. Source vpn.certificate.local.name. |
| childless-ike | Enable/disable childless IKEv2 initiation (RFC 6023). |
| client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. |
| client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. |
| comments | Comment. |
| dhgrp | DH group. |
| digital-signature-auth | Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). |
| distance | Distance for routes added by IKE (1 - 255). |
| dns-mode | DNS server mode. |
| domain | Instruct unity clients about the default DNS domain. |
| dpd | Dead Peer Detection mode. |
| dpd-retrycount | Number of DPD retry attempts. |
| dpd-retryinterval | DPD retry interval. |
| eap | Enable/disable IKEv2 EAP authentication. |
| eap-identity | IKEv2 EAP peer identity type. |
| enforce-unique-id | Enable/disable peer ID uniqueness check. |
| forticlient-enforcement | Enable/disable FortiClient enforcement. |
| fragmentation | Enable/disable fragmentation of IKE messages on re-transmission. |
| fragmentation-mtu | IKE fragmentation MTU (500 - 16000). |
| group-authentication | Enable/disable IKEv2 IDi group authentication. |
| group-authentication-secret | Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x). |
| ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. |
| idle-timeout | Enable/disable IPsec tunnel idle timeout. |
| idle-timeoutinterval | IPsec tunnel idle timeout in minutes (5 - 43200). |
| ike-version | IKE protocol version. |
| include-local-lan | Enable/disable allowing local LAN access on unity clients. |
| interface | Local physical, aggregate, or VLAN outgoing interface. Source system.interface.name. |
| ipv4-dns-server1 | IPv4 DNS server 1. |
| ipv4-dns-server2 | IPv4 DNS server 2. |
| ipv4-dns-server3 | IPv4 DNS server 3. |
| ipv4-end-ip | End of IPv4 range. |
| ipv4-exclude-range | Configuration method IPv4 exclude ranges. List; each entry has the sub-options id (required): ID; start-ip: Start of IPv4 exclusive range; end-ip: End of IPv4 exclusive range. |
| ipv4-name | IPv4 address name. Source firewall.address.name firewall.addrgrp.name. |
| ipv4-netmask | IPv4 netmask. |
| ipv4-split-exclude | IPv4 subnets that should not be sent over the IPsec tunnel. Source firewall.address.name firewall.addrgrp.name. |
| ipv4-split-include | IPv4 split-include subnets. Source firewall.address.name firewall.addrgrp.name. |
| ipv4-start-ip | Start of IPv4 range. |
| ipv4-wins-server1 | WINS server 1. |
| ipv4-wins-server2 | WINS server 2. |
| ipv6-dns-server1 | IPv6 DNS server 1. |
| ipv6-dns-server2 | IPv6 DNS server 2. |
| ipv6-dns-server3 | IPv6 DNS server 3. |
| ipv6-end-ip | End of IPv6 range. |
| ipv6-exclude-range | Configuration method IPv6 exclude ranges. List; each entry has the sub-options id (required): ID; start-ip: Start of IPv6 exclusive range; end-ip: End of IPv6 exclusive range. |
| ipv6-name | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
| ipv6-prefix | IPv6 prefix. |
| ipv6-split-exclude | IPv6 subnets that should not be sent over the IPsec tunnel. Source firewall.address6.name firewall.addrgrp6.name. |
| ipv6-split-include | IPv6 split-include subnets. Source firewall.address6.name firewall.addrgrp6.name. |
| ipv6-start-ip | Start of IPv6 range. |
| keepalive | NAT-T keep-alive interval. |
| keylife | Time to wait in seconds before the phase 1 encryption key expires. |
| local-gw | Local VPN gateway. |
| localid | Local ID. |
| localid-type | Local ID type. |
| mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. |
| mode | ID protection mode used to establish a secure channel. |
| mode-cfg | Enable/disable configuration method. |
| name (required) | IPsec remote gateway name. |
| nattraversal | Enable/disable NAT traversal. |
| negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). |
| npu-offload | Enable/disable NPU offloading. |
| peer | Accept this peer certificate. Source user.peer.name. |
| peergrp | Accept this peer certificate group. Source user.peergrp.name. |
| peerid | Accept this peer identity. |
| peertype | Accept this peer type. |
| ppk | Enable/disable IKEv2 Postquantum Preshared Key (PPK). |
| ppk-identity | IKEv2 Postquantum Preshared Key identity. |
| ppk-secret | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). |
| priority | Priority for routes added by IKE (0 - 4294967295). |
| proposal | Phase 1 proposal. |
| psksecret | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
| psksecret-remote | Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). |
| reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. |
| rekey | Enable/disable phase 1 rekey. |
| remote-gw | Remote VPN gateway. |
| remotegw-ddns | Domain name of remote gateway (e.g. name.DDNS.com). |
| rsa-signature-format | Digital Signature Authentication RSA signature format. |
| save-password | Enable/disable saving XAuth username and password on VPN clients. |
| send-cert-chain | Enable/disable sending the certificate chain. |
| signature-hash-alg | Digital Signature Authentication hash algorithms. |
| split-include-service | Split-include services. Source firewall.service.group.name firewall.service.custom.name. |
| state | Indicates whether to create or remove the object. |
| suite-b | Use Suite-B. |
| type | Remote gateway type. |
| unity-support | Enable/disable support for Cisco UNITY Configuration Method extensions. |
| usrgrp | User group name for dialup peers. Source user.group.name. |
| wizard-type | GUI VPN Wizard type. |
| xauthtype | XAuth type. |
Examples

The generated example below sets every sub-option once with placeholder values; it is a field reference, not a recommended configuration. The comments mark the settings a practitioner should not copy as-is.

```yaml
- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure VPN remote gateway.
    fortios_vpn_ipsec_phase1:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      # https "False" sends the admin credentials and every secret below
      # (psksecret, psksecret-remote, ppk-secret, authpasswd) over cleartext
      # HTTP. Use "True" anywhere outside an isolated lab.
      https: "False"
      vpn_ipsec_phase1:
        state: "present"
        acct-verify: "enable"
        add-gw-route: "enable"
        add-route: "disable"
        assign-ip: "disable"
        assign-ip-from: "range"
        authmethod: "psk"
        authmethod-remote: "psk"
        authpasswd: "<your_own_value>"
        authusr: "<your_own_value>"
        authusrgrp: "<your_own_value> (source user.group.name)"
        auto-negotiate: "enable"
        backup-gateway:
         -
            address: "<your_own_value>"
        banner: "<your_own_value>"
        cert-id-validation: "enable"
        certificate:
         -
            name: "default_name_19 (source vpn.certificate.local.name)"
        childless-ike: "enable"
        client-auto-negotiate: "disable"
        client-keep-alive: "disable"
        comments: "<your_own_value>"
        # DH group 1 (768-bit MODP) is far too weak for a modern deployment.
        dhgrp: "1"
        digital-signature-auth: "enable"
        distance: "26"
        dns-mode: "manual"
        domain: "<your_own_value>"
        dpd: "disable"
        dpd-retrycount: "30"
        dpd-retryinterval: "<your_own_value>"
        eap: "enable"
        eap-identity: "use-id-payload"
        enforce-unique-id: "disable"
        forticlient-enforcement: "enable"
        fragmentation: "enable"
        # Must fall within the documented 500 - 16000 range.
        fragmentation-mtu: "1400"
        group-authentication: "enable"
        group-authentication-secret: "<your_own_value>"
        ha-sync-esp-seqno: "enable"
        idle-timeout: "enable"
        idle-timeoutinterval: "42"
        # IKEv1 with aggressive mode (see "mode" below) exposes the peer
        # identity and the PSK-derived hash to an on-path observer.
        ike-version: "1"
        include-local-lan: "disable"
        interface: "<your_own_value> (source system.interface.name)"
        ipv4-dns-server1: "<your_own_value>"
        ipv4-dns-server2: "<your_own_value>"
        ipv4-dns-server3: "<your_own_value>"
        ipv4-end-ip: "<your_own_value>"
        ipv4-exclude-range:
         -
            end-ip: "<your_own_value>"
            id:  "52"
            start-ip: "<your_own_value>"
        ipv4-name: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
        ipv4-netmask: "<your_own_value>"
        ipv4-split-exclude: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
        ipv4-split-include: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
        ipv4-start-ip: "<your_own_value>"
        ipv4-wins-server1: "<your_own_value>"
        ipv4-wins-server2: "<your_own_value>"
        ipv6-dns-server1: "<your_own_value>"
        ipv6-dns-server2: "<your_own_value>"
        ipv6-dns-server3: "<your_own_value>"
        ipv6-end-ip: "<your_own_value>"
        ipv6-exclude-range:
         -
            end-ip: "<your_own_value>"
            id:  "67"
            start-ip: "<your_own_value>"
        ipv6-name: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-prefix: "70"
        ipv6-split-exclude: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-split-include: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-start-ip: "<your_own_value>"
        keepalive: "74"
        keylife: "75"
        local-gw: "<your_own_value>"
        localid: "<your_own_value>"
        localid-type: "auto"
        mesh-selector-type: "disable"
        mode: "aggressive"
        mode-cfg: "disable"
        name: "default_name_82"
        nattraversal: "enable"
        negotiate-timeout: "84"
        npu-offload: "enable"
        peer: "<your_own_value> (source user.peer.name)"
        peergrp: "<your_own_value> (source user.peergrp.name)"
        peerid: "<your_own_value>"
        # "any" accepts every peer identity; prefer pinning the expected peer.
        peertype: "any"
        ppk: "disable"
        ppk-identity: "<your_own_value>"
        ppk-secret: "<your_own_value>"
        priority: "93"
        # Single DES with MD5 is broken; this is a placeholder, not a proposal to deploy.
        proposal: "des-md5"
        # Keep secrets in ansible-vault rather than in the playbook text.
        psksecret: "<your_own_value>"
        psksecret-remote: "<your_own_value>"
        reauth: "disable"
        rekey: "enable"
        remote-gw: "<your_own_value>"
        remotegw-ddns: "<your_own_value>"
        rsa-signature-format: "pkcs1"
        save-password: "disable"
        send-cert-chain: "enable"
        # SHA-1 signatures should not be used for new deployments.
        signature-hash-alg: "sha1"
        split-include-service: "<your_own_value> (source firewall.service.group.name firewall.service.custom.name)"
        suite-b: "disable"
        type: "static"
        unity-support: "disable"
        usrgrp: "<your_own_value> (source user.group.name)"
        wizard-type: "custom"
        xauthtype: "disable"
```
Common return values are documented in the Ansible return values reference; the following are the fields unique to this module:

| Key | Type | Returned | Description | Sample |
|---|---|---|---|---|
| build | string | always | Build number of the FortiGate image | 1547 |
| http_method | string | always | Last HTTP method used to provision the content into the FortiGate | PUT |
| http_status | string | always | Last result given by the FortiGate on the last operation applied | 200 |
| mkey | string | success | Master key (id) used in the last call to the FortiGate | id |
| name | string | always | Name of the table used to fulfill the request | urlfilter |
| path | string | always | Path of the table used to fulfill the request | webfilter |
| revision | string | always | Internal revision number | 17.0.2.10658 |
| serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352 |
| status | string | always | Indication of the operation's result | success |
| vdom | string | always | Virtual domain used | root |
| version | string | always | Version of the FortiGate | v5.6.3 |

The name and path samples are template values shared across the FortiOS modules; for this module the table is the phase1 table under the vpn.ipsec path.
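The generated example above exercises every field, but several of its placeholder values (IKEv1 aggressive mode, DES-MD5, DH group 1, SHA-1, peertype "any", plain HTTP) are exactly what a reviewer would reject. The playbook below is an added example, not code from this page or from the Ansible or Fortinet projects: it provisions a single IKEv2, PSK-authenticated, site-to-site phase1 with a current proposal and a pinned peer, and then uses the return values documented in the table above to fail the play if the FortiGate did not report success. The page itself lists no choice values, so the choices used here (ike-version "2", mode "main", type "static", peertype "one", localid-type "fqdn", dpd "on-demand", the proposal and dhgrp strings) are FortiOS CLI values assumed from the FortiOS configuration reference. The vault variables vault_fgt_password and vault_phase1_psk, the interface name wan1, the tunnel name hq-to-branch1, the identities and the RFC 5737 peer address are placeholders constructed for the example.

```yaml
# Added example; assumes FortiOS CLI choice values and ansible-vault variables
# (vault_fgt_password, vault_phase1_psk) that are not part of the original page.
- hosts: localhost
  vars:
    fgt_host: "192.168.122.40"
    fgt_user: "admin"
    fgt_vdom: "root"
  tasks:
  - name: Provision hardened IKEv2 phase1 for the hq-to-branch1 tunnel
    fortios_vpn_ipsec_phase1:
      host: "{{ fgt_host }}"
      username: "{{ fgt_user }}"
      password: "{{ vault_fgt_password }}"   # vault variable, never a literal in the playbook
      vdom: "{{ fgt_vdom }}"
      https: "True"                          # credentials and the PSK travel over TLS only
      vpn_ipsec_phase1:
        state: "present"
        name: "hq-to-branch1"
        type: "static"                       # fixed remote address, not a dialup peer
        interface: "wan1"                    # assumed outgoing interface name
        remote-gw: "203.0.113.10"            # RFC 5737 documentation address (placeholder)
        ike-version: "2"                     # IKEv2: no aggressive-mode identity/hash exposure
        mode: "main"                         # only consulted for IKEv1; kept sane anyway
        proposal: "aes256-sha256 aes256-sha384"
        dhgrp: "19 14"                       # ECP-256 preferred, 2048-bit MODP as fallback
        authmethod: "psk"
        psksecret: "{{ vault_phase1_psk }}"  # long random secret held in ansible-vault
        peertype: "one"                      # accept exactly one peer identity, not "any"
        peerid: "branch1.example.net"
        localid: "hq.example.net"
        localid-type: "fqdn"
        dpd: "on-demand"                     # detect dead peers without constant probing
        dpd-retrycount: "3"
        dpd-retryinterval: "20"
        nattraversal: "enable"
        keylife: "86400"                     # 24 h phase 1 lifetime
        rekey: "enable"
        reauth: "enable"                     # re-run authentication, not just rekey, at expiry
        add-gw-route: "enable"
        npu-offload: "enable"
        comments: "Managed by Ansible; do not edit by hand"
    register: phase1_result

  # The module already fails on a FortiGate error; this assert additionally pins the
  # documented return fields so a silently changed API response cannot pass unnoticed.
  - name: Verify the FortiGate accepted the phase1 object
    assert:
      that:
        - phase1_result.status == "success"
        - (phase1_result.http_status | string) == "200"
        - phase1_result.vdom == fgt_vdom
      fail_msg: "phase1 provisioning failed: {{ phase1_result }}"
```

Run it with the vault file supplied (for example `ansible-playbook phase1.yml --ask-vault-pass`); the assert task is what turns the returned status, http_status and vdom fields into a hard gate in CI rather than values that only appear in the log.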