Forum Discussion

VincentP
27 days ago

Issue creating IPsec tunnel with identification_type FQDN

Hi Cato community,

I have encountered an issue where it is not possible to create an IPsec tunnel using the following configuration:

Site type: IPSecV2
connectionMode: RESPONDER_ONLY
identificationType: FQDN


Since the IPsec site is responder only with FQDN identification, the updateIpsecIkeV2SiteTunnels mutation cannot be used to create such tunnels, as it requires a public site IP, whereas FQDN identification will give a local ID.

When I tried to enter a dummy IP to test it out, it shows "GraphQL error: Required"; leaving it blank produces "Required field 'primary_public_site_ip' is missing or empty".


Are there any solutions/workarounds for this?


Let me know if more information is required.

Cheers,

VincentP

5 Replies

  • RobertG

    Hi Vincent,

    I have already raised this with our internal team to remove the requirement for "primary_cato_pop_ip" but in the meantime you can follow the below to get this working.

    Here is a working example of a module to achieve what you require.
    Currently it seems we need to update the provider, as it requires us to give a value for "primary_cato_pop_ip" when in this example it is not actually needed. If you just use any allocated IP from your account it should suffice.


    module "ipsec-generic-ha-fully-customized" {
      source = "catonetworks/ipsec-generic/cato"

      ha_tunnels           = false
      site_name            = "My-Cato-IPSec-Site-ha"
      site_description     = "IPSec Example Site"
      native_network_range = "172.100.0.0/24"

      # Currently required but will be removed in a future version of the module;
      # you can use any Cato IP address in your account's allocation.
      primary_cato_pop_ip     = "216.252.178.46"
      primary_pop_location_id = "19" # Primary POP Location ID (e.g., 19 for London)

      cato_local_networks = ["10.41.0.0/16", "10.254.254.0/24"]
      peer_networks       = ["servers:172.100.0.0/24", "desktops:172.100.1.0/24"]

      # Responder-only with FQDN identification: no peer public IPs are needed.
      peer_primary_public_ip   = null
      peer_secondary_public_ip = null
      cato_connectionMode      = "RESPONDER_ONLY"
      primary_destination_type = "FQDN"
      cato_identificationType  = "FQDN"

      downstream_bw = 100
      upstream_bw   = 100

      site_location = {
        city         = "New York City"
        country_code = "US"
        state_code   = "US-NY"
        timezone     = "America/New_York"
      }
    }

    Any other questions or issues please let me know.

    Thanks,

    Rob

  • RobertG

    Hi Vincent,

    This workaround is no longer required; the module has been updated to accommodate IPsec in this configuration.

    Thanks,

    Rob