Terraform: IPsec site creation with Responder-only and destination type FQDN possible?

Question

Hi,see subject.When trying to setup an ipsec site (IKEv2) in responder only mode and with destination type FQDN for primary and secondary tunnel, terraform (in fact opentofu), gives this error:&nbsp;│ Error: Cato API error in SiteAddIpsecIkeV2SiteTunnels││ &nbsp; with cato_ipsec_site.Vienna,│ &nbsp; on main.tf line 73, in resource "cato_ipsec_site" "Vienna":│ &nbsp; 73: resource "cato_ipsec_site" "Vienna" {││ {"networkErrors":{"code":422,"message":"Response body {\"errors\":[{\"message\":\"input:│ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId &nbsp;is not a valid│ IPSecV2InterfaceId\",\"path\":[\"variable\",\"updateIpsecIkeV2SiteTunnelsInput\",\"primary\",\"tunnels\",0,\"tunnelId\"]}],\"data\":null}"},"graphqlErrors":[{"message":"input:│ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId &nbsp;is not a valid│ IPSecV2InterfaceId","path":["variable","updateIpsecIkeV2SiteTunnelsInput","primary","tunnels",0,"tunnelId"]}]}╵That appears when adding the&nbsp; "tunnels" section.Without that section, a deployment if possible.Obviously, the tunnels section is required.--------------------snip--------------------&nbsp;connection_mode &nbsp; &nbsp; = "RESPONDER_ONLY"&nbsp; &nbsp; identification_type = "IPV4"&nbsp; &nbsp; primary &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = {&nbsp; &nbsp; &nbsp; destination_type = "FQDN"&nbsp; &nbsp; &nbsp; &nbsp;tunnels = [&nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; public_site_ip = "10.10.10.10"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; psk = "abcABC1234567!!"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //last_mile_bw = {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //downstream = 10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //upstream &nbsp; = 10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; ] &nbsp;&nbsp; &nbsp; }---------------snap-------------------------------------Is that supported with the terraform provider currently?&nbsp;Thanks,Christian&nbsp;

robertg · Answer

Hi Christian,
I hope the info is still useful as it has been a while since you asked.Here is a working example of a module to achieve what you require.Currently it seems we need to update the provider as it requires us to give a value for "primary_cato_pop_ip" when in this example it is not actually needed. If you just use any allocated IP from your account it should suffice.&nbsp;
&nbsp;
module "ipsec-generic-ha-fully-customized" {
source = "catonetworks/ipsec-generic/cato"
ha_tunnels = false
site_name = "My-Cato-IPSec-Site-ha"
site_description = "IPSec Example Site"
native_network_range = "172.100.0.0/24"
primary_cato_pop_ip = "216.252.178.46" # Currently required but will be removed in a future version of the module, you can use the IP of any Cato IP address in your accounts Allocation.
primary_pop_location_id = "19" # Primary POP Location ID (e.g., 19 for London)
cato_local_networks = ["10.41.0.0/16", "10.254.254.0/24"]
peer_networks = ["servers:172.100.0.0/24", "desktops:172.100.1.0/24"]
peer_primary_public_ip = null
peer_secondary_public_ip = null
cato_connectionMode = "RESPONDER_ONLY"
primary_destination_type = "FQDN"
cato_identificationType = "FQDN"
downstream_bw = 100
upstream_bw = 100
site_location = {
city = "New York City"
country_code = "US"
state_code = "US-NY"
timezone = "America/New_York"
}
}

michaelsaw · Answer

Hi&nbsp;Deckel,
Form the error message, it seems to indicate that the tunnel ID is not valid.Just to check, you have referenced the API Configuration (Mutation) details: https://api.catonetworks.com/documentation/#mutation-sites.updateIpsecIkeV2SiteGeneralDetails , right? ___Would you like to review the tunnelId details? ___Here is a reference: https://api.catonetworks.com/documentation/#mutation-sites.updateIpsecIkeV2SiteTunnels
Cheers

deckel · Answer

Hi,not sure I follow.I am not using the API direct.The Cato Terraform provider is being used.cato_ipsec_site | Resources | catonetworks/cato | Terraform | Terraform Registry"tunnel_id" is listed there as a read-only item.In my understanding, the tunnel_id will be provided after deployment.This is the output of what will be changes by terraform:  # cato_ipsec_site.Vienna will be updated in-place
  ~ resource "cato_ipsec_site" "Vienna" {
        id                      = "170369"
      ~ ipsec                   = {
          ~ primary             = {
              + tunnels          = [
                  + {
                      + psk       = "abcABC1234567!!"
                      + tunnel_id = (known after apply)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
            # (6 unchanged attributes hidden)&nbsp;It seems to me that the terraform provider isn´t supporting ipsec tunnels with destination type FQDN.I can nowhere find an example for that&nbsp; type of setup.All I can find is with destination_type set to IPv4. Which then requires selecting a POP.Thanks,Christian

michaelsaw · Answer

Hi&nbsp;Deckel,&nbsp;
Got it.Would this help? https://api.catonetworks.com/documentation/#definition-DestinationType&nbsp;

Cheers

Forum Discussion

Terraform: IPsec site creation with Responder-only and destination type FQDN possible?

4 Replies

Recent Discussions

Recording: API/DevOps Live - May 2026

Issue creating IPsec tunnel with identification_type FQDN

Is there a way to monitor CATO IPSec degraded status

I could use some help with a Powershell script for the events feed.

Terraform: IPsec site creation with Responder-only and destination type FQDN possible?