Terraform: IPsec site creation with Responder-only and destination type FQDN possible?
Hi,
see subject.
When trying to set up an IPsec site (IKEv2) in responder-only mode and with destination type FQDN for the primary and secondary tunnel, terraform (in fact opentofu) gives this error:
│ Error: Cato API error in SiteAddIpsecIkeV2SiteTunnels
│
│ with cato_ipsec_site.Vienna,
│ on main.tf line 73, in resource "cato_ipsec_site" "Vienna":
│ 73: resource "cato_ipsec_site" "Vienna" {
│
│ {"networkErrors":{"code":422,"message":"Response body {\"errors\":[{\"message\":\"input:
│ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid
│ IPSecV2InterfaceId\",\"path\":[\"variable\",\"updateIpsecIkeV2SiteTunnelsInput\",\"primary\",\"tunnels\",0,\"tunnelId\"]}],\"data\":null}"},"graphqlErrors":[{"message":"input:
│ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid
│ IPSecV2InterfaceId","path":["variable","updateIpsecIkeV2SiteTunnelsInput","primary","tunnels",0,"tunnelId"]}]}
╵
That appears when adding the "tunnels" section.
Without that section, a deployment is possible.
Obviously, the tunnels section is required.
--------------------snip--------------------
connection_mode     = "RESPONDER_ONLY"
identification_type = "IPV4"
primary = {
  destination_type = "FQDN"
  tunnels = [
    {
      public_site_ip = "10.10.10.10"
      psk            = "abcABC1234567!!"
      //last_mile_bw = {
      //  downstream = 10
      //  upstream   = 10
      //}
    }
  ]
}
---------------snap-------------------------------------
Is that supported with the terraform provider currently?
Thanks,
Christian
Hi Christian,
I hope the info is still useful as it has been a while since you asked.
Here is a working example of a module to achieve what you require.
Currently it seems we need to update the provider, as it requires us to give a value for "primary_cato_pop_ip" when in this example it is not actually needed. If you just use any allocated IP from your account it should suffice.

module "ipsec-generic-ha-fully-customized" {
  source                   = "catonetworks/ipsec-generic/cato"
  ha_tunnels               = false
  site_name                = "My-Cato-IPSec-Site-ha"
  site_description         = "IPSec Example Site"
  native_network_range     = "172.100.0.0/24"
  primary_cato_pop_ip      = "216.252.178.46" # Currently required but will be removed in a future version of the module; you can use any Cato IP address in your account's allocation.
  primary_pop_location_id  = "19" # Primary POP Location ID (e.g., 19 for London)
  cato_local_networks      = ["10.41.0.0/16", "10.254.254.0/24"]
  peer_networks            = ["servers:172.100.0.0/24", "desktops:172.100.1.0/24"]
  peer_primary_public_ip   = null
  peer_secondary_public_ip = null
  cato_connectionMode      = "RESPONDER_ONLY"
  primary_destination_type = "FQDN"
  cato_identificationType  = "FQDN"
  downstream_bw            = 100
  upstream_bw              = 100
  site_location = {
    city         = "New York City"
    country_code = "US"
    state_code   = "US-NY"
    timezone     = "America/New_York"
  }
}