routeros 1.83.1 published on Monday, Apr 28, 2025 by terraform-routeros

routeros.IpIpsecIdentity


    Example Usage

    resources:
      testIpIpsecModeConfig:
        type: routeros:IpIpsecModeConfig
        properties:
          responder: false
      testIpIpsecPeer:
        type: routeros:IpIpsecPeer
        properties:
          address: lv20.nordvpn.com
          exchangeMode: ike2
      testIpIpsecIdentity:
        type: routeros:IpIpsecIdentity
        properties:
          # Property names are the camelCase ones documented under Inputs below;
          # the hyphenated RouterOS names (auth-method, eap-methods, ...) are not
          # accepted by the Pulumi schema.
          authMethod: eap
          certificate: ""
          eapMethods: eap-mschapv2
          generatePolicy: port-strict
          modeConfig: ${testIpIpsecModeConfig.name}
          peer: ${testIpIpsecPeer.name}
          username: support@mikrotik.com
          # Placeholder value; wrap real credentials in fn::secret so they are
          # encrypted in the Pulumi state instead of stored in plaintext.
          password: secret
    

    Create IpIpsecIdentity Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    TypeScript / JavaScript:
    new IpIpsecIdentity(name: string, args: IpIpsecIdentityArgs, opts?: CustomResourceOptions);

    Python:
    @overload
    def IpIpsecIdentity(resource_name: str,
                        args: IpIpsecIdentityArgs,
                        opts: Optional[ResourceOptions] = None)
    
    @overload
    def IpIpsecIdentity(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        peer: Optional[str] = None,
                        disabled: Optional[bool] = None,
                        my_id: Optional[str] = None,
                        certificate: Optional[str] = None,
                        comment: Optional[str] = None,
                        ___id_: Optional[float] = None,
                        eap_methods: Optional[str] = None,
                        generate_policy: Optional[str] = None,
                        ip_ipsec_identity_id: Optional[str] = None,
                        key: Optional[str] = None,
                        match_by: Optional[str] = None,
                        auth_method: Optional[str] = None,
                        notrack_chain: Optional[str] = None,
                        mode_config: Optional[str] = None,
                        password: Optional[str] = None,
                        ___path_: Optional[str] = None,
                        policy_template_group: Optional[str] = None,
                        remote_certificate: Optional[str] = None,
                        remote_id: Optional[str] = None,
                        remote_key: Optional[str] = None,
                        secret: Optional[str] = None,
                        username: Optional[str] = None)

    Go:
    func NewIpIpsecIdentity(ctx *Context, name string, args IpIpsecIdentityArgs, opts ...ResourceOption) (*IpIpsecIdentity, error)

    C#:
    public IpIpsecIdentity(string name, IpIpsecIdentityArgs args, CustomResourceOptions? opts = null)

    Java:
    public IpIpsecIdentity(String name, IpIpsecIdentityArgs args)
    public IpIpsecIdentity(String name, IpIpsecIdentityArgs args, CustomResourceOptions options)

    YAML:
    type: routeros:IpIpsecIdentity
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    TypeScript / JavaScript:
    name string
    The unique name of the resource.
    args IpIpsecIdentityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Python:
    resource_name str
    The unique name of the resource.
    args IpIpsecIdentityArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.

    Go:
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IpIpsecIdentityArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.

    C#:
    name string
    The unique name of the resource.
    args IpIpsecIdentityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Java:
    name String
    The unique name of the resource.
    args IpIpsecIdentityArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    IpIpsecIdentity Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The IpIpsecIdentity resource accepts the following input properties (C# names shown here; the other SDKs expose the same properties in their own casing, listed further below):

    Peer string
    Name of the peer on which the identity applies.
    AuthMethod string
    Authentication method:
    * digital-signature - authenticate using a pair of RSA certificates;
    * eap - IKEv2 EAP authentication for the initiator (peer with a netmask of /32). Must be used together with eap-methods;
    * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate is required in this case; if no server certificate is specified, only clients supporting EAP-only (RFC 5998) will be able to connect, and the EAP method must then be compatible with EAP-only;
    * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended, since an offline attack on the pre-shared key is possible);
    * rsa-key - authenticate using an RSA key imported in the keys menu. Only supported in IKEv1;
    * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers plus an XAuth username and password. Only supported in IKEv1;
    * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    Certificate string
    Name of a certificate listed in System/Certificates (used for signing packets; the certificate must have its private key). Applicable if the digital signature (auth-method=digital-signature) or EAP (auth-method=eap) authentication method is used.
    Comment string
    Disabled bool
    EapMethods string
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and are tried in the specified order. Currently supported EAP methods:
    * eap-mschapv2;
    * eap-peap - also known as PEAPv0/EAP-MSCHAPv2;
    * eap-tls - requires an additional client certificate specified under the certificate parameter;
    * eap-ttls.
    GeneratePolicy string
    Allow this peer to establish SAs for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time.
    * no - do not generate policies;
    * port-override - generate policies and force the policy to use any port (old behavior);
    * port-strict - use ports from the peer's proposal, which should match the peer's policy.
    IpIpsecIdentityId string
    Key string
    Name of the private key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    MatchBy string
    Defines the logic used for peer identity validation.
    * remote-id - verify the peer's ID according to the remote-id setting;
    * certificate - verify the peer's certificate against what is specified under the remote-certificate setting.
    ModeConfig string
    Name of the configuration parameters from the mode-config menu. When this parameter is set, mode-config is enabled.
    MyId string
    On the initiator, this controls which ID_i is sent to the responder. On the responder, this controls which ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator.
    * auto - tries to use the correct ID automatically: the IP address for pre-shared key, the SAN (or the DN if no SAN is present) for certificate-based connections;
    * address - the IP address is used as the ID;
    * dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name;
    * fqdn - a fully qualified domain name;
    * key-id - use the specified key ID for the identity;
    * user-fqdn - a fully qualified username string, for example user@domain.com.
    NotrackChain string
    Adds IP/Firewall/Raw rules matching the IPsec policy to the specified chain. Use together with generate-policy.
    Password string
    XAuth or EAP password. Applicable if the pre-shared key with XAuth (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) authentication method is used.
    PolicyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, the Phase 2 SA will not be established.
    RemoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and checked against the CAs in the certificate menu, so the proper CA must be imported into the certificate store. If remote-certificate is set together with match-by=certificate, only that specific client certificate will be matched. Applicable if the digital signature authentication method (auth-method=digital-signature) is used.
    RemoteId string
    Controls what ID value to expect from the remote peer. All types except ignore verify the remote peer's ID against the received certificate: if the peer sends the certificate name as its ID, it is checked against the certificate, otherwise the ID is checked against the Subject Alt. Name.
    * auto - accept all IDs;
    * address - the IP address is used as the ID;
    * dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name;
    * fqdn - a fully qualified domain name. Only supported in IKEv2;
    * user-fqdn - a fully qualified username string, for example user@domain.com. Only supported in IKEv2;
    * key-id - a specific key ID for the identity. Only supported in IKEv2;
    * ignore - do not verify the received ID against the certificate (dangerous).
    Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    RemoteKey string
    Name of the public key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    Secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    Username string
    XAuth or EAP username. Applicable if the pre-shared key with XAuth (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) authentication method is used.
    ___id_ double
    Resource ID type (.id / name). This is an internal service field; setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field; setting a value is not required.
    Peer string
    Name of the peer on which the identity applies.
    AuthMethod string
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    Certificate string
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    Comment string
    Disabled bool
    EapMethods string
    All EAP methods requires whole certificate chain including intermediate and root CA certificates to be present in System/Certificates menu. Also, the username and password (if required by the authentication server) must be specified. Multiple EAP methods may be specified and will be used in a specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires additional client certificate specified under certificate parameter; * eap-ttls.
    GeneratePolicy string
    Allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time. no - do not generate policies; port-override - generate policies and force policy to use any port (old behavior); port-strict - use ports from peer's proposal, which should match peer's policy.
    IpIpsecIdentityId string
    Key string
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    MatchBy string
    Defines the logic used for peer's identity validation. remote-id - will verify the peer's ID according to remote-id setting. certificate will verify the peer's certificate with what is specified under remote-certificate setting.
    ModeConfig string
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    MyId string
    On initiator, this controls what ID_i is sent to the responder. On responder, this controls what ID_r is sent to the initiator. In IKEv2, responder also expects this ID in received ID_r from initiator. auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections; address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    NotrackChain string
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    Password string
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    PolicyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    RemoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If a remote-certificate is not specified then the received certificate from a remote peer is used and checked against CA in the certificate menu. Proper CA must be imported in a certificate store. If remote-certificate and match-by=certificate is specified, only the specific client certificate will be matched. Applicable if digital signature authentication method (auth-method=digital-signature) is used.
    RemoteId string
    This parameter controls what ID value to expect from the remote peer. Note that all types except for ignoring will verify remote peer's ID with a received certificate. In case when the peer sends the certificate name as its ID, it is checked against the certificate, else the ID is checked against Subject Alt. Name. auto - accept all ID's;address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify received ID with certificate (dangerous). * Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com`.
    RemoteKey string
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    Secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if pre-shared key authentication method (auth-method=pre-shared-key and auth-method=pre-shared-key-xauth) is used.
    Username string
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ float64
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    peer String
    Name of the peer on which the identity applies.
    ___id_ Double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod String
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate String
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment String
    disabled Boolean
    eapMethods String
    All EAP methods requires whole certificate chain including intermediate and root CA certificates to be present in System/Certificates menu. Also, the username and password (if required by the authentication server) must be specified. Multiple EAP methods may be specified and will be used in a specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires additional client certificate specified under certificate parameter; * eap-ttls.
    generatePolicy String
    Allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time. no - do not generate policies; port-override - generate policies and force policy to use any port (old behavior); port-strict - use ports from peer's proposal, which should match peer's policy.
    ipIpsecIdentityId String
    key String
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    matchBy String
    Defines the logic used for peer's identity validation. remote-id - will verify the peer's ID according to remote-id setting. certificate will verify the peer's certificate with what is specified under remote-certificate setting.
    modeConfig String
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    myId String
    On initiator, this controls what ID_i is sent to the responder. On responder, this controls what ID_r is sent to the initiator. In IKEv2, responder also expects this ID in received ID_r from initiator. auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections; address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    notrackChain String
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password String
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    policyTemplateGroup String
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate String
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If a remote-certificate is not specified then the received certificate from a remote peer is used and checked against CA in the certificate menu. Proper CA must be imported in a certificate store. If remote-certificate and match-by=certificate is specified, only the specific client certificate will be matched. Applicable if digital signature authentication method (auth-method=digital-signature) is used.
    remoteId String
    This parameter controls what ID value to expect from the remote peer. Note that all types except for ignoring will verify remote peer's ID with a received certificate. In case when the peer sends the certificate name as its ID, it is checked against the certificate, else the ID is checked against Subject Alt. Name. auto - accept all ID's;address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify received ID with certificate (dangerous). * Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com`.
    remoteKey String
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    secret String
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if pre-shared key authentication method (auth-method=pre-shared-key and auth-method=pre-shared-key-xauth) is used.
    username String
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer string
    Name of the peer on which the identity applies.
    ___id_ number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod string
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate string
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment string
    disabled boolean
    eapMethods string
    All EAP methods requires whole certificate chain including intermediate and root CA certificates to be present in System/Certificates menu. Also, the username and password (if required by the authentication server) must be specified. Multiple EAP methods may be specified and will be used in a specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires additional client certificate specified under certificate parameter; * eap-ttls.
    generatePolicy string
    Allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time. no - do not generate policies; port-override - generate policies and force policy to use any port (old behavior); port-strict - use ports from peer's proposal, which should match peer's policy.
    ipIpsecIdentityId string
    key string
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    matchBy string
    Defines the logic used for peer's identity validation. remote-id - will verify the peer's ID according to remote-id setting. certificate will verify the peer's certificate with what is specified under remote-certificate setting.
    modeConfig string
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    myId string
    On initiator, this controls what ID_i is sent to the responder. On responder, this controls what ID_r is sent to the initiator. In IKEv2, responder also expects this ID in received ID_r from initiator. auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections; address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    notrackChain string
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password string
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    policyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If a remote-certificate is not specified then the received certificate from a remote peer is used and checked against CA in the certificate menu. Proper CA must be imported in a certificate store. If remote-certificate and match-by=certificate is specified, only the specific client certificate will be matched. Applicable if digital signature authentication method (auth-method=digital-signature) is used.
    remoteId string
    This parameter controls what ID value to expect from the remote peer. Note that all types except for ignoring will verify remote peer's ID with a received certificate. In case when the peer sends the certificate name as its ID, it is checked against the certificate, else the ID is checked against Subject Alt. Name. auto - accept all ID's;address - IP address is used as ID;dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify received ID with certificate (dangerous). * Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com`.
    remoteKey string
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if pre-shared key authentication method (auth-method=pre-shared-key and auth-method=pre-shared-key-xauth) is used.
    username string
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer str
    Name of the peer on which the identity applies.
    ___id_ float
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ str
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    auth_method str
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate str
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment str
    disabled bool
    eap_methods str
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be tried in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate specified under the certificate parameter; * eap-ttls.
    generate_policy str
    Allow this peer to establish an SA for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ip_ipsec_identity_id str
    key str
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    match_by str
    Defines the logic used for peer identity validation. remote-id - verify the peer's ID according to the remote-id setting; certificate - verify the peer's certificate against the one specified under the remote-certificate setting.
    mode_config str
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    my_id str
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate-based connections; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    notrack_chain str
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password str
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    policy_template_group str
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remote_certificate str
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and validated against a CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate is specified together with match-by=certificate, only that specific client certificate will be matched. Applicable if the digital signature authentication method (auth-method=digital-signature) is used.
    remote_id str
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate: if the peer sends the certificate name as its ID, it is checked against the certificate, otherwise the ID is checked against the Subject Alternative Name. auto - accept all IDs; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remote_key str
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    secret str
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username str
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer String
    Name of the peer on which the identity applies.
    ___id_ Number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod String
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate String
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment String
    disabled Boolean
    eapMethods String
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be tried in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate specified under the certificate parameter; * eap-ttls.
    generatePolicy String
    Allow this peer to establish an SA for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ipIpsecIdentityId String
    key String
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    matchBy String
    Defines the logic used for peer identity validation. remote-id - verify the peer's ID according to the remote-id setting; certificate - verify the peer's certificate against the one specified under the remote-certificate setting.
    modeConfig String
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    myId String
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate-based connections; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    notrackChain String
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password String
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    policyTemplateGroup String
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate String
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and validated against a CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate is specified together with match-by=certificate, only that specific client certificate will be matched. Applicable if the digital signature authentication method (auth-method=digital-signature) is used.
    remoteId String
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate: if the peer sends the certificate name as its ID, it is checked against the certificate, otherwise the ID is checked against the Subject Alternative Name. auto - accept all IDs; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remoteKey String
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    secret String
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username String
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
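    The auth-method, eap-methods, secret and remote-id descriptions above state a number of constraints (IKEv1-only methods, eap requiring eap-methods, eap-tls requiring a client certificate, the 0x hexadecimal rule for secret, IKEv2-only remote-id types, no wildcard key-id, remote-id=ignore being dangerous). The following is an added example, not code from the terraform-routeros provider or Pulumi: a plain-Python pre-deploy check that applies those constraints to a dict of identity properties keyed by their RouterOS names, so it runs offline without a router or the provider SDK. It assumes eap-methods lists multiple methods comma-separated and takes the peer's exchange-mode value as a second argument; both are assumptions, not something this page states.

    ```python
    """Pre-deploy sanity checks for a routeros IpIpsecIdentity property set.

    Added example; not part of the terraform-routeros provider. The rules are
    transcribed from the property descriptions on this page. Keys use the
    RouterOS names ("auth-method", "eap-methods", "remote-id", ...).
    """
    from __future__ import annotations

    IKEV1_ONLY_AUTH = {"rsa-key", "pre-shared-key-xauth", "rsa-signature-hybrid"}
    IKEV2_ONLY_REMOTE_ID = {"fqdn", "user-fqdn", "key-id"}
    SUPPORTED_EAP = {"eap-mschapv2", "eap-peap", "eap-tls", "eap-ttls"}
    PSK_AUTH = {"pre-shared-key", "pre-shared-key-xauth"}


    def parse_secret(secret: str) -> bytes:
        """Apply the documented rule: a secret beginning with '0x' is hexadecimal."""
        if secret.startswith("0x"):
            return bytes.fromhex(secret[2:])  # raises ValueError on bad hex
        return secret.encode("utf-8")


    def split_remote_id(remote_id: str) -> tuple[str, str]:
        """'fqdn:vpn.example.com' -> ('fqdn', 'vpn.example.com'); 'auto' -> ('auto', '')."""
        id_type, _, value = remote_id.partition(":")
        return id_type, value


    def check_identity(identity: dict[str, str], exchange_mode: str) -> list[str]:
        """Return findings ('error: ...' or 'warn: ...'); an empty list means clean.

        exchange_mode is the peer's exchange-mode ("ike2" for IKEv2); assumption:
        anything else is treated as IKEv1.
        """
        findings: list[str] = []
        ikev2 = exchange_mode == "ike2"
        auth = identity.get("auth-method")
        if auth is None:
            return ["error: auth-method must be set"]

        if auth in IKEV1_ONLY_AUTH and ikev2:
            findings.append(f"error: auth-method={auth} is only supported in IKEv1, peer uses ike2")

        if auth == "pre-shared-key":
            findings.append("warn: pre-shared-key allows an offline attack on the secret; "
                            "prefer digital-signature or eap")
        if auth in PSK_AUTH:
            secret = identity.get("secret", "")
            if not secret:
                findings.append(f"error: auth-method={auth} requires secret")
            else:
                try:
                    parse_secret(secret)
                except ValueError:
                    findings.append("error: secret starts with 0x but is not valid hexadecimal")

        if auth == "eap":
            # Assumption: comma-separated list, tried in the given order.
            methods = [m for m in identity.get("eap-methods", "").split(",") if m]
            if not methods:
                findings.append("error: auth-method=eap must be used together with eap-methods")
            for m in methods:
                if m not in SUPPORTED_EAP:
                    findings.append(f"error: unsupported EAP method {m}")
            if "eap-tls" in methods and not identity.get("certificate"):
                findings.append("error: eap-tls requires a client certificate in 'certificate'")

        if auth == "eap-radius" and not identity.get("certificate"):
            findings.append("warn: eap-radius without a server certificate admits only "
                            "EAP-only (RFC 5998) clients")

        if auth == "rsa-key":
            for field in ("key", "remote-key"):
                if not identity.get(field):
                    findings.append(f"error: auth-method=rsa-key requires {field}")

        if auth == "digital-signature" and not identity.get("certificate"):
            findings.append("error: digital-signature requires a certificate with a private key")

        id_type, value = split_remote_id(identity.get("remote-id", "auto"))
        if id_type == "ignore":
            findings.append("warn: remote-id=ignore skips ID verification against the "
                            "certificate (dangerous)")
        elif id_type in IKEV2_ONLY_REMOTE_ID and not ikev2:
            findings.append(f"error: remote-id type {id_type} is only supported in IKEv2")
        if id_type == "key-id" and "*" in value:
            findings.append("error: wildcard key-id matching is not supported")

        if identity.get("notrack-chain") and identity.get("generate-policy", "no") == "no":
            findings.append("warn: notrack-chain has no effect unless generate-policy is enabled")

        return findings


    if __name__ == "__main__":
        # Constructed input mirroring the Example Usage identity on this page.
        example = {"auth-method": "eap", "eap-methods": "eap-mschapv2", "certificate": "",
                   "generate-policy": "port-strict", "username": "support@mikrotik.com",
                   "password": "secret"}
        for line in check_identity(example, "ike2") or ["ok"]:
            print(line)
    ```

    Run it over the property map before `pulumi up`; treating any `error:` finding as a failed preview catches the IKEv1/IKEv2 mismatches and the wildcard key-id case before RouterOS rejects them, and the `warn:` findings surface the pre-shared-key and remote-id=ignore choices that the descriptions flag as weak.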

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IpIpsecIdentity resource produces the following output properties:

    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Id string
    The provider-assigned unique ID for this managed resource.
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Id string
    The provider-assigned unique ID for this managed resource.
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id String
    The provider-assigned unique ID for this managed resource.
    dynamic boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id string
    The provider-assigned unique ID for this managed resource.
    dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id str
    The provider-assigned unique ID for this managed resource.
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing IpIpsecIdentity Resource

    Get an existing IpIpsecIdentity resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IpIpsecIdentityState, opts?: CustomResourceOptions): IpIpsecIdentity
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            ___id_: Optional[float] = None,
            ___path_: Optional[str] = None,
            auth_method: Optional[str] = None,
            certificate: Optional[str] = None,
            comment: Optional[str] = None,
            disabled: Optional[bool] = None,
            dynamic: Optional[bool] = None,
            eap_methods: Optional[str] = None,
            generate_policy: Optional[str] = None,
            ip_ipsec_identity_id: Optional[str] = None,
            key: Optional[str] = None,
            match_by: Optional[str] = None,
            mode_config: Optional[str] = None,
            my_id: Optional[str] = None,
            notrack_chain: Optional[str] = None,
            password: Optional[str] = None,
            peer: Optional[str] = None,
            policy_template_group: Optional[str] = None,
            remote_certificate: Optional[str] = None,
            remote_id: Optional[str] = None,
            remote_key: Optional[str] = None,
            secret: Optional[str] = None,
            username: Optional[str] = None) -> IpIpsecIdentity
    func GetIpIpsecIdentity(ctx *Context, name string, id IDInput, state *IpIpsecIdentityState, opts ...ResourceOption) (*IpIpsecIdentity, error)
    public static IpIpsecIdentity Get(string name, Input<string> id, IpIpsecIdentityState? state, CustomResourceOptions? opts = null)
    public static IpIpsecIdentity get(String name, Output<String> id, IpIpsecIdentityState state, CustomResourceOptions options)
    resources:
      _:
        type: routeros:IpIpsecIdentity
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AuthMethod string
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    Certificate string
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    Comment string
    Disabled bool
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    EapMethods string
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be tried in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate specified under the certificate parameter; * eap-ttls.
    GeneratePolicy string
    Allow this peer to establish an SA for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    IpIpsecIdentityId string
    Key string
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    MatchBy string
    Defines the logic used for peer identity validation. remote-id - verify the peer's ID according to the remote-id setting; certificate - verify the peer's certificate against the one specified under the remote-certificate setting.
    ModeConfig string
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    MyId string
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate-based connections; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    NotrackChain string
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    Password string
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    Peer string
    Name of the peer on which the identity applies.
    PolicyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    RemoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and validated against a CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate is specified together with match-by=certificate, only that specific client certificate will be matched. Applicable if the digital signature authentication method (auth-method=digital-signature) is used.
    RemoteId string
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate: if the peer sends the certificate name as its ID, it is checked against the certificate, otherwise the ID is checked against the Subject Alternative Name. auto - accept all IDs; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    RemoteKey string
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    Secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    Username string
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    AuthMethod string
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    Certificate string
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    Comment string
    Disabled bool
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    EapMethods string
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be tried in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate specified under the certificate parameter; * eap-ttls.
    GeneratePolicy string
    Allow this peer to establish an SA for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    IpIpsecIdentityId string
    Key string
    Name of the private key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    MatchBy string
    Defines the logic used for peer identity validation. remote-id - verify the peer's ID according to the remote-id setting; certificate - verify the peer's certificate against the one specified under the remote-certificate setting.
    ModeConfig string
    Name of the configuration parameters from mode-config menu. When parameter is set mode-config is enabled.
    MyId string
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate-based connections; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - specifies a fully-qualified username string, for example, user@domain.com.
    NotrackChain string
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    Password string
    XAuth or EAP password. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    Peer string
    Name of the peer on which the identity applies.
    PolicyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    RemoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and validated against a CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate is specified together with match-by=certificate, only that specific client certificate will be matched. Applicable if the digital signature authentication method (auth-method=digital-signature) is used.
    RemoteId string
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate: if the peer sends the certificate name as its ID, it is checked against the certificate, otherwise the ID is checked against the Subject Alternative Name. auto - accept all IDs; address - IP address is used as ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully-qualified username string, for example, user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    RemoteKey string
    Name of the public key from keys menu. Applicable if RSA key authentication method (auth-method=rsa-key) is used.
    Secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    Username string
    XAuth or EAP username. Applicable if pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ float64
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___id_ Double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod String
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate in this case is required. If a server certificate is not specified then only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers + XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate String
    Name of a certificate listed in System/Certificates (signing packets; the certificate must have the private key). Applicable if digital signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment String
    disabled Boolean
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    eapMethods String
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be tried in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate specified under the certificate parameter; * eap-ttls.
    generatePolicy String
    Allow this peer to establish an SA for non-existing policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ipIpsecIdentityId String
    key String
    Name of the private key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    matchBy String
    Defines the logic used for validating the peer's identity. remote-id - verifies the peer's ID according to the remote-id setting; certificate - verifies the peer's certificate against what is specified under the remote-certificate setting.
    modeConfig String
    Name of the configuration parameters from the mode-config menu. When this parameter is set, mode-config is enabled.
    myId String
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: the IP address for pre-shared key, the SAN (or the DN if no SAN is present) for certificate-based connections; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - a fully qualified username string, for example user@domain.com.
    notrackChain String
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password String
    XAuth or EAP password. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer String
    Name of the peer on which the identity applies.
    policyTemplateGroup String
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate String
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (used for validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and checked against the CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate and match-by=certificate are both specified, only that specific client certificate will be matched. Applicable if the digital-signature authentication method (auth-method=digital-signature) is used.
    remoteId String
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate. When the peer sends the certificate name as its ID, it is checked against the certificate; otherwise the ID is checked against the Subject Alt Name. auto - accept all IDs; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully qualified username string, for example user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remoteKey String
    Name of the public key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    secret String
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username String
    XAuth or EAP username. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod string
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for the initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate is required in this case. If a server certificate is not specified, only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended, since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in the keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers plus an XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate string
    Name of a certificate listed in System/Certificates (used for signing packets; the certificate must have its private key). Applicable if the digital-signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment string
    disabled boolean
    dynamic boolean
    Configuration item created by software, not by the management interface. It is not exported and cannot be directly modified.
    eapMethods string
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be used in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate, specified under the certificate parameter; * eap-ttls.
    generatePolicy string
    Allow this peer to establish an SA for non-existent policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ipIpsecIdentityId string
    key string
    Name of the private key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    matchBy string
    Defines the logic used for validating the peer's identity. remote-id - verifies the peer's ID according to the remote-id setting; certificate - verifies the peer's certificate against what is specified under the remote-certificate setting.
    modeConfig string
    Name of the configuration parameters from the mode-config menu. When this parameter is set, mode-config is enabled.
    myId string
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: the IP address for pre-shared key, the SAN (or the DN if no SAN is present) for certificate-based connections; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - a fully qualified username string, for example user@domain.com.
    notrackChain string
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password string
    XAuth or EAP password. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer string
    Name of the peer on which the identity applies.
    policyTemplateGroup string
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate string
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (used for validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and checked against the CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate and match-by=certificate are both specified, only that specific client certificate will be matched. Applicable if the digital-signature authentication method (auth-method=digital-signature) is used.
    remoteId string
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate. When the peer sends the certificate name as its ID, it is checked against the certificate; otherwise the ID is checked against the Subject Alt Name. auto - accept all IDs; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully qualified username string, for example user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remoteKey string
    Name of the public key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    secret string
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username string
    XAuth or EAP username. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ float
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ str
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    auth_method str
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for the initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate is required in this case. If a server certificate is not specified, only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended, since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in the keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers plus an XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate str
    Name of a certificate listed in System/Certificates (used for signing packets; the certificate must have its private key). Applicable if the digital-signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment str
    disabled bool
    dynamic bool
    Configuration item created by software, not by the management interface. It is not exported and cannot be directly modified.
    eap_methods str
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be used in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate, specified under the certificate parameter; * eap-ttls.
    generate_policy str
    Allow this peer to establish an SA for non-existent policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ip_ipsec_identity_id str
    key str
    Name of the private key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    match_by str
    Defines the logic used for validating the peer's identity. remote-id - verifies the peer's ID according to the remote-id setting; certificate - verifies the peer's certificate against what is specified under the remote-certificate setting.
    mode_config str
    Name of the configuration parameters from the mode-config menu. When this parameter is set, mode-config is enabled.
    my_id str
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: the IP address for pre-shared key, the SAN (or the DN if no SAN is present) for certificate-based connections; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - a fully qualified username string, for example user@domain.com.
    notrack_chain str
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password str
    XAuth or EAP password. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer str
    Name of the peer on which the identity applies.
    policy_template_group str
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remote_certificate str
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (used for validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and checked against the CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate and match-by=certificate are both specified, only that specific client certificate will be matched. Applicable if the digital-signature authentication method (auth-method=digital-signature) is used.
    remote_id str
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate. When the peer sends the certificate name as its ID, it is checked against the certificate; otherwise the ID is checked against the Subject Alt Name. auto - accept all IDs; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully qualified username string, for example user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remote_key str
    Name of the public key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    secret str
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username str
    XAuth or EAP username. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    ___id_ Number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    authMethod String
    Authentication method: * digital-signature - authenticate using a pair of RSA certificates; * eap - IKEv2 EAP authentication for the initiator (peer with a netmask of /32). Must be used together with eap-methods; * eap-radius - IKEv2 EAP RADIUS passthrough authentication for the responder (RFC 3579). A server certificate is required in this case. If a server certificate is not specified, only clients supporting EAP-only (RFC 5998) will be able to connect. Note that the EAP method should be compatible with EAP-only; * pre-shared-key - authenticate by a password (pre-shared secret) string shared between the peers (not recommended, since an offline attack on the pre-shared key is possible); * rsa-key - authenticate using an RSA key imported in the keys menu. Only supported in IKEv1; * pre-shared-key-xauth - authenticate by a password (pre-shared secret) string shared between the peers plus an XAuth username and password. Only supported in IKEv1; * rsa-signature-hybrid - responder certificate authentication with initiator XAuth. Only supported in IKEv1.
    certificate String
    Name of a certificate listed in System/Certificates (used for signing packets; the certificate must have its private key). Applicable if the digital-signature authentication method (auth-method=digital-signature) or EAP (auth-method=eap) is used.
    comment String
    disabled Boolean
    dynamic Boolean
    Configuration item created by software, not by the management interface. It is not exported and cannot be directly modified.
    eapMethods String
    All EAP methods require the whole certificate chain, including intermediate and root CA certificates, to be present in the System/Certificates menu. The username and password (if required by the authentication server) must also be specified. Multiple EAP methods may be specified and will be used in the specified order. Currently supported EAP methods: * eap-mschapv2; * eap-peap - also known as PEAPv0/EAP-MSCHAPv2; * eap-tls - requires an additional client certificate, specified under the certificate parameter; * eap-ttls.
    generatePolicy String
    Allow this peer to establish an SA for non-existent policies. Such policies are created dynamically for the lifetime of the SA. Automatic policies allow, for example, creating IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. no - do not generate policies; port-override - generate policies and force the policy to use any port (old behavior); port-strict - use ports from the peer's proposal, which should match the peer's policy.
    ipIpsecIdentityId String
    key String
    Name of the private key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    matchBy String
    Defines the logic used for validating the peer's identity. remote-id - verifies the peer's ID according to the remote-id setting; certificate - verifies the peer's certificate against what is specified under the remote-certificate setting.
    modeConfig String
    Name of the configuration parameters from the mode-config menu. When this parameter is set, mode-config is enabled.
    myId String
    On the initiator, this controls what ID_i is sent to the responder. On the responder, this controls what ID_r is sent to the initiator. In IKEv2, the responder also expects this ID in the ID_r received from the initiator. auto - tries to use the correct ID automatically: the IP address for pre-shared key, the SAN (or the DN if no SAN is present) for certificate-based connections; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name; key-id - use the specified key ID for the identity; user-fqdn - a fully qualified username string, for example user@domain.com.
    notrackChain String
    Adds IP/Firewall/Raw rules matching IPsec policy to a specified chain. Use together with generate-policy.
    password String
    XAuth or EAP password. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
    peer String
    Name of the peer on which the identity applies.
    policyTemplateGroup String
    If generate-policy is enabled, traffic selectors are checked against templates from the same group. If none of the templates match, Phase 2 SA will not be established.
    remoteCertificate String
    Name of a certificate (listed in System/Certificates) for authenticating the remote side (used for validating packets; no private key required). If remote-certificate is not specified, the certificate received from the remote peer is used and checked against the CA in the certificate menu; the proper CA must be imported into the certificate store. If remote-certificate and match-by=certificate are both specified, only that specific client certificate will be matched. Applicable if the digital-signature authentication method (auth-method=digital-signature) is used.
    remoteId String
    This parameter controls what ID value to expect from the remote peer. Note that all types except ignore verify the remote peer's ID against the received certificate. When the peer sends the certificate name as its ID, it is checked against the certificate; otherwise the ID is checked against the Subject Alt Name. auto - accept all IDs; address - the IP address is used as the ID; dn - the binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name; fqdn - fully qualified domain name. Only supported in IKEv2; user-fqdn - a fully qualified username string, for example user@domain.com. Only supported in IKEv2; key-id - specific key ID for the identity. Only supported in IKEv2; ignore - do not verify the received ID against the certificate (dangerous). Wildcard key ID matching is not supported, for example remote-id=key-id:CN=*.domain.com.
    remoteKey String
    Name of the public key from the keys menu. Applicable if the RSA key authentication method (auth-method=rsa-key) is used.
    secret String
    Secret string. If it starts with '0x', it is parsed as a hexadecimal value. Applicable if a pre-shared key authentication method (auth-method=pre-shared-key or auth-method=pre-shared-key-xauth) is used.
    username String
    XAuth or EAP username. Applicable if the pre-shared key with XAuth authentication method (auth-method=pre-shared-key-xauth) or EAP (auth-method=eap) is used.
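    The applicability and security notes above (IKEv1-only methods, eap needing eap-methods, match-by=certificate needing remote-certificate, remote-id=ignore being dangerous, the pre-shared-key caveat, no wildcard key IDs) can be checked before `pulumi up`. The following is an added example, not code from the Pulumi routeros package or the terraform-routeros provider; it lints a plain dict of the resource's Python-SDK arguments. The exchange_mode argument (the peer's exchange-mode is on IpIpsecPeer, not on this resource) and the certificate names in the constructed sample dicts are assumptions.

```python
"""Pre-apply lint for routeros IpIpsecIdentity arguments (added example, not code
from the Pulumi routeros package or the terraform-routeros provider). It encodes
the applicability and security notes of the property reference as checks over a
dict of the resource's Python-SDK (snake_case) arguments. The peer's exchange-mode
is passed separately since it lives on IpIpsecPeer; assumption: "ike2" is IKEv2."""

IKEV1_ONLY_AUTH = {"rsa-key", "pre-shared-key-xauth", "rsa-signature-hybrid"}
IKEV2_ONLY_REMOTE_ID = {"fqdn", "user-fqdn", "key-id"}


def lint_identity(args: dict, exchange_mode: str = "ike2") -> list:
    """Return (severity, message) findings; an empty list means nothing was found."""
    findings = []
    ikev2 = exchange_mode == "ike2"
    auth = args.get("auth_method", "pre-shared-key")  # RouterOS default (assumption)

    def has(key):
        return bool(args.get(key))

    # auth-method applicability: IKE version and required companion fields
    if auth in IKEV1_ONLY_AUTH and ikev2:
        findings.append(("error", f"auth-method={auth} is only supported in IKEv1"))
    if auth in ("eap", "eap-radius") and not ikev2:
        findings.append(("error", f"auth-method={auth} is IKEv2 EAP authentication"))
    if auth == "eap" and not has("eap_methods"):
        findings.append(("error", "auth-method=eap must be used together with eap-methods"))
    if auth == "eap-radius" and not has("certificate"):
        findings.append(("warn", "eap-radius without a server certificate: only EAP-only (RFC 5998) clients can connect"))
    if auth in ("pre-shared-key", "pre-shared-key-xauth"):
        findings.append(("warn", "pre-shared-key auth is not recommended: an offline attack on the PSK is possible"))
        if not has("secret"):
            findings.append(("error", f"auth-method={auth} requires `secret`"))
    if auth == "pre-shared-key-xauth" and not (has("username") and has("password")):
        findings.append(("error", "pre-shared-key-xauth requires XAuth username and password"))
    if auth == "rsa-key" and not (has("key") and has("remote_key")):
        findings.append(("error", "rsa-key requires `key` and `remote_key` from the keys menu"))
    if auth == "digital-signature":
        if not has("certificate"):
            findings.append(("error", "digital-signature requires a certificate with its private key"))
        if args.get("match_by") == "certificate" and not has("remote_certificate"):
            findings.append(("error", "match-by=certificate needs remote-certificate to compare against"))

    # remote-id: type prefix before ':' (e.g. key-id:CN=...), or the bare 'auto' / 'ignore'
    remote_id = args.get("remote_id", "auto")
    rid_type = remote_id.split(":", 1)[0]
    if rid_type == "ignore":
        findings.append(("warn", "remote-id=ignore skips ID-vs-certificate verification (dangerous)"))
    if rid_type in IKEV2_ONLY_REMOTE_ID and not ikev2:
        findings.append(("error", f"remote-id type {rid_type} is only supported in IKEv2"))
    if "*" in remote_id:
        findings.append(("error", "wildcard key ID matching is not supported in remote-id"))

    # dynamic policy generation
    if args.get("generate_policy") == "port-override":
        findings.append(("warn", "generate-policy=port-override forces any port (old behavior); prefer port-strict"))
    if has("policy_template_group") and args.get("generate_policy", "no") == "no":
        findings.append(("warn", "policy-template-group only applies when generate-policy is enabled"))
    return findings


# Constructed sample argument sets (not from the page): a weak identity and a hardened one.
WEAK = {
    "auth_method": "pre-shared-key-xauth",
    "secret": "changeme",
    "remote_id": "ignore",
    "generate_policy": "port-override",
}
HARDENED = {
    "auth_method": "digital-signature",
    "certificate": "vpn-server",            # hypothetical name in System/Certificates
    "match_by": "certificate",
    "remote_certificate": "vpn-client-1",   # hypothetical name in System/Certificates
    "remote_id": "fqdn:client1.example.com",
    "generate_policy": "port-strict",
    "policy_template_group": "default",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_identity(cfg, exchange_mode="ike2"))
```

    Running it reports five findings for the weak set (the IKEv1-only method on an ike2 peer, the PSK caveat, the missing XAuth credentials, remote-id=ignore and port-override) and none for the hardened set.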

    Import

    #The ID can be found via API or the terminal

    #The command for the terminal is -> :put [/ip/ipsec/identity get [print show-ids]]

    $ pulumi import routeros:index/ipIpsecIdentity:IpIpsecIdentity test *3
    

    #Or you can import a resource using one of its attributes

    $ pulumi import routeros:index/ipIpsecIdentity:IpIpsecIdentity test "peer=NordVPN"
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    routeros terraform-routeros/terraform-provider-routeros
    License
    Notes
    This Pulumi package is based on the routeros Terraform Provider.