routeros 1.83.1 published on Monday, Apr 28, 2025 by terraform-routeros

routeros.IpIpsecPolicy


    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as routeros from "@pulumi/routeros";
    
    // Policy group that the template policy below is assigned to (created with no arguments).
    const policyGroup = new routeros.IpIpsecPolicyGroup("group-for-policy", {});

    // Template policy. A source and destination of 0.0.0.0/0 accept any subnet the
    // peer requests in both directions, so narrow both selectors when the remote
    // side should only reach specific networks. The proposal "NordVPN" is referenced
    // by name and is not created by this snippet. `action` and `level` are not set
    // here; confirm the values in effect drop traffic when no SA exists (per the
    // property reference, level "use" does not drop the packet).
    const templateSettings = {
        template: true,
        group: policyGroup.name,
        proposal: "NordVPN",
        srcAddress: "0.0.0.0/0",
        dstAddress: "0.0.0.0/0",
    };
    const policy = new routeros.IpIpsecPolicy("policy", templateSettings);
    
    import pulumi
    import pulumi_routeros as routeros
    
    # Policy group that the template policy below is assigned to.
    policy_group = routeros.IpIpsecPolicyGroup("group-for-policy")

    # Template policy. 0.0.0.0/0 as both source and destination accepts any subnet
    # the peer requests, so narrow both selectors when the remote side should only
    # reach specific networks. The proposal "NordVPN" is referenced by name and is
    # not created by this snippet. `action` and `level` are not set here; confirm
    # the values in effect drop traffic when no SA exists (per the property
    # reference, level "use" does not drop the packet).
    template_settings = dict(
        template=True,
        group=policy_group.name,
        proposal="NordVPN",
        src_address="0.0.0.0/0",
        dst_address="0.0.0.0/0",
    )
    policy = routeros.IpIpsecPolicy("policy", **template_settings)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-terraform-provider/sdks/go/routeros/routeros"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a policy group and one IPsec template policy assigned to it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Policy group that the template policy below is assigned to.
    		policyGroup, err := routeros.NewIpIpsecPolicyGroup(ctx, "group-for-policy", nil)
    		if err != nil {
    			return err
    		}

    		// Template policy. 0.0.0.0/0 as both source and destination accepts any
    		// subnet the peer requests, so narrow both selectors when the remote side
    		// should only reach specific networks. The proposal "NordVPN" is referenced
    		// by name and is not created here. Action and Level are not set; confirm
    		// the values in effect drop traffic when no SA exists (per the property
    		// reference, level "use" does not drop the packet).
    		templateArgs := &routeros.IpIpsecPolicyArgs{
    			Template:   pulumi.Bool(true),
    			Group:      policyGroup.Name,
    			Proposal:   pulumi.String("NordVPN"),
    			SrcAddress: pulumi.String("0.0.0.0/0"),
    			DstAddress: pulumi.String("0.0.0.0/0"),
    		}
    		_, err = routeros.NewIpIpsecPolicy(ctx, "policy", templateArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Routeros = Pulumi.Routeros;
    
    return await Deployment.RunAsync(() =>
    {
        // Policy group that the template policy below is assigned to.
        var policyGroup = new Routeros.IpIpsecPolicyGroup("group-for-policy");

        // Template policy. 0.0.0.0/0 as both source and destination accepts any
        // subnet the peer requests, so narrow both selectors when the remote side
        // should only reach specific networks. The proposal "NordVPN" is referenced
        // by name and is not created here. Action and Level are not set; confirm
        // the values in effect drop traffic when no SA exists (per the property
        // reference, level "use" does not drop the packet).
        var templateArgs = new Routeros.IpIpsecPolicyArgs
        {
            Template = true,
            Group = policyGroup.Name,
            Proposal = "NordVPN",
            SrcAddress = "0.0.0.0/0",
            DstAddress = "0.0.0.0/0",
        };
        var policy = new Routeros.IpIpsecPolicy("policy", templateArgs);

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.routeros.IpIpsecPolicyGroup;
    import com.pulumi.routeros.IpIpsecPolicy;
    import com.pulumi.routeros.IpIpsecPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /** Pulumi program that declares a policy group and one IPsec template policy. */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the policy group and the template policy assigned to it. */
        public static void stack(Context ctx) {
            final var policyGroup = new IpIpsecPolicyGroup("group-for-policy");

            // Template policy. 0.0.0.0/0 as both source and destination accepts any
            // subnet the peer requests, so narrow both selectors when the remote side
            // should only reach specific networks. The proposal "NordVPN" is referenced
            // by name and is not created here. action and level are not set; confirm
            // the values in effect drop traffic when no SA exists (per the property
            // reference, level "use" does not drop the packet).
            final var templateArgs = IpIpsecPolicyArgs.builder()
                .template(true)
                .group(policyGroup.name())
                .proposal("NordVPN")
                .srcAddress("0.0.0.0/0")
                .dstAddress("0.0.0.0/0")
                .build();

            final var policy = new IpIpsecPolicy("policy", templateArgs);
        }
    }
    
    resources:
      # Policy group that the template policy below is assigned to.
      group-for-policy:
        type: routeros:IpIpsecPolicyGroup
      # Template policy. action and level are not set here; confirm the values in
      # effect drop traffic when no SA exists (per the property reference,
      # level "use" does not drop the packet).
      policy:
        type: routeros:IpIpsecPolicy
        properties:
          # 0.0.0.0/0 as source and destination accepts any subnet the peer
          # requests; narrow both when the remote side should only reach
          # specific networks.
          dstAddress: 0.0.0.0/0
          group: ${["group-for-policy"].name}
          # Referenced by name; this snippet does not create the proposal.
          proposal: NordVPN
          srcAddress: 0.0.0.0/0
          template: true
    

    Create IpIpsecPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new IpIpsecPolicy(name: string, args?: IpIpsecPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def IpIpsecPolicy(resource_name: str,
                      args: Optional[IpIpsecPolicyArgs] = None,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def IpIpsecPolicy(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      ___id_: Optional[float] = None,
                      ___path_: Optional[str] = None,
                      ___skip_: Optional[str] = None,
                      action: Optional[str] = None,
                      comment: Optional[str] = None,
                      disabled: Optional[bool] = None,
                      dst_address: Optional[str] = None,
                      dst_port: Optional[str] = None,
                      group: Optional[str] = None,
                      ip_ipsec_policy_id: Optional[str] = None,
                      ipsec_protocols: Optional[str] = None,
                      level: Optional[str] = None,
                      peer: Optional[str] = None,
                      proposal: Optional[str] = None,
                      protocol: Optional[str] = None,
                      src_address: Optional[str] = None,
                      src_port: Optional[str] = None,
                      template: Optional[bool] = None,
                      tunnel: Optional[bool] = None)
    func NewIpIpsecPolicy(ctx *Context, name string, args *IpIpsecPolicyArgs, opts ...ResourceOption) (*IpIpsecPolicy, error)
    public IpIpsecPolicy(string name, IpIpsecPolicyArgs? args = null, CustomResourceOptions? opts = null)
    public IpIpsecPolicy(String name, IpIpsecPolicyArgs args)
    public IpIpsecPolicy(String name, IpIpsecPolicyArgs args, CustomResourceOptions options)
    
    type: routeros:IpIpsecPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args IpIpsecPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IpIpsecPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IpIpsecPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IpIpsecPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IpIpsecPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    IpIpsecPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The IpIpsecPolicy resource accepts the following input properties:

    Action string
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    Comment string
    Disabled bool
    DstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    DstPort string
    Destination port to be matched in packets. If set to any all ports will be matched.
    Group string
    Name of the policy group to which this template is assigned.
    IpIpsecPolicyId string
    IpsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    Level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon (matched traffic then continues without this transform applied); * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    Peer string
    Name of the peer on which the policy applies.
    Proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    Protocol string
    IP packet protocol to match.
    SrcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    SrcPort string
    Source port to be matched in packets. If set to any all ports will be matched.
    Template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    Tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    Action string
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    Comment string
    Disabled bool
    DstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    DstPort string
    Destination port to be matched in packets. If set to any all ports will be matched.
    Group string
    Name of the policy group to which this template is assigned.
    IpIpsecPolicyId string
    IpsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    Level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    Peer string
    Name of the peer on which the policy applies.
    Proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    Protocol string
    IP packet protocol to match.
    SrcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    SrcPort string
    Source port to be matched in packets. If set to any all ports will be matched.
    Template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    Tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ float64
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    ___id_ Double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ String
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action String
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    comment String
    disabled Boolean
    dstAddress String
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort String
    Destination port to be matched in packets. If set to any all ports will be matched.
    group String
    Name of the policy group to which this template is assigned.
    ipIpsecPolicyId String
    ipsecProtocols String
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level String
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer String
    Name of the peer on which the policy applies.
    proposal String
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol String
    IP packet protocol to match.
    srcAddress String
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort String
    Source port to be matched in packets. If set to any all ports will be matched.
    template Boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel Boolean
    Specifies whether to use tunnel mode.
    ___id_ number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action string
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    comment string
    disabled boolean
    dstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort string
    Destination port to be matched in packets. If set to any all ports will be matched.
    group string
    Name of the policy group to which this template is assigned.
    ipIpsecPolicyId string
    ipsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer string
    Name of the peer on which the policy applies.
    proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol string
    IP packet protocol to match.
    srcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort string
    Source port to be matched in packets. If set to any all ports will be matched.
    template boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel boolean
    Specifies whether to use tunnel mode.
    ___id_ float
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ str
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ str
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action str
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    comment str
    disabled bool
    dst_address str
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dst_port str
    Destination port to be matched in packets. If set to any all ports will be matched.
    group str
    Name of the policy group to which this template is assigned.
    ip_ipsec_policy_id str
    ipsec_protocols str
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level str
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer str
    Name of the peer on which the policy applies.
    proposal str
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol str
    IP packet protocol to match.
    src_address str
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    src_port str
    Source port to be matched in packets. If set to any all ports will be matched.
    template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ Number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ String
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action String
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    comment String
    disabled Boolean
    dstAddress String
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort String
    Destination port to be matched in packets. If set to any all ports will be matched.
    group String
    Name of the policy group to which this template is assigned.
    ipIpsecPolicyId String
    ipsecProtocols String
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level String
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer String
    Name of the peer on which the policy applies.
    proposal String
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol String
    IP packet protocol to match.
    srcAddress String
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort String
    Source port to be matched in packets. If set to any all ports will be matched.
    template Boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel Boolean
    Specifies whether to use tunnel mode.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IpIpsecPolicy resource produces the following output properties:

    Active bool
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Id string
    The provider-assigned unique ID for this managed resource.
    Invalid bool
    Active bool
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Id string
    The provider-assigned unique ID for this managed resource.
    Invalid bool
    active Boolean
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id String
    The provider-assigned unique ID for this managed resource.
    invalid Boolean
    active boolean
    dynamic boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id string
    The provider-assigned unique ID for this managed resource.
    invalid boolean
    active bool
    dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id str
    The provider-assigned unique ID for this managed resource.
    invalid bool
    active Boolean
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    id String
    The provider-assigned unique ID for this managed resource.
    invalid Boolean

    Look up Existing IpIpsecPolicy Resource

    Get an existing IpIpsecPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IpIpsecPolicyState, opts?: CustomResourceOptions): IpIpsecPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            ___id_: Optional[float] = None,
            ___path_: Optional[str] = None,
            ___skip_: Optional[str] = None,
            action: Optional[str] = None,
            active: Optional[bool] = None,
            comment: Optional[str] = None,
            disabled: Optional[bool] = None,
            dst_address: Optional[str] = None,
            dst_port: Optional[str] = None,
            dynamic: Optional[bool] = None,
            group: Optional[str] = None,
            invalid: Optional[bool] = None,
            ip_ipsec_policy_id: Optional[str] = None,
            ipsec_protocols: Optional[str] = None,
            level: Optional[str] = None,
            peer: Optional[str] = None,
            proposal: Optional[str] = None,
            protocol: Optional[str] = None,
            src_address: Optional[str] = None,
            src_port: Optional[str] = None,
            template: Optional[bool] = None,
            tunnel: Optional[bool] = None) -> IpIpsecPolicy
    func GetIpIpsecPolicy(ctx *Context, name string, id IDInput, state *IpIpsecPolicyState, opts ...ResourceOption) (*IpIpsecPolicy, error)
    public static IpIpsecPolicy Get(string name, Input<string> id, IpIpsecPolicyState? state, CustomResourceOptions? opts = null)
    public static IpIpsecPolicy get(String name, Output<String> id, IpIpsecPolicyState state, CustomResourceOptions options)
    # Look up an existing IpIpsecPolicy by its provider ID instead of creating one.
    resources:
      _:
        type: routeros:IpIpsecPolicy
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    Active bool
    Comment string
    Disabled bool
    DstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    DstPort string
    Destination port to be matched in packets. If set to any all ports will be matched.
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Group string
    Name of the policy group to which this template is assigned.
    Invalid bool
    IpIpsecPolicyId string
    IpsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    Level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    Peer string
    Name of the peer on which the policy applies.
    Proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    Protocol string
    IP packet protocol to match.
    SrcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    SrcPort string
    Source port to be matched in packets. If set to any all ports will be matched.
    Template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by a template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example 0.0.0.0/0 to allow all); * protocol - protocol to match, if set to all, then any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    Tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    Action string
    Specifies what to do with the packet matched by the policy. none - pass the packet unchanged. discard - drop the packet. encrypt - apply transformations specified in this policy and its SA.
    Active bool
    Comment string
    Disabled bool
    DstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    DstPort string
    Destination port to be matched in packets. If set to any all ports will be matched.
    Dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    Group string
    Name of the policy group to which this template is assigned.
    Invalid bool
    IpIpsecPolicyId string
    IpsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    Level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    Peer string
    Name of the peer on which the policy applies.
    Proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    Protocol string
    IP packet protocol to match.
    SrcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    SrcPort string
    Source port to be matched in packets. If set to any, all ports will be matched.
    Template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by the template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example, 0.0.0.0/0 to allow all); * protocol - protocol to match; if set to all, any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    Tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ float64
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    ___id_ Double
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ String
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action String
    Specifies what to do with the packet matched by the policy: none - pass the packet unchanged; discard - drop the packet; encrypt - apply the transformations specified in this policy and its SA.
    active Boolean
    comment String
    disabled Boolean
    dstAddress String
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort String
    Destination port to be matched in packets. If set to any, all ports will be matched.
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    group String
    Name of the policy group to which this template is assigned.
    invalid Boolean
    ipIpsecPolicyId String
    ipsecProtocols String
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level String
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer String
    Name of the peer on which the policy applies.
    proposal String
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol String
    IP packet protocol to match.
    srcAddress String
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort String
    Source port to be matched in packets. If set to any, all ports will be matched.
    template Boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by the template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example, 0.0.0.0/0 to allow all); * protocol - protocol to match; if set to all, any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel Boolean
    Specifies whether to use tunnel mode.
    ___id_ number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ string
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ string
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action string
    Specifies what to do with the packet matched by the policy: none - pass the packet unchanged; discard - drop the packet; encrypt - apply the transformations specified in this policy and its SA.
    active boolean
    comment string
    disabled boolean
    dstAddress string
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort string
    Destination port to be matched in packets. If set to any, all ports will be matched.
    dynamic boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    group string
    Name of the policy group to which this template is assigned.
    invalid boolean
    ipIpsecPolicyId string
    ipsecProtocols string
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level string
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer string
    Name of the peer on which the policy applies.
    proposal string
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol string
    IP packet protocol to match.
    srcAddress string
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort string
    Source port to be matched in packets. If set to any, all ports will be matched.
    template boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by the template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example, 0.0.0.0/0 to allow all); * protocol - protocol to match; if set to all, any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel boolean
    Specifies whether to use tunnel mode.
    ___id_ float
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ str
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ str
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action str
    Specifies what to do with the packet matched by the policy: none - pass the packet unchanged; discard - drop the packet; encrypt - apply the transformations specified in this policy and its SA.
    active bool
    comment str
    disabled bool
    dst_address str
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dst_port str
    Destination port to be matched in packets. If set to any, all ports will be matched.
    dynamic bool
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    group str
    Name of the policy group to which this template is assigned.
    invalid bool
    ip_ipsec_policy_id str
    ipsec_protocols str
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level str
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer str
    Name of the peer on which the policy applies.
    proposal str
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol str
    IP packet protocol to match.
    src_address str
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    src_port str
    Source port to be matched in packets. If set to any, all ports will be matched.
    template bool
    Creates a template and assigns it to a specified policy group. The following parameters are used by the template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example, 0.0.0.0/0 to allow all); * protocol - protocol to match; if set to all, any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel bool
    Specifies whether to use tunnel mode.
    ___id_ Number
    Resource ID type (.id / name). This is an internal service field, setting a value is not required.
    ___path_ String
    Resource path for CRUD operations. This is an internal service field, setting a value is not required.
    ___skip_ String
    A set of transformations for field names. This is an internal service field, setting a value is not required.
    action String
    Specifies what to do with the packet matched by the policy: none - pass the packet unchanged; discard - drop the packet; encrypt - apply the transformations specified in this policy and its SA.
    active Boolean
    comment String
    disabled Boolean
    dstAddress String
    Destination address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    dstPort String
    Destination port to be matched in packets. If set to any, all ports will be matched.
    dynamic Boolean
    Configuration item created by software, not by management interface. It is not exported, and cannot be directly modified.
    group String
    Name of the policy group to which this template is assigned.
    invalid Boolean
    ipIpsecPolicyId String
    ipsecProtocols String
    Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic.
    level String
    Specifies what to do if some of the SAs for this policy cannot be found: * use - skip this transform, do not drop the packet, and do not acquire SA from IKE daemon; * require - drop the packet and acquire SA; * unique - drop the packet and acquire a unique SA that is only used with this particular policy. It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).
    peer String
    Name of the peer on which the policy applies.
    proposal String
    Name of the proposal template that will be sent by IKE daemon to establish SAs for this policy.
    protocol String
    IP packet protocol to match.
    srcAddress String
    Source address to be matched in packets. Applicable when tunnel mode (tunnel=yes) or template (template=yes) is used.
    srcPort String
    Source port to be matched in packets. If set to any, all ports will be matched.
    template Boolean
    Creates a template and assigns it to a specified policy group. The following parameters are used by the template: * group - name of the policy group to which this template is assigned; * src-address, dst-address - the requested subnet must match in both directions (for example, 0.0.0.0/0 to allow all); * protocol - protocol to match; if set to all, any protocol is accepted; * proposal - SA parameters used for this template; * level - useful when unique is required in setups with multiple clients behind NAT.
    tunnel Boolean
    Specifies whether to use tunnel mode.

    Import

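    # The ID can be found via the API or the terminal.

    # The command for the terminal is -> :put [/ip/ipsec/policy get [print show-ids]]

    # Quote the ID: an unquoted *3 is a glob pattern, so the shell may expand it
    # against file names in the current directory and import the wrong resource.
    $ pulumi import routeros:index/ipIpsecPolicy:IpIpsecPolicy test '*3'
    

    # Or you can import a resource using one of its attributes.

    $ pulumi import routeros:index/ipIpsecPolicy:IpIpsecPolicy test "group=test-group"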
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    routeros terraform-routeros/terraform-provider-routeros
    License
    Notes
    This Pulumi package is based on the routeros Terraform Provider.