Overview
The IKE Gateway models provide a structured way to manage Internet Key Exchange (IKE) gateway configurations in Palo Alto Networks' Strata Cloud Manager. These models support defining IKE configurations for establishing secure VPN connections with peer devices. The models handle validation of inputs and outputs when interacting with the SCM API.
Models
The module provides the following Pydantic models:
IKEGatewayBaseModel: Base model with fields common to all IKE gateway operationsIKEGatewayCreateModel: Model for creating new IKE gatewaysIKEGatewayUpdateModel: Model for updating existing IKE gatewaysIKEGatewayResponseModel: Response model for IKE gateway operationsAuthentication: Authentication configuration modelPreSharedKey: Pre-shared key authentication modelCertificateAuth: Certificate-based authentication modelPeerId: Peer identification modelLocalId: Local identification modelProtocol: IKE protocol configuration modelIKEv1: IKEv1 protocol settings modelIKEv2: IKEv2 protocol settings modelDeadPeerDetection: DPD configuration modelProtocolCommon: Common protocol settings modelNatTraversal: NAT traversal configuration modelFragmentation: IKE fragmentation configuration modelPeerAddress: Peer address configuration modelPeerIdType: Enum for peer ID typesLocalIdType: Enum for local ID typesProtocolVersion: Enum for IKE protocol versions
All models use extra="forbid" configuration, which rejects any fields not explicitly defined in the model.
Model Attributes
| Attribute | Type | Required | Default | Description |
|---|
name | str | Yes | None | Name of IKE gateway. Max 63 chars. Pattern: ^[0-9a-zA-Z._\-]+$ |
id | UUID | Yes* | None | Unique identifier (*response/update only) |
authentication | Authentication | Yes | None | Authentication configuration |
peer_id | PeerId | No | None | Peer identification configuration |
local_id | LocalId | No | None | Local identification configuration |
protocol | Protocol | Yes | None | IKE protocol configuration |
protocol_common | ProtocolCommon | No | None | Common protocol settings |
peer_address | PeerAddress | Yes | None | Peer address configuration |
folder | str | No** | None | Folder location. Max 64 chars |
snippet | str | No** | None | Snippet location. Max 64 chars |
device | str | No** | None | Device location. Max 64 chars |
* Only required for update and response models
** Exactly one container (folder/snippet/device) must be provided for create operations
Enum Types
PeerIdType
Defines the types of peer IDs supported for IKE Gateway authentication:
| Value | Description |
|---|
ipaddr | IP address |
keyid | Key ID |
fqdn | Fully Qualified Domain Name |
ufqdn | User FQDN (email format) |
LocalIdType
Defines the types of local IDs supported for IKE Gateway authentication:
| Value | Description |
|---|
ipaddr | IP address |
keyid | Key ID |
fqdn | Fully Qualified Domain Name |
ufqdn | User FQDN (email format) |
ProtocolVersion
Defines the IKE protocol versions supported:
| Value | Description |
|---|
ikev2-preferred | Prefer IKEv2, fall back to IKEv1 (default) |
ikev1 | IKEv1 only |
ikev2 | IKEv2 only |
Supporting Models
Authentication Model
| Attribute | Type | Required | Default | Description |
|---|
pre_shared_key | PreSharedKey | No* | None | Pre-shared key authentication |
certificate | CertificateAuth | No* | None | Certificate-based authentication |
* Exactly one authentication type must be provided
PreSharedKey Model
| Attribute | Type | Required | Default | Description |
|---|
key | str | Yes | None | Pre-shared key value |
CertificateAuth Model
| Attribute | Type | Required | Default | Description |
|---|
allow_id_payload_mismatch | bool | No | None | Allow ID payload mismatch |
certificate_profile | str | No | None | Certificate profile name |
local_certificate | Dict[str,Any] | No | None | Local certificate configuration |
strict_validation_revocation | bool | No | None | Enable strict validation revocation |
use_management_as_source | bool | No | None | Use management interface as source |
PeerId Model
| Attribute | Type | Required | Default | Description |
|---|
type | PeerIdType | Yes | None | Type of peer ID |
id | str | Yes | None | Peer ID string. Max 1024 chars |
LocalId Model
| Attribute | Type | Required | Default | Description |
|---|
type | LocalIdType | Yes | None | Type of local ID |
id | str | Yes | None | Local ID string. Max 1024 chars |
Protocol Model
| Attribute | Type | Required | Default | Description |
|---|
version | ProtocolVersion | No | ikev2-preferred | IKE protocol version preference |
ikev1 | IKEv1 | No | None | IKEv1 configuration |
ikev2 | IKEv2 | No | None | IKEv2 configuration |
IKEv1 Model
| Attribute | Type | Required | Default | Description |
|---|
ike_crypto_profile | str | No | None | IKE Crypto Profile name |
dpd | DeadPeerDetection | No | None | Dead Peer Detection config |
IKEv2 Model
| Attribute | Type | Required | Default | Description |
|---|
ike_crypto_profile | str | No | None | IKE Crypto Profile name |
dpd | DeadPeerDetection | No | None | Dead Peer Detection config |
DeadPeerDetection Model
| Attribute | Type | Required | Default | Description |
|---|
enable | bool | No | None | Enable Dead Peer Detection |
ProtocolCommon Model
| Attribute | Type | Required | Default | Description |
|---|
nat_traversal | NatTraversal | No | None | NAT traversal configuration |
passive_mode | bool | No | None | Enable passive mode |
fragmentation | Fragmentation | No | None | IKE fragmentation config |
NatTraversal Model
| Attribute | Type | Required | Default | Description |
|---|
enable | bool | No | None | Enable NAT traversal |
Fragmentation Model
| Attribute | Type | Required | Default | Description |
|---|
enable | bool | No | False | Enable IKE fragmentation |
PeerAddress Model
| Attribute | Type | Required | Default | Description |
|---|
ip | str | No* | None | Static IP address of peer gateway |
fqdn | str | No* | None | FQDN of peer gateway. Max 255 chars |
dynamic | Dict[str,Any] | No* | None | Dynamic peer address configuration |
* Exactly one peer address type (ip/fqdn/dynamic) must be provided
Exceptions
The IKE Gateway models can raise the following exceptions during validation:
- ValueError: Raised in several scenarios:
- When neither or both authentication types (pre_shared_key/certificate) are provided
- When neither or multiple peer address types (ip/fqdn/dynamic) are provided
- When multiple container types (folder/snippet/device) are specified for create operations
- When no container type is specified for create operations
- When protocol version is set but required config (ikev1/ikev2) is missing
- When name pattern validation fails
- When field length limits are exceeded
Model Validators
Authentication Type Validation
The models enforce that exactly one authentication type must be specified:
from scm.models.network.ike_gateway import Authentication, PreSharedKey
try:
auth = Authentication(
pre_shared_key=PreSharedKey(key="secure-key"),
certificate={"certificate_profile": "default"}
)
except ValueError as e:
print(e)
try:
auth = Authentication()
except ValueError as e:
print(e)
Peer Address Type Validation
Exactly one peer address type must be specified:
from scm.models.network.ike_gateway import PeerAddress
try:
peer_addr = PeerAddress(
ip="192.168.1.1",
fqdn="example.com"
)
except ValueError as e:
print(e)
Protocol Configuration Validation
The protocol model validates that appropriate config is provided for the version:
from scm.models.network.ike_gateway import Protocol
try:
protocol = Protocol(
version="ikev2"
)
except ValueError as e:
print(e)
Container Type Validation
For create operations, exactly one container type must be specified:
from scm.models.network.ike_gateway import IKEGatewayCreateModel
try:
ike_gateway = IKEGatewayCreateModel(
name="gateway1",
authentication={"pre_shared_key": {"key": "secure-key"}},
protocol={"version": "ikev2", "ikev2": {"ike_crypto_profile": "default"}},
peer_address={"ip": "192.168.1.1"},
folder="Texas",
device="fw01"
)
except ValueError as e:
print(e)
Usage Examples
Creating an IKE Gateway with Pre-shared Key
from scm.client import Scm
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
psk_config = {
"name": "site-a-gateway",
"authentication": {
"pre_shared_key": {
"key": "your-secure-key"
}
},
"peer_id": {
"type": "ipaddr",
"id": "203.0.113.1"
},
"protocol": {
"version": "ikev2",
"ikev2": {
"ike_crypto_profile": "default",
"dpd": {
"enable": True
}
}
},
"peer_address": {
"ip": "203.0.113.1"
},
"folder": "VPN"
}
response = client.ike_gateway.create(psk_config)
print(f"Created gateway: {response.name} (ID: {response.id})")
Creating an IKE Gateway with Certificate Authentication
from scm.client import Scm
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
cert_config = {
"name": "site-b-gateway",
"authentication": {
"certificate": {
"certificate_profile": "default-profile",
"local_certificate": {
"local_certificate_name": "cert-name"
}
}
},
"protocol": {
"version": "ikev2-preferred",
"ikev1": {
"ike_crypto_profile": "default"
},
"ikev2": {
"ike_crypto_profile": "default"
}
},
"peer_address": {
"fqdn": "vpn.example.com"
},
"folder": "VPN"
}
response = client.ike_gateway.create(cert_config)
print(f"Created gateway: {response.name}")
Creating an IKE Gateway with Dynamic Peer Address
from scm.client import Scm
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
dynamic_config = {
"name": "dynamic-gateway",
"authentication": {
"pre_shared_key": {
"key": "your-secure-key"
}
},
"protocol": {
"version": "ikev2",
"ikev2": {
"ike_crypto_profile": "default"
}
},
"peer_address": {
"dynamic": {}
},
"folder": "VPN"
}
response = client.ike_gateway.create(dynamic_config)
print(f"Created dynamic gateway: {response.name}")
Updating an IKE Gateway
from scm.client import Scm
client = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
existing = client.ike_gateway.fetch(name="site-a-gateway", folder="VPN")
existing.peer_id = {
"type": "ipaddr",
"id": "203.0.113.2"
}
existing.protocol_common = {
"nat_traversal": {
"enable": True
}
}
updated = client.ike_gateway.update(existing)
print(f"Updated gateway: {updated.name}")