
CLI Reference

7.2.2

config vpn ipsec phase1-interface

Configure VPN remote gateway.

Syntax

config vpn ipsec phase1-interface
    edit <name>
        set add-route [disable|enable]
        set authmethod [psk|signature]
        set auto-negotiate [enable|disable]
        set certificate <name1>, <name2>, ...
        set dhgrp {option1}, {option2}, ...
        set dpd [disable|on-idle|...]
        set dpd-retrycount {integer}
        set dpd-retryinterval {integer}
        set fragmentation [enable|disable]
        set fragmentation-mtu {integer}
        set interface {string}
        set keepalive {integer}
        set keylife {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set mode-cfg [disable|enable]
        set peer {string}
        set peergrp {string}
        set peertype [any|one|...]
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set reauth [disable|enable]
        set rekey [enable|disable]
        set remote-gw {ipv4-address}
        set type [static|dynamic|...]
    next
end

config vpn ipsec phase1-interface

Parameters. Each entry gives the parameter's description, type, size and default, followed by the accepted options where the type is option.

add-route
    Description: Enable/disable adding a route to the peer's destination selector.
    Type: option    Size: -    Default: enable
    Options:
        disable    Do not add a route to the destination of the peer selector.
        enable     Add a route to the destination of the peer selector.

authmethod
    Description: Authentication method.
    Type: option    Size: -    Default: psk
    Options:
        psk          PSK authentication method.
        signature    Signature authentication method.

auto-negotiate
    Description: Enable/disable automatic initiation of IKE SA negotiation.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable automatic initiation of IKE SA negotiation.
        disable    Disable automatic initiation of IKE SA negotiation.

certificate <name>
    Description: The names of up to 4 signed personal certificates.
    <name>: Certificate name.
        Type: string    Size: Maximum length: 79

dhgrp
    Description: DH group.
    Type: option    Size: -    Default: 14
    Options: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21 (DH Group 2, DH Group 5, ..., DH Group 21 respectively).

dpd
    Description: Dead Peer Detection mode.
    Type: option    Size: -    Default: on-demand
    Options:
        disable      Disable Dead Peer Detection.
        on-idle      Trigger Dead Peer Detection when IPsec is idle.
        on-demand    Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

dpd-retrycount
    Description: Number of DPD retry attempts.
    Type: integer    Size: Minimum value: 0, Maximum value: 10    Default: 3

dpd-retryinterval
    Description: DPD retry interval.
    Type: integer    Size: Minimum value: 0, Maximum value: 3600    Default: 20

fragmentation
    Description: Enable/disable fragmenting IKE messages on re-transmission.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable intra-IKE fragmentation support on re-transmission.
        disable    Disable intra-IKE fragmentation support.

fragmentation-mtu
    Description: IKE fragmentation MTU.
    Type: integer    Size: Minimum value: 500, Maximum value: 16000    Default: 1200

interface
    Description: Local physical, aggregate, or VLAN outgoing interface.
    Type: string    Size: Maximum length: 35

keepalive
    Description: NAT-T keepalive interval.
    Type: integer    Size: Minimum value: 10, Maximum value: 900    Default: 10

keylife
    Description: Time to wait in seconds before the phase 1 encryption key expires.
    Type: integer    Size: Minimum value: 120, Maximum value: 172800    Default: 86400

localid
    Description: Local ID.
    Type: string    Size: Maximum length: 63

localid-type
    Description: Local ID type.
    Type: option    Size: -    Default: auto
    Options:
        auto         Select ID type automatically.
        fqdn         Use fully qualified domain name.
        user-fqdn    Use user fully qualified domain name.
        keyid        Use key-id string.
        address      Use local IP address.
        asn1dn       Use ASN.1 distinguished name.

mode-cfg
    Description: Enable/disable configuration method.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable Configuration Method.
        enable     Enable Configuration Method.

peer
    Description: Accept this peer certificate.
    Type: string    Size: Maximum length: 35

peergrp
    Description: Accept this peer certificate group.
    Type: string    Size: Maximum length: 35

peertype
    Description: Accept this peer type.
    Type: option    Size: -    Default: any
    Options:
        any        Accept any peer ID.
        one        Accept this peer ID.
        dialup     Accept peer ID in dialup group.
        peer       Accept this peer certificate.
        peergrp    Accept this peer certificate group.

proposal
    Description: Phase1 proposal.
    Type: option    Size: -
    Default: aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
    Options (each option's description is simply its name):
        aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512,
        aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512,
        aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512,
        aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512,
        aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512,
        chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512

psksecret
    Description: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
    Type: password-3    Size: Not Specified

reauth
    Description: Enable/disable re-authentication upon IKE SA lifetime expiration.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable IKE SA re-authentication.
        enable     Enable IKE SA re-authentication.

rekey
    Description: Enable/disable phase1 rekey.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable phase1 rekey.
        disable    Disable phase1 rekey.

remote-gw
    Description: IPv4 address of the remote gateway's external interface.
    Type: ipv4-address    Size: Not Specified    Default: 0.0.0.0

type
    Description: Remote gateway type.
    Type: option    Size: -    Default: static
    Options:
        static     Remote VPN gateway has a fixed IP address.
        dynamic    Remote VPN gateway has a dynamic IP address.
        ddns       Remote VPN gateway has a dynamic IP address and is a dynamic DNS client.
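As an added example (not Fortinet's code), the following Python audit parses a phase1-interface block in the CLI syntax documented above and flags tunnels that select options this reference lists but that are weaker than its 7.2.2 defaults: DH groups 2 or 5 instead of the default 14, SHA-1 proposals instead of the SHA-256/GCM defaults, and dpd set to disable. The sample configuration text and the "weak" thresholds are this example's own assumptions.

```python
# Added example (not Fortinet code): audit a phase1-interface dump for weak IKE settings.

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-legacy"
        set remote-gw 192.0.2.10
        set proposal aes128-sha1 aes256-sha1
        set dhgrp 2 5
        set dpd disable
    next
    edit "branch-hardened"
        set remote-gw 192.0.2.20
        set proposal aes256gcm-prfsha384 aes128-sha256
        set dhgrp 14 19 20
        set dpd on-demand
    next
end
"""  # constructed sample, not a real device dump

# The weak set is this audit's choice; the reference's documented default is group 14.
WEAK_DHGRP = {"2", "5"}

def parse_phase1(text):
    """Return {tunnel_name: {setting: [values]}} from the edit/set/next block syntax."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            tunnels[current][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            current = None
    return tunnels

def audit(tunnels):
    """Return {tunnel_name: [finding, ...]}; tunnels with no findings are omitted."""
    report = {}
    for name, cfg in tunnels.items():
        findings = []
        weak_grp = sorted(set(cfg.get("dhgrp", [])) & WEAK_DHGRP)
        if weak_grp:
            findings.append("weak dhgrp " + " ".join(weak_grp))
        sha1 = [p for p in cfg.get("proposal", []) if p.endswith("sha1")]
        if sha1:
            findings.append("sha1 proposal " + " ".join(sha1))
        if cfg.get("dpd", ["on-demand"])[0] == "disable":  # on-demand is the documented default
            findings.append("dpd disabled")
        if findings:
            report[name] = findings
    return report
```

Running `audit(parse_phase1(SAMPLE_CONFIG))` reports only branch-legacy; a tunnel that omits dhgrp, proposal or dpd is treated as using the documented defaults.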
