Fortinet Document Library

IPsec settings

The following table provides the XML tags for IPsec settings, as well as the descriptions and default values where applicable.

XML tag Description Default value

<remote_networks> elements

<network>

Specifies a network address <addr> with subnet mask <mask>.

<addr>

Network IP address.

<mask>

Subnet mask to apply to network address <addr>.

<dhgroup>

A list of possible Diffie-Hellman (DH) protocol groups, separated by semicolons.

<key_life_type>

Phase 2 key lifetime type: whether the Phase 2 SA is re-keyed after a time limit, after a data-volume limit, or when either limit is reached. Select one of the following:

  • seconds
  • kbytes
  • both

<key_life_seconds>

Phase 2 key maximum lifetime in seconds. Default value: 1800

<key_life_Kbytes>

Phase 2 key maximum lifetime in KB of traffic. Default value: 5120

<replay_detection>

Enable anti-replay detection, which rejects IPsec packets whose sequence numbers have already been seen (an attacker capturing and re-sending earlier packets).

<pfs>

Enable or disable Perfect Forward Secrecy (PFS). With PFS enabled, each Phase 2 re-key performs a fresh Diffie-Hellman exchange, so compromise of the Phase 1 key does not expose earlier Phase 2 keys.

Boolean value: [0 | 1]

<use_vip>

Use virtual IP.

Boolean value: [0 | 1]

<virtualip> elements

<type>

How the virtual IP address is assigned: IKE mode config or DHCP over IPsec.

[modeconfig | dhcpoveripsec]

<ip>

IP address.

<mask>

Network mask.

<dnsserver>

DNS server IP address.

<dnsserver_secondary>

The secondary DNS server IP address.

<winserver>

WINS (Windows Internet Name Service) server IP address.

<proposals> elements

<proposal>

Encryption and authentication algorithms for one proposal, written as encryption|authentication (the two values separated by a pipe).

Example:

<proposal>3DES|MD5</proposal>

Multiple <proposal> elements are accepted.

First setting: Encryption type: DES, 3DES, AES128, AES192, AES256

Second setting: Authentication type: MD5, SHA1, SHA256, SHA384, SHA512

DES, 3DES, MD5 and SHA1 are accepted for compatibility with older peers only; new configurations should offer AES with SHA256 or stronger, for example <proposal>AES256|SHA256</proposal>.

The <on_connect> and <on_disconnect> elements use the same structure and scripting format as described earlier in the SSL VPN section.
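The following linter is an added example, not part of the Fortinet documentation or FortiClient itself. It parses an IPsec fragment written with the tags in the table above and reports values that are malformed (a bad <mask>, a <proposal> that is not encryption|authentication, a <key_life_type> outside the allowed set) as errors, and values that are valid but weak (DES, 3DES, MD5, SHA1, PFS disabled, small DH groups) as warnings. The enclosing <ipsec> element, the sample values, and the assumption that <dhgroup> holds numeric IANA group IDs are all assumptions of the example; the page does not state them.

```python
"""Lint a FortiClient-style IPsec XML fragment against the tag rules in the table.

Added example. The wrapper element <ipsec>, the sample values, and the use of
numeric DH group IDs in <dhgroup> are assumptions, not part of the documented schema.
"""
import ipaddress
import xml.etree.ElementTree as ET

ENC_TYPES = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTH_TYPES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
# Algorithms the table lists but that a current deployment should not negotiate.
WEAK_ALGS = {"DES", "3DES", "MD5", "SHA1"}
# DH groups below 2048 bits (assumption: <dhgroup> carries numeric IANA group IDs).
WEAK_DH_GROUPS = {"1", "2", "5"}
KEY_LIFE_TYPES = {"seconds", "kbytes", "both"}
VIP_TYPES = {"modeconfig", "dhcpoveripsec"}
BOOLEAN_TAGS = ("replay_detection", "pfs", "use_vip")

# Constructed sample: one bad mask, one weak DH group, PFS off,
# one deprecated proposal, one strong proposal, one malformed proposal.
SAMPLE_XML = """
<ipsec>
  <remote_networks>
    <network><addr>10.10.0.0</addr><mask>255.255.0.0</mask></network>
    <network><addr>192.168.1.0</addr><mask>255.255.255.300</mask></network>
  </remote_networks>
  <dhgroup>2;14</dhgroup>
  <key_life_type>both</key_life_type>
  <key_life_seconds>1800</key_life_seconds>
  <key_life_Kbytes>5120</key_life_Kbytes>
  <replay_detection>1</replay_detection>
  <pfs>0</pfs>
  <use_vip>1</use_vip>
  <virtualip>
    <type>modeconfig</type>
    <ip>172.16.5.10</ip><mask>255.255.255.0</mask>
    <dnsserver>172.16.5.1</dnsserver>
  </virtualip>
  <proposals>
    <proposal>3DES|MD5</proposal>
    <proposal>AES256|SHA256</proposal>
    <proposal>AES256</proposal>
  </proposals>
</ipsec>
"""


def text(root, path):
    """Stripped text of the first element at `path`, or None if absent/empty."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def lint_ipsec(xml_text):
    """Return a list of (severity, message) findings for an <ipsec> fragment."""
    root = ET.fromstring(xml_text)
    findings = []

    # <remote_networks>: every <addr>/<mask> pair must form a valid IPv4 network.
    for net in root.iterfind("remote_networks/network"):
        addr, mask = text(net, "addr"), text(net, "mask")
        try:
            ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except (ValueError, TypeError):
            findings.append(("error", f"invalid remote network {addr}/{mask}"))

    # <dhgroup>: semicolon-separated list; flag sub-2048-bit groups.
    dh = text(root, "dhgroup")
    for g in (dh.split(";") if dh else []):
        g = g.strip()
        if not g.isdigit():
            findings.append(("error", f"dhgroup entry {g!r} is not a group number"))
        elif g in WEAK_DH_GROUPS:
            findings.append(("warn", f"DH group {g} is below 2048 bits; prefer 14 or higher"))

    klt = text(root, "key_life_type")
    if klt not in KEY_LIFE_TYPES:
        findings.append(("error", f"key_life_type {klt!r} not one of {sorted(KEY_LIFE_TYPES)}"))

    # Boolean tags must be literally 0 or 1; PFS off is valid but weak.
    for tag in BOOLEAN_TAGS:
        val = text(root, tag)
        if val is not None and val not in {"0", "1"}:
            findings.append(("error", f"{tag} must be 0 or 1, got {val!r}"))
    if text(root, "pfs") == "0":
        findings.append(("warn", "pfs is disabled; a compromised Phase 1 key exposes Phase 2 keys"))

    # <virtualip> only matters when <use_vip> is on.
    if text(root, "use_vip") == "1":
        vtype = text(root, "virtualip/type")
        if vtype not in VIP_TYPES:
            findings.append(("error", f"virtualip/type {vtype!r} not one of {sorted(VIP_TYPES)}"))

    # <proposal>: exactly ENC|AUTH from the documented lists; flag deprecated ones.
    for p in root.iterfind("proposals/proposal"):
        parts = (p.text or "").strip().split("|")
        if len(parts) != 2:
            findings.append(("error", f"proposal {p.text!r} must be ENC|AUTH"))
            continue
        enc, auth = parts
        if enc not in ENC_TYPES or auth not in AUTH_TYPES:
            findings.append(("error", f"proposal {p.text!r} uses an unlisted algorithm"))
        elif enc in WEAK_ALGS or auth in WEAK_ALGS:
            findings.append(("warn", f"proposal {p.text!r} uses a deprecated algorithm"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint_ipsec(SAMPLE_XML):
        print(f"[{sev}] {msg}")
```

Run against the constructed sample, the linter reports two errors (the 255.255.255.300 mask and the bare AES256 proposal) and three warnings (DH group 2, PFS off, 3DES|MD5). Errors are values the client would reject or misread; warnings are values it would accept but that weaken the tunnel, which is the distinction worth keeping when this is wired into a pre-deployment check of exported FortiClient profiles.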