vpn ipsec {phase2-interface | phase2}
Use phase2-interface to add or edit a phase 2 configuration on a route-based (interface mode) IPsec tunnel. This command is only available in NAT mode.
You can also use phase2 to add or edit IPsec tunnel-mode phase 2 configurations to create and maintain IPsec VPN tunnels with a remote VPN gateway or client peer.
Note: The following entries are not available under the phase2 command:
- auto-discovery-sender
- auto-discovery-forwarder
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
| Command | Description |
|---|---|
| N/A | Changed the initial proposal list when new phase2s are created. |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
| Command | Description |
|---|---|
| set dhgrp {31 \| ...} | FortiOS uses OpenSSL 1.1, which now supports Curve25519, granting support for DH group 31. |
| set proposal {chacha20poly1305 \| ...} | In order to support RFC 7634, kernel implementations for the crypto algorithms ChaCha20 and Poly1305 are added. These two algorithms are used together as a combined mode AEAD cipher (like aes-gcm) in the new |
config vpn ipsec phase2-interface
edit {name}
# Configure VPN autokey tunnel.
set name {string} IPsec tunnel name. size[35]
set phase1name {string} Phase 1 determines the options required for phase 2. size[15] - datasource(s): vpn.ipsec.phase1-interface.name
set dhcp-ipsec {enable | disable} Enable/disable DHCP-IPsec.
set proposal {option} Phase2 proposal.
null-md5 null-md5
null-sha1 null-sha1
null-sha256 null-sha256
null-sha384 null-sha384
null-sha512 null-sha512
des-null des-null
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
des-sha384 des-sha384
des-sha512 des-sha512
3des-null 3des-null
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
3des-sha384 3des-sha384
3des-sha512 3des-sha512
aes128-null aes128-null
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128-sha256 aes128-sha256
aes128-sha384 aes128-sha384
aes128-sha512 aes128-sha512
aes128gcm aes128gcm
aes192-null aes192-null
aes192-md5 aes192-md5
aes192-sha1 aes192-sha1
aes192-sha256 aes192-sha256
aes192-sha384 aes192-sha384
aes192-sha512 aes192-sha512
aes256-null aes256-null
aes256-md5 aes256-md5
aes256-sha1 aes256-sha1
aes256-sha256 aes256-sha256
aes256-sha384 aes256-sha384
aes256-sha512 aes256-sha512
aes256gcm aes256gcm
chacha20poly1305 chacha20poly1305
aria128-null aria128-null
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
aria128-sha256 aria128-sha256
aria128-sha384 aria128-sha384
aria128-sha512 aria128-sha512
aria192-null aria192-null
aria192-md5 aria192-md5
aria192-sha1 aria192-sha1
aria192-sha256 aria192-sha256
aria192-sha384 aria192-sha384
aria192-sha512 aria192-sha512
aria256-null aria256-null
aria256-md5 aria256-md5
aria256-sha1 aria256-sha1
aria256-sha256 aria256-sha256
aria256-sha384 aria256-sha384
aria256-sha512 aria256-sha512
seed-null seed-null
seed-md5 seed-md5
seed-sha1 seed-sha1
seed-sha256 seed-sha256
seed-sha384 seed-sha384
seed-sha512 seed-sha512
set pfs {enable | disable} Enable/disable PFS feature.
set dhgrp {option} Phase2 DH group.
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
set replay {enable | disable} Enable/disable replay detection.
set keepalive {enable | disable} Enable/disable keep alive.
set auto-negotiate {enable | disable} Enable/disable IPsec SA auto-negotiation.
set add-route {phase1 | enable | disable} Enable/disable automatic route addition.
set auto-discovery-sender {phase1 | enable | disable} Enable/disable sending short-cut messages.
set auto-discovery-forwarder {phase1 | enable | disable} Enable/disable forwarding short-cut messages.
set keylifeseconds {integer} Phase2 key life in time in seconds (120 - 172800). range[120-172800]
set keylifekbs {integer} Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
set keylife-type {seconds | kbs | both} Keylife type.
seconds Key life in seconds.
kbs Key life in kilobytes.
both Key life both.
set single-source {enable | disable} Enable/disable single source IP restriction.
set route-overlap {use-old | use-new | allow} Action for overlapping routes.
use-old Use the old route and do not add the new route.
use-new Delete the old route and add the new route.
allow Allow overlapping routes.
set encapsulation {tunnel-mode | transport-mode} ESP encapsulation mode.
tunnel-mode Use tunnel mode encapsulation.
transport-mode Use transport mode encapsulation.
set l2tp {enable | disable} Enable/disable L2TP over IPsec.
set comments {string} Comment. size[255]
set protocol {integer} Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
set src-name {string} Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set src-name6 {string} Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
set src-addr-type {option} Local proxy ID type.
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
name IPv4 firewall address or group name.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 IP.
name6 IPv6 firewall address or group name.
set src-start-ip {ipv4 address any} Local proxy ID start.
set src-start-ip6 {ipv6 address} Local proxy ID IPv6 start.
set src-end-ip {ipv4 address any} Local proxy ID end.
set src-end-ip6 {ipv6 address} Local proxy ID IPv6 end.
set src-subnet {ipv4 classnet any} Local proxy ID subnet.
set src-subnet6 {ipv6 prefix} Local proxy ID IPv6 subnet.
set src-port {integer} Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
set dst-name {string} Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set dst-name6 {string} Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
set dst-addr-type {option} Remote proxy ID type.
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
name IPv4 firewall address or group name.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 IP.
name6 IPv6 firewall address or group name.
set dst-start-ip {ipv4 address any} Remote proxy ID IPv4 start.
set dst-start-ip6 {ipv6 address} Remote proxy ID IPv6 start.
set dst-end-ip {ipv4 address any} Remote proxy ID IPv4 end.
set dst-end-ip6 {ipv6 address} Remote proxy ID IPv6 end.
set dst-subnet {ipv4 classnet any} Remote proxy ID IPv4 subnet.
set dst-subnet6 {ipv6 prefix} Remote proxy ID IPv6 subnet.
set dst-port {integer} Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
next
end
config vpn ipsec phase2
edit {name}
# Configure VPN autokey tunnel.
set name {string} IPsec tunnel name. size[35]
set phase1name {string} Phase 1 determines the options required for phase 2. size[35] - datasource(s): vpn.ipsec.phase1.name
set dhcp-ipsec {enable | disable} Enable/disable DHCP-IPsec.
set use-natip {enable | disable} Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
set selector-match {exact | subset | auto} Match type to use when comparing selectors.
exact Match selectors exactly.
subset Match selectors by subset.
auto Use subset or exact match depending on selector address type.
set proposal {option} Phase2 proposal.
null-md5 null-md5
null-sha1 null-sha1
null-sha256 null-sha256
null-sha384 null-sha384
null-sha512 null-sha512
des-null des-null
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
des-sha384 des-sha384
des-sha512 des-sha512
3des-null 3des-null
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
3des-sha384 3des-sha384
3des-sha512 3des-sha512
aes128-null aes128-null
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128-sha256 aes128-sha256
aes128-sha384 aes128-sha384
aes128-sha512 aes128-sha512
aes128gcm aes128gcm
aes192-null aes192-null
aes192-md5 aes192-md5
aes192-sha1 aes192-sha1
aes192-sha256 aes192-sha256
aes192-sha384 aes192-sha384
aes192-sha512 aes192-sha512
aes256-null aes256-null
aes256-md5 aes256-md5
aes256-sha1 aes256-sha1
aes256-sha256 aes256-sha256
aes256-sha384 aes256-sha384
aes256-sha512 aes256-sha512
aes256gcm aes256gcm
chacha20poly1305 chacha20poly1305
aria128-null aria128-null
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
aria128-sha256 aria128-sha256
aria128-sha384 aria128-sha384
aria128-sha512 aria128-sha512
aria192-null aria192-null
aria192-md5 aria192-md5
aria192-sha1 aria192-sha1
aria192-sha256 aria192-sha256
aria192-sha384 aria192-sha384
aria192-sha512 aria192-sha512
aria256-null aria256-null
aria256-md5 aria256-md5
aria256-sha1 aria256-sha1
aria256-sha256 aria256-sha256
aria256-sha384 aria256-sha384
aria256-sha512 aria256-sha512
seed-null seed-null
seed-md5 seed-md5
seed-sha1 seed-sha1
seed-sha256 seed-sha256
seed-sha384 seed-sha384
seed-sha512 seed-sha512
set pfs {enable | disable} Enable/disable PFS feature.
set dhgrp {option} Phase2 DH group.
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
set replay {enable | disable} Enable/disable replay detection.
set keepalive {enable | disable} Enable/disable keep alive.
set auto-negotiate {enable | disable} Enable/disable IPsec SA auto-negotiation.
set add-route {phase1 | enable | disable} Enable/disable automatic route addition.
set keylifeseconds {integer} Phase2 key life in time in seconds (120 - 172800). range[120-172800]
set keylifekbs {integer} Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
set keylife-type {seconds | kbs | both} Keylife type.
seconds Key life in seconds.
kbs Key life in kilobytes.
both Key life both.
set single-source {enable | disable} Enable/disable single source IP restriction.
set route-overlap {use-old | use-new | allow} Action for overlapping routes.
use-old Use the old route and do not add the new route.
use-new Delete the old route and add the new route.
allow Allow overlapping routes.
set encapsulation {tunnel-mode | transport-mode} ESP encapsulation mode.
tunnel-mode Use tunnel mode encapsulation.
transport-mode Use transport mode encapsulation.
set l2tp {enable | disable} Enable/disable L2TP over IPsec.
set comments {string} Comment. size[255]
set protocol {integer} Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
set src-name {string} Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set src-name6 {string} Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
set src-addr-type {subnet | range | ip | name} Local proxy ID type.
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
name IPv4 firewall address or group name.
set src-start-ip {ipv4 address any} Local proxy ID start.
set src-start-ip6 {ipv6 address} Local proxy ID IPv6 start.
set src-end-ip {ipv4 address any} Local proxy ID end.
set src-end-ip6 {ipv6 address} Local proxy ID IPv6 end.
set src-subnet {ipv4 classnet any} Local proxy ID subnet.
set src-subnet6 {ipv6 prefix} Local proxy ID IPv6 subnet.
set src-port {integer} Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
set dst-name {string} Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set dst-name6 {string} Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
set dst-addr-type {subnet | range | ip | name} Remote proxy ID type.
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
name IPv4 firewall address or group name.
set dst-start-ip {ipv4 address any} Remote proxy ID IPv4 start.
set dst-start-ip6 {ipv6 address} Remote proxy ID IPv6 start.
set dst-end-ip {ipv4 address any} Remote proxy ID IPv4 end.
set dst-end-ip6 {ipv6 address} Remote proxy ID IPv6 end.
set dst-subnet {ipv4 classnet any} Remote proxy ID IPv4 subnet.
set dst-subnet6 {ipv6 prefix} Remote proxy ID IPv6 subnet.
set dst-port {integer} Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
next
end
Additional information
The following section is for those options that require additional explanation.
phase1name <gateway_name>
The name of the phase 1 gateway configuration, most commonly created using the IPsec Wizard. You must have already added the phase 1 gateway definition to the FortiGate configuration before it can be added here.
dhcp-ipsec {enable | disable}
Enable or disable (by default) DHCP-IPsec.
use-natip {enable | disable}
Enable (by default) or disable the FortiGate to use its public interface IP address as the source selector when outbound NAT is used.
selector-match {exact | subset | auto}
The match-type to use when comparing selectors.
- Use exact to match selectors exactly.
- Use subset to match selectors by subset.
- Use auto (by default) to use subset or exact match depending on the selector address type.
proposal <phase2_proposal>
A minimum of one and maximum of ten encryption-message combinations for the phase 2 proposal, for example aes128-sha256.
Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined.
Use any of the following key encryption algorithms:
- des: Digital Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
- 3des: Triple-DES, in which plain text is encrypted three times by three keys.
- aes128: A 128-bit block algorithm that uses a 128-bit key.
- aes192: A 128-bit block algorithm that uses a 192-bit key.
- aes256: A 128-bit block algorithm that uses a 256-bit key.
- aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
- aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
- aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
- seed: A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and seed algorithms may not be available on some FortiGate models. Combine key encryptions with any one of the following message digests, to check the authenticity of messages during an encrypted session:
- md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
- sha1: Secure Hash Algorithm (SHA) 1, producing a 160-bit message digest.
- sha256: SHA 2, producing a 256-bit message digest.
- sha384: SHA 2, producing a 384-bit message digest.
- sha512: SHA 2, producing a 512-bit message digest.
pfs {enable | disable}
Enable (by default) or disable perfect forward secrecy (PFS). When enabled, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted, should long-term secret keys or passwords be compromised in the future.
dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}
Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. DH groups determine the strength of the key used in the key exchange process, with higher group numbers being more secure, but requiring additional time to compute the key.
Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.
Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.
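The proposal, pfs and dhgrp entries above are the ones most worth checking before a tunnel goes live. The script below is an added example for this reference page, not Fortinet code: it parses a phase2-interface block in the syntax shown above, checks each proposal against the option list (enc-digest pairs plus the three AEAD ciphers), enforces the 1-10 proposal count and the keylifeseconds range, applies the documented defaults (pfs enabled, dhgrp "14 5") when an entry is absent, and flags the combinations a defender would not normally accept on a new tunnel. Which algorithms and DH groups count as weak is this script's own policy assumption, and both sample config blocks are constructed.

```python
"""Audit the phase 2 proposal, PFS, DH group and key-life settings of a
FortiOS-style phase2-interface block.

Added example for this reference page; it is not Fortinet code. The allowed
names and ranges are taken from the option lists above; which of them count
as "weak" is this script's own policy assumption."""
import re

ENCRYPTION = {"null", "des", "3des", "aes128", "aes192", "aes256",
              "aria128", "aria192", "aria256", "seed"}
DIGEST = {"null", "md5", "sha1", "sha256", "sha384", "sha512"}
AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}
# Every enc-digest pair in the option list is accepted; null-null is not listed.
VALID_PROPOSALS = AEAD | {
    f"{e}-{d}" for e in ENCRYPTION for d in DIGEST if (e, d) != ("null", "null")
}
DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31}
# Policy assumption: do not accept these on a new tunnel.
WEAK_ENCRYPTION = {"null", "des", "3des"}
WEAK_DIGEST = {"null", "md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}
# Defaults stated in the "Additional information" section.
DEFAULT_PFS = ["enable"]
DEFAULT_DHGRP = ["14", "5"]


def parse_phase2(block: str) -> dict:
    """Collect the `set <key> <value...>` lines of one edit block."""
    settings = {}
    for line in block.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings


def audit_phase2(block: str) -> list:
    """Return a list of human-readable findings; an empty list means the block passes."""
    s = parse_phase2(block)
    findings = []
    proposals = s.get("proposal", [])
    if not 1 <= len(proposals) <= 10:
        findings.append(f"proposal: expected 1-10 entries, got {len(proposals)}")
    for p in proposals:
        if p not in VALID_PROPOSALS:
            findings.append(f"proposal: unknown combination {p}")
        elif p not in AEAD:  # AEAD ciphers carry their own integrity check
            enc, digest = p.split("-")
            if enc in WEAK_ENCRYPTION or digest in WEAK_DIGEST:
                findings.append(f"proposal: weak combination {p}")
    if s.get("pfs", DEFAULT_PFS) == ["disable"]:
        findings.append("pfs: disabled, recorded traffic is decryptable if the long-term key leaks")
    for g in s.get("dhgrp", DEFAULT_DHGRP):
        if not g.isdigit() or int(g) not in DH_GROUPS:
            findings.append(f"dhgrp: unknown group {g}")
        elif int(g) in WEAK_DH_GROUPS:
            findings.append(f"dhgrp: low-strength group {g}")
    if "keylifeseconds" in s:
        secs = int(s["keylifeseconds"][0])
        if not 120 <= secs <= 172800:
            findings.append(f"keylifeseconds: {secs} is outside 120-172800")
    return findings


# Constructed sample blocks (not taken from a real device).
LEGACY_TUNNEL = """\
config vpn ipsec phase2-interface
    edit "branch-legacy"
        set phase1name "branch-p1"
        set proposal 3des-sha1 aes128-md5 aes256-sha256
        set pfs disable
        set keylifeseconds 60
    next
end
"""

HARDENED_TUNNEL = """\
config vpn ipsec phase2-interface
    edit "branch-hardened"
        set phase1name "branch-p1"
        set proposal aes256gcm chacha20poly1305 aes256-sha256
        set pfs enable
        set dhgrp 20 19 14
        set keylifeseconds 3600
        set keylife-type seconds
    next
end
"""

if __name__ == "__main__":
    for name, block in (("legacy", LEGACY_TUNNEL), ("hardened", HARDENED_TUNNEL)):
        print(name, audit_phase2(block) or ["ok"])
```

Note that the legacy block is reported for DH group 5 even though it never sets dhgrp: the documented default "14 5" is applied, so a tunnel that relies on the default still negotiates group 5 if the peer prefers it.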
replay {enable | disable}
Enable (by default) or disable replay attack detection. When enabled, replay detection discards received packets if they contain a sequence number before the current window, in which case they are seen as being too old, or if they contain a sequence number which has already been received by the FortiGate unit.
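The two drop conditions described above (sequence number older than the window, or already received) are what a sliding-window anti-replay check implements. The following is an added example for this reference page, not FortiOS code: a 64-entry bitmap window, which is an assumed size, run over a constructed stream of ESP sequence numbers so the late-but-acceptable, too-old and duplicated cases can be seen side by side.

```python
"""Sliding-window replay detection of the kind `set replay enable` turns on.

Added example for this reference page, not FortiOS code: a received ESP
sequence number is rejected if it falls below the current window (too old)
or was already accepted; the 64-packet window size is an assumption."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0:
            return False                       # ESP never uses sequence number 0
        mask = (1 << self.size) - 1
        if seq > self.top:                     # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # before the window: too old
        if self.bitmap & (1 << offset):
            return False                       # already received: replay
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size: int = 64) -> list:
    """Run a captured sequence-number stream through one window; True = accepted."""
    win = AntiReplayWindow(size)
    return [win.check(s) for s in seqs]


# Constructed stream: in-order packets, one duplicate, a late packet still
# inside the window, a packet that arrives too late, and a replayed packet.
SAMPLE_STREAM = [1, 2, 3, 3, 100, 37, 36, 50, 50]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_STREAM, filter_sequence(SAMPLE_STREAM)):
        print(f"seq {seq:4d}: {'accept' if ok else 'drop'}")
```

With top at 100, sequence 37 is offset 63 and still accepted, while 36 is offset 64 and dropped as too old; the second 50 is dropped because its bit is already set.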
keepalive {enable | disable}
Enable or disable (by default) the NAT traversal keepalive frequency, a period of time that specifies how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until the phase 1 and phase 2 security associations (SAs) expire.
add-route {phase1 | enable | disable}
Enable, disable, or set to phase1 (by default) to add the route according to the phase 1 add-route setting.
auto-negotiate {enable | disable}
Enable to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established. This is set to disable by default.
auto-discovery-sender {phase1 | enable | disable}
Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device.
Enable or disable sending auto-discovery short-cut messages, or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-sender setting.
auto-discovery-forwarder {phase1 | enable | disable}
Enable or disable forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery), or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-forwarder setting.
keylifeseconds <seconds>
The amount of time in seconds before the phase 2 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.
keylifekbs <bytes>
The number of bytes before the phase 2 encryption key expires, at which point a new encryption key is generated without service interruption. Set the value between 5120-4294967295 bytes (or 5.12KB to 4.29GB). The default is set to 5120. While it is possible to set the value to lower than the default, it is not recommended.
keylife-type {seconds | kbs | both}
The phase 2 encryption key expiration type, used to determine when/how a new encryption key is generated without service interruption.
Use seconds to then set the key life in seconds, or kbs to set the key life in kilobytes (see keylife entries above). Use both to be able to set both parameters.
single-source {enable | disable}
Note: This entry is not available when l2tp is set to enable.
Enable or disable (by default) single source IP restrictions.
- enable only accepts single source IPs.
- disable accepts a source IP range.
route-overlap {use-old | use-new | allow}
Note: This entry is not available when l2tp is set to enable.
The action taken for overlapping routes.
- use-old uses the old route and does not add the new route.
- use-new deletes the old route and adds the new route.
- allow permits overlapping routes.
encapsulation {tunnel-mode | transport-mode}
The Encapsulating Security Payload (ESP) encapsulation mode.
- Use tunnel-mode to protect the entire inner IP packet, including the inner IP header.
- Use transport-mode to insert ESP after the IP header and before a next layer protocol, e.g. TCP, UDP, ICMP, and so on.
l2tp {enable | disable}
Enable or disable (by default) L2TP over IPsec.
comments [string]
Optional comments.
protocol <integer>
The quick mode protocol selector. Set the value between 1-255, or 0 (by default) for all.
src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
Note: This entry is only available when encapsulation is set to tunnel-mode.
The local proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name.
Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).
{src-subnet | src-subnet6} <ip_netmask>
Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when src-addr-type is set to subnet6.
The local proxy ID subnet, either IPv4 or IPv6.
src-port <integer>
The quick mode source port. Set the value between 1-65535, or 0 (by default) for all.
{src-start-ip | src-start-ip6} <start_ip>
Note: This entry is only available when src-addr-type is set to either range/range6 or ip/ip6.
The local proxy ID start, either IPv4 or IPv6.
{src-end-ip | src-end-ip6} <end_ip>
Note: This entry is only available when src-addr-type is set to range.
The local proxy ID end, either IPv4 or IPv6.
{src-name | src-name6} <name>
Note: This entry is only available when src-addr-type is set to name.
The local proxy ID name, either IPv4 or IPv6.
dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
Note: This entry is only available when encapsulation is set to tunnel-mode.
The remote proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name.
Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).
{dst-subnet | dst-subnet6} <ip_netmask>
Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when dst-addr-type is set to subnet6.
The remote proxy ID subnet, either IPv4 or IPv6.
dst-port <integer>
The quick mode destination port. Set the value between 1-65535, or 0 (by default) for all.
{dst-start-ip | dst-start-ip6} <start_ip>
Note: This entry is only available when dst-addr-type is set to either range or ip.
The remote proxy ID start, either IPv4 or IPv6.
{dst-end-ip | dst-end-ip6} <end_ip>
Note: This entry is only available when dst-addr-type is set to range.
The remote proxy ID end, either IPv4 or IPv6.
{dst-name | dst-name6} <name>
Note: This entry is only available when dst-addr-type is set to name.
The remote proxy ID name, either IPv4 or IPv6.