CLI Reference

vpn ipsec {phase2-interface | phase2}

Use phase2-interface to add or edit a phase 2 configuration on a route-based (interface mode) IPsec tunnel. This command is only available in NAT mode. You can also use phase2 to add or edit IPsec tunnel-mode phase 2 configurations to create and maintain IPsec VPN tunnels with a remote VPN gateway or client peer.

Note: The following entries are not available under the phase2 command:

  • auto-discovery-sender
  • auto-discovery-forwarder

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command    Description
N/A        Changed the initial proposal list when new phase2s are created.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command                                  Description
set dhgrp {31 | ...}                     FortiOS uses OpenSSL 1.1, which supports Curve25519, so DH group 31 is now supported.
set proposal {chacha20poly1305 | ...}    To support RFC 7634, kernel implementations of the ChaCha20 and Poly1305 crypto algorithms are added. The two are used together as a combined-mode AEAD cipher (like aes-gcm) in the new crypto_ftnt cipher in cipher_chacha20poly1305.c.

config vpn ipsec phase2-interface
    edit {name}
    # Configure VPN autokey tunnel.
        set name {string}   IPsec tunnel name. size[35]
        set phase1name {string}   Phase 1 determines the options required for phase 2. size[15] - datasource(s): vpn.ipsec.phase1-interface.name
        set dhcp-ipsec {enable | disable}   Enable/disable DHCP-IPsec.
        set proposal {option}   Phase2 proposal.
                null-md5          null-md5
                null-sha1         null-sha1
                null-sha256       null-sha256
                null-sha384       null-sha384
                null-sha512       null-sha512
                des-null          des-null
                des-md5           des-md5
                des-sha1          des-sha1
                des-sha256        des-sha256
                des-sha384        des-sha384
                des-sha512        des-sha512
                3des-null         3des-null
                3des-md5          3des-md5
                3des-sha1         3des-sha1
                3des-sha256       3des-sha256
                3des-sha384       3des-sha384
                3des-sha512       3des-sha512
                aes128-null       aes128-null
                aes128-md5        aes128-md5
                aes128-sha1       aes128-sha1
                aes128-sha256     aes128-sha256
                aes128-sha384     aes128-sha384
                aes128-sha512     aes128-sha512
                aes128gcm         aes128gcm
                aes192-null       aes192-null
                aes192-md5        aes192-md5
                aes192-sha1       aes192-sha1
                aes192-sha256     aes192-sha256
                aes192-sha384     aes192-sha384
                aes192-sha512     aes192-sha512
                aes256-null       aes256-null
                aes256-md5        aes256-md5
                aes256-sha1       aes256-sha1
                aes256-sha256     aes256-sha256
                aes256-sha384     aes256-sha384
                aes256-sha512     aes256-sha512
                aes256gcm         aes256gcm
                chacha20poly1305  chacha20poly1305
                aria128-null      aria128-null
                aria128-md5       aria128-md5
                aria128-sha1      aria128-sha1
                aria128-sha256    aria128-sha256
                aria128-sha384    aria128-sha384
                aria128-sha512    aria128-sha512
                aria192-null      aria192-null
                aria192-md5       aria192-md5
                aria192-sha1      aria192-sha1
                aria192-sha256    aria192-sha256
                aria192-sha384    aria192-sha384
                aria192-sha512    aria192-sha512
                aria256-null      aria256-null
                aria256-md5       aria256-md5
                aria256-sha1      aria256-sha1
                aria256-sha256    aria256-sha256
                aria256-sha384    aria256-sha384
                aria256-sha512    aria256-sha512
                seed-null         seed-null
                seed-md5          seed-md5
                seed-sha1         seed-sha1
                seed-sha256       seed-sha256
                seed-sha384       seed-sha384
                seed-sha512       seed-sha512
        set pfs {enable | disable}   Enable/disable PFS feature.
        set dhgrp {option}   Phase2 DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set replay {enable | disable}   Enable/disable replay detection.
        set keepalive {enable | disable}   Enable/disable keep alive.
        set auto-negotiate {enable | disable}   Enable/disable IPsec SA auto-negotiation.
        set add-route {phase1 | enable | disable}   Enable/disable automatic route addition.
        set auto-discovery-sender {phase1 | enable | disable}   Enable/disable sending short-cut messages.
        set auto-discovery-forwarder {phase1 | enable | disable}   Enable/disable forwarding short-cut messages.
        set keylifeseconds {integer}   Phase2 key life in time in seconds (120 - 172800). range[120-172800]
        set keylifekbs {integer}   Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
        set keylife-type {seconds | kbs | both}   Keylife type.
                seconds  Key life in seconds.
                kbs      Key life in kilobytes.
                both     Key life both.
        set single-source {enable | disable}   Enable/disable single source IP restriction.
        set route-overlap {use-old | use-new | allow}   Action for overlapping routes.
                use-old  Use the old route and do not add the new route.
                use-new  Delete the old route and add the new route.
                allow    Allow overlapping routes.
        set encapsulation {tunnel-mode | transport-mode}   ESP encapsulation mode.
                tunnel-mode     Use tunnel mode encapsulation.
                transport-mode  Use transport mode encapsulation.
        set l2tp {enable | disable}   Enable/disable L2TP over IPsec.
        set comments {string}   Comment. size[255]
        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {option}   Local proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
                subnet6  IPv6 subnet.
                range6   IPv6 range.
                ip6      IPv6 IP.
                name6    IPv6 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {option}   Remote proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
                subnet6  IPv6 subnet.
                range6   IPv6 range.
                ip6      IPv6 IP.
                name6    IPv6 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end
config vpn ipsec phase2
    edit {name}
    # Configure VPN autokey tunnel.
        set name {string}   IPsec tunnel name. size[35]
        set phase1name {string}   Phase 1 determines the options required for phase 2. size[35] - datasource(s): vpn.ipsec.phase1.name
        set dhcp-ipsec {enable | disable}   Enable/disable DHCP-IPsec.
        set use-natip {enable | disable}   Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
        set selector-match {exact | subset | auto}   Match type to use when comparing selectors.
                exact   Match selectors exactly.
                subset  Match selectors by subset.
                auto    Use subset or exact match depending on selector address type.
        set proposal {option}   Phase2 proposal.
                null-md5          null-md5
                null-sha1         null-sha1
                null-sha256       null-sha256
                null-sha384       null-sha384
                null-sha512       null-sha512
                des-null          des-null
                des-md5           des-md5
                des-sha1          des-sha1
                des-sha256        des-sha256
                des-sha384        des-sha384
                des-sha512        des-sha512
                3des-null         3des-null
                3des-md5          3des-md5
                3des-sha1         3des-sha1
                3des-sha256       3des-sha256
                3des-sha384       3des-sha384
                3des-sha512       3des-sha512
                aes128-null       aes128-null
                aes128-md5        aes128-md5
                aes128-sha1       aes128-sha1
                aes128-sha256     aes128-sha256
                aes128-sha384     aes128-sha384
                aes128-sha512     aes128-sha512
                aes128gcm         aes128gcm
                aes192-null       aes192-null
                aes192-md5        aes192-md5
                aes192-sha1       aes192-sha1
                aes192-sha256     aes192-sha256
                aes192-sha384     aes192-sha384
                aes192-sha512     aes192-sha512
                aes256-null       aes256-null
                aes256-md5        aes256-md5
                aes256-sha1       aes256-sha1
                aes256-sha256     aes256-sha256
                aes256-sha384     aes256-sha384
                aes256-sha512     aes256-sha512
                aes256gcm         aes256gcm
                chacha20poly1305  chacha20poly1305
                aria128-null      aria128-null
                aria128-md5       aria128-md5
                aria128-sha1      aria128-sha1
                aria128-sha256    aria128-sha256
                aria128-sha384    aria128-sha384
                aria128-sha512    aria128-sha512
                aria192-null      aria192-null
                aria192-md5       aria192-md5
                aria192-sha1      aria192-sha1
                aria192-sha256    aria192-sha256
                aria192-sha384    aria192-sha384
                aria192-sha512    aria192-sha512
                aria256-null      aria256-null
                aria256-md5       aria256-md5
                aria256-sha1      aria256-sha1
                aria256-sha256    aria256-sha256
                aria256-sha384    aria256-sha384
                aria256-sha512    aria256-sha512
                seed-null         seed-null
                seed-md5          seed-md5
                seed-sha1         seed-sha1
                seed-sha256       seed-sha256
                seed-sha384       seed-sha384
                seed-sha512       seed-sha512
        set pfs {enable | disable}   Enable/disable PFS feature.
        set dhgrp {option}   Phase2 DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set replay {enable | disable}   Enable/disable replay detection.
        set keepalive {enable | disable}   Enable/disable keep alive.
        set auto-negotiate {enable | disable}   Enable/disable IPsec SA auto-negotiation.
        set add-route {phase1 | enable | disable}   Enable/disable automatic route addition.
        set keylifeseconds {integer}   Phase2 key life in time in seconds (120 - 172800). range[120-172800]
        set keylifekbs {integer}   Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
        set keylife-type {seconds | kbs | both}   Keylife type.
                seconds  Key life in seconds.
                kbs      Key life in kilobytes.
                both     Key life both.
        set single-source {enable | disable}   Enable/disable single source IP restriction.
        set route-overlap {use-old | use-new | allow}   Action for overlapping routes.
                use-old  Use the old route and do not add the new route.
                use-new  Delete the old route and add the new route.
                allow    Allow overlapping routes.
        set encapsulation {tunnel-mode | transport-mode}   ESP encapsulation mode.
                tunnel-mode     Use tunnel mode encapsulation.
                transport-mode  Use transport mode encapsulation.
        set l2tp {enable | disable}   Enable/disable L2TP over IPsec.
        set comments {string}   Comment. size[255]
        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {subnet | range | ip | name}   Local proxy ID type.
                subnet  IPv4 subnet.
                range   IPv4 range.
                ip      IPv4 IP.
                name    IPv4 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {subnet | range | ip | name}   Remote proxy ID type.
                subnet  IPv4 subnet.
                range   IPv4 range.
                ip      IPv4 IP.
                name    IPv4 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end

Additional information

The following section is for those options that require additional explanation.

phase1name <gateway_name>

The name of the phase 1 gateway configuration, most commonly created using the IPsec Wizard. You must have already added the phase 1 gateway definition to the FortiGate configuration before it can be added here.

dhcp-ipsec {enable | disable}

Enable or disable (by default) DHCP-IPsec.

use-natip {enable | disable}

Enable (by default) or disable the FortiGate to use its public interface IP address as the source selector when outbound NAT is used.

selector-match {exact | subset | auto}

The match-type to use when comparing selectors.

  • Use exact to match selectors exactly.
  • Use subset to match selectors by subset.
  • Use auto (by default) to use subset or exact match depending on the selector address type.

proposal <phase2_proposal>

A minimum of one and a maximum of ten encryption/message-digest combinations for the phase 2 proposal, for example aes128-sha256. Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined. Use any of the following key encryption algorithms:

  • des: Digital Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times by three keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA and seed algorithms may not be available on some FortiGate models. Combine key encryptions with any one of the following message digests to check the authenticity of messages during an encrypted session:

  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

pfs {enable | disable}

Enable (by default) or disable perfect forward secrecy (PFS). When enabled, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted, should long-term secret keys or passwords be compromised in the future.

dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}

Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. DH groups determine the strength of the key used in the key exchange process, with higher group numbers being more secure, but requiring additional time to compute the key. Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.

Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.

replay {enable | disable}

Enable (by default) or disable replay attack detection. When enabled, replay detection discards received packets if they contain a sequence number before the current window, in which case they are seen as being too old, or if they contain a sequence number which has already been received by the FortiGate unit.
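The proposal, pfs, dhgrp and replay entries above are the settings that decide how much protection a phase 2 SA actually gets. As an added example (not Fortinet code; the configuration block, tunnel names and addresses are constructed), the following audit script parses a `config vpn ipsec phase2-interface` block in the format shown on this page and reports entries that would still negotiate DES/3DES/null encryption, MD5/SHA1/null integrity, PFS off, DH groups 1/2/5, or replay detection off, applying the page's stated defaults when an entry is omitted.

```python
from dataclasses import dataclass, field

# Constructed sample in the form FortiOS prints for
# "config vpn ipsec phase2-interface" (names and subnets are made up).
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "branch-p2"
        set phase1name "branch-p1"
        set proposal aes256gcm aes128-sha256 chacha20poly1305
        set pfs enable
        set dhgrp 19 14
        set replay enable
        set keylifeseconds 3600
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
    edit "legacy-p2"
        set phase1name "legacy-p1"
        set proposal 3des-md5 aes128-sha1 des-null
        set pfs disable
        set dhgrp 2 5
        set replay disable
    next
end
"""

# Encryption and digest halves from the page's proposal list that a defender
# would not accept on a new tunnel (null means no encryption / no integrity).
WEAK_ENC = {"null", "des", "3des"}
WEAK_HASH = {"null", "md5", "sha1"}
# Groups 1, 2 and 5 are the 768-, 1024- and 1536-bit MODP groups, the smallest
# on the dhgrp list.
WEAK_DHGRP = {"1", "2", "5"}
# Defaults stated on this page, applied when the entry is absent from the config.
DEFAULTS = {"pfs": "enable", "replay": "enable", "dhgrp": "14 5"}
# Combined-mode AEAD entries carry their own integrity check.
AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}


@dataclass
class Phase2:
    name: str
    settings: dict = field(default_factory=dict)


def parse_phase2(text: str) -> list[Phase2]:
    """Turn each 'edit ... next' block into a Phase2 record. Multi-value
    'set' lines (proposal, dhgrp, subnets) keep their whole value string."""
    entries: list[Phase2] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = Phase2(line[5:].strip().strip('"'))
        elif line == "next" and current is not None:
            entries.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current.settings[key] = value.strip().strip('"')
    return entries


def split_proposal(item: str) -> tuple[str, str]:
    """'aes128-sha256' -> ('aes128', 'sha256'); AEAD entries -> (item, 'aead')."""
    if item in AEAD:
        return item, "aead"
    enc, _, mac = item.partition("-")
    return enc, mac


def audit(p2: Phase2) -> list[str]:
    """Return human-readable findings for one phase 2 entry (empty = ok)."""
    findings = []
    s = {**DEFAULTS, **p2.settings}
    for item in s.get("proposal", "").split():
        enc, mac = split_proposal(item)
        if enc in WEAK_ENC or mac in WEAK_HASH:
            findings.append(f"weak proposal {item}")
    if s["pfs"] != "enable":
        findings.append("pfs disabled")
    else:
        # dhgrp only matters for phase 2 when PFS is on.
        for group in s["dhgrp"].split():
            if group in WEAK_DHGRP:
                findings.append(f"weak DH group {group}")
    if s["replay"] != "enable":
        findings.append("replay detection disabled")
    return findings


def audit_config(text: str) -> dict[str, list[str]]:
    """Map each phase 2 entry name to its list of findings."""
    return {p2.name: audit(p2) for p2 in parse_phase2(text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Because the page's default dhgrp is 14 5, an entry that enables PFS but never sets dhgrp is reported for group 5; that is the intended behaviour, not a parser error.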

keepalive {enable | disable}

Enable or disable (by default) the NAT traversal keepalive frequency, a period of time that specifies how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until the phase 1 and phase 2 security associations (SAs) expire.

add-route {phase1 | enable | disable}

Enable, disable, or set to phase1 (by default) to add routes according to the phase 1 add-route setting.

auto-negotiate {enable | disable}

Enable to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established. This is set to disable by default.

auto-discovery-sender {phase1 | enable | disable}

Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device. Enable or disable sending auto-discovery short-cut messages, or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-sender setting.

auto-discovery-forwarder {phase1 | enable | disable}

Enable or disable forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery), or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-forwarder setting.

keylifeseconds <seconds>

The amount of time in seconds before the phase 2 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.

keylifekbs <bytes>

The number of bytes before the phase 2 encryption key expires, at which point a new encryption key is generated without service interruption. Set the value between 5120-4294967295 bytes (or 5.12KB to 4.29GB). The default is set to 5120. While it is possible to set the value to lower than the default, it is not recommended.

keylife-type {seconds | kbs | both}

The phase 2 encryption key expiration type, used to determine when/how a new encryption key is generated without service interruption. Use seconds to then set the key life in seconds, or kbs to set the key life in kilobytes (see the keylifeseconds and keylifekbs entries above). Use both to be able to set both parameters.

single-source {enable | disable}

Note: This entry is not available when l2tp is set to enable. Enable or disable (by default) single source IP restrictions.

  • enable only accepts single source IPs.
  • disable accepts source IP range.

route-overlap {use-old | use-new | allow}

Note: This entry is not available when l2tp is set to enable. The action taken for overlapping routes.

  • use-old uses the old route and does not add the new route.
  • use-new deletes the old route and adds the new route.
  • allow permits overlapping routes.

encapsulation {tunnel-mode | transport-mode}

The Encapsulating Security Payload (ESP) encapsulation mode.

  • Use tunnel-mode to protect the entire inner IP packet, including the inner IP header.
  • Use transport-mode to insert ESP after the IP header and before a next layer protocol, e.g. TCP, UDP, ICMP, and so on.

l2tp {enable | disable}

Enable or disable (by default) L2TP over IPsec.

comments [string]

Optional comments.

protocol <integer>

The quick mode protocol selector. Set the value between 1-255, or 0 (by default) for all.

src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}

Note: This entry is only available when encapsulation is set to tunnel-mode. The local proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name. Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).

{src-subnet | src-subnet6} <ip_netmask>

Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when src-addr-type is set to subnet6. The local proxy ID subnet, either IPv4 or IPv6.

src-port <integer>

The quick mode source port. Set the value between 1-65535, or 0 (by default) for all.

{src-start-ip | src-start-ip6} <start_ip>

Note: This entry is only available when src-addr-type is set to either range/range6 or ip/ip6. The local proxy ID start, either IPv4 or IPv6.

{src-end-ip | src-end-ip6} <end_ip>

Note: This entry is only available when src-addr-type is set to range. The local proxy ID end, either IPv4 or IPv6.

{src-name | src-name6} <name>

Note: This entry is only available when src-addr-type is set to name. The local proxy ID name, either IPv4 or IPv6.

dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}

Note: This entry is only available when encapsulation is set to tunnel-mode. The remote proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name. Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).

{dst-subnet | dst-subnet6} <ip_netmask>

Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when dst-addr-type is set to subnet6. The remote proxy ID subnet, either IPv4 or IPv6.

dst-port <integer>

The quick mode destination port. Set the value between 1-65535, or 0 (by default) for all.

{dst-start-ip | dst-start-ip6} <start_ip>

Note: This entry is only available when dst-addr-type is set to either range or ip. The remote proxy ID start, either IPv4 or IPv6.

{dst-end-ip | dst-end-ip6} <end_ip>

Note: This entry is only available when dst-addr-type is set to range. The remote proxy ID end, either IPv4 or IPv6.

{dst-name | dst-name6} <name>

Note: This entry is only available when dst-addr-type is set to name. The remote proxy ID name, either IPv4 or IPv6.

        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {option}   Local proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
                subnet6  IPv6 subnet.
                range6   IPv6 range.
                ip6      IPv6 IP.
                name6    IPv6 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {option}   Remote proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
                subnet6  IPv6 subnet.
                range6   IPv6 range.
                ip6      IPv6 IP.
                name6    IPv6 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end
config vpn ipsec phase2
    edit {name}
    # Configure VPN autokey tunnel.
        set name {string}   IPsec tunnel name. size[35]
        set phase1name {string}   Phase 1 determines the options required for phase 2. size[35] - datasource(s): vpn.ipsec.phase1.name
        set dhcp-ipsec {enable | disable}   Enable/disable DHCP-IPsec.
        set use-natip {enable | disable}   Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
        set selector-match {exact | subset | auto}   Match type to use when comparing selectors.
                exact   Match selectors exactly.
                subset  Match selectors by subset.
                auto    Use subset or exact match depending on selector address type.
        set proposal {option}   Phase2 proposal.
                null-md5          null-md5
                null-sha1         null-sha1
                null-sha256       null-sha256
                null-sha384       null-sha384
                null-sha512       null-sha512
                des-null          des-null
                des-md5           des-md5
                des-sha1          des-sha1
                des-sha256        des-sha256
                des-sha384        des-sha384
                des-sha512        des-sha512
                3des-null         3des-null
                3des-md5          3des-md5
                3des-sha1         3des-sha1
                3des-sha256       3des-sha256
                3des-sha384       3des-sha384
                3des-sha512       3des-sha512
                aes128-null       aes128-null
                aes128-md5        aes128-md5
                aes128-sha1       aes128-sha1
                aes128-sha256     aes128-sha256
                aes128-sha384     aes128-sha384
                aes128-sha512     aes128-sha512
                aes128gcm         aes128gcm
                aes192-null       aes192-null
                aes192-md5        aes192-md5
                aes192-sha1       aes192-sha1
                aes192-sha256     aes192-sha256
                aes192-sha384     aes192-sha384
                aes192-sha512     aes192-sha512
                aes256-null       aes256-null
                aes256-md5        aes256-md5
                aes256-sha1       aes256-sha1
                aes256-sha256     aes256-sha256
                aes256-sha384     aes256-sha384
                aes256-sha512     aes256-sha512
                aes256gcm         aes256gcm
                chacha20poly1305  chacha20poly1305
                aria128-null      aria128-null
                aria128-md5       aria128-md5
                aria128-sha1      aria128-sha1
                aria128-sha256    aria128-sha256
                aria128-sha384    aria128-sha384
                aria128-sha512    aria128-sha512
                aria192-null      aria192-null
                aria192-md5       aria192-md5
                aria192-sha1      aria192-sha1
                aria192-sha256    aria192-sha256
                aria192-sha384    aria192-sha384
                aria192-sha512    aria192-sha512
                aria256-null      aria256-null
                aria256-md5       aria256-md5
                aria256-sha1      aria256-sha1
                aria256-sha256    aria256-sha256
                aria256-sha384    aria256-sha384
                aria256-sha512    aria256-sha512
                seed-null         seed-null
                seed-md5          seed-md5
                seed-sha1         seed-sha1
                seed-sha256       seed-sha256
                seed-sha384       seed-sha384
                seed-sha512       seed-sha512
        set pfs {enable | disable}   Enable/disable PFS feature.
        set dhgrp {option}   Phase2 DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set replay {enable | disable}   Enable/disable replay detection.
        set keepalive {enable | disable}   Enable/disable keep alive.
        set auto-negotiate {enable | disable}   Enable/disable IPsec SA auto-negotiation.
        set add-route {phase1 | enable | disable}   Enable/disable automatic route addition.
        set keylifeseconds {integer}   Phase2 key life in time in seconds (120 - 172800). range[120-172800]
        set keylifekbs {integer}   Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
        set keylife-type {seconds | kbs | both}   Keylife type.
                seconds  Key life in seconds.
                kbs      Key life in kilobytes.
                both     Key life both.
        set single-source {enable | disable}   Enable/disable single source IP restriction.
        set route-overlap {use-old | use-new | allow}   Action for overlapping routes.
                use-old  Use the old route and do not add the new route.
                use-new  Delete the old route and add the new route.
                allow    Allow overlapping routes.
        set encapsulation {tunnel-mode | transport-mode}   ESP encapsulation mode.
                tunnel-mode     Use tunnel mode encapsulation.
                transport-mode  Use transport mode encapsulation.
        set l2tp {enable | disable}   Enable/disable L2TP over IPsec.
        set comments {string}   Comment. size[255]
        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {subnet | range | ip | name}   Local proxy ID type.
                subnet  IPv4 subnet.
                range   IPv4 range.
                ip      IPv4 IP.
                name    IPv4 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {subnet | range | ip | name}   Remote proxy ID type.
                subnet  IPv4 subnet.
                range   IPv4 range.
                ip      IPv4 IP.
                name    IPv4 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end

Additional information

The following section is for those options that require additional explanation.

phase1name <gateway_name>

The name of the phase 1 gateway configuration, most commonly created using the IPsec Wizard. You must have already added the phase 1 gateway definition to the FortiGate configuration before it can be added here.

dhcp-ipsec {enable | disable}

Enable or disable (by default) DHCP-IPsec.

use-natip {enable | disable}

Enable (by default) or disable use of the FortiGate's public interface IP address as the source selector when outbound NAT is used.

selector-match {exact | subset | auto}

The match-type to use when comparing selectors.

  • Use exact to match selectors exactly.
  • Use subset to match selectors by subset.
  • Use auto (by default) to use subset or exact match depending on the selector address type.

proposal <phase2_proposal>

A minimum of one and a maximum of ten encryption/message-digest combinations for the phase 2 proposal, for example aes128-sha256. Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined. The aes128gcm, aes256gcm and chacha20poly1305 proposals are combined-mode (AEAD) ciphers: they carry their own integrity protection and are specified without a message digest. The other proposals use any of the following encryption algorithms:

  • null: No encryption. Traffic is authenticated by the selected message digest but is sent in clear text.
  • des: Data Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times with three 56-bit keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA and SEED algorithms may not be available on some FortiGate models. Combine the encryption algorithm with any one of the following message digests, which authenticate messages during the encrypted session. Note that des, 3des, md5 and sha1 are retained for interoperability with legacy peers; prefer a SHA-2 digest or an AEAD proposal wherever the remote peer supports one.

  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

pfs {enable | disable}

Enable (by default) or disable perfect forward secrecy (PFS). When enabled, each phase 2 SA is keyed from a fresh Diffie-Hellman exchange (using the groups set in dhgrp) rather than only from the phase 1 keying material, so encrypted communications recorded in the past cannot be decrypted later should the long-term secret keys, pre-shared key or phase 1 SA be compromised.

dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}

Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. The DH group determines the strength of the key exchange used to derive the phase 2 keys when PFS is enabled. The group number is an identifier, not a strength ranking: groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP groups and are no longer considered adequate; groups 14 to 18 are 2048- to 8192-bit MODP groups, with larger groups stronger but slower to compute; groups 19, 20 and 21 are the 256-, 384- and 521-bit NIST elliptic curve groups; groups 27 to 30 are the Brainpool elliptic curve groups; and group 31 is Curve25519. Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.

Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.
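
The following script is an added example and is not Fortinet code. It parses the text form of a phase 2 configuration (the same `config` / `edit` / `set` syntax shown in the listing above, as printed by `show vpn ipsec phase2-interface`), applies the documented defaults for settings that `show` omits, and flags the choices discussed above: weak or null ciphers, legacy digests, PFS disabled, DH groups below 2048-bit MODP, replay detection disabled, and any-to-any selectors. The sample configuration is constructed for this example, and the thresholds for what counts as weak are the editor's, not Fortinet's.

```python
"""Audit FortiOS phase 2 settings for weak cryptographic choices.
Added example, not Fortinet code. Sample config and "weak" thresholds are this example's own."""
import ipaddress
import re

# Constructed sample input: one legacy entry and one hardened entry.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "branch-legacy"
        set phase1name "branch"
        set proposal 3des-md5 aes128-sha1 des-null
        set pfs disable
        set dhgrp 2 5
        set replay disable
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "dc-modern"
        set phase1name "dc"
        set proposal aes256gcm chacha20poly1305 aes256-sha256
        set dhgrp 19 20 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
"""

# Defaults documented on this page, applied when `show` omits a setting.
DEFAULTS = {"pfs": "enable", "replay": "enable", "dhgrp": "14 5",
            "src-subnet": "0.0.0.0 0.0.0.0", "dst-subnet": "0.0.0.0 0.0.0.0"}

AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}  # integrity built in
WEAK_CIPHERS = {"null", "des", "3des"}
LEGACY_DIGESTS = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups


def parse_phase2(text):
    """Return {entry_name: {setting: value}} from FortiOS `show` output."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = dict(DEFAULTS)
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def check_proposal(proposal):
    """Findings for a space-separated proposal list such as 'aes128-sha256 3des-md5'."""
    findings = []
    for combo in proposal.split():
        if combo in AEAD:
            continue  # AEAD: no separate digest to evaluate
        cipher, _, digest = combo.partition("-")
        if cipher in WEAK_CIPHERS:
            findings.append(f"proposal {combo}: weak or null cipher {cipher}")
        if digest == "null":
            findings.append(f"proposal {combo}: no integrity protection")
        elif digest in LEGACY_DIGESTS:
            findings.append(f"proposal {combo}: legacy digest {digest}")
    return findings


def is_any(subnet_value):
    """True when an 'ip mask' selector covers all of IPv4 (0.0.0.0 0.0.0.0)."""
    ip, _, mask = subnet_value.partition(" ")
    return ipaddress.IPv4Network(f"{ip}/{mask}").prefixlen == 0


def audit(entries):
    """Return {entry_name: [finding, ...]}; an empty list means nothing flagged."""
    report = {}
    for name, s in entries.items():
        findings = check_proposal(s.get("proposal", ""))
        if s["pfs"] != "enable":
            findings.append("pfs disabled: no fresh DH exchange per phase 2 SA")
        weak = [g for g in s["dhgrp"].split() if g in WEAK_DH_GROUPS]
        if weak:
            findings.append(f"dhgrp {' '.join(weak)}: MODP groups below 2048 bits")
        if s["replay"] != "enable":
            findings.append("replay detection disabled")
        if is_any(s["src-subnet"]) and is_any(s["dst-subnet"]):
            findings.append("any-to-any selectors: every flow matches this SA")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_phase2(SAMPLE_CONFIG)).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the real output of `show vpn ipsec phase2-interface` by reading the file into `parse_phase2` instead of `SAMPLE_CONFIG`. The defaults table matters: `show` omits settings at their default value, and the default dhgrp of 14 5 still includes a 1536-bit group, so an entry that never sets dhgrp is flagged.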

replay {enable | disable}

Enable (by default) or disable replay attack detection. When enabled, replay detection discards received packets if they contain a sequence number before the current window, in which case they are seen as being too old, or if they contain a sequence number which has already been received by the FortiGate unit.

keepalive {enable | disable}

Enable or disable (by default) NAT traversal keepalives. When enabled, the FortiGate periodically sends empty UDP packets through the NAT device so that the NAT mapping does not change before the phase 1 and phase 2 security associations (SAs) expire.

add-route {phase1 | enable | disable}

Enable or disable automatic addition of routes for the phase 2 selectors, or set to phase1 (by default) to follow the phase 1 add-route setting.

auto-negotiate {enable | disable}

Enable to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established. This is set to disable by default.

auto-discovery-sender {phase1 | enable | disable}

Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device. Enable or disable sending auto-discovery short-cut messages, or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-sender setting.

auto-discovery-forwarder {phase1 | enable | disable}

Enable or disable forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery), or set to phase1 (by default) to forward short-cut messages according to the phase1 auto-discovery-forwarder setting.

keylifeseconds <seconds>

The amount of time in seconds before the phase 2 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.

keylifekbs <bytes>

The number of bytes before the phase 2 encryption key expires, at which point a new encryption key is generated without service interruption. Set the value between 5120-4294967295 bytes (or 5.12KB to 4.29GB). The default is set to 5120, which is also the lowest permitted value; a short key life means frequent rekeying.

keylife-type {seconds | kbs | both}

The phase 2 encryption key expiration type, used to determine when/how a new encryption key is generated without service interruption. Use seconds to then set the key life in seconds, or kbs to set the key life in kilobytes (see keylife entries above). Use both to be able to set both parameters.

single-source {enable | disable}

Note: This entry is not available when l2tp is set to enable. Enable or disable (by default) single source IP restrictions.

  • enable only accepts single source IPs.
  • disable accepts source IP range.

route-overlap {use-old | use-new | allow}

Note: This entry is not available when l2tp is set to enable. The action taken for overlapping routes.

  • use-old uses the old route and does not add the new route.
  • use-new deletes the old route and adds the new route.
  • allow permits overlapping routes.

encapsulation {tunnel-mode | transport-mode}

The Encapsulating Security Payload (ESP) encapsulation mode.

  • Use tunnel-mode to protect the entire inner IP packet, including the inner IP header.
  • Use transport-mode to insert ESP after the IP header and before a next layer protocol, e.g. TCP, UDP, ICMP, and so on.

l2tp {enable | disable}

Enable or disable (by default) L2TP over IPsec.

comments [string]

Optional comments.

protocol <integer>

The quick mode protocol selector. Set the value between 1-255, or 0 (by default) for all.

src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}

Note: This entry is only available when encapsulation is set to tunnel-mode. The local proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name. Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).

{src-subnet | src-subnet6} <ip_netmask>

Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when src-addr-type is set to subnet6. The local proxy ID subnet, either IPv4 or IPv6.

src-port <integer>

The quick mode source port. Set the value between 1-65535, or 0 (by default) for all.

{src-start-ip | src-start-ip6} <start_ip>

Note: This entry is only available when src-addr-type is set to either range/range6 or ip/ip6. The local proxy ID start, either IPv4 or IPv6.

{src-end-ip | src-end-ip6} <end_ip>

Note: This entry is only available when src-addr-type is set to range or range6. The local proxy ID end, either IPv4 or IPv6.

{src-name | src-name6} <name>

Note: This entry is only available when src-addr-type is set to name. The local proxy ID name, either IPv4 or IPv6.

dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}

Note: This entry is only available when encapsulation is set to tunnel-mode. The remote proxy ID type. The default is set to subnet. Use name to set type to firewall address or group name. Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see entries below).

{dst-subnet | dst-subnet6} <ip_netmask>

Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when dst-addr-type is set to subnet6. The remote proxy ID subnet, either IPv4 or IPv6.

dst-port <integer>

The quick mode destination port. Set the value between 1-65535, or 0 (by default) for all.

{dst-start-ip | dst-start-ip6} <start_ip>

Note: This entry is only available when dst-addr-type is set to either range/range6 or ip/ip6. The remote proxy ID start, either IPv4 or IPv6.

{dst-end-ip | dst-end-ip6} <end_ip>

Note: This entry is only available when dst-addr-type is set to range or range6. The remote proxy ID end, either IPv4 or IPv6.

{dst-name | dst-name6} <name>

Note: This entry is only available when dst-addr-type is set to name. The remote proxy ID name, either IPv4 or IPv6.