vpn ipsec {phase2-interface | phase2}
Use phase2-interface to add or edit a phase 2 configuration on a route-based (interface mode) IPsec tunnel. This command is only available in NAT mode.
You can also use phase2 to add or edit IPsec tunnel-mode phase 2 configurations to create and maintain IPsec VPN tunnels with a remote VPN gateway or client peer.
Note: The following entries are not available under the phase2 command:
- auto-discovery-sender
- auto-discovery-forwarder
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description |
---|---|
N/A | Changed the initial proposal list when new phase2s are created. |
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set dhgrp {31 | ...} | FortiOS uses OpenSSL 1.1, which now supports Curve25519, granting support for DH group 31. |
set proposal {chacha20poly1305 | ...} | In order to support RFC 7634, kernel implementations for the crypto algorithms ChaCha20 and Poly1305 are added. These two algorithms are used together as a combined mode AEAD cipher (like aes-gcm) in the new |
```
config vpn ipsec phase2-interface
    edit {name}
    # Configure VPN autokey tunnel.
        set name {string}   IPsec tunnel name. size[35]
        set phase1name {string}   Phase 1 determines the options required for phase 2. size[15] - datasource(s): vpn.ipsec.phase1-interface.name
        set dhcp-ipsec {enable | disable}   Enable/disable DHCP-IPsec.
        set proposal {option}   Phase2 proposal.
                null-md5 null-sha1 null-sha256 null-sha384 null-sha512
                des-null des-md5 des-sha1 des-sha256 des-sha384 des-sha512
                3des-null 3des-md5 3des-sha1 3des-sha256 3des-sha384 3des-sha512
                aes128-null aes128-md5 aes128-sha1 aes128-sha256 aes128-sha384 aes128-sha512 aes128gcm
                aes192-null aes192-md5 aes192-sha1 aes192-sha256 aes192-sha384 aes192-sha512
                aes256-null aes256-md5 aes256-sha1 aes256-sha256 aes256-sha384 aes256-sha512 aes256gcm
                chacha20poly1305
                aria128-null aria128-md5 aria128-sha1 aria128-sha256 aria128-sha384 aria128-sha512
                aria192-null aria192-md5 aria192-sha1 aria192-sha256 aria192-sha384 aria192-sha512
                aria256-null aria256-md5 aria256-sha1 aria256-sha256 aria256-sha384 aria256-sha512
                seed-null seed-md5 seed-sha1 seed-sha256 seed-sha384 seed-sha512
        set pfs {enable | disable}   Enable/disable PFS feature.
        set dhgrp {option}   Phase2 DH group.
                1    DH Group 1.
                2    DH Group 2.
                5    DH Group 5.
                14   DH Group 14.
                15   DH Group 15.
                16   DH Group 16.
                17   DH Group 17.
                18   DH Group 18.
                19   DH Group 19.
                20   DH Group 20.
                21   DH Group 21.
                27   DH Group 27.
                28   DH Group 28.
                29   DH Group 29.
                30   DH Group 30.
                31   DH Group 31.
        set replay {enable | disable}   Enable/disable replay detection.
        set keepalive {enable | disable}   Enable/disable keep alive.
        set auto-negotiate {enable | disable}   Enable/disable IPsec SA auto-negotiation.
        set add-route {phase1 | enable | disable}   Enable/disable automatic route addition.
        set auto-discovery-sender {phase1 | enable | disable}   Enable/disable sending short-cut messages.
        set auto-discovery-forwarder {phase1 | enable | disable}   Enable/disable forwarding short-cut messages.
        set keylifeseconds {integer}   Phase2 key life in time in seconds (120 - 172800). range[120-172800]
        set keylifekbs {integer}   Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
        set keylife-type {seconds | kbs | both}   Keylife type.
                seconds   Key life in seconds.
                kbs       Key life in kilobytes.
                both      Key life both.
        set single-source {enable | disable}   Enable/disable single source IP restriction.
        set route-overlap {use-old | use-new | allow}   Action for overlapping routes.
                use-old   Use the old route and do not add the new route.
                use-new   Delete the old route and add the new route.
                allow     Allow overlapping routes.
        set encapsulation {tunnel-mode | transport-mode}   ESP encapsulation mode.
                tunnel-mode      Use tunnel mode encapsulation.
                transport-mode   Use transport mode encapsulation.
        set l2tp {enable | disable}   Enable/disable L2TP over IPsec.
        set comments {string}   Comment. size[255]
        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {option}   Local proxy ID type.
                subnet    IPv4 subnet.
                range     IPv4 range.
                ip        IPv4 IP.
                name      IPv4 firewall address or group name.
                subnet6   IPv6 subnet.
                range6    IPv6 range.
                ip6       IPv6 IP.
                name6     IPv6 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {option}   Remote proxy ID type.
                subnet    IPv4 subnet.
                range     IPv4 range.
                ip        IPv4 IP.
                name      IPv4 firewall address or group name.
                subnet6   IPv6 subnet.
                range6    IPv6 range.
                ip6       IPv6 IP.
                name6     IPv6 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end
```
```
config vpn ipsec phase2
    edit {name}
    # Configure VPN autokey tunnel.
        set name {string}   IPsec tunnel name. size[35]
        set phase1name {string}   Phase 1 determines the options required for phase 2. size[35] - datasource(s): vpn.ipsec.phase1.name
        set dhcp-ipsec {enable | disable}   Enable/disable DHCP-IPsec.
        set use-natip {enable | disable}   Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
        set selector-match {exact | subset | auto}   Match type to use when comparing selectors.
                exact    Match selectors exactly.
                subset   Match selectors by subset.
                auto     Use subset or exact match depending on selector address type.
        set proposal {option}   Phase2 proposal.
                null-md5 null-sha1 null-sha256 null-sha384 null-sha512
                des-null des-md5 des-sha1 des-sha256 des-sha384 des-sha512
                3des-null 3des-md5 3des-sha1 3des-sha256 3des-sha384 3des-sha512
                aes128-null aes128-md5 aes128-sha1 aes128-sha256 aes128-sha384 aes128-sha512 aes128gcm
                aes192-null aes192-md5 aes192-sha1 aes192-sha256 aes192-sha384 aes192-sha512
                aes256-null aes256-md5 aes256-sha1 aes256-sha256 aes256-sha384 aes256-sha512 aes256gcm
                chacha20poly1305
                aria128-null aria128-md5 aria128-sha1 aria128-sha256 aria128-sha384 aria128-sha512
                aria192-null aria192-md5 aria192-sha1 aria192-sha256 aria192-sha384 aria192-sha512
                aria256-null aria256-md5 aria256-sha1 aria256-sha256 aria256-sha384 aria256-sha512
                seed-null seed-md5 seed-sha1 seed-sha256 seed-sha384 seed-sha512
        set pfs {enable | disable}   Enable/disable PFS feature.
        set dhgrp {option}   Phase2 DH group.
                1    DH Group 1.
                2    DH Group 2.
                5    DH Group 5.
                14   DH Group 14.
                15   DH Group 15.
                16   DH Group 16.
                17   DH Group 17.
                18   DH Group 18.
                19   DH Group 19.
                20   DH Group 20.
                21   DH Group 21.
                27   DH Group 27.
                28   DH Group 28.
                29   DH Group 29.
                30   DH Group 30.
                31   DH Group 31.
        set replay {enable | disable}   Enable/disable replay detection.
        set keepalive {enable | disable}   Enable/disable keep alive.
        set auto-negotiate {enable | disable}   Enable/disable IPsec SA auto-negotiation.
        set add-route {phase1 | enable | disable}   Enable/disable automatic route addition.
        set keylifeseconds {integer}   Phase2 key life in time in seconds (120 - 172800). range[120-172800]
        set keylifekbs {integer}   Phase2 key life in number of bytes of traffic (5120 - 4294967295). range[5120-4294967295]
        set keylife-type {seconds | kbs | both}   Keylife type.
                seconds   Key life in seconds.
                kbs       Key life in kilobytes.
                both      Key life both.
        set single-source {enable | disable}   Enable/disable single source IP restriction.
        set route-overlap {use-old | use-new | allow}   Action for overlapping routes.
                use-old   Use the old route and do not add the new route.
                use-new   Delete the old route and add the new route.
                allow     Allow overlapping routes.
        set encapsulation {tunnel-mode | transport-mode}   ESP encapsulation mode.
                tunnel-mode      Use tunnel mode encapsulation.
                transport-mode   Use transport mode encapsulation.
        set l2tp {enable | disable}   Enable/disable L2TP over IPsec.
        set comments {string}   Comment. size[255]
        set protocol {integer}   Quick mode protocol selector (1 - 255 or 0 for all). range[0-255]
        set src-name {string}   Local proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set src-name6 {string}   Local proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set src-addr-type {subnet | range | ip | name}   Local proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
        set src-start-ip {ipv4 address any}   Local proxy ID start.
        set src-start-ip6 {ipv6 address}   Local proxy ID IPv6 start.
        set src-end-ip {ipv4 address any}   Local proxy ID end.
        set src-end-ip6 {ipv6 address}   Local proxy ID IPv6 end.
        set src-subnet {ipv4 classnet any}   Local proxy ID subnet.
        set src-subnet6 {ipv6 prefix}   Local proxy ID IPv6 subnet.
        set src-port {integer}   Quick mode source port (1 - 65535 or 0 for all). range[0-65535]
        set dst-name {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set dst-name6 {string}   Remote proxy ID name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set dst-addr-type {subnet | range | ip | name}   Remote proxy ID type.
                subnet   IPv4 subnet.
                range    IPv4 range.
                ip       IPv4 IP.
                name     IPv4 firewall address or group name.
        set dst-start-ip {ipv4 address any}   Remote proxy ID IPv4 start.
        set dst-start-ip6 {ipv6 address}   Remote proxy ID IPv6 start.
        set dst-end-ip {ipv4 address any}   Remote proxy ID IPv4 end.
        set dst-end-ip6 {ipv6 address}   Remote proxy ID IPv6 end.
        set dst-subnet {ipv4 classnet any}   Remote proxy ID IPv4 subnet.
        set dst-subnet6 {ipv6 prefix}   Remote proxy ID IPv6 subnet.
        set dst-port {integer}   Quick mode destination port (1 - 65535 or 0 for all). range[0-65535]
    next
end
```
Additional information
The following section is for those options that require additional explanation.
phase1name <gateway_name>
The name of the phase 1 gateway configuration, most commonly created using the IPsec Wizard. You must have already added the phase 1 gateway definition to the FortiGate configuration before it can be added here.
dhcp-ipsec {enable | disable}
Enable or disable (by default) DHCP-IPsec.
use-natip {enable | disable}
Enable (by default) or disable use of the FortiGate's public interface IP address as the source selector when outbound NAT is used.
selector-match {exact | subset | auto}
The match type to use when comparing selectors.
- Use exact to match selectors exactly.
- Use subset to match selectors by subset.
- Use auto (by default) to use subset or exact match depending on the selector address type.
proposal <phase2_proposal>
A minimum of one and a maximum of ten encryption-message combinations for the phase 2 proposal, for example aes128-sha256. Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined.
Use any of the following key encryption algorithms:
- des: Digital Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
- 3des: Triple-DES, in which plain text is encrypted three times by three keys.
- aes128: A 128-bit block algorithm that uses a 128-bit key.
- aes192: A 128-bit block algorithm that uses a 192-bit key.
- aes256: A 128-bit block algorithm that uses a 256-bit key.
- aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
- aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
- aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
- seed: A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and SEED algorithms may not be available on some FortiGate models. Combine key encryptions with any one of the following message digests, to check the authenticity of messages during an encrypted session:
- md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
- sha1: Secure Hash Algorithm (SHA) 1, producing a 160-bit message digest.
- sha256: SHA-2 producing a 256-bit message digest.
- sha384: SHA-2 producing a 384-bit message digest.
- sha512: SHA-2 producing a 512-bit message digest.
pfs {enable | disable}
Enable (by default) or disable perfect forward secrecy (PFS). When enabled, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted, should long-term secret keys or passwords be compromised in the future.
dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}
Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. DH groups determine the strength of the key used in the key exchange process, with higher group numbers being more secure, but requiring additional time to compute the key.
Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.
Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.
replay {enable | disable}
Enable (by default) or disable replay attack detection. When enabled, replay detection discards received packets if they contain a sequence number before the current window, in which case they are seen as being too old, or if they contain a sequence number which has already been received by the FortiGate unit.
keepalive {enable | disable}
Enable or disable (by default) NAT traversal keepalives: empty UDP packets sent through the NAT device at a set frequency so that the NAT mapping does not change before the phase 1 and phase 2 security associations (SAs) expire.
add-route {phase1 | enable | disable}
Enable, disable, or set to phase1 (by default) to add routes according to the phase 1 add-route setting.
auto-negotiate {enable | disable}
Enable to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established. This is set to disable by default.
auto-discovery-sender {phase1 | enable | disable}
Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device.
Enable or disable sending auto-discovery short-cut messages, or set to phase1 (by default) to send short-cut messages according to the phase 1 auto-discovery-sender setting.
auto-discovery-forwarder {phase1 | enable | disable}
Enable or disable forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery), or set to phase1 (by default) to forward short-cut messages according to the phase 1 auto-discovery-forwarder setting.
keylifeseconds <seconds>
The amount of time in seconds before the phase 2 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.
keylifekbs <bytes>
The number of bytes before the phase 2 encryption key expires, at which point a new encryption key is generated without service interruption. Set the value between 5120-4294967295 bytes (or 5.12KB to 4.29GB). The default is set to 5120. While it is possible to set the value to lower than the default, it is not recommended.
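The proposal, dhgrp, pfs and keylife entries above are where a phase 2 definition is most often weakened by accident (a legacy cipher left in the proposal list, PFS switched off, a small DH group, a key life below the documented range). The following Python script is an added example, not FortiOS code: it parses the config / edit / set / next / end syntax shown on this page and reports those weaknesses per phase 2 entry. The sample configuration is constructed, and the weak/strong classification (null, des, 3des, md5, sha1 and DH groups 1, 2, 5) is the editor's choice rather than a FortiOS default. AEAD proposals such as aes256gcm and chacha20poly1305 have no hyphenated digest part and are handled as single names.

```python
"""Audit FortiOS 'config vpn ipsec phase2-interface' text for weak settings.

Added example, not FortiOS code. Parses the CLI block format shown on this
page and flags weak proposals, weak DH groups, disabled PFS and out-of-range
key lifetimes. The weak/strong sets below are the editor's assumption.
"""
from dataclasses import dataclass, field

# Constructed sample in FortiOS CLI syntax (not captured from a device).
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "branch-a"
        set phase1name "branch-a"
        set proposal aes256gcm aes128-sha256 chacha20poly1305
        set pfs enable
        set dhgrp 20 19 14
        set keylifeseconds 3600
    next
    edit "legacy-peer"
        set phase1name "legacy-peer"
        set proposal des-md5 3des-sha1 aes128-null
        set pfs disable
        set dhgrp 2 5
        set keylifekbs 4096
    next
end
"""

# Editor's classification (assumption): legacy ciphers, legacy digests and
# the small MODP groups.
WEAK_ENCRYPTION = {"null", "des", "3des"}
WEAK_INTEGRITY = {"null", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MAX_PROPOSALS = 10                       # page: one to ten combinations
KEYLIFE_SECONDS = (120, 172800)          # page: range[120-172800]
KEYLIFE_KBS = (5120, 4294967295)         # page: range[5120-4294967295]


@dataclass
class Phase2:
    name: str
    settings: dict = field(default_factory=dict)   # entry -> list of tokens


def parse_phase2_blocks(text):
    """Return one Phase2 per 'edit ... next' block in the config text."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = Phase2(name=line[5:].strip().strip('"'))
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current.settings[key] = value.strip().split()
        elif line == "next" and current is not None:
            blocks.append(current)
            current = None
    return blocks


def split_proposal(proposal):
    """'aes128-sha256' -> ('aes128', 'sha256'); AEAD 'aes256gcm' -> ('aes256gcm', None)."""
    if "-" in proposal:
        enc, _, integ = proposal.partition("-")
        return enc, integ
    return proposal, None


def audit(p2):
    """Return the list of findings for one phase 2 entry (empty means clean)."""
    findings = []
    proposals = p2.settings.get("proposal", [])
    if not proposals:
        findings.append("no proposal configured")
    if len(proposals) > MAX_PROPOSALS:
        findings.append(f"{len(proposals)} proposals exceeds maximum of {MAX_PROPOSALS}")
    for prop in proposals:
        enc, integ = split_proposal(prop)
        if enc in WEAK_ENCRYPTION or (integ is not None and integ in WEAK_INTEGRITY):
            findings.append(f"weak proposal {prop}")
    # pfs is enabled by default on this page, so absence counts as enabled.
    if p2.settings.get("pfs", ["enable"])[0] == "disable":
        findings.append("pfs disabled: past traffic recoverable if phase 1 keys leak")
    for grp in p2.settings.get("dhgrp", []):
        if grp in WEAK_DH_GROUPS:
            findings.append(f"weak DH group {grp}")
    for key, (lo, hi) in (("keylifeseconds", KEYLIFE_SECONDS), ("keylifekbs", KEYLIFE_KBS)):
        if key in p2.settings:
            val = int(p2.settings[key][0])
            if not lo <= val <= hi:
                findings.append(f"{key}={val} outside allowed range {lo}-{hi}")
    return findings


def audit_config(text):
    """Map each phase 2 entry name to its findings."""
    return {p2.name: audit(p2) for p2 in parse_phase2_blocks(text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

Run it against the output of a `show vpn ipsec phase2-interface` capture instead of the constructed sample to get the same per-entry report; the hyphen split is what lets the script treat an AEAD name as a single algorithm rather than mis-reading it as an encryption/digest pair.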
keylife-type {seconds | kbs | both}
The phase 2 encryption key expiration type, used to determine when/how a new encryption key is generated without service interruption.
Use seconds to set the key life in seconds, or kbs to set the key life in kilobytes (see the keylife entries above). Use both to set both parameters.
single-source {enable | disable}
Note: This entry is not available when l2tp is set to enable.
Enable or disable (by default) single source IP restrictions.
- enable only accepts a single source IP.
- disable accepts a source IP range.
route-overlap {use-old | use-new | allow}
Note: This entry is not available when l2tp is set to enable.
The action taken for overlapping routes.
- use-old uses the old route and does not add the new route.
- use-new deletes the old route and adds the new route.
- allow permits overlapping routes.
encapsulation {tunnel-mode | transport-mode}
The Encapsulating Security Payload (ESP) encapsulation mode.
- Use tunnel-mode to protect the entire inner IP packet, including the inner IP header.
- Use transport-mode to insert ESP after the IP header and before a next layer protocol, e.g. TCP, UDP, ICMP, and so on.
l2tp {enable | disable}
Enable or disable (by default) L2TP over IPsec.
comments [string]
Optional comments.
protocol <integer>
The quick mode protocol selector. Set the value between 1-255, or 0 (by default) for all.
src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
Note: This entry is only available when encapsulation is set to tunnel-mode.
The local proxy ID type. The default is set to subnet. Use name to set the type to a firewall address or group name.
Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see the entries below).
{src-subnet | src-subnet6} <ip_netmask>
Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when src-addr-type is set to subnet6.
The local proxy ID subnet, either IPv4 or IPv6.
src-port <integer>
The quick mode source port. Set the value between 1-65535, or 0 (by default) for all.
{src-start-ip | src-start-ip6} <start_ip>
Note: This entry is only available when src-addr-type is set to either range/range6 or ip/ip6.
The local proxy ID start, either IPv4 or IPv6.
{src-end-ip | src-end-ip6} <end_ip>
Note: This entry is only available when src-addr-type is set to range.
The local proxy ID end, either IPv4 or IPv6.
{src-name | src-name6} <name>
Note: This entry is only available when src-addr-type is set to name.
The local proxy ID name, either IPv4 or IPv6.
dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
Note: This entry is only available when encapsulation is set to tunnel-mode.
The remote proxy ID type. The default is set to subnet. Use name to set the type to a firewall address or group name.
Entries with 6 appended to them allow you to set IPv6 options; the other entries allow you to set IPv4 options (see the entries below).
{dst-subnet | dst-subnet6} <ip_netmask>
Note: This entry is only available when encapsulation is set to tunnel-mode. The entry with 6 appended is only available when dst-addr-type is set to subnet6.
The remote proxy ID subnet, either IPv4 or IPv6.
dst-port <integer>
The quick mode destination port. Set the value between 1-65535, or 0 (by default) for all.
{dst-start-ip | dst-start-ip6} <start_ip>
Note: This entry is only available when dst-addr-type is set to either range or ip.
The remote proxy ID start, either IPv4 or IPv6.
{dst-end-ip | dst-end-ip6} <end_ip>
Note: This entry is only available when dst-addr-type is set to range.
The remote proxy ID end, either IPv4 or IPv6.
{dst-name | dst-name6} <name>
Note: This entry is only available when dst-addr-type is set to name.
The remote proxy ID name, either IPv4 or IPv6.
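The src-* and dst-* entries above form a small dependency graph: the addr-type decides which value entries apply, the entries with 6 appended belong only to the IPv6 types, subnet and range values must be well-formed, and the selectors require tunnel-mode encapsulation. The following Python script is an added example, not FortiOS code, that encodes those rules and emits a phase2-interface block from a short description, rejecting mismatched inputs (an IPv4 prefix under subnet6, a range whose end precedes its start) before they reach a device. Function names are the example's own, and writing an IPv4 subnet as "address netmask" is the example's reading of the {ipv4 classnet} type shown in the syntax.

```python
"""Build a FortiOS 'config vpn ipsec phase2-interface' entry with validated
proxy-ID selectors.

Added example, not FortiOS code. It encodes the conditional rules described on
this page: which src-*/dst-* entries go with each addr-type, that the entries
with '6' appended belong to the IPv6 types, and that a range needs an end
address at or after its start. Function names are this example's own.
"""
import ipaddress

# addr-type -> (CLI entries that carry the value, IP version they expect)
SELECTOR_FIELDS = {
    "subnet":  (("subnet",), 4),
    "range":   (("start-ip", "end-ip"), 4),
    "ip":      (("start-ip",), 4),
    "name":    (("name",), 4),
    "subnet6": (("subnet6",), 6),
    "range6":  (("start-ip6", "end-ip6"), 6),
    "ip6":     (("start-ip6",), 6),
    "name6":   (("name6",), 6),
}


def _format_value(entry, value, version):
    """Validate one selector value against its entry and IP version."""
    if entry.startswith("subnet"):
        net = ipaddress.ip_network(value, strict=True)   # rejects host bits set
        if net.version != version:
            raise ValueError(f"{value} is not an IPv{version} subnet")
        # Assumption: IPv4 classnet is written 'address netmask', IPv6 as a prefix.
        return str(net) if version == 6 else f"{net.network_address} {net.netmask}"
    if entry.startswith(("start-ip", "end-ip")):
        addr = ipaddress.ip_address(value)
        if addr.version != version:
            raise ValueError(f"{value} is not an IPv{version} address")
        return str(addr)
    return value   # firewall address/group name: opaque string


def selector_lines(side, addr_type, *values):
    """Return the 'set <side>-...' lines for one proxy ID; side is 'src' or 'dst'."""
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    if addr_type not in SELECTOR_FIELDS:
        raise ValueError(f"unknown addr-type {addr_type!r}")
    entries, version = SELECTOR_FIELDS[addr_type]
    if len(values) != len(entries):
        raise ValueError(f"{addr_type} takes {len(entries)} value(s), got {len(values)}")
    formatted = [_format_value(e, v, version) for e, v in zip(entries, values)]
    if addr_type in ("range", "range6"):
        start, end = (ipaddress.ip_address(v) for v in formatted)
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
    lines = [f"set {side}-addr-type {addr_type}"]
    lines += [f"set {side}-{e} {v}" for e, v in zip(entries, formatted)]
    return lines


def is_valid_selector(side, addr_type, *values):
    """True when selector_lines() accepts the input, False when it rejects it."""
    try:
        selector_lines(side, addr_type, *values)
        return True
    except ValueError:
        return False


def build_phase2_interface(name, phase1name, src, dst, proposal, dhgrp):
    """Assemble the CLI block; src/dst are (addr_type, value, ...) tuples."""
    if not 1 <= len(proposal) <= 10:          # page: one to ten combinations
        raise ValueError("proposal needs between 1 and 10 combinations")
    body = [
        f"set phase1name {phase1name}",
        "set proposal " + " ".join(proposal),
        "set pfs enable",
        "set dhgrp " + " ".join(str(g) for g in dhgrp),
        "set encapsulation tunnel-mode",      # selectors below require tunnel mode
    ]
    body += selector_lines("src", *src)
    body += selector_lines("dst", *dst)
    return "\n".join(
        ["config vpn ipsec phase2-interface", f'    edit "{name}"']
        + ["        " + line for line in body]
        + ["    next", "end"]
    )


if __name__ == "__main__":
    print(build_phase2_interface(
        "branch-a", "branch-a",
        ("subnet", "10.1.0.0/16"),
        ("range", "192.0.2.10", "192.0.2.20"),
        ["aes256gcm", "aes128-sha256"], [20, 19, 14],
    ))
```

Keeping the addr-type to entry mapping in one table means a new selector type is a single row rather than another branch, and the validation runs before any text is produced, so a bad selector never becomes a half-written block.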