
CLI Reference

vpn ipsec {phase1-interface | phase1}


Use phase1-interface to define a phase 1 definition for a route-based (interface mode) IPsec VPN tunnel that generates authentication and encryption keys automatically. Optionally, you can create a route-based phase 1 definition to act as a backup for another IPsec interface; this is achieved with the set monitor <phase1> entry below.

You can also use phase1 to add or edit IPsec tunnel-mode phase 1 configurations, which define how the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other as part of establishing the IPsec VPN tunnel.

Note: Some entries are not available under the phase1 command, including the following:

  • ip-version
  • local-gw6
  • remote-gw6
  • monitor (and all other monitor related entries)
  • add-gw-route
  • auto-discovery-sender (and all other auto discovery related entries)
  • encapsulation (and all other encapsulation related entries)
  • childless-ike

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set cert-id-validation {enable | disable}

Enable (by default) or disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

Note that this entry is only available when authmethod is set to signature.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set proposal {aes128gcm-prfsha1 | aes128gcm-prfsha256 | aes128gcm-prfsha384 | aes128gcm-prfsha512 | aes256gcm-prfsha1 | aes256gcm-prfsha256 | aes256gcm-prfsha384 | aes256gcm-prfsha512 | chacha20poly1305-prfsha1 | chacha20poly1305-prfsha256 | chacha20poly1305-prfsha384 | chacha20poly1305-prfsha512 | ...}

Authenticated encryption with associated data (AEAD) algorithms (aesgcm and chachapoly) are now supported. Note that these algorithms are only available when ike-version is set to 2.

In addition, the initial proposal list used when a new phase 1 is created has changed: different proposals are set by default depending on whether ike-version is set to 1 or 2.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set net-device {enable | disable}

set tunnel-search {selectors | nexthop}

FortiOS 6.0 now supports changing the net-device and tunnel-search configuration after creating a phase 1 configuration.

set dhgrp {31 | ...}

FortiOS uses OpenSSL 1.1, which now supports Curve25519, granting support for DH group 31.

set dpd-retryinterval <seconds>

When type is set to dynamic:

  • dpd is set to on-idle
  • dpd-retrycount is set to 3
  • dpd-retryinterval is set to 60

When type is set to anything other than dynamic:

  • dpd is set to on-idle
  • dpd-retrycount is set to 3
  • dpd-retryinterval is set to 60

In addition, the maximum range has been changed to 3600 seconds, and the value can no longer be given in both seconds and milliseconds.

set ppk {disable | allow | require}

set ppk-secret <ascii-string-or-hex>

set ppk-identity <string>

Post-quantum Preshared Key (PPK) options for IKEv2.

Even if a quantum computer can break the Diffie-Hellman calculation to derive the DH-generated secret key, the inclusion of the PPK in the key generation algorithm means that the attacker is still unable to derive the keys used to authenticate the IKE SA negotiation (and so cannot impersonate either party in the negotiation), nor the keys used in negotiating an IPsec SA (or IKE SA).

Note that this option is only available when ike-version is set to 2 and type is set to dynamic.

set ipv4-split-exclude {all | none | address}

set ipv6-split-exclude {all | none | address}

Specify, when using IKEv1, that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported split-include feature which allows the administrator to specify that default traffic should not flow over the IPsec tunnel except for specified subnets.

Note that the split-exclude options are only available when ike-version is set to 1, type is set to dynamic, and mode-cfg is set to enable.
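The release notes above describe several entries that are only valid in combination with others (AEAD proposals and ppk need ike-version 2, ppk also needs type dynamic, split-exclude needs ike-version 1 with type dynamic and mode-cfg enable, cert-id-validation needs authmethod signature, plus the keylife and dpd-retryinterval ranges). The following script, an added example and not Fortinet code, audits a phase1-interface block against those dependencies; the sample configuration, the entry names and the defaults assumed for absent entries (ike-version 1, type static) are all constructed assumptions.

```python
"""Audit 'config vpn ipsec phase1-interface' entries against the entry
dependencies documented above (AEAD proposals, ppk, split-exclude,
cert-id-validation, keylife and dpd-retryinterval ranges).
Added example, not Fortinet code; the config text is constructed."""

# Constructed sample: one well-formed IKEv2 tunnel and one entry that
# violates several documented dependencies.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set type static
        set interface "port1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set authmethod signature
        set proposal aes256gcm-prfsha384 aes128gcm-prfsha256
        set dhgrp 31 21
        set keylife 86400
        set cert-id-validation enable
        set dpd-retryinterval 20
    next
    edit "dialup-misconfigured"
        set type static
        set interface "port1"
        set ike-version 1
        set remote-gw 198.51.100.5
        set authmethod psk
        set proposal chacha20poly1305-prfsha256
        set ppk require
        set ipv4-split-exclude "internal-net"
        set keylife 60
        set dpd-retryinterval 7200
    next
end
"""

# Proposal names the page lists as AEAD (only valid with ike-version 2).
AEAD_PREFIXES = ("aes128gcm-", "aes256gcm-", "chacha20poly1305-")


def parse_phase1(text):
    """Return {entry name: {setting: value}} for the top-level edits.
    Nested sub-tables (config certificate, exclude ranges) are skipped."""
    entries, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            entries[name] = {}
        elif depth == 1 and line == "next":
            name = None
        elif depth == 1 and name is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[name][key] = value.strip().strip('"')
    return entries


def audit_entry(cfg):
    """Return the documented dependencies this entry violates."""
    findings = []
    # Assumed defaults when the entry is absent: ike-version 1, type static.
    ike = cfg.get("ike-version", "1")
    typ = cfg.get("type", "static")
    proposals = cfg.get("proposal", "").split()
    if ike != "2" and any(p.startswith(AEAD_PREFIXES) for p in proposals):
        findings.append("AEAD proposal (gcm/chachapoly) requires ike-version 2")
    if cfg.get("ppk", "disable") != "disable" and not (ike == "2" and typ == "dynamic"):
        findings.append("ppk requires ike-version 2 and type dynamic")
    if ("ipv4-split-exclude" in cfg or "ipv6-split-exclude" in cfg) and not (
        ike == "1" and typ == "dynamic" and cfg.get("mode-cfg") == "enable"):
        findings.append("split-exclude requires ike-version 1, type dynamic, mode-cfg enable")
    if "cert-id-validation" in cfg and cfg.get("authmethod") != "signature":
        findings.append("cert-id-validation is only available when authmethod is signature")
    keylife = cfg.get("keylife")
    if keylife is not None and not (keylife.isdigit() and 120 <= int(keylife) <= 172800):
        findings.append("keylife outside the documented range 120-172800 seconds")
    dpd = cfg.get("dpd-retryinterval")
    # Since 6.0 the value is whole seconds only, with a maximum of 3600.
    if dpd is not None and not (dpd.isdigit() and int(dpd) <= 3600):
        findings.append("dpd-retryinterval must be whole seconds, at most 3600")
    return findings


def audit(text):
    """Map every phase1-interface entry name to its list of findings."""
    return {name: audit_entry(cfg) for name, cfg in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Feed it the output of `show vpn ipsec phase1-interface` from a 6.0.x unit to get the same per-entry findings for a live configuration.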

config vpn ipsec phase1-interface
    edit {name}
    # Configure VPN remote gateway.
        set name {string}   IPsec remote gateway name. size[15]
        set type {static | dynamic | ddns}   Remote gateway type.
                static   Remote VPN gateway has fixed IP address.
                dynamic  Remote VPN gateway has dynamic IP address.
                ddns     Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
        set interface {string}   Local physical, aggregate, or VLAN outgoing interface. size[35] - datasource(s): system.interface.name
        set ip-version {4 | 6}   IP version to use for VPN interface.
                4  Use IPv4 addressing for gateways.
                6  Use IPv6 addressing for gateways.
        set ike-version {1 | 2}   IKE protocol version.
                1  Use IKEv1 protocol.
                2  Use IKEv2 protocol.
        set local-gw {ipv4 address}   IPv4 address of the local gateway's external interface.
        set local-gw6 {ipv6 address}   IPv6 address of the local gateway's external interface.
        set remote-gw {ipv4 address}   IPv4 address of the remote gateway's external interface.
        set remote-gw6 {ipv6 address}   IPv6 address of the remote gateway's external interface.
        set remotegw-ddns {string}   Domain name of remote gateway (eg. name.DDNS.com). size[63]
        set keylife {integer}   Time to wait in seconds before phase 1 encryption key expires. range[120-172800]
        config certificate
            edit {name}
            # The names of up to 4 signed personal certificates.
                set name {string}   Certificate name. size[64] - datasource(s): vpn.certificate.local.name
            next
        set authmethod {psk | signature}   Authentication method.
                psk        PSK authentication method.
                signature  Signature authentication method.
        set authmethod-remote {psk | signature}   Authentication method (remote side).
                psk        PSK authentication method.
                signature  Signature authentication method.
        set mode {aggressive | main}   The ID protection mode used to establish a secure channel.
                aggressive  Aggressive mode.
                main        Main mode.
        set peertype {option}   Accept this peer type.
                any      Accept any peer ID.
                one      Accept this peer ID.
                dialup   Accept peer ID in dialup group.
                peer     Accept this peer certificate.
                peergrp  Accept this peer certificate group.
        set peerid {string}   Accept this peer identity. size[255]
        set default-gw {ipv4 address}   IPv4 address of default route gateway to use for traffic exiting the interface.
        set default-gw-priority {integer}   Priority for default gateway route. A higher priority number signifies a less preferred route. range[0-4294967295]
        set usrgrp {string}   User group name for dialup peers. size[35] - datasource(s): user.group.name
        set peer {string}   Accept this peer certificate. size[35] - datasource(s): user.peer.name
        set peergrp {string}   Accept this peer certificate group. size[35] - datasource(s): user.peergrp.name
        set monitor {string}   IPsec interface as backup for primary interface. size[35] - datasource(s): vpn.ipsec.phase1-interface.name
        set monitor-hold-down-type {immediate | delay | time}   Recovery time method when primary interface re-establishes.
                immediate  Fail back immediately after primary recovers.
                delay      Number of seconds to delay fail back after primary recovers.
                time       Specify a time at which to fail back after primary recovers.
        set monitor-hold-down-delay {integer}   Time to wait in seconds before recovery once primary re-establishes. range[0-31536000]
        set monitor-hold-down-weekday {option}   Day of the week to recover once primary re-establishes.
                everyday   Every Day.
                sunday     Sunday.
                monday     Monday.
                tuesday    Tuesday.
                wednesday  Wednesday.
                thursday   Thursday.
                friday     Friday.
                saturday   Saturday.
        set monitor-hold-down-time {string}   Time of day at which to fail back to primary after it re-establishes.
        set net-device {enable | disable}   Enable/disable kernel device creation for dialup instances.
        set tunnel-search {selectors | nexthop}   Tunnel search method for when the interface is shared.
                selectors  Search for tunnel in selectors.
                nexthop    Search for tunnel using nexthop.
        set passive-mode {enable | disable}   Enable/disable IPsec passive mode for static tunnels.
        set exchange-interface-ip {enable | disable}   Enable/disable exchange of IPsec interface IP address.
        set exchange-ip-addr4 {ipv4 address}   IPv4 address to exchange with peers.
        set exchange-ip-addr6 {ipv6 address}   IPv6 address to exchange with peers.
        set mode-cfg {disable | enable}   Enable/disable configuration method.
        set assign-ip {disable | enable}   Enable/disable assignment of IP to IPsec interface via configuration method.
        set assign-ip-from {range | usrgrp | dhcp | name}   Method by which the IP address will be assigned.
                range   Assign IP address from locally defined range.
                usrgrp  Assign IP address via user group.
                dhcp    Assign IP address via DHCP.
                name    Assign IP address from firewall address or group.
        set ipv4-start-ip {ipv4 address}   Start of IPv4 range.
        set ipv4-end-ip {ipv4 address}   End of IPv4 range.
        set ipv4-netmask {ipv4 netmask}   IPv4 Netmask.
        set dns-mode {manual | auto}   DNS server mode.
                manual  Manually configure DNS servers.
                auto    Use default DNS servers.
        set ipv4-dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set ipv4-dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set ipv4-dns-server3 {ipv4 address}   IPv4 DNS server 3.
        set ipv4-wins-server1 {ipv4 address}   WINS server 1.
        set ipv4-wins-server2 {ipv4 address}   WINS server 2.
        config ipv4-exclude-range
            edit {id}
            # Configuration Method IPv4 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv4 address}   Start of IPv4 exclusive range.
                set end-ip {ipv4 address}   End of IPv4 exclusive range.
            next
        set ipv4-split-include {string}   IPv4 split-include subnets. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set split-include-service {string}   Split-include services. size[63] - datasource(s): firewall.service.group.name,firewall.service.custom.name
        set ipv4-name {string}   IPv4 address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-start-ip {ipv6 address}   Start of IPv6 range.
        set ipv6-end-ip {ipv6 address}   End of IPv6 range.
        set ipv6-prefix {integer}   IPv6 prefix. range[1-128]
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-dns-server3 {ipv6 address}   IPv6 DNS server 3.
        config ipv6-exclude-range
            edit {id}
            # Configuration method IPv6 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv6 address}   Start of IPv6 exclusive range.
                set end-ip {ipv6 address}   End of IPv6 exclusive range.
            next
        set ipv6-split-include {string}   IPv6 split-include subnets. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set ipv6-name {string}   IPv6 address name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set unity-support {disable | enable}   Enable/disable support for Cisco UNITY Configuration Method extensions.
        set domain {string}   Instruct unity clients about the default DNS domain. size[63]
        set banner {string}   Message that unity client should display after connecting. size[1024]
        set include-local-lan {disable | enable}   Enable/disable allow local LAN access on unity clients.
        set ipv4-split-exclude {string}   IPv4 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-split-exclude {string}   IPv6 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set save-password {disable | enable}   Enable/disable saving XAuth username and password on VPN clients.
        set client-auto-negotiate {disable | enable}   Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
        set client-keep-alive {disable | enable}   Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
        config backup-gateway
            edit {address}
            # Instruct unity clients about the backup gateway address(es).
                set address {string}   Address of backup gateway. size[64]
            next
        set proposal {option}   Phase1 proposal.
                des-md5                     des-md5
                des-sha1                    des-sha1
                des-sha256                  des-sha256
                des-sha384                  des-sha384
                des-sha512                  des-sha512
                3des-md5                    3des-md5
                3des-sha1                   3des-sha1
                3des-sha256                 3des-sha256
                3des-sha384                 3des-sha384
                3des-sha512                 3des-sha512
                aes128-md5                  aes128-md5
                aes128-sha1                 aes128-sha1
                aes128-sha256               aes128-sha256
                aes128-sha384               aes128-sha384
                aes128-sha512               aes128-sha512
                aes128gcm-prfsha1           aes128gcm-prfsha1
                aes128gcm-prfsha256         aes128gcm-prfsha256
                aes128gcm-prfsha384         aes128gcm-prfsha384
                aes128gcm-prfsha512         aes128gcm-prfsha512
                aes192-md5                  aes192-md5
                aes192-sha1                 aes192-sha1
                aes192-sha256               aes192-sha256
                aes192-sha384               aes192-sha384
                aes192-sha512               aes192-sha512
                aes256-md5                  aes256-md5
                aes256-sha1                 aes256-sha1
                aes256-sha256               aes256-sha256
                aes256-sha384               aes256-sha384
                aes256-sha512               aes256-sha512
                aes256gcm-prfsha1           aes256gcm-prfsha1
                aes256gcm-prfsha256         aes256gcm-prfsha256
                aes256gcm-prfsha384         aes256gcm-prfsha384
                aes256gcm-prfsha512         aes256gcm-prfsha512
                chacha20poly1305-prfsha1    chacha20poly1305-prfsha1
                chacha20poly1305-prfsha256  chacha20poly1305-prfsha256
                chacha20poly1305-prfsha384  chacha20poly1305-prfsha384
                chacha20poly1305-prfsha512  chacha20poly1305-prfsha512
                aria128-md5                 aria128-md5
                aria128-sha1                aria128-sha1
                aria128-sha256              aria128-sha256
                aria128-sha384              aria128-sha384
                aria128-sha512              aria128-sha512
                aria192-md5                 aria192-md5
                aria192-sha1                aria192-sha1
                aria192-sha256              aria192-sha256
                aria192-sha384              aria192-sha384
                aria192-sha512              aria192-sha512
                aria256-md5                 aria256-md5
                aria256-sha1                aria256-sha1
                aria256-sha256              aria256-sha256
                aria256-sha384              aria256-sha384
                aria256-sha512              aria256-sha512
                seed-md5                    seed-md5
                seed-sha1                   seed-sha1
                seed-sha256                 seed-sha256
                seed-sha384                 seed-sha384
                seed-sha512                 seed-sha512
        set add-route {disable | enable}   Enable/disable control addition of a route to peer destination selector.
        set add-gw-route {enable | disable}   Enable/disable automatically add a route to the remote gateway.
        set psksecret {password_string}   Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set psksecret-remote {password_string}   Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set keepalive {integer}   NAT-T keep alive interval. range[10-900]
        set distance {integer}   Distance for routes added by IKE (1 - 255). range[1-255]
        set priority {integer}   Priority for routes added by IKE (0 - 4294967295). range[0-4294967295]
        set localid {string}   Local ID. size[63]
        set localid-type {option}   Local ID type.
                auto       Select ID type automatically.
                fqdn       Use fully qualified domain name.
                user-fqdn  Use user fully qualified domain name.
                keyid      Use key-id string.
                address    Use local IP address.
                asn1dn     Use ASN.1 distinguished name.
        set auto-negotiate {enable | disable}   Enable/disable automatic initiation of IKE SA negotiation.
        set negotiate-timeout {integer}   IKE SA negotiation timeout in seconds (1 - 300). range[1-300]
        set fragmentation {enable | disable}   Enable/disable fragment IKE message on re-transmission.
        set dpd {disable | on-idle | on-demand}   Dead Peer Detection mode.
                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
        set dpd-retrycount {integer}   Number of DPD retry attempts. range[0-10]
        set dpd-retryinterval {string}   DPD retry interval.
        set forticlient-enforcement {enable | disable}   Enable/disable FortiClient enforcement.
        set comments {string}   Comment. size[255]
        set npu-offload {enable | disable}   Enable/disable offloading NPU.
        set send-cert-chain {enable | disable}   Enable/disable sending certificate chain.
        set dhgrp {option}   DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}   Use Suite-B.
                disable          Do not use UI suite.
                suite-b-gcm-128  Use Suite-B-GCM-128.
                suite-b-gcm-256  Use Suite-B-GCM-256.
        set eap {enable | disable}   Enable/disable IKEv2 EAP authentication.
        set eap-identity {use-id-payload | send-request}   IKEv2 EAP peer identity type.
                use-id-payload  Use IKEv2 IDi payload to resolve peer identity.
                send-request    Use EAP identity request to resolve peer identity.
        set acct-verify {enable | disable}   Enable/disable verification of RADIUS accounting record.
        set ppk {disable | allow | require}   Enable/disable IKEv2 Postquantum Preshared Key (PPK).
                disable  Disable use of IKEv2 Postquantum Preshared Key (PPK).
                allow    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
                require  Require use of IKEv2 Postquantum Preshared Key (PPK).
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set wizard-type {option}   GUI VPN Wizard Type.
                custom              Custom VPN configuration.
                dialup-forticlient  Dial Up - FortiClient Windows, Mac and Android.
                dialup-ios          Dial Up - iPhone / iPad Native IPsec Client.
                dialup-android      Dial Up - Android Native IPsec Client.
                dialup-windows      Dial Up - Windows Native IPsec Client.
                dialup-cisco        Dial Up - Cisco IPsec Client.
                static-fortigate    Site to Site - FortiGate.
                dialup-fortigate    Dial Up - FortiGate.
                static-cisco        Site to Site - Cisco.
                dialup-cisco-fw     Dial Up - Cisco Firewall.
        set xauthtype {option}   XAuth type.
                disable  Disable.
                client   Enable as client.
                pap      Enable as server PAP.
                chap     Enable as server CHAP.
                auto     Enable as server auto.
        set reauth {disable | enable}   Enable/disable re-authentication upon IKE SA lifetime expiration.
        set authusr {string}   XAuth user name. size[64]
        set authpasswd {password_string}   XAuth password (max 35 characters). size[128]
        set group-authentication {enable | disable}   Enable/disable IKEv2 IDi group authentication.
        set group-authentication-secret {password_string}   Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x).
        set authusrgrp {string}   Authentication user group. size[35] - datasource(s): user.group.name
        set mesh-selector-type {disable | subnet | host}   Add selectors containing subsets of the configuration depending on traffic.
                disable  Disable.
                subnet   Enable addition of matching subnet selector.
                host     Enable addition of host to host selector.
        set idle-timeout {enable | disable}   Enable/disable IPsec tunnel idle timeout.
        set idle-timeoutinterval {integer}   IPsec tunnel idle timeout in minutes (5 - 43200). range[5-43200]
        set ha-sync-esp-seqno {enable | disable}   Enable/disable sequence number jump ahead for IPsec HA.
        set auto-discovery-sender {enable | disable}   Enable/disable sending auto-discovery short-cut messages.
        set auto-discovery-receiver {enable | disable}   Enable/disable accepting auto-discovery short-cut messages.
        set auto-discovery-forwarder {enable | disable}   Enable/disable forwarding auto-discovery short-cut messages.
        set auto-discovery-psk {enable | disable}   Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.
        set encapsulation {none | gre | vxlan}   Enable/disable GRE/VXLAN encapsulation.
                none   No additional encapsulation.
                gre    GRE encapsulation.
                vxlan  VXLAN encapsulation.
        set encapsulation-address {ike | ipv4 | ipv6}   Source for GRE/VXLAN tunnel address.
                ike   Use IKE/IPsec gateway addresses.
                ipv4  Specify separate GRE/VXLAN tunnel address.
                ipv6  Specify separate GRE/VXLAN tunnel address.
        set encap-local-gw4 {ipv4 address}   Local IPv4 address of GRE/VXLAN tunnel.
        set encap-local-gw6 {ipv6 address}   Local IPv6 address of GRE/VXLAN tunnel.
        set encap-remote-gw4 {ipv4 address}   Remote IPv4 address of GRE/VXLAN tunnel.
        set encap-remote-gw6 {ipv6 address}   Remote IPv6 address of GRE/VXLAN tunnel.
        set vni {integer}   VNI of VXLAN tunnel. range[1-16777215]
        set nattraversal {enable | disable | forced}   Enable/disable NAT traversal.
        set esn {require | allow | disable}   Extended sequence number (ESN) negotiation.
                require  Require extended sequence number.
                allow    Allow extended sequence number.
                disable  Disable extended sequence number.
        set fragmentation-mtu {integer}   IKE fragmentation MTU (500 - 16000). range[500-16000]
        set childless-ike {enable | disable}   Enable/disable childless IKEv2 initiation (RFC 6023).
        set rekey {enable | disable}   Enable/disable phase1 rekey.
        set digital-signature-auth {enable | disable}   Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
        set signature-hash-alg {sha1 | sha2-256 | sha2-384 | sha2-512}   Digital Signature Authentication hash algorithms.
                sha1      SHA1.
                sha2-256  SHA2-256.
                sha2-384  SHA2-384.
                sha2-512  SHA2-512.
        set rsa-signature-format {pkcs1 | pss}   Digital Signature Authentication RSA signature format.
                pkcs1  RSASSA PKCS#1 v1.5.
                pss    RSASSA Probabilistic Signature Scheme (PSS).
        set enforce-unique-id {disable | keep-new | keep-old}   Enable/disable peer ID uniqueness check.
                disable   Disable peer ID uniqueness enforcement.
                keep-new  Enforce peer ID uniqueness, keep new connection if collision found.
                keep-old  Enforce peer ID uniqueness, keep old connection if collision found.
        set cert-id-validation {enable | disable}   Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
    next
end
config vpn ipsec phase1
    edit {name}
    # Configure VPN remote gateway.
        set name {string}   IPsec remote gateway name. size[35]
        set type {static | dynamic | ddns}   Remote gateway type.
                static   Remote VPN gateway has fixed IP address.
                dynamic  Remote VPN gateway has dynamic IP address.
                ddns     Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
        set interface {string}   Local physical, aggregate, or VLAN outgoing interface. size[35] - datasource(s): system.interface.name
        set ike-version {1 | 2}   IKE protocol version.
                1  Use IKEv1 protocol.
                2  Use IKEv2 protocol.
        set remote-gw {ipv4 address}   Remote VPN gateway.
        set local-gw {ipv4 address}   Local VPN gateway.
        set remotegw-ddns {string}   Domain name of remote gateway (eg. name.DDNS.com). size[63]
        set keylife {integer}   Time to wait in seconds before phase 1 encryption key expires. range[120-172800]
        config certificate
            edit {name}
            # Names of up to 4 signed personal certificates.
                set name {string}   Certificate name. size[64] - datasource(s): vpn.certificate.local.name
            next
        set authmethod {psk | signature}   Authentication method.
                psk        PSK authentication method.
                signature  Signature authentication method.
        set authmethod-remote {psk | signature}   Authentication method (remote side).
                psk        PSK authentication method.
                signature  Signature authentication method.
        set mode {aggressive | main}   ID protection mode used to establish a secure channel.
                aggressive  Aggressive mode.
                main        Main mode.
        set peertype {option}   Accept this peer type.
                any      Accept any peer ID.
                one      Accept this peer ID.
                dialup   Accept peer ID in dialup group.
                peer     Accept this peer certificate.
                peergrp  Accept this peer certificate group.
        set peerid {string}   Accept this peer identity. size[255]
        set usrgrp {string}   User group name for dialup peers. size[35] - datasource(s): user.group.name
        set peer {string}   Accept this peer certificate. size[35] - datasource(s): user.peer.name
        set peergrp {string}   Accept this peer certificate group. size[35] - datasource(s): user.peergrp.name
        set mode-cfg {disable | enable}   Enable/disable configuration method.
        set assign-ip {disable | enable}   Enable/disable assignment of IP to IPsec interface via configuration method.
        set assign-ip-from {range | usrgrp | dhcp | name}   Method by which the IP address will be assigned.
                range   Assign IP address from locally defined range.
                usrgrp  Assign IP address via user group.
                dhcp    Assign IP address via DHCP.
                name    Assign IP address from firewall address or group.
        set ipv4-start-ip {ipv4 address}   Start of IPv4 range.
        set ipv4-end-ip {ipv4 address}   End of IPv4 range.
        set ipv4-netmask {ipv4 netmask}   IPv4 Netmask.
        set dns-mode {manual | auto}   DNS server mode.
                manual  Manually configure DNS servers.
                auto    Use default DNS servers.
        set ipv4-dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set ipv4-dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set ipv4-dns-server3 {ipv4 address}   IPv4 DNS server 3.
        set ipv4-wins-server1 {ipv4 address}   WINS server 1.
        set ipv4-wins-server2 {ipv4 address}   WINS server 2.
        config ipv4-exclude-range
            edit {id}
            # Configuration Method IPv4 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv4 address}   Start of IPv4 exclusive range.
                set end-ip {ipv4 address}   End of IPv4 exclusive range.
            next
        set ipv4-split-include {string}   IPv4 split-include subnets. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set split-include-service {string}   Split-include services. size[63] - datasource(s): firewall.service.group.name,firewall.service.custom.name
        set ipv4-name {string}   IPv4 address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-start-ip {ipv6 address}   Start of IPv6 range.
        set ipv6-end-ip {ipv6 address}   End of IPv6 range.
        set ipv6-prefix {integer}   IPv6 prefix. range[1-128]
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-dns-server3 {ipv6 address}   IPv6 DNS server 3.
        config ipv6-exclude-range
            edit {id}
            # Configuration method IPv6 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv6 address}   Start of IPv6 exclusive range.
                set end-ip {ipv6 address}   End of IPv6 exclusive range.
            next
        set ipv6-split-include {string}   IPv6 split-include subnets. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set ipv6-name {string}   IPv6 address name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set unity-support {disable | enable}   Enable/disable support for Cisco UNITY Configuration Method extensions.
        set domain {string}   Instruct unity clients about the default DNS domain. size[63]
        set banner {string}   Message that unity client should display after connecting. size[1024]
        set include-local-lan {disable | enable}   Enable/disable allow local LAN access on unity clients.
        set ipv4-split-exclude {string}   IPv4 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-split-exclude {string}   IPv6 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set save-password {disable | enable}   Enable/disable saving XAuth username and password on VPN clients.
        set client-auto-negotiate {disable | enable}   Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
        set client-keep-alive {disable | enable}   Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
        config backup-gateway
            edit {address}
            # Instruct unity clients about the backup gateway address(es).
                set address {string}   Address of backup gateway. size[64]
            next
        set proposal {option}   Phase1 proposal.
                des-md5                     des-md5
                des-sha1                    des-sha1
                des-sha256                  des-sha256
                des-sha384                  des-sha384
                des-sha512                  des-sha512
                3des-md5                    3des-md5
                3des-sha1                   3des-sha1
                3des-sha256                 3des-sha256
                3des-sha384                 3des-sha384
                3des-sha512                 3des-sha512
                aes128-md5                  aes128-md5
                aes128-sha1                 aes128-sha1
                aes128-sha256               aes128-sha256
                aes128-sha384               aes128-sha384
                aes128-sha512               aes128-sha512
                aes128gcm-prfsha1           aes128gcm-prfsha1
                aes128gcm-prfsha256         aes128gcm-prfsha256
                aes128gcm-prfsha384         aes128gcm-prfsha384
                aes128gcm-prfsha512         aes128gcm-prfsha512
                aes192-md5                  aes192-md5
                aes192-sha1                 aes192-sha1
                aes192-sha256               aes192-sha256
                aes192-sha384               aes192-sha384
                aes192-sha512               aes192-sha512
                aes256-md5                  aes256-md5
                aes256-sha1                 aes256-sha1
                aes256-sha256               aes256-sha256
                aes256-sha384               aes256-sha384
                aes256-sha512               aes256-sha512
                aes256gcm-prfsha1           aes256gcm-prfsha1
                aes256gcm-prfsha256         aes256gcm-prfsha256
                aes256gcm-prfsha384         aes256gcm-prfsha384
                aes256gcm-prfsha512         aes256gcm-prfsha512
                chacha20poly1305-prfsha1    chacha20poly1305-prfsha1
                chacha20poly1305-prfsha256  chacha20poly1305-prfsha256
                chacha20poly1305-prfsha384  chacha20poly1305-prfsha384
                chacha20poly1305-prfsha512  chacha20poly1305-prfsha512
                aria128-md5                 aria128-md5
                aria128-sha1                aria128-sha1
                aria128-sha256              aria128-sha256
                aria128-sha384              aria128-sha384
                aria128-sha512              aria128-sha512
                aria192-md5                 aria192-md5
                aria192-sha1                aria192-sha1
                aria192-sha256              aria192-sha256
                aria192-sha384              aria192-sha384
                aria192-sha512              aria192-sha512
                aria256-md5                 aria256-md5
                aria256-sha1                aria256-sha1
                aria256-sha256              aria256-sha256
                aria256-sha384              aria256-sha384
                aria256-sha512              aria256-sha512
                seed-md5                    seed-md5
                seed-sha1                   seed-sha1
                seed-sha256                 seed-sha256
                seed-sha384                 seed-sha384
                seed-sha512                 seed-sha512
        set add-route {disable | enable}   Enable/disable control addition of a route to peer destination selector.
        set add-gw-route {enable | disable}   Enable/disable automatically adding a route to the remote gateway.
        set psksecret {password_string}   Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set psksecret-remote {password_string}   Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set keepalive {integer}   NAT-T keep alive interval. range[10-900]
        set distance {integer}   Distance for routes added by IKE (1 - 255). range[1-255]
        set priority {integer}   Priority for routes added by IKE (0 - 4294967295). range[0-4294967295]
        set localid {string}   Local ID. size[63]
        set localid-type {option}   Local ID type.
                auto       Select ID type automatically.
                fqdn       Use fully qualified domain name.
                user-fqdn  Use user fully qualified domain name.
                keyid      Use key-id string.
                address    Use local IP address.
                asn1dn     Use ASN.1 distinguished name.
        set auto-negotiate {enable | disable}   Enable/disable automatic initiation of IKE SA negotiation.
        set negotiate-timeout {integer}   IKE SA negotiation timeout in seconds (1 - 300). range[1-300]
        set fragmentation {enable | disable}   Enable/disable fragment IKE message on re-transmission.
        set dpd {disable | on-idle | on-demand}   Dead Peer Detection mode.
                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
        set dpd-retrycount {integer}   Number of DPD retry attempts. range[0-10]
        set dpd-retryinterval {string}   DPD retry interval.
        set forticlient-enforcement {enable | disable}   Enable/disable FortiClient enforcement.
        set comments {string}   Comment. size[255]
        set npu-offload {enable | disable}   Enable/disable NPU offloading.
        set send-cert-chain {enable | disable}   Enable/disable sending certificate chain.
        set dhgrp {option}   DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}   Use Suite-B.
                disable          Do not use Suite-B.
                suite-b-gcm-128  Use Suite-B-GCM-128.
                suite-b-gcm-256  Use Suite-B-GCM-256.
        set eap {enable | disable}   Enable/disable IKEv2 EAP authentication.
        set eap-identity {use-id-payload | send-request}   IKEv2 EAP peer identity type.
                use-id-payload  Use IKEv2 IDi payload to resolve peer identity.
                send-request    Use EAP identity request to resolve peer identity.
        set acct-verify {enable | disable}   Enable/disable verification of RADIUS accounting record.
        set ppk {disable | allow | require}   Enable/disable IKEv2 Postquantum Preshared Key (PPK).
                disable  Disable use of IKEv2 Postquantum Preshared Key (PPK).
                allow    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
                require  Require use of IKEv2 Postquantum Preshared Key (PPK).
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set wizard-type {option}   GUI VPN Wizard Type.
                custom              Custom VPN configuration.
                dialup-forticlient  Dial Up - FortiClient Windows, Mac and Android.
                dialup-ios          Dial Up - iPhone / iPad Native IPsec Client.
                dialup-android      Dial Up - Android Native IPsec Client.
                dialup-windows      Dial Up - Windows Native IPsec Client.
                dialup-cisco        Dial Up - Cisco IPsec Client.
                static-fortigate    Site to Site - FortiGate.
                dialup-fortigate    Dial Up - FortiGate.
                static-cisco        Site to Site - Cisco.
                dialup-cisco-fw     Dial Up - Cisco Firewall.
        set xauthtype {option}   XAuth type.
                disable  Disable.
                client   Enable as client.
                pap      Enable as server PAP.
                chap     Enable as server CHAP.
                auto     Enable as server auto.
        set reauth {disable | enable}   Enable/disable re-authentication upon IKE SA lifetime expiration.
        set authusr {string}   XAuth user name. size[64]
        set authpasswd {password_string}   XAuth password (max 35 characters). size[128]
        set group-authentication {enable | disable}   Enable/disable IKEv2 IDi group authentication.
        set group-authentication-secret {password_string}   Password for IKEv2 IDi group authentication.  (ASCII string or hexadecimal indicated by a leading 0x.)
        set authusrgrp {string}   Authentication user group. size[35] - datasource(s): user.group.name
        set mesh-selector-type {disable | subnet | host}   Add selectors containing subsets of the configuration depending on traffic.
                disable  Disable.
                subnet   Enable addition of matching subnet selector.
                host     Enable addition of host to host selector.
        set idle-timeout {enable | disable}   Enable/disable IPsec tunnel idle timeout.
        set idle-timeoutinterval {integer}   IPsec tunnel idle timeout in minutes (5 - 43200). range[5-43200]
        set ha-sync-esp-seqno {enable | disable}   Enable/disable sequence number jump ahead for IPsec HA.
        set nattraversal {enable | disable | forced}   Enable/disable NAT traversal.
        set esn {require | allow | disable}   Extended sequence number (ESN) negotiation.
                require  Require extended sequence number.
                allow    Allow extended sequence number.
                disable  Disable extended sequence number.
        set fragmentation-mtu {integer}   IKE fragmentation MTU (500 - 16000). range[500-16000]
        set childless-ike {enable | disable}   Enable/disable childless IKEv2 initiation (RFC 6023).
        set rekey {enable | disable}   Enable/disable phase1 rekey.
        set digital-signature-auth {enable | disable}   Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
        set signature-hash-alg {sha1 | sha2-256 | sha2-384 | sha2-512}   Digital Signature Authentication hash algorithms.
                sha1      SHA1.
                sha2-256  SHA2-256.
                sha2-384  SHA2-384.
                sha2-512  SHA2-512.
        set rsa-signature-format {pkcs1 | pss}   Digital Signature Authentication RSA signature format.
                pkcs1  RSASSA PKCS#1 v1.5.
                pss    RSASSA Probabilistic Signature Scheme (PSS).
        set enforce-unique-id {disable | keep-new | keep-old}   Enable/disable peer ID uniqueness check.
                disable   Disable peer ID uniqueness enforcement.
                keep-new  Enforce peer ID uniqueness, keep new connection if collision found.
                keep-old  Enforce peer ID uniqueness, keep old connection if collision found.
        set cert-id-validation {enable | disable}   Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
    next
end

Additional information

The following section is for those options that require additional explanation.

type {static | dynamic | ddns}

The connection type of the remote gateway:

  • Use static if the remote VPN peer has a static IP address. Once set, use the remote-gw entry to specify the IP address.
  • Use dynamic if the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE).
  • Use ddns if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service. Once set, use the remotegw-ddns entry to enter the domain name of the remote VPN peer. Note: ddns is not available when ip-version is set to 6.

interface <out-interface>

Enter the name of the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

ip-version {4 | 6}

Enter 4 (by default) for IPv4 or 6 for IPv6 encapsulation for gateways.

ike-version {1 | 2}

Enter 1 (by default) for IKEv1 or 2 for IKEv2 protocol version.

local-gw [sec-addr-ipv4]

An optional secondary IPv4 address of the interface selected in the interface entry, used as the local end of the VPN tunnel.

local-gw6 [sec-addr-ipv6]

Note: This entry is only available when ip-version is set to 6. An optional secondary IPv6 address of the interface selected in the interface entry, used as the local end of the VPN tunnel.

remote-gw <addr-ipv4>

Note: This entry is only available when ip-version is set to 4 and type is set to static (it is not available when type is set to dynamic). The IPv4 address of the remote gateway's external interface.

remote-gw6 <addr-ipv6>

Note: This entry is only available when ip-version is set to 6. The IPv6 address of the remote gateway's external interface.

remotegw-ddns <domain-name>

Note: This entry is only available when ip-version is set to 4 and type is set to ddns. The identifier of the remote peer (e.g. an FQDN). This should be used when the remote peer has a static domain name and a dynamic IP address.

keylife <seconds>

The amount of time in seconds before the phase 1 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.

certificate <cert-string>

Note: This entry is only available when authmethod is set to signature. Enter the names of up to four signed personal certificates for the FortiGate unit. The certificates must have already been installed on the FortiGate before entering them here.

authmethod {psk | signature}

Enter your preferred authentication method:

  • Use psk (by default) to authenticate using a pre-shared key. Once set, use the psksecret entry to specify the pre-shared key.
  • Use signature to authenticate using a certificate. Once set, use the certificate entry to specify the name of the certificate.

mode {aggressive | main}

Note: This entry is only available when ike-version is set to 1. An ID protection mode that establishes a secure channel.

  • Use aggressive mode when a remote peer or dialup client has a dynamic IP address. If this is not set, the remote peer will be authenticated using an identifier (local ID). Identifying information is exchanged in the clear.
  • Use main mode (by default) when both peers have static IP addresses. Identifying information is hidden.

peertype <any | one | peer | peergrp | dialup>

The following peertype options are available:

  • any: Accepts any remote client or peer. Peer IDs are not used for authentication purposes. This is set by default.
  • one: Authenticates either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Once set, use the peerid entry to set the peer ID. If more than one dialup client will be connecting using the same identifier, set mode to aggressive.
  • peer: Authenticates one or more certificate holders based on a particular (or shared) certificate. Once set, use the peer entry to enter the certificate name. If the remote peer has a dynamic IP address, set mode to aggressive.
  • peergrp: Authenticates certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Once set, use the peergrp entry to set the certificate group name. If the remote peer has a dynamic IP address, set mode to aggressive.
  • dialup: Authenticates dialup VPN clients that use unique identifiers and/or preshared-keys to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Once set, use the usrgrp entry to set the user group name. If the dialup clients use unique identifiers and preshared-keys, set mode to aggressive. If the dialup clients use preshared-keys only, set mode to main.

Availability of these options varies depending on which remote gateway type and authmethod is used. The following table shows which peertypes are available under different circumstances:

type      authmethod   peertype
static    psk          any
static    signature    any, one, peer, peergrp
dynamic   psk          any, one, dialup
dynamic   signature    any, one, peer, peergrp
ddns      psk          any
ddns      signature    any, one, peer, peergrp

peergrp <peer-group>

Note: This entry is only available when peertype is set to peergrp. Accepts the specified peer group.

peerid <peer-id>

Note: This entry is only available when peertype is set to one. Accepts the specified peer identity.

peer <cert-name>

Note: This entry is only available when peertype is set to peer. Accepts the specified peer certificate.

default-gw <addr-ipv4>

Note: This entry is only available when type is set to dynamic and ip-version is set to 4. The IPv4 address of the default route gateway to use for traffic exiting the interface.

default-gw-priority <priority>

Note: This entry is only available when type is set to dynamic. The priority for the default gateway router. Set the value between 0-4294967295. Default is set to 0.

usrgrp <group-name>

Note: This entry is only available when peertype is set to dialup. The user group. You must have already configured a user group on the FortiGate unit before entering the group's name here.

monitor [phase1]

Note: This entry is not available when type is set to dynamic. An optional IPsec interface that can act as a backup for another (primary) IPsec interface. Enter the name of the primary interface. Once set, use the monitor-hold-down-type entry to configure recovery timing (further configured with the monitor-hold-down-delay, monitor-hold-down-weekday, and monitor-hold-down-time entries).

The backup interface is only used when the primary interface is unavailable. For this, dpd must be enabled (set to either on-idle or on-demand).

Note that a primary interface can only have one backup interface and cannot itself act as a backup for another interface.

monitor-hold-down-type {immediate | delay | time}

Note: This entry (and all other sub-entries) is only available once monitor is configured. Controls the recovery time method when the primary interface re-establishes.

  • Use immediate (by default) to have the primary interface be re-established immediately.
  • Use delay to configure the number of seconds to wait before recovery once the primary interface is re-established (see the monitor-hold-down-delay entry).
  • Use time to configure the day of the week and/or the time of day to recover once the primary interface is re-established (see the monitor-hold-down-weekday and monitor-hold-down-time entries).

monitor-hold-down-delay <seconds>

Note: This entry is only available when monitor-hold-down-type is set to delay. Configure the number of seconds to wait before recovery once the primary interface is re-established. Set the value between 0-31536000 (or 0 seconds to 1 year). The default is set to 0.

monitor-hold-down-weekday <day>

Note: This entry is only available when monitor-hold-down-type is set to time. Configure the day of the week to recover once the primary interface is re-established. Set the value to either everyday, sunday (by default), monday, tuesday, wednesday, thursday, friday, or saturday.

monitor-hold-down-time <time>

Note: This entry is only available when monitor-hold-down-type is set to time. Configure the time of day to recover once the primary interface is re-established. Set the hour and minute values of the day, with a colon to separate the two (between 00:00 and 23:59). The default is set to 00:00 (or midnight).

net-device {enable | disable}

Enable or disable (by default) the creation of a kernel device for every dialup instance, allowing all traffic to use a single interface for all instances that spawn via a given phase1. When enabled and with tunnel-search set to nexthop, instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

tunnel-search {selectors | nexthop}

Under the single-interface scheme, instead of relying on routing to guide traffic to the specific tunnel instance (as happens otherwise), all traffic flows to the single device and IPsec must locate the correct instance for outbound traffic:

  • selectors: Select a peer using the IPsec selectors (proxy-ids). This is set by default.
  • nexthop: All peers use the same default selectors (0/0), and a routing protocol such as BGP, OSPF, or RIPng resolves the routing.

Disabling net-device and setting tunnel-search to nexthop changes how FortiOS creates and manages dynamic tunnels. Enabling the option can improve dialup IPsec VPN performance on newer FortiGate models that are running the most recent kernel. FortiOS 5.6.5 now also supports changing the net-device configuration after creating the tunnel. Enabling this option also allows the IPsec tunnel to learn routes from dynamic routing. The recommended configuration is:

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set net-device disable
        set tunnel-search nexthop
        set interface "wan1"
        set proposal aes128-sha1
        set add-route disable
        set auto-discovery-sender enable
        set exchange-interface-ip enable
        set psksecret <key>
    next
end

config vpn ipsec phase2-interface
    edit <name>
        set phase1name <name>
        set proposal aes128-sha1
    next
end

config system interface
    edit <name>
        set ip 10.10.10.1/32
        set remote-ip 10.10.10.254/24
    next
end

mode-cfg {enable | disable}

Enable IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides. Disable (by default) to prohibit clients from configuring themselves.

assign-ip {enable | disable}

Note: This entry is only available when mode-cfg is set to enable. Enable (by default) or disable the assignment of an IP address to the IPsec interface.

assign-ip-from {range | dhcp}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The method by which the IP address will be assigned.

  • Use range (by default) to assign the IP address from a locally defined range.
  • Use dhcp to assign the IP address via DHCP.

ipv4-start-ip <ipv4-start>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The start of the IPv4 range.

ipv4-end-ip <ipv4-end>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The end of the IPv4 range.

ipv4-netmask <ipv4-netmask>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv4 netmask.

dns-mode {manual | auto}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The DNS server mode.

  • Use manual (by default) to manually configure the DNS servers.
  • Use auto to use default DNS servers.

ipv4-dns-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify an IPv4 DNS server, of which you may specify up to three (see entries below).

ipv4-dns-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second IPv4 DNS server.

ipv4-dns-server3 <server3>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a third IPv4 DNS server.

ipv4-wins-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Windows Internet Name Service (WINS) is a central mapping of host names to network addresses. Specify a WINS server, of which you may specify up to two (see entry below).

ipv4-wins-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second WINS server.

ipv4-exclude-range

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. A configuration method table for excluding IPv4 ranges. Edit an entry to create a new exclude range and specify it using the start-ip and end-ip entries.

ipv4-split-include <subnet>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv4 split-include subnets. The addresses must have already been configured on the FortiGate unit before entering their names here.

split-include-service <service>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The split-include services. The services must have already been configured on the FortiGate unit before entering their names here.

ipv4-name <name>

IPv4 address name used when assign-ip-from is set to name.

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable.

ipv6-start-ip <ipv6-start>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The start of the IPv6 range.

ipv6-end-ip <ipv6-end>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The end of the IPv6 range.

ipv6-prefix <ipv6-prefix>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv6 address prefix. Enter a value between 1-128. The default is set to 128.

ipv6-dns-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify an IPv6 DNS server, of which you may specify up to three (see entries below).

ipv6-dns-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second IPv6 DNS server.

ipv6-dns-server3 <server3>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a third IPv6 DNS server.

ipv6-exclude-range

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. A configuration method table for excluding IPv6 ranges. Edit an entry to create a new exclude range and specify it using the start-ip and end-ip entries.

ipv6-split-include <subnet>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv6 split-include subnets. The addresses must have already been configured on the FortiGate unit before entering their names here.

ipv6-name <name>

IPv6 address name used when assign-ip-from is set to name.

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable.

unity-support {enable | disable}

Note: This entry is only available when mode-cfg is set to enable. Enable (by default) or disable support for Cisco Unity configuration method extensions.

domain <domain>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The default DNS domain for Unity clients.

banner <message>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The message that Unity clients should display after connecting.

include-local-lan {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing local LAN access on Unity clients.

client-auto-negotiate {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing the VPN client to bring up the tunnel when there is no traffic.

client-keep-alive {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing the VPN client to keep the tunnel up when there is no traffic.

backup-gateway <address>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The backup gateway address(es) for Unity clients.

proposal <phase1-proposal>

A minimum of one and a maximum of ten encryption and message-digest combinations for the phase 1 proposal, for example aes128-sha256. Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined. Note: This entry is not available if suite-b has been configured. Use any of the following key encryption algorithms:

  • des: Digital Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times by three keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA and SEED algorithms may not be available on some FortiGate models. Combine a key encryption algorithm with any one of the following message digests, which check the authenticity of messages during an encrypted session:

  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

add-route {disable | enable}

Note: This entry is only available when type is set to dynamic. Enable (by default) or disable adding a route to the destination of the peer selector.

exchange-interface-ip {enable | disable}

Enable or disable (by default) the exchange of IPsec interface IP address.

add-gw-route {enable | disable}

Enable to automatically add a route to the remote gateway specified in the remote-gw entry. This is disabled by default.

Note: This command is deprecated. Instead, use the dynamic-gateway {enable | disable} entry in the config router static command.

psksecret <preshared-key>

Note: This entry is only available when authmethod is set to psk. Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least six characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

keepalive <seconds>

Note: This entry is only available when nattraversal is set to enable. Set the NAT traversal keepalive frequency in seconds, a period of time that specifies how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until phase 1 and 2 security associations (SAs) expire. Set the value between 10-900 seconds (or ten seconds to 15 minutes). The default is set to 5.

distance <distance>

Note: This entry is only available when type is set to dynamic, or when mode-cfg is set to enable. The distance for routes added by IKE. Set the value between 1-255. Default is set to 15.

priority <priority>

Note: This entry is only available when type is set to dynamic, or when mode-cfg is set to enable. The priority for routes added by IKE. Set the value between 0-4294967295. Default is set to 0.

localid <local-id>

Note: If you set a local ID on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and specify the identifier as a peer ID on the FortiGate dialup server. The local ID, or unique identifier, that the FortiGate uses as a VPN client for authentication purposes.

localid-type {auto | fqdn | user-fqdn | keyid | address}

Determines the type of local ID to be set:

  • auto: Selects type automatically.
  • fqdn: Uses a Fully Qualified Domain Name (FQDN).
  • user-fqdn: Uses a User FQDN.
  • keyid: Uses Key Identifier ID.
  • address: Uses IP address ID.

auto-negotiate {enable | disable}

Enable (by default) to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established.

negotiate-timeout <seconds>

The amount of time in seconds that the FortiGate unit will wait for the IKE SA to be negotiated. Set the value between 1-300 seconds (or one second to five minutes). The default is set to 5.

fragmentation {enable | disable}

Note: This entry is only available when ike-version is set to 1. Enable (by default) intra-IKE fragmentation support on re-transmission of fragmented packets.

dpd {disable | on-idle | on-demand}

Disable or set Dead Peer Detection (DPD) to either on-idle or on-demand (by default). DPD detects the status of the connection between VPN peers, cleans up dead connections, and helps establish new VPN tunnels. Note that DPD cannot be used unless both VPN peers support and enable the feature.

  • on-idle: DPD is triggered when IPsec is idle/inactive.
  • on-demand: DPD is triggered when IPsec traffic is sent but no reply is received from the peer.

dpd-retrycount <retry-integer>

Note: This entry is only available when dpd is set to enable. The number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the SA. Set the value between 0-10. The default is set to 3. To avoid false negatives set the retry count to a sufficiently high value for your network.

dpd-retryinterval <seconds>

Note: This entry is only available when dpd is set to enable. The amount of time in seconds that the local VPN peer waits between sending DPD probes. Set the value between 0-3600 seconds (or 0 seconds to one hour).

forticlient-enforcement {enable | disable}

Enable to only permit FortiClient users to connect. Disable (by default) to lift this restriction.

comments [string]

Optional comments.

npu-offload {enable | disable}

Enable (by default) or disable offloading of VPN session to a network processing unit (NPU).

send-cert-chain {enable | disable}

Note: This entry is only available when authmethod is set to signature. Enable (by default) or disable sending certificate chain.

dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}

Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. DH groups determine the strength of the key used in the key exchange process, with higher group numbers being more secure, but requiring additional time to compute the key. Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.

Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.

Note: This entry is not available if suite-b has been configured.

suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}

Disable (by default) or set Suite B to either suite-b-gcm-128 or suite-b-gcm-256. Suite B is a set of cryptographic algorithms designated by the U.S. National Security Agency to allow commercial products to protect traffic that is classified at secret or top secret levels (see RFC 6379, Suite B Cryptographic Suites for IPsec).

  • Suite-B-GCM-128 applies Advanced Encryption Standard (AES) encryption with 128-bit keys and a 16-octet integrity check value (ICV) in Galois/Counter Mode (GCM), a mode of operation for symmetric key cryptographic block ciphers. Key establishment uses DH group 19.
  • Suite-B-GCM-256 applies AES encryption with 256-bit keys and 16-octet ICV in GCM. Key establishment uses DH group 20.
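As an added example (not Fortinet's code), the following Python script parses config vpn ipsec phase1-interface text in the syntax shown on this page and checks each entry against the proposal, psksecret, dhgrp and suite-b rules documented above. The sample configuration is constructed, the IKEv1 and psk defaults are assumptions, and the legacy-algorithm warnings are editorial judgement rather than statements from the reference.

```python
"""Audit FortiOS phase1-interface entries against the proposal, psksecret,
dhgrp and suite-b rules in the CLI reference. Added example, not Fortinet code;
the sample configuration at the bottom is constructed."""
import shlex

# Algorithm names exactly as listed for the phase 1 proposal.
ENC_ALGS = {"des", "3des", "aes128", "aes192", "aes256",
            "aria128", "aria192", "aria256", "seed"}
HASH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
AEAD_ALGS = {"aes128gcm", "aes256gcm", "chacha20poly1305"}  # IKEv2 only
PRF_ALGS = {"prfsha1", "prfsha256", "prfsha384", "prfsha512"}
DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31}
# Legacy choices a reviewer would flag. This is editorial judgement; the
# reference only lists them as available.
WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5", "sha1"}, {1, 2, 5}


def parse_phase1(text):
    """Return {entry name: {setting: [value tokens]}} from CLI config text."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # handles quoted names and secrets
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
    return entries


def audit_entry(cfg):
    """Return a list of (severity, message) findings for one phase1 entry."""
    findings = []
    ike = (cfg.get("ike-version") or ["1"])[0]         # IKEv1 default: assumption
    suite_b = (cfg.get("suite-b") or ["disable"])[0]    # disabled by default
    authmethod = (cfg.get("authmethod") or ["psk"])[0]  # psk default: assumption
    proposal = cfg.get("proposal", [])
    dhgrp = cfg.get("dhgrp", [])

    if suite_b != "disable" and (proposal or dhgrp):
        findings.append(("error", "proposal and dhgrp are not available when suite-b is configured"))
    if suite_b == "disable":
        if not 1 <= len(proposal) <= 10:
            findings.append(("error", f"proposal needs 1-10 combinations, got {len(proposal)}"))
        for combo in proposal:
            enc, _, mac = combo.partition("-")
            if enc in AEAD_ALGS and mac in PRF_ALGS:
                if ike != "2":                  # AEAD proposals require IKEv2
                    findings.append(("error", f"{combo}: AEAD proposals need ike-version 2"))
            elif enc in ENC_ALGS and mac in HASH_ALGS:
                if enc in WEAK_ENC or mac in WEAK_HASH:
                    findings.append(("warn", f"{combo}: legacy algorithm"))
            else:
                findings.append(("error", f"{combo}: not a valid proposal"))
        for g in dhgrp:
            if not g.isdigit() or int(g) not in DH_GROUPS:
                findings.append(("error", f"dhgrp {g}: not a valid DH group"))
            elif int(g) in WEAK_DH:
                findings.append(("warn", f"dhgrp {g}: small DH group"))
    if authmethod == "psk":
        secret = " ".join(cfg.get("psksecret", []))
        if secret.startswith("ENC "):
            pass  # already encrypted in a config dump; length cannot be checked
        elif len(secret) < 6:
            findings.append(("error", "psksecret must have at least 6 characters"))
        elif len(secret) < 16:
            findings.append(("warn", "psksecret shorter than the recommended 16 random characters"))
    return findings


def audit_config(text):
    """Audit every phase1-interface entry in the given config text."""
    return {name: audit_entry(cfg) for name, cfg in parse_phase1(text).items()}


# Constructed sample: one legacy tunnel and one that follows the guidance above.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "branch-legacy"
        set interface "wan1"
        set ike-version 1
        set proposal 3des-sha1 aes128gcm-prfsha256
        set dhgrp 5 14
        set psksecret "short"
    next
    edit "branch-hardened"
        set interface "wan1"
        set ike-version 2
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 20 19
        set psksecret "Q7mV2xPz9LkR4tWb8NcY"
    next
end
'''

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, findings or "clean")
```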

eap {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable (by default) IKEv2 Extensible Authentication Protocol (EAP) authentication.

eap-identity {use-id-payload | send-request}

Note: This entry is only available when eap is set to enable. The IKEv2 EAP peer identity type.

  • use-id-payload uses IKEv2 identity payload to resolve peer identity. This is set by default.
  • send-request uses EAP identity request to resolve peer identity.

acct-verify {enable | disable}

Note: This entry is only available when eap is set to enable. Enable or disable (by default) the verification of RADIUS accounting record.

wizard-type <wizard-type>

Set to one of the following GUI VPN Wizard template types:

  • custom: Custom VPN configuration.
  • dialup-forticlient: Dialup for FortiClient Windows, Mac, and Android.
  • dialup-ios: Dialup for iPhone and/or iPad Native IPsec Client.
  • dialup-android: Dialup for Android Native IPsec Client.
  • dialup-windows: Dialup for Windows Native IPsec Client.
  • dialup-cisco: Dialup for Cisco IPsec Client.
  • static-fortigate: Site to Site for FortiGate.
  • dialup-fortigate: Dialup for FortiGate.
  • static-cisco: Site to Site for Cisco.
  • dialup-cisco-fw: Dialup for Cisco Firewall.

xauthtype [disable | client | pap | chap | auto]

Note: This entry is only available when ike-version is set to 1. Optionally configure XAuth (eXtended Authentication). XAuth provides the mechanism for requesting individual authentication information from the user, while a local user database or an external authentication server (such as a RADIUS server) provides a method for storing the authentication information centrally in the local network. This command is disabled by default. Use pap, chap, or auto to configure the FortiGate unit as an XAuth server. Note that these options are only available when type is set to dynamic.

  • disable: Disables XAuth.
  • client: Enable to configure the FortiGate as an XAuth client. Once set, use the authusr and authpasswd entries to add the XAuth user name and password (see entries below).
  • pap: Password Authentication Protocol (PAP). Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
  • chap: Challenge Handshake Authentication Protocol (CHAP). Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
  • auto: Enable as server auto. Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.

reauth {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable (by default) re-authentication upon IKE SA lifetime expiration.

authusrgrp <group-name>

Note: This entry is only available when eap is set to enable. The authentication user group. You must have already configured a user group on the FortiGate unit before entering the group's name here.

authusr <name>

Note: This entry is only available when xauthtype has been configured. Enter the XAuth user name.

authpasswd <password>

Note: This entry is only available when xauthtype has been configured. Enter the XAuth user's password (maximum of 35 characters).

mesh-selector-type {disable | subnet | host}

Note: This entry is only available when ike-version is set to 1. Disable (by default) or set dynamic mesh selectors for IKEv1 VPNs to either subnet or host. Note that dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.

  • Use subnet to install selector for the address group that matches traffic packets.
  • Use host to install selector for the source and destination IP addresses of traffic packets.

idle-timeout {enable | disable}

Enable or disable (by default) IPsec tunnel to timeout when idle. Once enabled, use the idle-timeoutinterval entry to set the period of time the VPN will wait before timing out (see entry below).

idle-timeoutinterval <minutes>

Note: This entry is only available when idle-timeout is set to enable. Enter the IPsec tunnel idle timeout in minutes. Set the value between 10-43200 (or ten minutes to 30 days). The default is set to 15.

ha-sync-esp-seqno {enable | disable}

Enable (by default) or disable the Extended Sequence Number (ESP) jump ahead for IPsec HA. Enabling this feature helps to synchronize the IPsec SA replay counters between newly active HA cluster members and the peer (see RFC 6311, Protocol Support for High Availability of IKEv2/IPsec).

auto-discovery-sender {enable | disable}

Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device. Enable or disable (by default) sending auto-discovery short-cut messages.

auto-discovery-receiver {enable | disable}

Enable or disable (by default) accepting auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery).

auto-discovery-forwarder {enable | disable}

Enable or disable (by default) forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery).

auto-discovery-psk {enable | disable}

Note: This entry is only available when authmethod is set to signature and auto-discovery-sender is set to enable. Enable or disable (by default) the use of pre-shared keys for the authentication of auto-discovery tunnels.

encapsulation {none | gre | vxlan}

Note: This entry is not available when type is set to dynamic. Disable (by default; none) or set encapsulation to either gre or vxlan. Both GRE and VXLAN segmentation scale well together as they allow overlapping subnets and IP ranges. VXLAN is encapsulated in UDP frames, resulting in efficiently distributed traffic. Once set, use the encapsulation-address entry to configure the source for the GRE or VXLAN tunnel address.

encapsulation-address {ike | ipv4 | ipv6}

Note: This entry is only available when encapsulation is set to either gre or vxlan. Select the source for the GRE or VXLAN tunnel address.

  • Use ike (by default) to use IKE/IPsec gateway addresses.
  • Use ipv4 to specify separate IPv4 GRE/VXLAN tunnel addresses (see encap entries below).
  • Use ipv6 to specify separate IPv6 GRE/VXLAN tunnel addresses (see encap entries below).

encap-local-gw4 <addr-ipv4>

Note: This entry is only available when encapsulation-address is set to ipv4. The local IPv4 address of the GRE/VXLAN tunnel.

encap-remote-gw4 <addr-ipv4>

Note: This entry is only available when encapsulation-address is set to ipv4. The remote IPv4 address of the GRE/VXLAN tunnel.

encap-local-gw6 <addr-ipv6>

Note: This entry is only available when encapsulation-address is set to ipv6. The local IPv6 address of the GRE/VXLAN tunnel.

encap-remote-gw6 <addr-ipv6>

Note: This entry is only available when encapsulation-address is set to ipv6. The remote IPv6 address of the GRE/VXLAN tunnel.

nattraversal {enable | disable}

Enable (by default) or disable NAT traversal. This should be enabled if you expect the IPsec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Once enabled, use the keepalive entry to set the NAT traversal keepalive frequency. Note that both ends of the VPN must have the same NAT traversal settings.

fragmentation-mtu <frag-integer>

Note: This entry is only available when ike-version is set to 2. The IKE fragmentation maximum transmission unit (MTU). Set the value between 500-16000. The default is set to 1200.

childless-ike {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable the childless IKEv2 initiation (see RFC 6023, A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)).

group-authentication {enable | disable}

Enable or disable (by default) IKEv2 IDi group authentication.

The IDi information is extracted from the IKEv2 AUTH exchange and is sent to a RADIUS server, along with a fixed password, to perform an additional group authentication step prior to tunnel establishment.

The RADIUS server may return framed-IP-address, framed-ip-netmask, and dns-server attributes, which are then applied to the tunnel.

Note: This entry is only available when ike-version is set to 2, type is set to dynamic, and mode-cfg is set to enable.

group-authentication-secret <password>

Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x).

Note: This entry is only available when group-authentication is set to enable.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set proposal {aes128gcm-prfsha1 | aes128gcm-prfsha256 | aes128gcm-prfsha384 | aes128gcm-prfsha512 | aes256gcm-prfsha1 | aes256gcm-prfsha256 | aes256gcm-prfsha384 | aes256gcm-prfsha512 | chacha20poly1305-prfsha1 | chacha20poly1305-prfsha256 | chacha20poly1305-prfsha384 | chacha20poly1305-prfsha512| ...}

Authenticated encryption with associated data (AEAD) algorithms (aesgcm and chachapoly) are now supported. Note that these algorithms are only available when ike-version is set to 2.

In addition, as of FortiOS 6.0.1 the initial proposal list for newly created phase1 entries has changed, with different default proposals depending on whether ike-version is set to 1 or 2.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set net-device {enable | disable}

set tunnel-search {selectors | nexthop}

FortiOS 6.0 now supports changing the net-device and tunnel-search configuration after creating a phase 1 configuration.

set dhgrp {31 | ...}

FortiOS uses OpenSSL 1.1, which now supports Curve25519, granting support for DH group 31.

set dpd-retryinterval <seconds>

When type is set to dynamic:

  • dpd is set to on-idle
  • dpd-retrycount is set to 3
  • dpd-retryinterval is set to 60

When type is set to anything other than dynamic:

  • dpd is set to on-idle
  • dpd-retrycount is set to 3
  • dpd-retryinterval is set to 60

In addition, the maximum range has been changed to 3600 seconds, and the value can no longer be set in both seconds and milliseconds.

set ppk {disable | allow | require}

set ppk-secret <ascii-string-or-hex>

set ppk-identity <string>

Post-quantum Preshared Key (PPK) options for IKEv2.

Even if a quantum computer can break the Diffie-Hellman calculation to derive the DH-generated secret key, the inclusion of the PPK in the key generation algorithm means that the attacker is still unable to derive the keys used to authenticate the IKE SA negotiation (and so cannot impersonate either party in the negotiation), nor the keys used in negotiating an IPsec SA (or IKE SA).

Note that this option is only available when ike-version is set to 2 and type is set to dynamic.

set ipv4-split-exclude {all | none | address}

set ipv6-split-exclude {all | none | address}

Specify, when using IKEv1, that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported split-include feature which allows the administrator to specify that default traffic should not flow over the IPsec tunnel except for specified subnets.

Note that the split-exclude options are only available when ike-version is set to 1, type is set to dynamic, and mode-cfg is set to enable.

config vpn ipsec phase1-interface
    edit {name}
    # Configure VPN remote gateway.
        set name {string}   IPsec remote gateway name. size[15]
        set type {static | dynamic | ddns}   Remote gateway type.
                static   Remote VPN gateway has fixed IP address.
                dynamic  Remote VPN gateway has dynamic IP address.
                ddns     Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
        set interface {string}   Local physical, aggregate, or VLAN outgoing interface. size[35] - datasource(s): system.interface.name
        set ip-version {4 | 6}   IP version to use for VPN interface.
                4  Use IPv4 addressing for gateways.
                6  Use IPv6 addressing for gateways.
        set ike-version {1 | 2}   IKE protocol version.
                1  Use IKEv1 protocol.
                2  Use IKEv2 protocol.
        set local-gw {ipv4 address}   IPv4 address of the local gateway's external interface.
        set local-gw6 {ipv6 address}   IPv6 address of the local gateway's external interface.
        set remote-gw {ipv4 address}   IPv4 address of the remote gateway's external interface.
        set remote-gw6 {ipv6 address}   IPv6 address of the remote gateway's external interface.
        set remotegw-ddns {string}   Domain name of remote gateway (e.g. name.DDNS.com). size[63]
        set keylife {integer}   Time to wait in seconds before phase 1 encryption key expires. range[120-172800]
        config certificate
            edit {name}
            # The names of up to 4 signed personal certificates.
                set name {string}   Certificate name. size[64] - datasource(s): vpn.certificate.local.name
            next
        set authmethod {psk | signature}   Authentication method.
                psk        PSK authentication method.
                signature  Signature authentication method.
        set authmethod-remote {psk | signature}   Authentication method (remote side).
                psk        PSK authentication method.
                signature  Signature authentication method.
        set mode {aggressive | main}   The ID protection mode used to establish a secure channel.
                aggressive  Aggressive mode.
                main        Main mode.
        set peertype {option}   Accept this peer type.
                any      Accept any peer ID.
                one      Accept this peer ID.
                dialup   Accept peer ID in dialup group.
                peer     Accept this peer certificate.
                peergrp  Accept this peer certificate group.
        set peerid {string}   Accept this peer identity. size[255]
        set default-gw {ipv4 address}   IPv4 address of default route gateway to use for traffic exiting the interface.
        set default-gw-priority {integer}   Priority for default gateway route. A higher priority number signifies a less preferred route. range[0-4294967295]
        set usrgrp {string}   User group name for dialup peers. size[35] - datasource(s): user.group.name
        set peer {string}   Accept this peer certificate. size[35] - datasource(s): user.peer.name
        set peergrp {string}   Accept this peer certificate group. size[35] - datasource(s): user.peergrp.name
        set monitor {string}   IPsec interface as backup for primary interface. size[35] - datasource(s): vpn.ipsec.phase1-interface.name
        set monitor-hold-down-type {immediate | delay | time}   Recovery time method when primary interface re-establishes.
                immediate  Fail back immediately after primary recovers.
                delay      Number of seconds to delay fail back after primary recovers.
                time       Specify a time at which to fail back after primary recovers.
        set monitor-hold-down-delay {integer}   Time to wait in seconds before recovery once primary re-establishes. range[0-31536000]
        set monitor-hold-down-weekday {option}   Day of the week to recover once primary re-establishes.
                everyday   Every Day.
                sunday     Sunday.
                monday     Monday.
                tuesday    Tuesday.
                wednesday  Wednesday.
                thursday   Thursday.
                friday     Friday.
                saturday   Saturday.
        set monitor-hold-down-time {string}   Time of day at which to fail back to primary after it re-establishes.
        set net-device {enable | disable}   Enable/disable kernel device creation for dialup instances.
        set tunnel-search {selectors | nexthop}   Tunnel search method for when the interface is shared.
                selectors  Search for tunnel in selectors.
                nexthop    Search for tunnel using nexthop.
        set passive-mode {enable | disable}   Enable/disable IPsec passive mode for static tunnels.
        set exchange-interface-ip {enable | disable}   Enable/disable exchange of IPsec interface IP address.
        set exchange-ip-addr4 {ipv4 address}   IPv4 address to exchange with peers.
        set exchange-ip-addr6 {ipv6 address}   IPv6 address to exchange with peers.
        set mode-cfg {disable | enable}   Enable/disable configuration method.
        set assign-ip {disable | enable}   Enable/disable assignment of IP to IPsec interface via configuration method.
        set assign-ip-from {range | usrgrp | dhcp | name}   Method by which the IP address will be assigned.
                range   Assign IP address from locally defined range.
                usrgrp  Assign IP address via user group.
                dhcp    Assign IP address via DHCP.
                name    Assign IP address from firewall address or group.
        set ipv4-start-ip {ipv4 address}   Start of IPv4 range.
        set ipv4-end-ip {ipv4 address}   End of IPv4 range.
        set ipv4-netmask {ipv4 netmask}   IPv4 Netmask.
        set dns-mode {manual | auto}   DNS server mode.
                manual  Manually configure DNS servers.
                auto    Use default DNS servers.
        set ipv4-dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set ipv4-dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set ipv4-dns-server3 {ipv4 address}   IPv4 DNS server 3.
        set ipv4-wins-server1 {ipv4 address}   WINS server 1.
        set ipv4-wins-server2 {ipv4 address}   WINS server 2.
        config ipv4-exclude-range
            edit {id}
            # Configuration Method IPv4 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv4 address}   Start of IPv4 exclusive range.
                set end-ip {ipv4 address}   End of IPv4 exclusive range.
            next
        set ipv4-split-include {string}   IPv4 split-include subnets. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set split-include-service {string}   Split-include services. size[63] - datasource(s): firewall.service.group.name,firewall.service.custom.name
        set ipv4-name {string}   IPv4 address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-start-ip {ipv6 address}   Start of IPv6 range.
        set ipv6-end-ip {ipv6 address}   End of IPv6 range.
        set ipv6-prefix {integer}   IPv6 prefix. range[1-128]
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-dns-server3 {ipv6 address}   IPv6 DNS server 3.
        config ipv6-exclude-range
            edit {id}
            # Configuration method IPv6 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv6 address}   Start of IPv6 exclusive range.
                set end-ip {ipv6 address}   End of IPv6 exclusive range.
            next
        set ipv6-split-include {string}   IPv6 split-include subnets. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set ipv6-name {string}   IPv6 address name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set unity-support {disable | enable}   Enable/disable support for Cisco UNITY Configuration Method extensions.
        set domain {string}   Instruct unity clients about the default DNS domain. size[63]
        set banner {string}   Message that unity client should display after connecting. size[1024]
        set include-local-lan {disable | enable}   Enable/disable allow local LAN access on unity clients.
        set ipv4-split-exclude {string}   IPv4 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-split-exclude {string}   IPv6 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set save-password {disable | enable}   Enable/disable saving XAuth username and password on VPN clients.
        set client-auto-negotiate {disable | enable}   Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
        set client-keep-alive {disable | enable}   Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
        config backup-gateway
            edit {address}
            # Instruct unity clients about the backup gateway address(es).
                set address {string}   Address of backup gateway. size[64]
            next
        set proposal {option}   Phase1 proposal.
                des-md5                     des-md5
                des-sha1                    des-sha1
                des-sha256                  des-sha256
                des-sha384                  des-sha384
                des-sha512                  des-sha512
                3des-md5                    3des-md5
                3des-sha1                   3des-sha1
                3des-sha256                 3des-sha256
                3des-sha384                 3des-sha384
                3des-sha512                 3des-sha512
                aes128-md5                  aes128-md5
                aes128-sha1                 aes128-sha1
                aes128-sha256               aes128-sha256
                aes128-sha384               aes128-sha384
                aes128-sha512               aes128-sha512
                aes128gcm-prfsha1           aes128gcm-prfsha1
                aes128gcm-prfsha256         aes128gcm-prfsha256
                aes128gcm-prfsha384         aes128gcm-prfsha384
                aes128gcm-prfsha512         aes128gcm-prfsha512
                aes192-md5                  aes192-md5
                aes192-sha1                 aes192-sha1
                aes192-sha256               aes192-sha256
                aes192-sha384               aes192-sha384
                aes192-sha512               aes192-sha512
                aes256-md5                  aes256-md5
                aes256-sha1                 aes256-sha1
                aes256-sha256               aes256-sha256
                aes256-sha384               aes256-sha384
                aes256-sha512               aes256-sha512
                aes256gcm-prfsha1           aes256gcm-prfsha1
                aes256gcm-prfsha256         aes256gcm-prfsha256
                aes256gcm-prfsha384         aes256gcm-prfsha384
                aes256gcm-prfsha512         aes256gcm-prfsha512
                chacha20poly1305-prfsha1    chacha20poly1305-prfsha1
                chacha20poly1305-prfsha256  chacha20poly1305-prfsha256
                chacha20poly1305-prfsha384  chacha20poly1305-prfsha384
                chacha20poly1305-prfsha512  chacha20poly1305-prfsha512
                aria128-md5                 aria128-md5
                aria128-sha1                aria128-sha1
                aria128-sha256              aria128-sha256
                aria128-sha384              aria128-sha384
                aria128-sha512              aria128-sha512
                aria192-md5                 aria192-md5
                aria192-sha1                aria192-sha1
                aria192-sha256              aria192-sha256
                aria192-sha384              aria192-sha384
                aria192-sha512              aria192-sha512
                aria256-md5                 aria256-md5
                aria256-sha1                aria256-sha1
                aria256-sha256              aria256-sha256
                aria256-sha384              aria256-sha384
                aria256-sha512              aria256-sha512
                seed-md5                    seed-md5
                seed-sha1                   seed-sha1
                seed-sha256                 seed-sha256
                seed-sha384                 seed-sha384
                seed-sha512                 seed-sha512
        set add-route {disable | enable}   Enable/disable control addition of a route to peer destination selector.
        set add-gw-route {enable | disable}   Enable/disable automatically add a route to the remote gateway.
        set psksecret {password_string}   Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set psksecret-remote {password_string}   Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set keepalive {integer}   NAT-T keep alive interval. range[10-900]
        set distance {integer}   Distance for routes added by IKE (1 - 255). range[1-255]
        set priority {integer}   Priority for routes added by IKE (0 - 4294967295). range[0-4294967295]
        set localid {string}   Local ID. size[63]
        set localid-type {option}   Local ID type.
                auto       Select ID type automatically.
                fqdn       Use fully qualified domain name.
                user-fqdn  Use user fully qualified domain name.
                keyid      Use key-id string.
                address    Use local IP address.
                asn1dn     Use ASN.1 distinguished name.
        set auto-negotiate {enable | disable}   Enable/disable automatic initiation of IKE SA negotiation.
        set negotiate-timeout {integer}   IKE SA negotiation timeout in seconds (1 - 300). range[1-300]
        set fragmentation {enable | disable}   Enable/disable fragment IKE message on re-transmission.
        set dpd {disable | on-idle | on-demand}   Dead Peer Detection mode.
                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
        set dpd-retrycount {integer}   Number of DPD retry attempts. range[0-10]
        set dpd-retryinterval {string}   DPD retry interval.
        set forticlient-enforcement {enable | disable}   Enable/disable FortiClient enforcement.
        set comments {string}   Comment. size[255]
        set npu-offload {enable | disable}   Enable/disable offloading NPU.
        set send-cert-chain {enable | disable}   Enable/disable sending certificate chain.
        set dhgrp {option}   DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}   Use Suite-B.
                disable          Do not use Suite-B.
                suite-b-gcm-128  Use Suite-B-GCM-128.
                suite-b-gcm-256  Use Suite-B-GCM-256.
        set eap {enable | disable}   Enable/disable IKEv2 EAP authentication.
        set eap-identity {use-id-payload | send-request}   IKEv2 EAP peer identity type.
                use-id-payload  Use IKEv2 IDi payload to resolve peer identity.
                send-request    Use EAP identity request to resolve peer identity.
        set acct-verify {enable | disable}   Enable/disable verification of RADIUS accounting record.
        set ppk {disable | allow | require}   Enable/disable IKEv2 Postquantum Preshared Key (PPK).
                disable  Disable use of IKEv2 Postquantum Preshared Key (PPK).
                allow    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
                require  Require use of IKEv2 Postquantum Preshared Key (PPK).
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set wizard-type {option}   GUI VPN Wizard Type.
                custom              Custom VPN configuration.
                dialup-forticlient  Dial Up - FortiClient Windows, Mac and Android.
                dialup-ios          Dial Up - iPhone / iPad Native IPsec Client.
                dialup-android      Dial Up - Android Native IPsec Client.
                dialup-windows      Dial Up - Windows Native IPsec Client.
                dialup-cisco        Dial Up - Cisco IPsec Client.
                static-fortigate    Site to Site - FortiGate.
                dialup-fortigate    Dial Up - FortiGate.
                static-cisco        Site to Site - Cisco.
                dialup-cisco-fw     Dial Up - Cisco Firewall.
        set xauthtype {option}   XAuth type.
                disable  Disable.
                client   Enable as client.
                pap      Enable as server PAP.
                chap     Enable as server CHAP.
                auto     Enable as server auto.
        set reauth {disable | enable}   Enable/disable re-authentication upon IKE SA lifetime expiration.
        set authusr {string}   XAuth user name. size[64]
        set authpasswd {password_string}   XAuth password (max 35 characters). size[128]
        set group-authentication {enable | disable}   Enable/disable IKEv2 IDi group authentication.
        set group-authentication-secret {password_string}   Password for IKEv2 IDi group authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set authusrgrp {string}   Authentication user group. size[35] - datasource(s): user.group.name
        set mesh-selector-type {disable | subnet | host}   Add selectors containing subsets of the configuration depending on traffic.
                disable  Disable.
                subnet   Enable addition of matching subnet selector.
                host     Enable addition of host to host selector.
        set idle-timeout {enable | disable}   Enable/disable IPsec tunnel idle timeout.
        set idle-timeoutinterval {integer}   IPsec tunnel idle timeout in minutes (5 - 43200). range[5-43200]
        set ha-sync-esp-seqno {enable | disable}   Enable/disable sequence number jump ahead for IPsec HA.
        set auto-discovery-sender {enable | disable}   Enable/disable sending auto-discovery short-cut messages.
        set auto-discovery-receiver {enable | disable}   Enable/disable accepting auto-discovery short-cut messages.
        set auto-discovery-forwarder {enable | disable}   Enable/disable forwarding auto-discovery short-cut messages.
        set auto-discovery-psk {enable | disable}   Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.
        set encapsulation {none | gre | vxlan}   Enable/disable GRE/VXLAN encapsulation.
                none   No additional encapsulation.
                gre    GRE encapsulation.
                vxlan  VXLAN encapsulation.
        set encapsulation-address {ike | ipv4 | ipv6}   Source for GRE/VXLAN tunnel address.
                ike   Use IKE/IPsec gateway addresses.
                ipv4  Specify a separate IPv4 GRE/VXLAN tunnel address.
                ipv6  Specify a separate IPv6 GRE/VXLAN tunnel address.
        set encap-local-gw4 {ipv4 address}   Local IPv4 address of GRE/VXLAN tunnel.
        set encap-local-gw6 {ipv6 address}   Local IPv6 address of GRE/VXLAN tunnel.
        set encap-remote-gw4 {ipv4 address}   Remote IPv4 address of GRE/VXLAN tunnel.
        set encap-remote-gw6 {ipv6 address}   Remote IPv6 address of GRE/VXLAN tunnel.
        set vni {integer}   VNI of VXLAN tunnel. range[1-16777215]
        set nattraversal {enable | disable | forced}   Enable/disable NAT traversal.
        set esn {require | allow | disable}   Extended sequence number (ESN) negotiation.
                require  Require extended sequence number.
                allow    Allow extended sequence number.
                disable  Disable extended sequence number.
        set fragmentation-mtu {integer}   IKE fragmentation MTU (500 - 16000). range[500-16000]
        set childless-ike {enable | disable}   Enable/disable childless IKEv2 initiation (RFC 6023).
        set rekey {enable | disable}   Enable/disable phase1 rekey.
        set digital-signature-auth {enable | disable}   Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
        set signature-hash-alg {sha1 | sha2-256 | sha2-384 | sha2-512}   Digital Signature Authentication hash algorithms.
                sha1      SHA1.
                sha2-256  SHA2-256.
                sha2-384  SHA2-384.
                sha2-512  SHA2-512.
        set rsa-signature-format {pkcs1 | pss}   Digital Signature Authentication RSA signature format.
                pkcs1  RSASSA PKCS#1 v1.5.
                pss    RSASSA Probabilistic Signature Scheme (PSS).
        set enforce-unique-id {disable | keep-new | keep-old}   Enable/disable peer ID uniqueness check.
                disable   Disable peer ID uniqueness enforcement.
                keep-new  Enforce peer ID uniqueness, keep new connection if collision found.
                keep-old  Enforce peer ID uniqueness, keep old connection if collision found.
        set cert-id-validation {enable | disable}   Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
    next
end
config vpn ipsec phase1
    edit {name}
    # Configure VPN remote gateway.
        set name {string}   IPsec remote gateway name. size[35]
        set type {static | dynamic | ddns}   Remote gateway type.
                static   Remote VPN gateway has fixed IP address.
                dynamic  Remote VPN gateway has dynamic IP address.
                ddns     Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
        set interface {string}   Local physical, aggregate, or VLAN outgoing interface. size[35] - datasource(s): system.interface.name
        set ike-version {1 | 2}   IKE protocol version.
                1  Use IKEv1 protocol.
                2  Use IKEv2 protocol.
        set remote-gw {ipv4 address}   Remote VPN gateway.
        set local-gw {ipv4 address}   Local VPN gateway.
        set remotegw-ddns {string}   Domain name of remote gateway (e.g. name.DDNS.com). size[63]
        set keylife {integer}   Time to wait in seconds before phase 1 encryption key expires. range[120-172800]
        config certificate
            edit {name}
            # Names of up to 4 signed personal certificates.
                set name {string}   Certificate name. size[64] - datasource(s): vpn.certificate.local.name
            next
        set authmethod {psk | signature}   Authentication method.
                psk        PSK authentication method.
                signature  Signature authentication method.
        set authmethod-remote {psk | signature}   Authentication method (remote side).
                psk        PSK authentication method.
                signature  Signature authentication method.
        set mode {aggressive | main}   ID protection mode used to establish a secure channel.
                aggressive  Aggressive mode.
                main        Main mode.
        set peertype {option}   Accept this peer type.
                any      Accept any peer ID.
                one      Accept this peer ID.
                dialup   Accept peer ID in dialup group.
                peer     Accept this peer certificate.
                peergrp  Accept this peer certificate group.
        set peerid {string}   Accept this peer identity. size[255]
        set usrgrp {string}   User group name for dialup peers. size[35] - datasource(s): user.group.name
        set peer {string}   Accept this peer certificate. size[35] - datasource(s): user.peer.name
        set peergrp {string}   Accept this peer certificate group. size[35] - datasource(s): user.peergrp.name
        set mode-cfg {disable | enable}   Enable/disable configuration method.
        set assign-ip {disable | enable}   Enable/disable assignment of IP to IPsec interface via configuration method.
        set assign-ip-from {range | usrgrp | dhcp | name}   Method by which the IP address will be assigned.
                range   Assign IP address from locally defined range.
                usrgrp  Assign IP address via user group.
                dhcp    Assign IP address via DHCP.
                name    Assign IP address from firewall address or group.
        set ipv4-start-ip {ipv4 address}   Start of IPv4 range.
        set ipv4-end-ip {ipv4 address}   End of IPv4 range.
        set ipv4-netmask {ipv4 netmask}   IPv4 Netmask.
        set dns-mode {manual | auto}   DNS server mode.
                manual  Manually configure DNS servers.
                auto    Use default DNS servers.
        set ipv4-dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set ipv4-dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set ipv4-dns-server3 {ipv4 address}   IPv4 DNS server 3.
        set ipv4-wins-server1 {ipv4 address}   WINS server 1.
        set ipv4-wins-server2 {ipv4 address}   WINS server 2.
        config ipv4-exclude-range
            edit {id}
            # Configuration Method IPv4 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv4 address}   Start of IPv4 exclusive range.
                set end-ip {ipv4 address}   End of IPv4 exclusive range.
            next
        set ipv4-split-include {string}   IPv4 split-include subnets. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set split-include-service {string}   Split-include services. size[63] - datasource(s): firewall.service.group.name,firewall.service.custom.name
        set ipv4-name {string}   IPv4 address name. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-start-ip {ipv6 address}   Start of IPv6 range.
        set ipv6-end-ip {ipv6 address}   End of IPv6 range.
        set ipv6-prefix {integer}   IPv6 prefix. range[1-128]
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-dns-server3 {ipv6 address}   IPv6 DNS server 3.
        config ipv6-exclude-range
            edit {id}
            # Configuration method IPv6 exclude ranges.
                set id {integer}   ID. range[0-4294967295]
                set start-ip {ipv6 address}   Start of IPv6 exclusive range.
                set end-ip {ipv6 address}   End of IPv6 exclusive range.
            next
        set ipv6-split-include {string}   IPv6 split-include subnets. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set ipv6-name {string}   IPv6 address name. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set unity-support {disable | enable}   Enable/disable support for Cisco UNITY Configuration Method extensions.
        set domain {string}   Instruct unity clients about the default DNS domain. size[63]
        set banner {string}   Message that unity client should display after connecting. size[1024]
        set include-local-lan {disable | enable}   Enable/disable allow local LAN access on unity clients.
        set ipv4-split-exclude {string}   IPv4 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
        set ipv6-split-exclude {string}   IPv6 subnets that should not be sent over the IPsec tunnel. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        set save-password {disable | enable}   Enable/disable saving XAuth username and password on VPN clients.
        set client-auto-negotiate {disable | enable}   Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
        set client-keep-alive {disable | enable}   Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
        config backup-gateway
            edit {address}
            # Instruct unity clients about the backup gateway address(es).
                set address {string}   Address of backup gateway. size[64]
            next
        set proposal {option}   Phase1 proposal.
                des-md5                     des-md5
                des-sha1                    des-sha1
                des-sha256                  des-sha256
                des-sha384                  des-sha384
                des-sha512                  des-sha512
                3des-md5                    3des-md5
                3des-sha1                   3des-sha1
                3des-sha256                 3des-sha256
                3des-sha384                 3des-sha384
                3des-sha512                 3des-sha512
                aes128-md5                  aes128-md5
                aes128-sha1                 aes128-sha1
                aes128-sha256               aes128-sha256
                aes128-sha384               aes128-sha384
                aes128-sha512               aes128-sha512
                aes128gcm-prfsha1           aes128gcm-prfsha1
                aes128gcm-prfsha256         aes128gcm-prfsha256
                aes128gcm-prfsha384         aes128gcm-prfsha384
                aes128gcm-prfsha512         aes128gcm-prfsha512
                aes192-md5                  aes192-md5
                aes192-sha1                 aes192-sha1
                aes192-sha256               aes192-sha256
                aes192-sha384               aes192-sha384
                aes192-sha512               aes192-sha512
                aes256-md5                  aes256-md5
                aes256-sha1                 aes256-sha1
                aes256-sha256               aes256-sha256
                aes256-sha384               aes256-sha384
                aes256-sha512               aes256-sha512
                aes256gcm-prfsha1           aes256gcm-prfsha1
                aes256gcm-prfsha256         aes256gcm-prfsha256
                aes256gcm-prfsha384         aes256gcm-prfsha384
                aes256gcm-prfsha512         aes256gcm-prfsha512
                chacha20poly1305-prfsha1    chacha20poly1305-prfsha1
                chacha20poly1305-prfsha256  chacha20poly1305-prfsha256
                chacha20poly1305-prfsha384  chacha20poly1305-prfsha384
                chacha20poly1305-prfsha512  chacha20poly1305-prfsha512
                aria128-md5                 aria128-md5
                aria128-sha1                aria128-sha1
                aria128-sha256              aria128-sha256
                aria128-sha384              aria128-sha384
                aria128-sha512              aria128-sha512
                aria192-md5                 aria192-md5
                aria192-sha1                aria192-sha1
                aria192-sha256              aria192-sha256
                aria192-sha384              aria192-sha384
                aria192-sha512              aria192-sha512
                aria256-md5                 aria256-md5
                aria256-sha1                aria256-sha1
                aria256-sha256              aria256-sha256
                aria256-sha384              aria256-sha384
                aria256-sha512              aria256-sha512
                seed-md5                    seed-md5
                seed-sha1                   seed-sha1
                seed-sha256                 seed-sha256
                seed-sha384                 seed-sha384
                seed-sha512                 seed-sha512
        set add-route {disable | enable}   Enable/disable control addition of a route to peer destination selector.
        set add-gw-route {enable | disable}   Enable/disable automatically add a route to the remote gateway.
        set psksecret {password_string}   Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set psksecret-remote {password_string}   Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set keepalive {integer}   NAT-T keep alive interval. range[10-900]
        set distance {integer}   Distance for routes added by IKE (1 - 255). range[1-255]
        set priority {integer}   Priority for routes added by IKE (0 - 4294967295). range[0-4294967295]
        set localid {string}   Local ID. size[63]
        set localid-type {option}   Local ID type.
                auto       Select ID type automatically.
                fqdn       Use fully qualified domain name.
                user-fqdn  Use user fully qualified domain name.
                keyid      Use key-id string.
                address    Use local IP address.
                asn1dn     Use ASN.1 distinguished name.
        set auto-negotiate {enable | disable}   Enable/disable automatic initiation of IKE SA negotiation.
        set negotiate-timeout {integer}   IKE SA negotiation timeout in seconds (1 - 300). range[1-300]
        set fragmentation {enable | disable}   Enable/disable fragment IKE message on re-transmission.
        set dpd {disable | on-idle | on-demand}   Dead Peer Detection mode.
                disable    Disable Dead Peer Detection.
                on-idle    Trigger Dead Peer Detection when IPsec is idle.
                on-demand  Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
        set dpd-retrycount {integer}   Number of DPD retry attempts. range[0-10]
        set dpd-retryinterval {string}   DPD retry interval.
        set forticlient-enforcement {enable | disable}   Enable/disable FortiClient enforcement.
        set comments {string}   Comment. size[255]
        set npu-offload {enable | disable}   Enable/disable offloading NPU.
        set send-cert-chain {enable | disable}   Enable/disable sending certificate chain.
        set dhgrp {option}   DH group.
                1   DH Group 1.
                2   DH Group 2.
                5   DH Group 5.
                14  DH Group 14.
                15  DH Group 15.
                16  DH Group 16.
                17  DH Group 17.
                18  DH Group 18.
                19  DH Group 19.
                20  DH Group 20.
                21  DH Group 21.
                27  DH Group 27.
                28  DH Group 28.
                29  DH Group 29.
                30  DH Group 30.
                31  DH Group 31.
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}   Use Suite-B.
                disable          Do not use Suite-B.
                suite-b-gcm-128  Use Suite-B-GCM-128.
                suite-b-gcm-256  Use Suite-B-GCM-256.
        set eap {enable | disable}   Enable/disable IKEv2 EAP authentication.
        set eap-identity {use-id-payload | send-request}   IKEv2 EAP peer identity type.
                use-id-payload  Use IKEv2 IDi payload to resolve peer identity.
                send-request    Use EAP identity request to resolve peer identity.
        set acct-verify {enable | disable}   Enable/disable verification of RADIUS accounting record.
        set ppk {disable | allow | require}   Enable/disable IKEv2 Postquantum Preshared Key (PPK).
                disable  Disable use of IKEv2 Postquantum Preshared Key (PPK).
                allow    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
                require  Require use of IKEv2 Postquantum Preshared Key (PPK).
        set ppk-secret {password_string}   IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
        set ppk-identity {string}   IKEv2 Postquantum Preshared Key Identity. size[35]
        set wizard-type {option}   GUI VPN Wizard Type.
                custom              Custom VPN configuration.
                dialup-forticlient  Dial Up - FortiClient Windows, Mac and Android.
                dialup-ios          Dial Up - iPhone / iPad Native IPsec Client.
                dialup-android      Dial Up - Android Native IPsec Client.
                dialup-windows      Dial Up - Windows Native IPsec Client.
                dialup-cisco        Dial Up - Cisco IPsec Client.
                static-fortigate    Site to Site - FortiGate.
                dialup-fortigate    Dial Up - FortiGate.
                static-cisco        Site to Site - Cisco.
                dialup-cisco-fw     Dial Up - Cisco Firewall.
        set xauthtype {option}   XAuth type.
                disable  Disable.
                client   Enable as client.
                pap      Enable as server PAP.
                chap     Enable as server CHAP.
                auto     Enable as server auto.
        set reauth {disable | enable}   Enable/disable re-authentication upon IKE SA lifetime expiration.
        set authusr {string}   XAuth user name. size[64]
        set authpasswd {password_string}   XAuth password (max 35 characters). size[128]
        set group-authentication {enable | disable}   Enable/disable IKEv2 IDi group authentication.
        set group-authentication-secret {password_string}   Password for IKEv2 IDi group authentication (ASCII string or hexadecimal encoded with a leading 0x).
        set authusrgrp {string}   Authentication user group. size[35] - datasource(s): user.group.name
        set mesh-selector-type {disable | subnet | host}   Add selectors containing subsets of the configuration depending on traffic.
                disable  Disable.
                subnet   Enable addition of matching subnet selector.
                host     Enable addition of host to host selector.
        set idle-timeout {enable | disable}   Enable/disable IPsec tunnel idle timeout.
        set idle-timeoutinterval {integer}   IPsec tunnel idle timeout in minutes (5 - 43200). range[5-43200]
        set ha-sync-esp-seqno {enable | disable}   Enable/disable sequence number jump ahead for IPsec HA.
        set nattraversal {enable | disable | forced}   Enable/disable NAT traversal.
        set esn {require | allow | disable}   Extended sequence number (ESN) negotiation.
                require  Require extended sequence number.
                allow    Allow extended sequence number.
                disable  Disable extended sequence number.
        set fragmentation-mtu {integer}   IKE fragmentation MTU (500 - 16000). range[500-16000]
        set childless-ike {enable | disable}   Enable/disable childless IKEv2 initiation (RFC 6023).
        set rekey {enable | disable}   Enable/disable phase1 rekey.
        set digital-signature-auth {enable | disable}   Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
        set signature-hash-alg {sha1 | sha2-256 | sha2-384 | sha2-512}   Digital Signature Authentication hash algorithms.
                sha1      SHA1.
                sha2-256  SHA2-256.
                sha2-384  SHA2-384.
                sha2-512  SHA2-512.
        set rsa-signature-format {pkcs1 | pss}   Digital Signature Authentication RSA signature format.
                pkcs1  RSASSA PKCS#1 v1.5.
                pss    RSASSA Probabilistic Signature Scheme (PSS).
        set enforce-unique-id {disable | keep-new | keep-old}   Enable/disable peer ID uniqueness check.
                disable   Disable peer ID uniqueness enforcement.
                keep-new  Enforce peer ID uniqueness, keep new connection if collision found.
                keep-old  Enforce peer ID uniqueness, keep old connection if collision found.
        set cert-id-validation {enable | disable}   Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
    next
end

Additional information

The following section is for those options that require additional explanation.

type {static | dynamic | ddns}

The connection type of the remote gateway:

  • Use static if the remote VPN peer has a static IP address. Once set, use the remote-gw entry to specify the IP address.
  • Use dynamic if the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE).
  • Use ddns if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service. Once set, use the remotegw-ddns entry to enter the domain name of the remote VPN peer.
    Note: ddns is not available when ip-version is set to 6.

interface <out-interface>

Enter the name of the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

ip-version {4 | 6}

Enter 4 (by default) for IPv4 or 6 for IPv6 encapsulation for gateways.

ike-version {1 | 2}

Enter 1 (by default) for IKEv1 or 2 for IKEv2 protocol version.

local-gw [sec-addr-ipv4]

An optional secondary IPv4 IP address of the interface selected in the interface entry used for the local end of the VPN tunnel.

local-gw6 [sec-addr-ipv6]

Note: This entry is only available when ip-version is set to 6. An optional secondary IPv6 IP address of the interface selected in the interface entry used for the local end of the VPN tunnel.

remote-gw <addr-ipv4>

Note: This entry is only available when ip-version is set to 4 and type is set to static (it is not available when type is set to dynamic). The IPv4 IP address of the remote gateway's external interface.

remote-gw6 <addr-ipv6>

Note: This entry is only available when ip-version is set to 6. The IPv6 IP address of the remote gateway's external interface.

remotegw-ddns <domain-name>

Note: This entry is only available when ip-version is set to 4 and type is set to ddns. The identifier of the remote peer (e.g. an FQDN). This should be used when the remote peer has a static domain name and a dynamic IP address.

keylife <seconds>

The amount of time in seconds before the phase 1 encryption key expires, at which time a new encryption key is generated without service interruption. Set the value between 120-172800 seconds (or two minutes to two days). The default is set to 86400.

certificate <cert-string>

Note: This entry is only available when authmethod is set to signature. Enter the names of up to four signed personal certificates for the FortiGate unit. The certificates must have already been installed on the FortiGate before entering them here.

authmethod {psk | signature}

Enter your preferred authentication method:

  • Use psk (by default) to authenticate using a pre-shared key. Once set, use the psksecret entry to specify the pre-shared key.
  • Use signature to authenticate using a certificate. Once set, use the certificate entry to specify the name of the certificate.

mode {aggressive | main}

Note: This entry is only available when ike-version is set to 1. An ID protection mode that establishes a secure channel.

  • Use aggressive mode when a remote peer or dialup client has a dynamic IP address. If this is not set, the remote peer will be authenticated using an identifier (local ID). Identifying information is exchanged in the clear.
  • Use main mode (by default) when both peers have static IP addresses. Identifying information is hidden.

peertype <any | one | peer | peergrp | dialup>

The following peertype options are available:

  • any: Accepts any remote client or peer. Peer IDs are not used for authentication purposes. This is set by default.
  • one: Authenticates either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Once set, use the peerid entry to set the peer ID. If more than one dialup client will be connecting using the same identifier, set mode to aggressive.
  • peer: Authenticates one or more certificate holders based on a particular (or shared) certificate. Once set, use the peer entry to enter the certificate name. If the remote peer has a dynamic IP address, set mode to aggressive.
  • peergrp: Authenticates certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Once set, use the peergrp entry to set the certificate group name. If the remote peer has a dynamic IP address, set mode to aggressive.
  • dialup: Authenticates dialup VPN clients that use unique identifiers and/or preshared-keys to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Once set, use the usrgrp entry to set the user group name. If the dialup clients use unique identifiers and preshared-keys, set mode to aggressive. If the dialup clients use preshared-keys only, set mode to main.

Availability of these options varies depending on which remote gateway type and authmethod is used. The table below shows which peertypes are available under different circumstances:

  type      authmethod   peertype
  static    psk          any
  static    signature    any, one, peer, peergrp
  dynamic   psk          any, one, dialup
  dynamic   signature    any, one, peer, peergrp
  ddns      psk          any
  ddns      signature    any, one, peer, peergrp

peergrp <peer-group>

Note: This entry is only available when peertype is set to peergrp. Accepts the specified peer group.

peerid <peer-id>

Note: This entry is only available when peertype is set to one. Accepts the specified peer identity.

peer <cert-name>

Note: This entry is only available when type is configured. Accepts the specified peer certificate.

default-gw <addr-ipv4>

Note: This entry is only available when type is set to dynamic and ip-version is set to 4. The IPv4 address of the default route gateway to use for traffic exiting the interface.

default-gw-priority <priority>

Note: This entry is only available when type is set to dynamic. The priority for the default gateway router. Set the value between 0-4294967295. Default is set to 0.

usrgrp <group-name>

Note: This entry is only available when peertype is set to dialup. The user group. You must have already configured a user group on the FortiGate unit before entering the group's name here.

monitor [phase1]

Note: This entry is not available when type is set to dynamic. An optional IPsec interface that can act as a backup for another (primary) IPsec interface. Enter the name of the primary interface. Once set, use the monitor-hold-down-type entry to configure recovery timing (further configured with the monitor-hold-down-delay, monitor-hold-down-weekday, and monitor-hold-down-time entries).

The backup interface is only used when the primary interface is unavailable. For this, dpd must be enabled (set to either on-idle or on-timeout).

Note that a primary interface can only have one backup interface and cannot itself act as a backup for another interface.

monitor-hold-down-type {immediate | delay | time}

Note: This entry (and all other sub-entries) is only available once monitor is configured. Controls the recovery time method when the primary interface re-establishes.

  • Use immediate (by default) to have the primary interface be re-established immediately.
  • Use delay to configure the number of seconds to wait before recovery once the primary interface is re-established (see the monitor-hold-down-delay entry).
  • Use time to configure the day of the week and/or the time of day to recover once the primary interface is re-established (see the monitor-hold-down-weekday and monitor-hold-down-time entries).

monitor-hold-down-delay <seconds>

Note: This entry is only available when monitor-hold-down-type is set to delay. Configure the number of seconds to wait before recovery once the primary interface is re-established. Set the value between 0-31536000 (or 0 seconds to 1 year). The default is set to 0.

monitor-hold-down-weekday <day>

Note: This entry is only available when monitor-hold-down-type is set to time. Configure the day of the week to recover once the primary interface is re-established. Set the value to either everyday, sunday (by default), monday, tuesday, wednesday, thursday, friday, or saturday.

monitor-hold-down-time <time>

Note: This entry is only available when monitor-hold-down-type is set to time. Configure the time of day to recover once the primary interface is re-established. Set the hour and minute values of the day, with a colon to separate the two (between 00:00 and 23:59). The default is set to 00:00 (or midnight).
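The following is an added example, not configuration from the Fortinet page, showing how the monitor entries above fit together: a static site-to-site tunnel and a second tunnel that takes over only while the first is down. The tunnel names, interfaces, peer addresses and key placeholders are constructed for illustration; dpd is set on the primary because the page states the backup is only used when DPD declares the primary unavailable.

```fortios
# Added example (not from the Fortinet CLI reference). Names, addresses
# and the <..._PLACEHOLDER> keys are constructed; replace them before use.
config vpn ipsec phase1-interface
    edit "hq-primary"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <PRIMARY_PSK_PLACEHOLDER>
        # DPD must be active on the primary, or the backup is never used
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
    edit "hq-backup"
        set type static
        set interface "wan2"
        set ike-version 2
        set remote-gw 198.51.100.20
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <BACKUP_PSK_PLACEHOLDER>
        # this tunnel carries traffic only while hq-primary is unavailable
        set monitor "hq-primary"
        # wait 30 seconds after the primary re-establishes before reverting,
        # so a flapping primary does not cause repeated failover
        set monitor-hold-down-type delay
        set monitor-hold-down-delay 30
    next
end
```

A primary can have only one backup and a backup cannot itself be monitored by a third tunnel, so a chain of fallbacks has to be built with routing rather than with additional monitor entries.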

net-device {enable | disable}

Enable or disable (by default) the creation of a kernel device for every dialup instance, allowing all traffic to use a single interface for all instances that spawn via a given phase1. When enabled and with tunnel-search set to nexthop, instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

tunnel-search {selectors | nexthop}

Under the new single-interface scheme, instead of relying on routing to guide traffic to the specific instance as currently happens, all traffic will flow to the specific device and IPsec will need to take care of locating the correct instance for outbound traffic:

  • selectors: Selecting a peer using the IPSec selectors (proxy-ids) (set by default).
  • nexthop: All the peers use the same default selectors (0/0) while using some routing protocols such as BGP, OSPF, RIPng, etc to resolve the routing.

Disabling net-device and setting tunnel-search to nexthop changes how FortiOS creates and manages dynamic tunnels. Enabling the option can improve dialup IPsec VPN performance on newer FortiGate models that are running the most recent kernel. FortiOS 5.6.5 now also supports changing the net-device configuration after creating the tunnel. Enabling this option also allows the IPsec tunnel to learn routes from dynamic routing. The recommended configuration is:

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set net-device disable
        set tunnel-search nexthop
        set interface "wan1"
        set proposal aes128-sha1
        set add-route disable
        set auto-discovery-sender enable
        set exchange-interface-ip enable
        set psksecret <key>
    next
end

config vpn ipsec phase2-interface
    edit <name>
        set phase1name <name>
        set proposal aes128-sha1
    next
end

config system interface
    edit <name>
        set ip 10.10.10.1/32
        set remote-ip 10.10.10.254/24
    next
end

mode-cfg {enable | disable}

Enable IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides. Disable (by default) to prohibit clients from configuring themselves.

assign-ip {enable | disable}

Note: This entry is only available when mode-cfg is set to enable. Enable (by default) or disable the assignment of an IP address to the IPsec interface.

assign-ip-from {range | dhcp}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The method by which the IP address will be assigned.

  • Use range (by default) to assign the IP address from a locally defined range.
  • Use dhcp to assign the IP address via DHCP.

ipv4-start-ip <ipv4-start>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The start of the IPv4 range.

ipv4-end-ip <ipv4-end>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The end of the IPv4 range.

ipv4-netmask <ipv4-netmask>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv4 netmask.

dns-mode {manual | auto}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The DNS server mode.

  • Use manual (by default) to manually configure the DNS servers.
  • Use auto to use default DNS servers.

ipv4-dns-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify an IPv4 DNS server, of which you may specify up to three (see entries below).

ipv4-dns-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second IPv4 DNS server.

ipv4-dns-server3 <server3>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a third IPv4 DNS server.

ipv4-wins-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Windows Internet Name Service (WINS) is a central mapping of host names to network addresses. Specify a WINS server, of which you may specify up to two (see entry below).

ipv4-wins-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second WINS server.

ipv4-exclude-range

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. A configuration method to exclude IPv4 ranges. Edit to create new and specify the exclude-ranges using the start-ip and end-ip entries.

ipv4-split-include <subnet>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv4 split-include subnets. The addresses must have already been configured on the FortiGate unit before entering their names here.

split-include-service <service>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The split-include services. The services must have already been configured on the FortiGate unit before entering their names here.

ipv4-name <name>

IPv4 address name used when assign-ip-from is set to name.

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable.

ipv6-start-ip <ipv6-start>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The start of the IPv6 range.

ipv6-end-ip <ipv6-end>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The end of the IPv6 range.

ipv6-prefix <ipv6-prefix>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv6 address' prefix. Enter a value between 1-128. The default is set to 128.

ipv6-dns-server1 <server1>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify an IPv6 DNS server, of which you may specify up to three (see entries below).

ipv6-dns-server2 <server2>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a second IPv6 DNS server.

ipv6-dns-server3 <server3>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Specify a third IPv6 DNS server.

ipv6-exclude-range

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. A configuration method to exclude IPv6 ranges. Edit to create new and specify the exclude-ranges using the start-ip and end-ip entries.

ipv6-split-include <subnet>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The IPv6 split-include subnets. The addresses must have already been configured on the FortiGate unit before entering their names here.

ipv6-name <name>

IPv6 address name used when assign-ip-from is set to name.

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable.

unity-support {enable | disable}

Note: This entry is only available when mode-cfg is set to enable. Enable (by default) or disable support for Cisco Unity configuration method extensions.

domain <domain>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The default DNS domain for Unity clients.

banner <message>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The message that Unity clients should display after connecting.

include-local-lan {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing local LAN access on Unity clients.

client-auto-negotiate {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing the VPN client to bring up the tunnel when there is no traffic.

client-keep-alive {enable | disable}

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. Enable or disable (by default) allowing the VPN client to keep the tunnel up when there is no traffic.

backup-gateway <address>

Note: This entry is only available when type is set to dynamic and mode-cfg is set to enable. The backup gateway address(es) for Unity clients.
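As an added example that is not part of the Fortinet page, the following dialup phase 1 uses IKE Configuration Method so that clients receive an address, DNS servers and a split-include network from the FortiGate. It ties together the mode-cfg, assign-ip-from, ipv4-* and Unity entries described above, including the nested ipv4-exclude-range table. The tunnel name, address pool, DNS servers, the "internal-nets" firewall address and the key placeholder are all constructed; the firewall address is created first because the page requires split-include addresses to exist before they are referenced.

```fortios
# Added example (not from the Fortinet CLI reference). All names,
# addresses and the key placeholder are constructed for illustration.
config firewall address
    edit "internal-nets"
        set subnet 10.0.0.0 255.255.0.0
    next
end

config vpn ipsec phase1-interface
    edit "dialup-staff"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <DIALUP_PSK_PLACEHOLDER>
        # hand out tunnel settings to clients (IKE Configuration Method)
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set dns-mode manual
        set ipv4-dns-server1 10.0.0.53
        set ipv4-dns-server2 10.0.1.53
        # only 10.0.0.0/16 is routed into the tunnel; everything else
        # leaves the client directly
        set ipv4-split-include "internal-nets"
        set unity-support enable
        set include-local-lan disable
        set client-keep-alive disable
        # carve a reserved range out of the pool; start-ip and end-ip are
        # the sub-entries named in the ipv4-exclude-range description
        config ipv4-exclude-range
            edit 1
                set start-ip 10.212.134.100
                set end-ip 10.212.134.110
            next
        end
    next
end
```

Split-include limits what the client sends through the tunnel, so the FortiGate only sees traffic for the networks it publishes; the excluded range keeps 10.212.134.100-110 free for statically assigned hosts without shrinking the pool.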

proposal <phase1-proposal>

A minimum of one and maximum of ten encryption-message combinations for the phase 1 proposal, for example aes128-sha256. Use a space to separate the combinations. Make sure that the remote peer is configured to use at least one of the proposals defined. Note: This entry is not available if suite-b has been configured. Use any of the following key encryption algorithms:

  • des: Digital Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times by three keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA and seed algorithms may not be available on some FortiGate models. Combine key encryptions with any one of the following message digests, to check the authenticity of messages during an encrypted session:

  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

add-route {disable | enable}

Note: This entry is only available when type is set to dynamic. Enable (by default) or disable adding a route to the destination of the peer selector.

exchange-interface-ip {enable | disable}

Enable or disable (by default) the exchange of IPsec interface IP address.

add-gw-route {enable | disable}

Enable to automatically add a route to the remote gateway specified in the remote-gw entry. This is disabled by default.

Note: This command is deprecated. Instead, use the dynamic-gateway {enable | disable} entry in the config router static command.

psksecret <preshared-key>

Note: This entry is only available when authmethod is set to psk. Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least six characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

keepalive <seconds>

Note: This entry is only available when nattraversal is set to enable. Set the NAT traversal keepalive frequency in seconds, a period of time that specifies how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until phase 1 and 2 security associations (SAs) expire. Set the value between 10-900 seconds (or ten seconds to 15 minutes). The default is set to 5.

distance <distance>

Note: This entry is only available when type is set to dynamic, or when mode-cfg is set to enable. The distance for routes added by IKE. Set the value between 1-255. Default is set to 15.

priority <priority>

Note: This entry is only available when type is set to dynamic, or when mode-cfg is set to enable. The priority for routes added by IKE. Set the value between 0-4294967295. Default is set to 0.

localid <local-id>

Note: If you set a local ID on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and specify the identifier as a peer ID on the FortiGate dialup server. The local ID, or unique identifier, that the FortiGate uses as a VPN client for authentication purposes.

localid-type {auto | fqdn | user-fqdn | keyid | address}

Determines the type of local ID to be set:

  • auto: Selects type automatically.
  • fqdn: Uses a Fully Qualified Domain Name (FQDN).
  • user-fqdn: Uses a User FQDN.
  • keyid: Uses Key Identifier ID.
  • address: Uses IP address ID.
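The two-sided configuration described in the localid note above, as an added example that is not from the Fortinet page: a FortiGate dialup client sets a local ID, and the FortiGate dialup server runs aggressive mode with peertype one and the same identifier as its peer ID (the dynamic/psk/one row of the peertype table). Tunnel names, the identifier "branch-01", the server address and the key placeholder are constructed. Because the page notes that aggressive mode exchanges identifying information in the clear, the identifier should be treated as visible to anyone on the path and not reused as a secret.

```fortios
# Added example (not from the Fortinet CLI reference). Names, the
# identifier, addresses and the key placeholder are constructed.

# --- dialup server (hub) ---
config vpn ipsec phase1-interface
    edit "branch-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # aggressive mode is required when the peer is identified by ID
        set mode aggressive
        set peertype one
        set peerid "branch-01"
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <SHARED_PSK_PLACEHOLDER>
    next
end

# --- dialup client (branch FortiGate with a dynamic address) ---
config vpn ipsec phase1-interface
    edit "to-hq"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        # must match the peerid configured on the server
        set localid "branch-01"
        set localid-type keyid
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <SHARED_PSK_PLACEHOLDER>
    next
end
```

If several branches will share one identifier the server side stays the same; a per-branch identifier with its own pre-shared key is the stronger choice, since a leaked key then affects one peer instead of all of them.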

auto-negotiate {enable | disable}

Enable (by default) to keep attempting IKE SA negotiation even if the link is down. This feature is useful in cases where there are multiple redundant tunnels but you prefer the primary connection if it can be established.

negotiate-timeout <seconds>

The amount of time in seconds that the FortiGate unit will wait for the IKE SA to be negotiated. Set the value between 1-300 seconds (or one second to five minutes). The default is set to 5.

fragmentation {enable | disable}

Note: This entry is only available when ike-version is set to 1. Enable (by default) intra-IKE fragmentation support on re-transmission of fragmented packets.

dpd {disable | on-idle | on-demand}

Disable or set Dead Peer Detection (DPD) to either on-idle or on-demand (by default). DPD detects the status of the connection between VPN peers, cleans up dead connections, and helps establish new VPN tunnels. Note that DPD cannot be used unless both VPN peers support and enable the feature.

  • on-idle: DPD is triggered when IPsec is idle/inactive.
  • on-demand: DPD is triggered when IPsec traffic is sent but no reply is received from the peer.

dpd-retrycount <retry-integer>

Note: This entry is only available when dpd is set to enable. The number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the SA. Set the value between 0-10. The default is set to 3. To avoid false negatives, set the retry count to a sufficiently high value for your network.

dpd-retryinterval <seconds>

Note: This entry is only available when dpd is set to enable. The amount of time in seconds that the local VPN peer waits between sending DPD probes. Set the value between 0-3600 seconds (or 0 seconds to one hour).

forticlient-enforcement {enable | disable}

Enable to only permit FortiClient users to connect. Disable (by default) to lift this restriction.

comments [string]

Optional comments.

npu-offload {enable | disable}

Enable (by default) or disable offloading of VPN session to a network processing unit (NPU).

send-cert-chain {enable | disable}

Note: This entry is only available when authmethod is set to signature. Enable (by default) or disable sending certificate chain.

dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31}

Apply one or more Diffie-Hellman (DH) group numbers, in order of preference, separated by spaces. DH groups determine the strength of the key used in the key exchange process, with higher group numbers being more secure, but requiring additional time to compute the key. Set the value to any one (or more) of the following: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, and 31. The default is set to 14 5.

Note that at least one of the group numbers set on the remote peer or client must be identical to one of the selections on the FortiGate unit.

Note: This entry is not available if suite-b has been configured.

suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}

Disable (by default) or set Suite B to either suite-b-gcm-128 or suite-b-gcm-256. Suite B is a set of cryptographic algorithms designated by the U.S. National Security Agency to allow commercial products to protect traffic that is classified at secret or top secret levels (see RFC 6379, Suite B Cryptographic Suites for IPsec).

  • Suite-B-GCM-128 applies Advanced Encryption Standard (AES) encryption with 128-bit keys and a 16-octet integrity check value (ICV) in Galois/Counter Mode (GCM), a mode of operation for symmetric key cryptographic block ciphers. Key establishment uses DH group 19.
  • Suite-B-GCM-256 applies AES encryption with 256-bit keys and 16-octet ICV in GCM. Key establishment uses DH group 20.
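The proposal and dhgrp entries only work when both peers share at least one entry, as the text above states. The following added example, which is not configuration from the Fortinet page, shows two peers whose lists differ but overlap on aes128-sha256 and DH group 14, followed by the Suite B alternative in which proposal and dhgrp are replaced by a single suite-b entry. Tunnel names, interfaces, addresses and key placeholders are constructed.

```fortios
# Added example (not from the Fortinet CLI reference). Names, addresses
# and key placeholders are constructed for illustration.

# Peer A offers two combinations, in order of preference.
config vpn ipsec phase1-interface
    edit "to-peer-b"
        set type static
        set interface "wan1"
        set remote-gw 198.51.100.20
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 19 14
        set authmethod psk
        set psksecret <AB_PSK_PLACEHOLDER>
    next
end

# Peer B offers a different list; negotiation settles on the shared
# aes128-sha256 and DH group 14. Dropping aes128-sha256 here would
# leave no common proposal and phase 1 would never complete.
config vpn ipsec phase1-interface
    edit "to-peer-a"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes128-sha256 aes256-sha384
        set dhgrp 14
        set authmethod psk
        set psksecret <AB_PSK_PLACEHOLDER>
    next
end

# Suite B variant: suite-b fixes AES-256-GCM with DH group 20, and the
# proposal and dhgrp entries are not available once it is set.
config vpn ipsec phase1-interface
    edit "to-peer-c"
        set type static
        set interface "wan1"
        set remote-gw 192.0.2.30
        set suite-b suite-b-gcm-256
        set authmethod psk
        set psksecret <AC_PSK_PLACEHOLDER>
    next
end
```

Listing the strongest combination first on both sides makes the negotiated result predictable; keeping a weaker fallback in the list means it can be selected by a peer that offers only that fallback.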

eap {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable (by default) IKEv2 Extensible Authentication Protocol (EAP) authentication.

eap-identity {use-id-payload | send-request}

Note: This entry is only available when eap is set to enable. The IKEv2 EAP peer identity type.

  • use-id-payload uses IKEv2 identity payload to resolve peer identity. This is set by default.
  • send-request uses EAP identity request to resolve peer identity.

acct-verify {enable | disable}

Note: This entry is only available when eap is set to enable. Enable or disable (by default) the verification of RADIUS accounting record.

wizard-type <wizard-type>

Set to one of the following GUI VPN Wizard template types:

  • custom: Custom VPN configuration.
  • dialup-forticlient: Dialup for FortiClient Windows, Mac, and Android.
  • dialup-ios: Dialup for iPhone and/or iPad Native IPsec Client.
  • dialup-android: Dialup for Android Native IPsec Client.
  • dialup-windows: Dialup for Windows Native IPsec Client.
  • dialup-cisco: Dialup for Cisco IPsec Client.
  • static-fortigate: Site to Site for FortiGate.
  • dialup-fortigate: Dialup for FortiGate.
  • static-cisco: Site to Site for Cisco.
  • dialup-cisco-fw: Dialup for Cisco Firewall.

xauthtype [disable | client | pap | chap | auto]

Note: This entry is only available when ike-version is set to 1. Optionally configure XAuth (eXtended Authentication). XAuth provides the mechanism for requesting individual authentication information from the user, while a local user database or an external authentication server (such as a RADIUS server) provides a method for storing the authentication information centrally in the local network. This command is disabled by default. Use pap, chap, or auto to configure the FortiGate unit as an XAuth server. Note that these options are only available when type is set to dynamic.

  • disable: Disables XAuth.
  • client: Enable to configure the FortiGate as an XAuth client. Once set, use the authusr and authpasswd entries to add the XAuth user name and password (see entries below).
  • pap: Password Authentication Protocol (PAP). Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
  • chap: Challenge Handshake Authentication Protocol (CHAP). Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
  • auto: Enable as server auto. Once set, use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.

reauth {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable (by default) re-authentication upon IKE SA lifetime expiration.

authusrgrp <group-name>

Note: This entry is only available when eap is set to enable. The authentication user group. You must have already configured a user group on the FortiGate unit before entering the group's name here.

authusr <name>

Note: This entry is only available when xauthtype has been configured. Enter the XAuth user name.

authpasswd <password>

Note: This entry is only available when xauthtype has been configured. Enter the XAuth user's password (maximum of 35 characters).

mesh-selector-type {disable | subnet | host}

Note: This entry is only available when ike-version is set to 1. Disable (by default) or set dynamic mesh selectors for IKEv1 VPNs to either subnet or host. Note that dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.

  • Use subnet to install selector for the address group that matches traffic packets.
  • Use host to install selector for the source and destination IP addresses of traffic packets.

idle-timeout {enable | disable}

Enable or disable (by default) the IPsec tunnel timing out when idle. Once enabled, use the idle-timeoutinterval entry to set the period of time the VPN will wait before timing out (see entry below).

idle-timeoutinterval <minutes>

Note: This entry is only available when idle-timeout is set to enable. Enter the IPsec tunnel idle timeout in minutes. Set the value between 10-43200 (or ten minutes to 30 days). The default is set to 15.

ha-sync-esp-seqno {enable | disable}

Enable (by default) or disable the Extended Sequence Number (ESP) jump ahead for IPsec HA. Enabling this feature helps to synchronize the IPsec SA replay counters between newly active HA cluster members and the peer (see RFC 6311, Protocol Support for High Availability of IKEv2/IPsec).

auto-discovery-sender {enable | disable}

Auto Discovery VPN (ADVPN) allows a shortcut to be created between two VPN peers, establishing dynamic on-demand tunnels between each other to avoid routing through the topology’s hub device. Enable or disable (by default) sending auto-discovery short-cut messages.

auto-discovery-receiver {enable | disable}

Enable or disable (by default) accepting auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery).

auto-discovery-forwarder {enable | disable}

Enable or disable (by default) forwarding auto-discovery short-cut messages (see the auto-discovery-sender entry above about Auto Discovery).

auto-discovery-psk {enable | disable}

Note: This entry is only available when authmethod is set to signature and auto-discovery-sender is set to enable. Enable or disable (by default) the use of pre-shared keys for the authentication of auto-discovery tunnels.
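The recommended net-device configuration earlier on this page is the hub side of an ADVPN deployment (it already sets auto-discovery-sender). As an added example, not from the Fortinet page, the following is the matching spoke side: a static tunnel to the hub that accepts shortcut messages with auto-discovery-receiver, uses the same single-interface scheme, and leaves route installation to dynamic routing as the net-device description suggests. The tunnel name, interface, hub address and key placeholder are constructed.

```fortios
# Added example (not from the Fortinet CLI reference): ADVPN spoke.
# Names, the hub address and the key placeholder are constructed.
config vpn ipsec phase1-interface
    edit "to-hub"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod psk
        set psksecret <HUB_PSK_PLACEHOLDER>
        # single-interface scheme, matching the hub's recommended settings
        set net-device disable
        set tunnel-search nexthop
        set add-route disable
        set exchange-interface-ip enable
        # accept shortcut offers from the hub so spoke-to-spoke traffic
        # can bypass the hub once a dynamic tunnel is established
        set auto-discovery-receiver enable
    next
end
```

Spokes that should not talk to each other directly simply leave auto-discovery-receiver disabled; their traffic then keeps transiting the hub, where it can be inspected by hub policies.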

encapsulation {none | gre | vxlan}

Note: This entry is not available when type is set to dynamic. Disable (by default; none) or set encapsulation to either gre or vxlan. Both GRE and VXLAN segmentation scale well together as they allow overlapping subnets and IP ranges. VXLAN is encapsulated in UDP frames, resulting in efficiently distributed traffic. Once set, use the encapsulation-address entry to configure the source for the GRE or VXLAN tunnel address.

encapsulation-address {ike | ipv4 | ipv6}

Note: This entry is only available when encapsulation is set to either gre or vxlan. Select the source for the GRE or VXLAN tunnel address.

  • Use ike (by default) to use IKE/IPsec gateway addresses.
  • Use ipv4 to specify separate IPv4 GRE/VXLAN tunnel addresses (see encap entries below).
  • Use ipv6 to specify separate IPv6 GRE/VXLAN tunnel addresses (see encap entries below).

encap-local-gw4 <addr-ipv4>

Note: This entry is only available when encapsulation-address is set to ipv4. The local IPv4 address of the GRE/VXLAN tunnel.

encap-remote-gw4 <addr-ipv4>

Note: This entry is only available when encapsulation-address is set to ipv4. The remote IPv4 address of the GRE/VXLAN tunnel.

encap-local-gw6 <addr-ipv6>

Note: This entry is only available when encapsulation-address is set to ipv6. The local IPv6 address of the GRE/VXLAN tunnel.

encap-remote-gw6 <addr-ipv6>

Note: This entry is only available when encapsulation-address is set to ipv6. The remote IPv6 address of the GRE/VXLAN tunnel.

nattraversal {enable | disable}

Enable (by default) or disable NAT traversal. This should be enabled if you expect the IPsec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Once enabled, use the keepalive entry to set the NAT traversal keepalive frequency. Note that both ends of the VPN must have the same NAT traversal settings.

fragmentation-mtu <frag-integer>

Note: This entry is only available when ike-version is set to 2. The IKE fragmentation maximum transmission unit (MTU). Set the value between 500-16000. The default is set to 1200.

childless-ike {enable | disable}

Note: This entry is only available when ike-version is set to 2. Enable or disable the childless IKEv2 initiation (see RFC 6023, A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)).

group-authentication {enable | disable}

Enable or disable (by default) IKEv2 IDi group authentication.

The IDi information is extracted from the IKEv2 AUTH exchange and is sent to a RADIUS server, along with a fixed password, to perform an additional group authentication step prior to tunnel establishment.

The RADIUS server may return framed-IP-address, framed-ip-netmask, and dns-server attributes, which are then applied to the tunnel.

Note: This entry is only available when ike-version is set to 2, type is set to dynamic, and mode-cfg is set to enable.

group-authentication-secret <password>

Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x).

Note: This entry is only available when group-authentication is set to enable.