CLI Reference

config vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2
    Description: Configure VPN autokey tunnel.
    edit <name>
        set phase1name {string}
        set dhcp-ipsec [enable|disable]
        set use-natip [enable|disable]
        set selector-match [exact|subset|...]
        set proposal {option1}, {option2}, ...
        set pfs [enable|disable]
        set ipv4-df [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set replay [enable|disable]
        set keepalive [enable|disable]
        set auto-negotiate [enable|disable]
        set add-route [phase1|enable|...]
        set keylifeseconds {integer}
        set keylifekbs {integer}
        set keylife-type [seconds|kbs|...]
        set single-source [enable|disable]
        set route-overlap [use-old|use-new|...]
        set encapsulation [tunnel-mode|transport-mode]
        set l2tp [enable|disable]
        set comments {var-string}
        set protocol {integer}
        set src-name {string}
        set src-name6 {string}
        set src-addr-type [subnet|range|...]
        set src-start-ip {ipv4-address-any}
        set src-start-ip6 {ipv6-address}
        set src-end-ip {ipv4-address-any}
        set src-end-ip6 {ipv6-address}
        set src-subnet {ipv4-classnet-any}
        set src-subnet6 {ipv6-prefix}
        set src-port {integer}
        set dst-name {string}
        set dst-name6 {string}
        set dst-addr-type [subnet|range|...]
        set dst-start-ip {ipv4-address-any}
        set dst-start-ip6 {ipv6-address}
        set dst-end-ip {ipv4-address-any}
        set dst-end-ip6 {ipv6-address}
        set dst-subnet {ipv4-classnet-any}
        set dst-subnet6 {ipv6-prefix}
        set dst-port {integer}
    next
end

config vpn ipsec phase2

Parameters (name, type and size in parentheses; option values are listed under each parameter):

phase1name (string, maximum length 35)
    Phase 1 determines the options required for phase 2.

dhcp-ipsec (option)
    Enable/disable DHCP-IPsec.
        enable: Enable setting.
        disable: Disable setting.

use-natip (option)
    Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
        enable: Replace the source selector with the interface IP when using outbound NAT.
        disable: Do not modify the source selector when using outbound NAT.

selector-match (option)
    Match type to use when comparing selectors.
        exact: Match selectors exactly.
        subset: Match selectors by subset.
        auto: Use subset or exact match depending on the selector address type.

proposal (option, one or more)
    Phase 2 proposal. Each option names an encryption-authentication pair:
        null-md5, null-sha1, null-sha256, null-sha384, null-sha512,
        des-null, des-md5, des-sha1, des-sha256, des-sha384, des-sha512,
        3des-null, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512,
        aes128-null, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm,
        aes192-null, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512,
        aes256-null, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm,
        chacha20poly1305

pfs (option)
    Enable/disable the PFS feature.
        enable: Enable setting.
        disable: Disable setting.

ipv4-df (option)
    Enable/disable setting and resetting of the IPv4 'Don't Fragment' bit.
        enable: Set IPv4 DF.
        disable: Reset IPv4 DF.

dhgrp (option, one or more)
    Phase 2 DH group. Each option N selects DH Group N:
        1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32

replay (option)
    Enable/disable replay detection.
        enable: Enable setting.
        disable: Disable setting.

keepalive (option)
    Enable/disable keep alive.
        enable: Enable setting.
        disable: Disable setting.

auto-negotiate (option)
    Enable/disable IPsec SA auto-negotiation.
        enable: Enable setting.
        disable: Disable setting.

add-route (option)
    Enable/disable automatic route addition.
        phase1: Add route according to the phase1 add-route setting.
        enable: Add route for remote proxy ID.
        disable: Do not add route for remote proxy ID.

keylifeseconds (integer, minimum value 120, maximum value 172800)
    Phase 2 key life in seconds.

keylifekbs (integer, minimum value 5120, maximum value 4294967295)
    Phase 2 key life in kilobytes of traffic.

keylife-type (option)
    Keylife type.
        seconds: Key life in seconds.
        kbs: Key life in kilobytes.
        both: Key life in both seconds and kilobytes.

single-source (option)
    Enable/disable single source IP restriction.
        enable: Only a single source IP will be accepted.
        disable: A source IP range will be accepted.

route-overlap (option)
    Action for overlapping routes.
        use-old: Use the old route and do not add the new route.
        use-new: Delete the old route and add the new route.
        allow: Allow overlapping routes.

encapsulation (option)
    ESP encapsulation mode.
        tunnel-mode: Use tunnel mode encapsulation.
        transport-mode: Use transport mode encapsulation.

l2tp (option)
    Enable/disable L2TP over IPsec.
        enable: Enable L2TP over IPsec.
        disable: Disable L2TP over IPsec.

comments (var-string, maximum length 255)
    Comment.

protocol (integer, minimum value 0, maximum value 255)
    Quick mode protocol selector.

src-name (string, maximum length 79)
    Local proxy ID name.

src-name6 (string, maximum length 79)
    Local proxy ID name (IPv6).

src-addr-type (option)
    Local proxy ID type.
        subnet: IPv4 subnet.
        range: IPv4 range.
        ip: IPv4 IP address.
        name: IPv4 firewall address or group name.

src-start-ip (ipv4-address-any)
    Local proxy ID IPv4 start.

src-start-ip6 (ipv6-address)
    Local proxy ID IPv6 start.

src-end-ip (ipv4-address-any)
    Local proxy ID IPv4 end.

src-end-ip6 (ipv6-address)
    Local proxy ID IPv6 end.

src-subnet (ipv4-classnet-any)
    Local proxy ID IPv4 subnet.

src-subnet6 (ipv6-prefix)
    Local proxy ID IPv6 subnet.

src-port (integer, minimum value 0, maximum value 65535)
    Quick mode source port.

dst-name (string, maximum length 79)
    Remote proxy ID name.

dst-name6 (string, maximum length 79)
    Remote proxy ID name (IPv6).

dst-addr-type (option)
    Remote proxy ID type.
        subnet: IPv4 subnet.
        range: IPv4 range.
        ip: IPv4 IP address.
        name: IPv4 firewall address or group name.

dst-start-ip (ipv4-address-any)
    Remote proxy ID IPv4 start.

dst-start-ip6 (ipv6-address)
    Remote proxy ID IPv6 start.

dst-end-ip (ipv4-address-any)
    Remote proxy ID IPv4 end.

dst-end-ip6 (ipv6-address)
    Remote proxy ID IPv6 end.

dst-subnet (ipv4-classnet-any)
    Remote proxy ID IPv4 subnet.

dst-subnet6 (ipv6-prefix)
    Remote proxy ID IPv6 subnet.

dst-port (integer, minimum value 0, maximum value 65535)
    Quick mode destination port.
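The proposal, dhgrp, pfs and replay parameters above are the ones a configuration review checks first. The following is an added example, not Fortinet code: it parses a constructed phase2 block in the CLI syntax shown on this page and reports weak choices; the weakness policy (NULL/DES/3DES, NULL/MD5/SHA1, DH groups 1, 2 and 5) and the treatment of absent pfs/replay as enabled are this checker's assumptions.

```python
import re
# Constructed sample (not from the reference page): a weak entry and a strong one.
SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit "site-a-legacy"
        set proposal 3des-md5 des-sha1
        set dhgrp 2 5
        set pfs disable
        set replay disable
    next
    edit "site-b-modern"
        set proposal aes256gcm chacha20poly1305
        set dhgrp 20 21
        set pfs enable
        set replay enable
    next
end
"""
# Audit policy, an assumption of this checker: NULL/DES/3DES, NULL/MD5/SHA1, DH 1/2/5 are weak.
WEAK_ENC = {"null", "des", "3des"}
WEAK_AUTH = {"null", "md5", "sha1"}
WEAK_DH = {"1", "2", "5"}

def parse_phase2(text):
    """Return {entry_name: {setting: [values]}} for each 'edit' block."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = entries.setdefault(m.group(1), {})
        elif line.startswith("set ") and current is not None:
            # Multi-value settings may be written space- or comma-separated.
            key, *vals = line[4:].replace(",", " ").split()
            current[key] = vals
    return entries

def weak_proposal(proposal):
    """Split 'enc-auth'; AEAD names such as aes256gcm carry no '-'."""
    enc, _, auth = proposal.partition("-")
    return enc in WEAK_ENC or auth in WEAK_AUTH

def audit(entry):
    """Findings for one entry; absent pfs/replay assumed 'enable' (FortiOS default)."""
    findings = [f"weak proposal {p}" for p in entry.get("proposal", []) if weak_proposal(p)]
    findings += [f"weak DH group {g}" for g in entry.get("dhgrp", []) if g in WEAK_DH]
    for key in ("pfs", "replay"):
        if entry.get(key, ["enable"])[0] == "disable":
            findings.append(f"{key} disabled")
    return findings
```

Run `audit(entry)` over each value of `parse_phase2(text)` for a saved `show vpn ipsec phase2` output; an empty list means the entry passed the policy.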
