CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
cifs
- cifs domain-controller
- cifs profile
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control client
- endpoint-control fctems
- endpoint-control settings
extender-controller
- extender-controller extender
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall consolidated policy
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ipv6-eh-filter
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy6
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller 802-1X-settings
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller flow-tracking
- switch-controller global
- switch-controller igmp-snooping
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-sync-settings
- switch-controller managed-switch
- switch-controller network-monitor-settings
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller quarantine
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy captive-portal
- switch-controller security-policy local-access
- switch-controller sflow
- switch-controller snmp-community
- switch-controller snmp-sysinfo
- switch-controller snmp-trap-threshold
- switch-controller snmp-user
- switch-controller storm-control
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-log
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller traffic-sniffer
- switch-controller virtual-port-pool
- switch-controller vlan
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fm
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system management-tunnel
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg device-detection-portal
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg nntp
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wan-link
- system virtual-wire-pair
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user device
- user device-group
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user password-policy
- user peer
- user peergrp
- user pop3
- user quarantine
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.2.2 CLI Reference

6.2.2

vpn ipsec phase2

Configure VPN autokey tunnel.

  config vpn ipsec phase2
      Description: Configure VPN autokey tunnel.
      edit <name>
          set phase1name {string}
          set dhcp-ipsec [enable|disable]
          set use-natip [enable|disable]
          set selector-match [exact|subset|...]
          set proposal {option1}, {option2}, ...
          set pfs [enable|disable]
          set ipv4-df [enable|disable]
          set dhgrp {option1}, {option2}, ...
          set replay [enable|disable]
          set keepalive [enable|disable]
          set auto-negotiate [enable|disable]
          set add-route [phase1|enable|...]
          set keylifeseconds {integer}
          set keylifekbs {integer}
          set keylife-type [seconds|kbs|...]
          set single-source [enable|disable]
          set route-overlap [use-old|use-new|...]
          set encapsulation [tunnel-mode|transport-mode]
          set l2tp [enable|disable]
          set comments {var-string}
          set protocol {integer}
          set src-name {string}
          set src-name6 {string}
          set src-addr-type [subnet|range|...]
          set src-start-ip {ipv4-address-any}
          set src-start-ip6 {ipv6-address}
          set src-end-ip {ipv4-address-any}
          set src-end-ip6 {ipv6-address}
          set src-subnet {ipv4-classnet-any}
          set src-subnet6 {ipv6-prefix}
          set src-port {integer}
          set dst-name {string}
          set dst-name6 {string}
          set dst-addr-type [subnet|range|...]
          set dst-start-ip {ipv4-address-any}
          set dst-start-ip6 {ipv6-address}
          set dst-end-ip {ipv4-address-any}
          set dst-end-ip6 {ipv6-address}
          set dst-subnet {ipv4-classnet-any}
          set dst-subnet6 {ipv6-prefix}
          set dst-port {integer}
      next
  end

config vpn ipsec phase2

Parameter Name	Description	Type	Size
phase1name	Phase 1 determines the options required for phase 2.	string	Maximum length: 35
dhcp-ipsec	Enable/disable DHCP-IPsec. enable: Enable setting. disable: Disable setting.	option	-
use-natip	Enable to use the FortiGate public IP as the source selector when outbound NAT is used. enable: Replace source selector with interface IP when using outbound NAT. disable: Do not modify source selector when using outbound NAT.	option	-
selector-match	Match type to use when comparing selectors. exact: Match selectors exactly. subset: Match selectors by subset. auto: Use subset or exact match depending on selector address type.	option	-
proposal	Phase2 proposal. null-md5: null-md5 null-sha1: null-sha1 null-sha256: null-sha256 null-sha384: null-sha384 null-sha512: null-sha512 des-null: des-null des-md5: des-md5 des-sha1: des-sha1 des-sha256: des-sha256 des-sha384: des-sha384 des-sha512: des-sha512 3des-null: 3des-null 3des-md5: 3des-md5 3des-sha1: 3des-sha1 3des-sha256: 3des-sha256 3des-sha384: 3des-sha384 3des-sha512: 3des-sha512 aes128-null: aes128-null aes128-md5: aes128-md5 aes128-sha1: aes128-sha1 aes128-sha256: aes128-sha256 aes128-sha384: aes128-sha384 aes128-sha512: aes128-sha512 aes128gcm: aes128gcm aes192-null: aes192-null aes192-md5: aes192-md5 aes192-sha1: aes192-sha1 aes192-sha256: aes192-sha256 aes192-sha384: aes192-sha384 aes192-sha512: aes192-sha512 aes256-null: aes256-null aes256-md5: aes256-md5 aes256-sha1: aes256-sha1 aes256-sha256: aes256-sha256 aes256-sha384: aes256-sha384 aes256-sha512: aes256-sha512 aes256gcm: aes256gcm chacha20poly1305: chacha20poly1305 aria128-null: aria128-null aria128-md5: aria128-md5 aria128-sha1: aria128-sha1 aria128-sha256: aria128-sha256 aria128-sha384: aria128-sha384 aria128-sha512: aria128-sha512 aria192-null: aria192-null aria192-md5: aria192-md5 aria192-sha1: aria192-sha1 aria192-sha256: aria192-sha256 aria192-sha384: aria192-sha384 aria192-sha512: aria192-sha512 aria256-null: aria256-null aria256-md5: aria256-md5 aria256-sha1: aria256-sha1 aria256-sha256: aria256-sha256 aria256-sha384: aria256-sha384 aria256-sha512: aria256-sha512 seed-null: seed-null seed-md5: seed-md5 seed-sha1: seed-sha1 seed-sha256: seed-sha256 seed-sha384: seed-sha384 seed-sha512: seed-sha512	option	-
pfs	Enable/disable PFS feature. enable: Enable setting. disable: Disable setting.	option	-
ipv4-df	Enable/disable setting and resetting of IPv4 'Don't Fragment' bit. enable: Set IPv4 DF. disable: Reset IPv4 DF.	option	-
dhgrp	Phase2 DH group. 1: DH Group 1. 2: DH Group 2. 5: DH Group 5. 14: DH Group 14. 15: DH Group 15. 16: DH Group 16. 17: DH Group 17. 18: DH Group 18. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. 27: DH Group 27. 28: DH Group 28. 29: DH Group 29. 30: DH Group 30. 31: DH Group 31. 32: DH Group 32.	option	-
replay	Enable/disable replay detection. enable: Enable setting. disable: Disable setting.	option	-
keepalive	Enable/disable keep alive. enable: Enable setting. disable: Disable setting.	option	-
auto-negotiate	Enable/disable IPsec SA auto-negotiation. enable: Enable setting. disable: Disable setting.	option	-
add-route	Enable/disable automatic route addition. phase1: Add route according to phase1 add-route setting. enable: Add route for remote proxy ID. disable: Do not add route for remote proxy ID.	option	-
keylifeseconds	Phase2 key life in time in seconds (120 - 172800).	integer	Minimum value: 120 Maximum value: 172800
keylifekbs	Phase2 key life in number of bytes of traffic (5120 - 4294967295).	integer	Minimum value: 5120 Maximum value: 4294967295
keylife-type	Keylife type. seconds: Key life in seconds. kbs: Key life in kilobytes. both: Key life both.	option	-
single-source	Enable/disable single source IP restriction. enable: Only single source IP will be accepted. disable: Source IP range will be accepted.	option	-
route-overlap	Action for overlapping routes. use-old: Use the old route and do not add the new route. use-new: Delete the old route and add the new route. allow: Allow overlapping routes.	option	-
encapsulation	ESP encapsulation mode. tunnel-mode: Use tunnel mode encapsulation. transport-mode: Use transport mode encapsulation.	option	-
l2tp	Enable/disable L2TP over IPsec. enable: Enable L2TP over IPsec. disable: Disable L2TP over IPsec.	option	-
comments	Comment.	var-string	Maximum length: 255
protocol	Quick mode protocol selector (1 - 255 or 0 for all).	integer	Minimum value: 0 Maximum value: 255
src-name	Local proxy ID name.	string	Maximum length: 79
src-name6	Local proxy ID name.	string	Maximum length: 79
src-addr-type	Local proxy ID type. subnet: IPv4 subnet. range: IPv4 range. ip: IPv4 IP. name: IPv4 firewall address or group name.	option	-
src-start-ip	Local proxy ID start.	ipv4-address-any	Not Specified
src-start-ip6	Local proxy ID IPv6 start.	ipv6-address	Not Specified
src-end-ip	Local proxy ID end.	ipv4-address-any	Not Specified
src-end-ip6	Local proxy ID IPv6 end.	ipv6-address	Not Specified
src-subnet	Local proxy ID subnet.	ipv4-classnet-any	Not Specified
src-subnet6	Local proxy ID IPv6 subnet.	ipv6-prefix	Not Specified
src-port	Quick mode source port (1 - 65535 or 0 for all).	integer	Minimum value: 0 Maximum value: 65535
dst-name	Remote proxy ID name.	string	Maximum length: 79
dst-name6	Remote proxy ID name.	string	Maximum length: 79
dst-addr-type	Remote proxy ID type. subnet: IPv4 subnet. range: IPv4 range. ip: IPv4 IP. name: IPv4 firewall address or group name.	option	-
dst-start-ip	Remote proxy ID IPv4 start.	ipv4-address-any	Not Specified
dst-start-ip6	Remote proxy ID IPv6 start.	ipv6-address	Not Specified
dst-end-ip	Remote proxy ID IPv4 end.	ipv4-address-any	Not Specified
dst-end-ip6	Remote proxy ID IPv6 end.	ipv6-address	Not Specified
dst-subnet	Remote proxy ID IPv4 subnet.	ipv4-classnet-any	Not Specified
dst-subnet6	Remote proxy ID IPv6 subnet.	ipv6-prefix	Not Specified
dst-port	Quick mode destination port (1 - 65535 or 0 for all).	integer	Minimum value: 0 Maximum value: 65535

Configure VPN autokey tunnel.

config vpn ipsec phase2 Description: Configure VPN autokey tunnel. edit <name> set phase1name {string} set dhcp-ipsec [enable|disable] set use-natip [enable|disable] set selector-match [exact|subset|...] set proposal {option1}, {option2}, ... set pfs [enable|disable] set ipv4-df [enable|disable] set dhgrp {option1}, {option2}, ... set replay [enable|disable] set keepalive [enable|disable] set auto-negotiate [enable|disable] set add-route [phase1|enable|...] set keylifeseconds {integer} set keylifekbs {integer} set keylife-type [seconds|kbs|...] set single-source [enable|disable] set route-overlap [use-old|use-new|...] set encapsulation [tunnel-mode|transport-mode] set l2tp [enable|disable] set comments {var-string} set protocol {integer} set src-name {string} set src-name6 {string} set src-addr-type [subnet|range|...] set src-start-ip {ipv4-address-any} set src-start-ip6 {ipv6-address} set src-end-ip {ipv4-address-any} set src-end-ip6 {ipv6-address} set src-subnet {ipv4-classnet-any} set src-subnet6 {ipv6-prefix} set src-port {integer} set dst-name {string} set dst-name6 {string} set dst-addr-type [subnet|range|...] set dst-start-ip {ipv4-address-any} set dst-start-ip6 {ipv6-address} set dst-end-ip {ipv4-address-any} set dst-end-ip6 {ipv6-address} set dst-subnet {ipv4-classnet-any} set dst-subnet6 {ipv6-prefix} set dst-port {integer} next end

config vpn ipsec phase2

Parameter Name

Description

Type

Size

phase1name

Phase 1 determines the options required for phase 2.

string

Maximum length: 35

dhcp-ipsec

Enable/disable DHCP-IPsec.
enable: Enable setting.
disable: Disable setting.

option

use-natip

Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
enable: Replace source selector with interface IP when using outbound NAT.
disable: Do not modify source selector when using outbound NAT.

option

selector-match

Match type to use when comparing selectors.
exact: Match selectors exactly.
subset: Match selectors by subset.
auto: Use subset or exact match depending on selector address type.

option

proposal

Phase2 proposal.
null-md5: null-md5
null-sha1: null-sha1
null-sha256: null-sha256
null-sha384: null-sha384
null-sha512: null-sha512
des-null: des-null
des-md5: des-md5
des-sha1: des-sha1
des-sha256: des-sha256
des-sha384: des-sha384
des-sha512: des-sha512
3des-null: 3des-null
3des-md5: 3des-md5
3des-sha1: 3des-sha1
3des-sha256: 3des-sha256
3des-sha384: 3des-sha384
3des-sha512: 3des-sha512
aes128-null: aes128-null
aes128-md5: aes128-md5
aes128-sha1: aes128-sha1
aes128-sha256: aes128-sha256
aes128-sha384: aes128-sha384
aes128-sha512: aes128-sha512
aes128gcm: aes128gcm
aes192-null: aes192-null
aes192-md5: aes192-md5
aes192-sha1: aes192-sha1
aes192-sha256: aes192-sha256
aes192-sha384: aes192-sha384
aes192-sha512: aes192-sha512
aes256-null: aes256-null
aes256-md5: aes256-md5
aes256-sha1: aes256-sha1
aes256-sha256: aes256-sha256
aes256-sha384: aes256-sha384
aes256-sha512: aes256-sha512
aes256gcm: aes256gcm
chacha20poly1305: chacha20poly1305
aria128-null: aria128-null
aria128-md5: aria128-md5
aria128-sha1: aria128-sha1
aria128-sha256: aria128-sha256
aria128-sha384: aria128-sha384
aria128-sha512: aria128-sha512
aria192-null: aria192-null
aria192-md5: aria192-md5
aria192-sha1: aria192-sha1
aria192-sha256: aria192-sha256
aria192-sha384: aria192-sha384
aria192-sha512: aria192-sha512
aria256-null: aria256-null
aria256-md5: aria256-md5
aria256-sha1: aria256-sha1
aria256-sha256: aria256-sha256
aria256-sha384: aria256-sha384
aria256-sha512: aria256-sha512
seed-null: seed-null
seed-md5: seed-md5
seed-sha1: seed-sha1
seed-sha256: seed-sha256
seed-sha384: seed-sha384
seed-sha512: seed-sha512

option

pfs

Enable/disable PFS feature.
enable: Enable setting.
disable: Disable setting.

option

ipv4-df

Enable/disable setting and resetting of IPv4 'Don't Fragment' bit.
enable: Set IPv4 DF.
disable: Reset IPv4 DF.

option

dhgrp

Phase2 DH group.
1: DH Group 1.
2: DH Group 2.
5: DH Group 5.
14: DH Group 14.
15: DH Group 15.
16: DH Group 16.
17: DH Group 17.
18: DH Group 18.
19: DH Group 19.
20: DH Group 20.
21: DH Group 21.
27: DH Group 27.
28: DH Group 28.
29: DH Group 29.
30: DH Group 30.
31: DH Group 31.
32: DH Group 32.

option

replay

Enable/disable replay detection.
enable: Enable setting.
disable: Disable setting.

option

keepalive

Enable/disable keep alive.
enable: Enable setting.
disable: Disable setting.

option

auto-negotiate

Enable/disable IPsec SA auto-negotiation.
enable: Enable setting.
disable: Disable setting.

option

add-route

Enable/disable automatic route addition.
phase1: Add route according to phase1 add-route setting.
enable: Add route for remote proxy ID.
disable: Do not add route for remote proxy ID.

option

keylifeseconds

Phase2 key life in time in seconds (120 - 172800).

integer

Minimum value: 120 Maximum value: 172800

keylifekbs

Phase2 key life in number of bytes of traffic (5120 - 4294967295).

integer

Minimum value: 5120 Maximum value: 4294967295

keylife-type

Keylife type.
seconds: Key life in seconds.
kbs: Key life in kilobytes.
both: Key life both.

option

single-source

Enable/disable single source IP restriction.
enable: Only single source IP will be accepted.
disable: Source IP range will be accepted.

option

route-overlap

Action for overlapping routes.
use-old: Use the old route and do not add the new route.
use-new: Delete the old route and add the new route.
allow: Allow overlapping routes.

option

encapsulation

ESP encapsulation mode.
tunnel-mode: Use tunnel mode encapsulation.
transport-mode: Use transport mode encapsulation.

option

l2tp

Enable/disable L2TP over IPsec.
enable: Enable L2TP over IPsec.
disable: Disable L2TP over IPsec.

option

comments

Comment.

var-string

Maximum length: 255

protocol

Quick mode protocol selector (1 - 255 or 0 for all).

integer

Minimum value: 0 Maximum value: 255

src-name

Local proxy ID name.

string

Maximum length: 79

src-name6

Local proxy ID name.

string

Maximum length: 79

src-addr-type

Local proxy ID type.
subnet: IPv4 subnet.
range: IPv4 range.
ip: IPv4 IP.
name: IPv4 firewall address or group name.

option

src-start-ip

Local proxy ID start.

ipv4-address-any

Not Specified

src-start-ip6

Local proxy ID IPv6 start.

ipv6-address

Not Specified

src-end-ip

Local proxy ID end.

ipv4-address-any

Not Specified

src-end-ip6

Local proxy ID IPv6 end.

ipv6-address

Not Specified

src-subnet

Local proxy ID subnet.

ipv4-classnet-any

Not Specified

src-subnet6

Local proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

src-port

Quick mode source port (1 - 65535 or 0 for all).

integer

Minimum value: 0 Maximum value: 65535

dst-name

Remote proxy ID name.

string

Maximum length: 79

dst-name6

Remote proxy ID name.

string

Maximum length: 79

dst-addr-type

Remote proxy ID type.
subnet: IPv4 subnet.
range: IPv4 range.
ip: IPv4 IP.
name: IPv4 firewall address or group name.

option

dst-start-ip

Remote proxy ID IPv4 start.

ipv4-address-any

Not Specified

dst-start-ip6

Remote proxy ID IPv6 start.

ipv6-address

Not Specified

dst-end-ip

Remote proxy ID IPv4 end.

ipv4-address-any

Not Specified

dst-end-ip6

Remote proxy ID IPv6 end.

ipv6-address

Not Specified

dst-subnet

Remote proxy ID IPv4 subnet.

ipv4-classnet-any

Not Specified

dst-subnet6

Remote proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

dst-port

Quick mode destination port (1 - 65535 or 0 for all).

integer

Minimum value: 0 Maximum value: 65535

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2

vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2