config vpn ipsec phase1-interface
Description: Configure VPN remote gateway.
edit <name>
set type [static|dynamic|...]
set interface {string}
set ip-version [4|6]
set ike-version [1|2]
set local-gw {ipv4-address}
set local-gw6 {ipv6-address}
set remote-gw {ipv4-address}
set remote-gw6 {ipv6-address}
set remotegw-ddns {string}
set keylife {integer}
set certificate <name1>, <name2>, ...
set authmethod [psk|signature]
set authmethod-remote [psk|signature]
set mode [aggressive|main]
set peertype [any|one|...]
set peerid {string}
set default-gw {ipv4-address}
set default-gw-priority {integer}
set usrgrp {string}
set peer {string}
set peergrp {string}
set monitor {string}
set monitor-hold-down-type [immediate|delay|...]
set monitor-hold-down-delay {integer}
set monitor-hold-down-weekday [everyday|sunday|...]
set monitor-hold-down-time {user}
set net-device [enable|disable]
set tunnel-search [selectors|nexthop]
set passive-mode [enable|disable]
set exchange-interface-ip [enable|disable]
set exchange-ip-addr4 {ipv4-address}
set exchange-ip-addr6 {ipv6-address}
set aggregate-member [enable|disable]
set mode-cfg [disable|enable]
set assign-ip [disable|enable]
set assign-ip-from [range|usrgrp|...]
set ipv4-start-ip {ipv4-address}
set ipv4-end-ip {ipv4-address}
set ipv4-netmask {ipv4-netmask}
set dhcp-ra-giaddr {ipv4-address}
set dhcp6-ra-linkaddr {ipv6-address}
set dns-mode [manual|auto]
set ipv4-dns-server1 {ipv4-address}
set ipv4-dns-server2 {ipv4-address}
set ipv4-dns-server3 {ipv4-address}
set ipv4-wins-server1 {ipv4-address}
set ipv4-wins-server2 {ipv4-address}
config ipv4-exclude-range
Description: Configuration Method IPv4 exclude ranges.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
next
end
set ipv4-split-include {string}
set split-include-service {string}
set ipv4-name {string}
set ipv6-start-ip {ipv6-address}
set ipv6-end-ip {ipv6-address}
set ipv6-prefix {integer}
set ipv6-dns-server1 {ipv6-address}
set ipv6-dns-server2 {ipv6-address}
set ipv6-dns-server3 {ipv6-address}
config ipv6-exclude-range
Description: Configuration method IPv6 exclude ranges.
edit <id>
set start-ip {ipv6-address}
set end-ip {ipv6-address}
next
end
set ipv6-split-include {string}
set ipv6-name {string}
set unity-support [disable|enable]
set domain {string}
set banner {var-string}
set include-local-lan [disable|enable]
set ipv4-split-exclude {string}
set ipv6-split-exclude {string}
set save-password [disable|enable]
set client-auto-negotiate [disable|enable]
set client-keep-alive [disable|enable]
set backup-gateway <address1>, <address2>, ...
set proposal {option1}, {option2}, ...
set add-route [disable|enable]
set add-gw-route [enable|disable]
set psksecret {password-3}
set psksecret-remote {password-3}
set keepalive {integer}
set distance {integer}
set priority {integer}
set localid {string}
set localid-type [auto|fqdn|...]
set auto-negotiate [enable|disable]
set negotiate-timeout {integer}
set fragmentation [enable|disable]
set ip-fragmentation [pre-encapsulation|post-encapsulation]
set dpd [disable|on-idle|...]
set dpd-retrycount {integer}
set dpd-retryinterval {user}
set forticlient-enforcement [enable|disable]
set comments {var-string}
set npu-offload [enable|disable]
set send-cert-chain [enable|disable]
set dhgrp {option1}, {option2}, ...
set suite-b [disable|suite-b-gcm-128|...]
set eap [enable|disable]
set eap-identity [use-id-payload|send-request]
set eap-exclude-peergrp {string}
set acct-verify [enable|disable]
set ppk [disable|allow|...]
set ppk-secret {password-3}
set ppk-identity {string}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
set reauth [disable|enable]
set authusr {string}
set authpasswd {password}
set group-authentication [enable|disable]
set group-authentication-secret {password-3}
set authusrgrp {string}
set mesh-selector-type [disable|subnet|...]
set idle-timeout [enable|disable]
set idle-timeoutinterval {integer}
set ha-sync-esp-seqno [enable|disable]
set auto-discovery-sender [enable|disable]
set auto-discovery-receiver [enable|disable]
set auto-discovery-forwarder [enable|disable]
set auto-discovery-psk [enable|disable]
set encapsulation [none|gre|...]
set encapsulation-address [ike|ipv4|...]
set encap-local-gw4 {ipv4-address}
set encap-local-gw6 {ipv6-address}
set encap-remote-gw4 {ipv4-address}
set encap-remote-gw6 {ipv6-address}
set vni {integer}
set nattraversal [enable|disable|...]
set esn [require|allow|...]
set fragmentation-mtu {integer}
set childless-ike [enable|disable]
set rekey [enable|disable]
set digital-signature-auth [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set rsa-signature-format [pkcs1|pss]
set enforce-unique-id [disable|keep-new|...]
set cert-id-validation [enable|disable]
set fec-egress [enable|disable]
set fec-send-timeout {integer}
set fec-base {integer}
set fec-redundant {integer}
set fec-ingress [enable|disable]
set fec-receive-timeout {integer}
set network-overlay [disable|enable]
set network-id {integer}
next
end| Parameter Name | Description | Type | Size |
|---|---|---|---|
| type | Remote gateway type. static: Remote VPN gateway has fixed IP address. dynamic: Remote VPN gateway has dynamic IP address. ddns: Remote VPN gateway has dynamic IP address and is a dynamic DNS client. |
option | - |
| interface | Local physical, aggregate, or VLAN outgoing interface. | string | Maximum length: 35 |
| ip-version | IP version to use for VPN interface. 4: Use IPv4 addressing for gateways. 6: Use IPv6 addressing for gateways. |
option | - |
| ike-version | IKE protocol version. 1: Use IKEv1 protocol. 2: Use IKEv2 protocol. |
option | - |
| local-gw | IPv4 address of the local gateway's external interface. | ipv4-address | Not Specified |
| local-gw6 | IPv6 address of the local gateway's external interface. | ipv6-address | Not Specified |
| remote-gw | IPv4 address of the remote gateway's external interface. | ipv4-address | Not Specified |
| remote-gw6 | IPv6 address of the remote gateway's external interface. | ipv6-address | Not Specified |
| remotegw-ddns | Domain name of remote gateway (eg. name.DDNS.com). | string | Maximum length: 63 |
| keylife | Time to wait in seconds before phase 1 encryption key expires. | integer | Minimum value: 120 Maximum value: 172800 |
certificate <name> |
The names of up to 4 signed personal certificates. Certificate name. |
string | Maximum length: 79 |
| authmethod | Authentication method. psk: PSK authentication method. signature: Signature authentication method. |
option | - |
| authmethod-remote | Authentication method (remote side). psk: PSK authentication method. signature: Signature authentication method. |
option | - |
| mode | The ID protection mode used to establish a secure channel. aggressive: Aggressive mode. main: Main mode. |
option | - |
| peertype | Accept this peer type. any: Accept any peer ID. one: Accept this peer ID. dialup: Accept peer ID in dialup group. peer: Accept this peer certificate. peergrp: Accept this peer certificate group. |
option | - |
| peerid | Accept this peer identity. | string | Maximum length: 255 |
| default-gw | IPv4 address of default route gateway to use for traffic exiting the interface. | ipv4-address | Not Specified |
| default-gw-priority | Priority for default gateway route. A higher priority number signifies a less preferred route. | integer | Minimum value: 0 Maximum value: 4294967295 |
| usrgrp | User group name for dialup peers. | string | Maximum length: 35 |
| peer | Accept this peer certificate. | string | Maximum length: 35 |
| peergrp | Accept this peer certificate group. | string | Maximum length: 35 |
| monitor | IPsec interface as backup for primary interface. | string | Maximum length: 35 |
| monitor-hold-down-type | Recovery time method when primary interface re-establishes. immediate: Fail back immediately after primary recovers. delay: Number of seconds to delay fail back after primary recovers. time: Specify a time at which to fail back after primary recovers. |
option | - |
| monitor-hold-down-delay | Time to wait in seconds before recovery once primary re-establishes. | integer | Minimum value: 0 Maximum value: 31536000 |
| monitor-hold-down-weekday | Day of the week to recover once primary re-establishes. everyday: Every Day. sunday: Sunday. monday: Monday. tuesday: Tuesday. wednesday: Wednesday. thursday: Thursday. friday: Friday. saturday: Saturday. |
option | - |
| monitor-hold-down-time | Time of day at which to fail back to primary after it re-establishes. | user | Not Specified |
| net-device | Enable/disable kernel device creation. enable: Create a kernel device for every tunnel. disable: Do not create a kernel device for tunnels. |
option | - |
| tunnel-search | Tunnel search method for when the interface is shared. selectors: Search for tunnel in selectors. nexthop: Search for tunnel using nexthop. |
option | - |
| passive-mode | Enable/disable IPsec passive mode for static tunnels. enable: Enable IPsec passive mode. disable: Disable IPsec passive mode. |
option | - |
| exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. enable: Enable exchange of IPsec interface IP address. disable: Disable exchange of IPsec interface IP address. |
option | - |
| exchange-ip-addr4 | IPv4 address to exchange with peers. | ipv4-address | Not Specified |
| exchange-ip-addr6 | IPv6 address to exchange with peers | ipv6-address | Not Specified |
| aggregate-member | Enable/disable use as an aggregate member. enable: Enable use as an aggregate member. disable: Disable use as an aggregate member. |
option | - |
| mode-cfg | Enable/disable configuration method. disable: Disable Configuration Method. enable: Enable Configuration Method. |
option | - |
| assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. disable: Do not assign an IP address to the IPsec interface. enable: Assign an IP address to the IPsec interface. |
option | - |
| assign-ip-from | Method by which the IP address will be assigned. range: Assign IP address from locally defined range. usrgrp: Assign IP address via user group. dhcp: Assign IP address via DHCP. name: Assign IP address from firewall address or group. |
option | - |
| ipv4-start-ip | Start of IPv4 range. | ipv4-address | Not Specified |
| ipv4-end-ip | End of IPv4 range. | ipv4-address | Not Specified |
| ipv4-netmask | IPv4 Netmask. | ipv4-netmask | Not Specified |
| dhcp-ra-giaddr | Relay agent gateway IP address to use in the giaddr field of DHCP requests. | ipv4-address | Not Specified |
| dhcp6-ra-linkaddr | Relay agent IPv6 link address to use in DHCP6 requests. | ipv6-address | Not Specified |
| dns-mode | DNS server mode. manual: Manually configure DNS servers. auto: Use default DNS servers. |
option | - |
| ipv4-dns-server1 | IPv4 DNS server 1. | ipv4-address | Not Specified |
| ipv4-dns-server2 | IPv4 DNS server 2. | ipv4-address | Not Specified |
| ipv4-dns-server3 | IPv4 DNS server 3. | ipv4-address | Not Specified |
| ipv4-wins-server1 | WINS server 1. | ipv4-address | Not Specified |
| ipv4-wins-server2 | WINS server 2. | ipv4-address | Not Specified |
| ipv4-split-include | IPv4 split-include subnets. | string | Maximum length: 79 |
| split-include-service | Split-include services. | string | Maximum length: 79 |
| ipv4-name | IPv4 address name. | string | Maximum length: 79 |
| ipv6-start-ip | Start of IPv6 range. | ipv6-address | Not Specified |
| ipv6-end-ip | End of IPv6 range. | ipv6-address | Not Specified |
| ipv6-prefix | IPv6 prefix. | integer | Minimum value: 1 Maximum value: 128 |
| ipv6-dns-server1 | IPv6 DNS server 1. | ipv6-address | Not Specified |
| ipv6-dns-server2 | IPv6 DNS server 2. | ipv6-address | Not Specified |
| ipv6-dns-server3 | IPv6 DNS server 3. | ipv6-address | Not Specified |
| ipv6-split-include | IPv6 split-include subnets. | string | Maximum length: 79 |
| ipv6-name | IPv6 address name. | string | Maximum length: 79 |
| unity-support | Enable/disable support for Cisco UNITY Configuration Method extensions. disable: Disable Cisco Unity Configuration Method Extensions. enable: Enable Cisco Unity Configuration Method Extensions. |
option | - |
| domain | Instruct unity clients about the default DNS domain. | string | Maximum length: 63 |
| banner | Message that unity client should display after connecting. | var-string | Maximum length: 1024 |
| include-local-lan | Enable/disable allow local LAN access on unity clients. disable: Disable local LAN access on Unity clients. enable: Enable local LAN access on Unity clients. |
option | - |
| ipv4-split-exclude | IPv4 subnets that should not be sent over the IPsec tunnel. | string | Maximum length: 79 |
| ipv6-split-exclude | IPv6 subnets that should not be sent over the IPsec tunnel. | string | Maximum length: 79 |
| save-password | Enable/disable saving XAuth username and password on VPN clients. disable: Disable saving XAuth username and password on VPN clients. enable: Enable saving XAuth username and password on VPN clients. |
option | - |
| client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable: Disable allowing the VPN client to bring up the tunnel when there is no traffic. enable: Enable allowing the VPN client to bring up the tunnel when there is no traffic. |
option | - |
| client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable: Disable allowing the VPN client to keep the tunnel up when there is no traffic. enable: Enable allowing the VPN client to keep the tunnel up when there is no traffic. |
option | - |
backup-gateway <address> |
Instruct unity clients about the backup gateway address(es). Address of backup gateway. |
string | Maximum length: 79 |
| proposal | Phase1 proposal. des-md5: des-md5 des-sha1: des-sha1 des-sha256: des-sha256 des-sha384: des-sha384 des-sha512: des-sha512 3des-md5: 3des-md5 3des-sha1: 3des-sha1 3des-sha256: 3des-sha256 3des-sha384: 3des-sha384 3des-sha512: 3des-sha512 aes128-md5: aes128-md5 aes128-sha1: aes128-sha1 aes128-sha256: aes128-sha256 aes128-sha384: aes128-sha384 aes128-sha512: aes128-sha512 aes128gcm-prfsha1: aes128gcm-prfsha1 aes128gcm-prfsha256: aes128gcm-prfsha256 aes128gcm-prfsha384: aes128gcm-prfsha384 aes128gcm-prfsha512: aes128gcm-prfsha512 aes192-md5: aes192-md5 aes192-sha1: aes192-sha1 aes192-sha256: aes192-sha256 aes192-sha384: aes192-sha384 aes192-sha512: aes192-sha512 aes256-md5: aes256-md5 aes256-sha1: aes256-sha1 aes256-sha256: aes256-sha256 aes256-sha384: aes256-sha384 aes256-sha512: aes256-sha512 aes256gcm-prfsha1: aes256gcm-prfsha1 aes256gcm-prfsha256: aes256gcm-prfsha256 aes256gcm-prfsha384: aes256gcm-prfsha384 aes256gcm-prfsha512: aes256gcm-prfsha512 chacha20poly1305-prfsha1: chacha20poly1305-prfsha1 chacha20poly1305-prfsha256: chacha20poly1305-prfsha256 chacha20poly1305-prfsha384: chacha20poly1305-prfsha384 chacha20poly1305-prfsha512: chacha20poly1305-prfsha512 aria128-md5: aria128-md5 aria128-sha1: aria128-sha1 aria128-sha256: aria128-sha256 aria128-sha384: aria128-sha384 aria128-sha512: aria128-sha512 aria192-md5: aria192-md5 aria192-sha1: aria192-sha1 aria192-sha256: aria192-sha256 aria192-sha384: aria192-sha384 aria192-sha512: aria192-sha512 aria256-md5: aria256-md5 aria256-sha1: aria256-sha1 aria256-sha256: aria256-sha256 aria256-sha384: aria256-sha384 aria256-sha512: aria256-sha512 seed-md5: seed-md5 seed-sha1: seed-sha1 seed-sha256: seed-sha256 seed-sha384: seed-sha384 seed-sha512: seed-sha512 |
option | - |
| add-route | Enable/disable control addition of a route to peer destination selector. disable: Do not add a route to destination of peer selector. enable: Add route to destination of peer selector. |
option | - |
| add-gw-route | Enable/disable automatically add a route to the remote gateway. enable: Automatically add a route to the remote gateway. disable: Do not automatically add a route to the remote gateway. |
option | - |
| psksecret | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| psksecret-remote | Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| keepalive | NAT-T keep alive interval. | integer | Minimum value: 10 Maximum value: 900 |
| distance | Distance for routes added by IKE (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
| priority | Priority for routes added by IKE (0 - 4294967295). | integer | Minimum value: 0 Maximum value: 4294967295 |
| localid | Local ID. | string | Maximum length: 63 |
| localid-type | Local ID type. auto: Select ID type automatically. fqdn: Use fully qualified domain name. user-fqdn: Use user fully qualified domain name. keyid: Use key-id string. address: Use local IP address. asn1dn: Use ASN.1 distinguished name. |
option | - |
| auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. enable: Enable automatic initiation of IKE SA negotiation. disable: Disable automatic initiation of IKE SA negotiation. |
option | - |
| negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | integer | Minimum value: 1 Maximum value: 300 |
| fragmentation | Enable/disable fragment IKE message on re-transmission. enable: Enable intra-IKE fragmentation support on re-transmission. disable: Disable intra-IKE fragmentation support. |
option | - |
| ip-fragmentation | Determine whether IP packets are fragmented before or after IPsec encapsulation. pre-encapsulation: Fragment before IPsec encapsulation. post-encapsulation: Fragment after IPsec encapsulation (RFC compliant). |
option | - |
| dpd | Dead Peer Detection mode. disable: Disable Dead Peer Detection. on-idle: Trigger Dead Peer Detection when IPsec is idle. on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer. |
option | - |
| dpd-retrycount | Number of DPD retry attempts. | integer | Minimum value: 0 Maximum value: 10 |
| dpd-retryinterval | DPD retry interval. | user | Not Specified |
| forticlient-enforcement | Enable/disable FortiClient enforcement. enable: Enable FortiClient enforcement. disable: Disable FortiClient enforcement. |
option | - |
| comments | Comment. | var-string | Maximum length: 255 |
| npu-offload | Enable/disable offloading NPU. enable: Enable NPU offloading. disable: Disable NPU offloading. |
option | - |
| send-cert-chain | Enable/disable sending certificate chain. enable: Enable sending certificate chain. disable: Disable sending certificate chain. |
option | - |
| dhgrp | DH group. 1: DH Group 1. 2: DH Group 2. 5: DH Group 5. 14: DH Group 14. 15: DH Group 15. 16: DH Group 16. 17: DH Group 17. 18: DH Group 18. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. 27: DH Group 27. 28: DH Group 28. 29: DH Group 29. 30: DH Group 30. 31: DH Group 31. 32: DH Group 32. |
option | - |
| suite-b | Use Suite-B. disable: Do not use UI suite. suite-b-gcm-128: Use Suite-B-GCM-128. suite-b-gcm-256: Use Suite-B-GCM-256. |
option | - |
| eap | Enable/disable IKEv2 EAP authentication. enable: Enable IKEv2 EAP authentication. disable: Disable IKEv2 EAP authentication. |
option | - |
| eap-identity | IKEv2 EAP peer identity type. use-id-payload: Use IKEv2 IDi payload to resolve peer identity. send-request: Use EAP identity request to resolve peer identity. |
option | - |
| eap-exclude-peergrp | Peer group excluded from EAP authentication. | string | Maximum length: 35 |
| acct-verify | Enable/disable verification of RADIUS accounting record. enable: Enable verification of RADIUS accounting record. disable: Disable verification of RADIUS accounting record. |
option | - |
| ppk | Enable/disable IKEv2 Postquantum Preshared Key (PPK). disable: Disable use of IKEv2 Postquantum Preshared Key (PPK). allow: Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK). require: Require use of IKEv2 Postquantum Preshared Key (PPK). |
option | - |
| ppk-secret | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| ppk-identity | IKEv2 Postquantum Preshared Key Identity. | string | Maximum length: 35 |
| wizard-type | GUI VPN Wizard Type. custom: Custom VPN configuration. dialup-forticlient: Dial Up - FortiClient Windows, Mac and Android. dialup-ios: Dial Up - iPhone / iPad Native IPsec Client. dialup-android: Dial Up - Android Native IPsec Client. dialup-windows: Dial Up - Windows Native IPsec Client. dialup-cisco: Dial Up - Cisco IPsec Client. static-fortigate: Site to Site - FortiGate. dialup-fortigate: Dial Up - FortiGate. static-cisco: Site to Site - Cisco. dialup-cisco-fw: Dialup Up - Cisco Firewall. simplified-static-fortigate: Site to Site - FortiGate (SD-WAN). hub-fortigate-auto-discovery: Hub role in a Hub-and-Spoke auto-discovery VPN. spoke-fortigate-auto-discovery: Spoke role in a Hub-and-Spoke auto-discovery VPN. |
option | - |
| xauthtype | XAuth type. disable: Disable. client: Enable as client. pap: Enable as server PAP. chap: Enable as server CHAP. auto: Enable as server auto. |
option | - |
| reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. disable: Disable IKE SA re-authentication. enable: Enable IKE SA re-authentication. |
option | - |
| authusr | XAuth user name. | string | Maximum length: 64 |
| authpasswd | XAuth password (max 35 characters). | password | Not Specified |
| group-authentication | Enable/disable IKEv2 IDi group authentication. enable: Enable IKEv2 IDi group authentication. disable: Disable IKEv2 IDi group authentication. |
option | - |
| group-authentication-secret | Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) | password-3 | Not Specified |
| authusrgrp | Authentication user group. | string | Maximum length: 35 |
| mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. disable: Disable. subnet: Enable addition of matching subnet selector. host: Enable addition of host to host selector. |
option | - |
| idle-timeout | Enable/disable IPsec tunnel idle timeout. enable: Enable IPsec tunnel idle timeout. disable: Disable IPsec tunnel idle timeout. |
option | - |
| idle-timeoutinterval | IPsec tunnel idle timeout in minutes (5 - 43200). | integer | Minimum value: 5 Maximum value: 43200 |
| ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. enable: Enable HA syncing of ESP sequence numbers. disable: Disable HA syncing of ESP sequence numbers. |
option | - |
| auto-discovery-sender | Enable/disable sending auto-discovery short-cut messages. enable: Enable sending auto-discovery short-cut messages. disable: Disable sending auto-discovery short-cut messages. |
option | - |
| auto-discovery-receiver | Enable/disable accepting auto-discovery short-cut messages. enable: Enable receiving auto-discovery short-cut messages. disable: Disable receiving auto-discovery short-cut messages. |
option | - |
| auto-discovery-forwarder | Enable/disable forwarding auto-discovery short-cut messages. enable: Enable forwarding auto-discovery short-cut messages. disable: Disable forwarding auto-discovery short-cut messages. |
option | - |
| auto-discovery-psk | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. enable: Enable use of pre-shared-secret authentication for auto-discovery tunnels. disable: Disable use of authentication defined by 'authmethod' for auto-discovery tunnels. |
option | - |
| encapsulation | Enable/disable GRE/VXLAN encapsulation. none: No additional encapsulation. gre: GRE encapsulation. vxlan: VXLAN encapsulation. |
option | - |
| encapsulation-address | Source for GRE/VXLAN tunnel address. ike: Use IKE/IPsec gateway addresses. ipv4: Specify separate GRE/VXLAN tunnel address. ipv6: Specify separate GRE/VXLAN tunnel address. |
option | - |
| encap-local-gw4 | Local IPv4 address of GRE/VXLAN tunnel. | ipv4-address | Not Specified |
| encap-local-gw6 | Local IPv6 address of GRE/VXLAN tunnel. | ipv6-address | Not Specified |
| encap-remote-gw4 | Remote IPv4 address of GRE/VXLAN tunnel. | ipv4-address | Not Specified |
| encap-remote-gw6 | Remote IPv6 address of GRE/VXLAN tunnel. | ipv6-address | Not Specified |
| vni | VNI of VXLAN tunnel. | integer | Minimum value: 1 Maximum value: 16777215 |
| nattraversal | Enable/disable NAT traversal. enable: Enable IPsec NAT traversal. disable: Disable IPsec NAT traversal. forced: Force IPsec NAT traversal on. |
option | - |
| esn | Extended sequence number (ESN) negotiation. require: Require extended sequence number. allow: Allow extended sequence number. disable: Disable extended sequence number. |
option | - |
| fragmentation-mtu | IKE fragmentation MTU (500 - 16000). | integer | Minimum value: 500 Maximum value: 16000 |
| childless-ike | Enable/disable childless IKEv2 initiation (RFC 6023). enable: Enable childless IKEv2 initiation (RFC 6023). disable: Disable childless IKEv2 initiation (RFC 6023). |
option | - |
| rekey | Enable/disable phase1 rekey. enable: Enable phase1 rekey. disable: Disable phase1 rekey. |
option | - |
| digital-signature-auth | Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). enable: Enable IKEv2 Digital Signature Authentication (RFC 7427). disable: Disable IKEv2 Digital Signature Authentication (RFC 7427). |
option | - |
| signature-hash-alg | Digital Signature Authentication hash algorithms. sha1: SHA1. sha2-256: SHA2-256. sha2-384: SHA2-384. sha2-512: SHA2-512. |
option | - |
| rsa-signature-format | Digital Signature Authentication RSA signature format. pkcs1: RSASSA PKCS#1 v1.5. pss: RSASSA Probabilistic Signature Scheme (PSS). |
option | - |
| enforce-unique-id | Enable/disable peer ID uniqueness check. disable: Disable peer ID uniqueness enforcement. keep-new: Enforce peer ID uniqueness, keep new connection if collision found. keep-old: Enforce peer ID uniqueness, keep old connection if collision found. |
option | - |
| cert-id-validation | Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. enable: Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. disable: Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. |
option | - |
| fec-egress | Enable/disable Forward Error Correction for egress IPsec traffic. enable: Enable Forward Error Correction for egress IPsec traffic. disable: Disable Forward Error Correction for egress IPsec traffic. |
option | - |
| fec-send-timeout | Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). | integer | Minimum value: 1 Maximum value: 1000 |
| fec-base | Number of base Forward Error Correction packets (1 - 100). | integer | Minimum value: 1 Maximum value: 100 |
| fec-redundant | Number of redundant Forward Error Correction packets (1 - 100). | integer | Minimum value: 1 Maximum value: 100 |
| fec-ingress | Enable/disable Forward Error Correction for ingress IPsec traffic. enable: Enable Forward Error Correction for ingress IPsec traffic. disable: Disable Forward Error Correction for ingress IPsec traffic. |
option | - |
| fec-receive-timeout | Timeout in milliseconds before dropping Forward Error Correction packets (1 - 10000). | integer | Minimum value: 1 Maximum value: 10000 |
| network-overlay | Enable/disable network overlays. disable: Disable network overlays. enable: Enable network overlays. |
option | - |
| network-id | VPN gateway network ID. | integer | Minimum value: 0 Maximum value: 255 |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IPv4 exclusive range. | ipv4-address | Not Specified |
| end-ip | End of IPv4 exclusive range. | ipv4-address | Not Specified |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IPv6 exclusive range. | ipv6-address | Not Specified |
| end-ip | End of IPv6 exclusive range. | ipv6-address | Not Specified |
config vpn ipsec phase1-interface
Description: Configure VPN remote gateway.
edit <name>
set type [static|dynamic|...]
set interface {string}
set ip-version [4|6]
set ike-version [1|2]
set local-gw {ipv4-address}
set local-gw6 {ipv6-address}
set remote-gw {ipv4-address}
set remote-gw6 {ipv6-address}
set remotegw-ddns {string}
set keylife {integer}
set certificate <name1>, <name2>, ...
set authmethod [psk|signature]
set authmethod-remote [psk|signature]
set mode [aggressive|main]
set peertype [any|one|...]
set peerid {string}
set default-gw {ipv4-address}
set default-gw-priority {integer}
set usrgrp {string}
set peer {string}
set peergrp {string}
set monitor {string}
set monitor-hold-down-type [immediate|delay|...]
set monitor-hold-down-delay {integer}
set monitor-hold-down-weekday [everyday|sunday|...]
set monitor-hold-down-time {user}
set net-device [enable|disable]
set tunnel-search [selectors|nexthop]
set passive-mode [enable|disable]
set exchange-interface-ip [enable|disable]
set exchange-ip-addr4 {ipv4-address}
set exchange-ip-addr6 {ipv6-address}
set aggregate-member [enable|disable]
set mode-cfg [disable|enable]
set assign-ip [disable|enable]
set assign-ip-from [range|usrgrp|...]
set ipv4-start-ip {ipv4-address}
set ipv4-end-ip {ipv4-address}
set ipv4-netmask {ipv4-netmask}
set dhcp-ra-giaddr {ipv4-address}
set dhcp6-ra-linkaddr {ipv6-address}
set dns-mode [manual|auto]
set ipv4-dns-server1 {ipv4-address}
set ipv4-dns-server2 {ipv4-address}
set ipv4-dns-server3 {ipv4-address}
set ipv4-wins-server1 {ipv4-address}
set ipv4-wins-server2 {ipv4-address}
config ipv4-exclude-range
Description: Configuration Method IPv4 exclude ranges.
edit <id>
set start-ip {ipv4-address}
set end-ip {ipv4-address}
next
end
set ipv4-split-include {string}
set split-include-service {string}
set ipv4-name {string}
set ipv6-start-ip {ipv6-address}
set ipv6-end-ip {ipv6-address}
set ipv6-prefix {integer}
set ipv6-dns-server1 {ipv6-address}
set ipv6-dns-server2 {ipv6-address}
set ipv6-dns-server3 {ipv6-address}
config ipv6-exclude-range
Description: Configuration method IPv6 exclude ranges.
edit <id>
set start-ip {ipv6-address}
set end-ip {ipv6-address}
next
end
set ipv6-split-include {string}
set ipv6-name {string}
set unity-support [disable|enable]
set domain {string}
set banner {var-string}
set include-local-lan [disable|enable]
set ipv4-split-exclude {string}
set ipv6-split-exclude {string}
set save-password [disable|enable]
set client-auto-negotiate [disable|enable]
set client-keep-alive [disable|enable]
set backup-gateway <address1>, <address2>, ...
set proposal {option1}, {option2}, ...
set add-route [disable|enable]
set add-gw-route [enable|disable]
set psksecret {password-3}
set psksecret-remote {password-3}
set keepalive {integer}
set distance {integer}
set priority {integer}
set localid {string}
set localid-type [auto|fqdn|...]
set auto-negotiate [enable|disable]
set negotiate-timeout {integer}
set fragmentation [enable|disable]
set ip-fragmentation [pre-encapsulation|post-encapsulation]
set dpd [disable|on-idle|...]
set dpd-retrycount {integer}
set dpd-retryinterval {user}
set forticlient-enforcement [enable|disable]
set comments {var-string}
set npu-offload [enable|disable]
set send-cert-chain [enable|disable]
set dhgrp {option1}, {option2}, ...
set suite-b [disable|suite-b-gcm-128|...]
set eap [enable|disable]
set eap-identity [use-id-payload|send-request]
set eap-exclude-peergrp {string}
set acct-verify [enable|disable]
set ppk [disable|allow|...]
set ppk-secret {password-3}
set ppk-identity {string}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
set reauth [disable|enable]
set authusr {string}
set authpasswd {password}
set group-authentication [enable|disable]
set group-authentication-secret {password-3}
set authusrgrp {string}
set mesh-selector-type [disable|subnet|...]
set idle-timeout [enable|disable]
set idle-timeoutinterval {integer}
set ha-sync-esp-seqno [enable|disable]
set auto-discovery-sender [enable|disable]
set auto-discovery-receiver [enable|disable]
set auto-discovery-forwarder [enable|disable]
set auto-discovery-psk [enable|disable]
set encapsulation [none|gre|...]
set encapsulation-address [ike|ipv4|...]
set encap-local-gw4 {ipv4-address}
set encap-local-gw6 {ipv6-address}
set encap-remote-gw4 {ipv4-address}
set encap-remote-gw6 {ipv6-address}
set vni {integer}
set nattraversal [enable|disable|...]
set esn [require|allow|...]
set fragmentation-mtu {integer}
set childless-ike [enable|disable]
set rekey [enable|disable]
set digital-signature-auth [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set rsa-signature-format [pkcs1|pss]
set enforce-unique-id [disable|keep-new|...]
set cert-id-validation [enable|disable]
set fec-egress [enable|disable]
set fec-send-timeout {integer}
set fec-base {integer}
set fec-redundant {integer}
set fec-ingress [enable|disable]
set fec-receive-timeout {integer}
set network-overlay [disable|enable]
set network-id {integer}
next
end| Parameter Name | Description | Type | Size |
|---|---|---|---|
| type | Remote gateway type. static: Remote VPN gateway has fixed IP address. dynamic: Remote VPN gateway has dynamic IP address. ddns: Remote VPN gateway has dynamic IP address and is a dynamic DNS client. |
option | - |
| interface | Local physical, aggregate, or VLAN outgoing interface. | string | Maximum length: 35 |
| ip-version | IP version to use for VPN interface. 4: Use IPv4 addressing for gateways. 6: Use IPv6 addressing for gateways. |
option | - |
| ike-version | IKE protocol version. 1: Use IKEv1 protocol. 2: Use IKEv2 protocol. |
option | - |
| local-gw | IPv4 address of the local gateway's external interface. | ipv4-address | Not Specified |
| local-gw6 | IPv6 address of the local gateway's external interface. | ipv6-address | Not Specified |
| remote-gw | IPv4 address of the remote gateway's external interface. | ipv4-address | Not Specified |
| remote-gw6 | IPv6 address of the remote gateway's external interface. | ipv6-address | Not Specified |
| remotegw-ddns | Domain name of remote gateway (eg. name.DDNS.com). | string | Maximum length: 63 |
| keylife | Time to wait in seconds before phase 1 encryption key expires. | integer | Minimum value: 120 Maximum value: 172800 |
certificate <name> |
The names of up to 4 signed personal certificates. Certificate name. |
string | Maximum length: 79 |
| authmethod | Authentication method. psk: PSK authentication method. signature: Signature authentication method. |
option | - |
| authmethod-remote | Authentication method (remote side). psk: PSK authentication method. signature: Signature authentication method. |
option | - |
| mode | The ID protection mode used to establish a secure channel. aggressive: Aggressive mode. main: Main mode. |
option | - |
| peertype | Accept this peer type. any: Accept any peer ID. one: Accept this peer ID. dialup: Accept peer ID in dialup group. peer: Accept this peer certificate. peergrp: Accept this peer certificate group. |
option | - |
| peerid | Accept this peer identity. | string | Maximum length: 255 |
| default-gw | IPv4 address of default route gateway to use for traffic exiting the interface. | ipv4-address | Not Specified |
| default-gw-priority | Priority for default gateway route. A higher priority number signifies a less preferred route. | integer | Minimum value: 0 Maximum value: 4294967295 |
| usrgrp | User group name for dialup peers. | string | Maximum length: 35 |
| peer | Accept this peer certificate. | string | Maximum length: 35 |
| peergrp | Accept this peer certificate group. | string | Maximum length: 35 |
| monitor | IPsec interface as backup for primary interface. | string | Maximum length: 35 |
| monitor-hold-down-type | Recovery time method when primary interface re-establishes. immediate: Fail back immediately after primary recovers. delay: Number of seconds to delay fail back after primary recovers. time: Specify a time at which to fail back after primary recovers. |
option | - |
| monitor-hold-down-delay | Time to wait in seconds before recovery once primary re-establishes. | integer | Minimum value: 0 Maximum value: 31536000 |
| monitor-hold-down-weekday | Day of the week to recover once primary re-establishes. everyday: Every Day. sunday: Sunday. monday: Monday. tuesday: Tuesday. wednesday: Wednesday. thursday: Thursday. friday: Friday. saturday: Saturday. |
option | - |
| monitor-hold-down-time | Time of day at which to fail back to primary after it re-establishes. | user | Not Specified |
| net-device | Enable/disable kernel device creation. enable: Create a kernel device for every tunnel. disable: Do not create a kernel device for tunnels. |
option | - |
| tunnel-search | Tunnel search method for when the interface is shared. selectors: Search for tunnel in selectors. nexthop: Search for tunnel using nexthop. |
option | - |
| passive-mode | Enable/disable IPsec passive mode for static tunnels. enable: Enable IPsec passive mode. disable: Disable IPsec passive mode. |
option | - |
| exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. enable: Enable exchange of IPsec interface IP address. disable: Disable exchange of IPsec interface IP address. |
option | - |
| exchange-ip-addr4 | IPv4 address to exchange with peers. | ipv4-address | Not Specified |
| exchange-ip-addr6 | IPv6 address to exchange with peers | ipv6-address | Not Specified |
| aggregate-member | Enable/disable use as an aggregate member. enable: Enable use as an aggregate member. disable: Disable use as an aggregate member. |
option | - |
| mode-cfg | Enable/disable configuration method. disable: Disable Configuration Method. enable: Enable Configuration Method. |
option | - |
| assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. disable: Do not assign an IP address to the IPsec interface. enable: Assign an IP address to the IPsec interface. |
option | - |
| assign-ip-from | Method by which the IP address will be assigned. range: Assign IP address from locally defined range. usrgrp: Assign IP address via user group. dhcp: Assign IP address via DHCP. name: Assign IP address from firewall address or group. |
option | - |
| ipv4-start-ip | Start of IPv4 range. | ipv4-address | Not Specified |
| ipv4-end-ip | End of IPv4 range. | ipv4-address | Not Specified |
| ipv4-netmask | IPv4 Netmask. | ipv4-netmask | Not Specified |
| dhcp-ra-giaddr | Relay agent gateway IP address to use in the giaddr field of DHCP requests. | ipv4-address | Not Specified |
| dhcp6-ra-linkaddr | Relay agent IPv6 link address to use in DHCP6 requests. | ipv6-address | Not Specified |
| dns-mode | DNS server mode. manual: Manually configure DNS servers. auto: Use default DNS servers. |
option | - |
| ipv4-dns-server1 | IPv4 DNS server 1. | ipv4-address | Not Specified |
| ipv4-dns-server2 | IPv4 DNS server 2. | ipv4-address | Not Specified |
| ipv4-dns-server3 | IPv4 DNS server 3. | ipv4-address | Not Specified |
| ipv4-wins-server1 | WINS server 1. | ipv4-address | Not Specified |
| ipv4-wins-server2 | WINS server 2. | ipv4-address | Not Specified |
| ipv4-split-include | IPv4 split-include subnets. | string | Maximum length: 79 |
| split-include-service | Split-include services. | string | Maximum length: 79 |
| ipv4-name | IPv4 address name. | string | Maximum length: 79 |
| ipv6-start-ip | Start of IPv6 range. | ipv6-address | Not Specified |
| ipv6-end-ip | End of IPv6 range. | ipv6-address | Not Specified |
| ipv6-prefix | IPv6 prefix. | integer | Minimum value: 1 Maximum value: 128 |
| ipv6-dns-server1 | IPv6 DNS server 1. | ipv6-address | Not Specified |
| ipv6-dns-server2 | IPv6 DNS server 2. | ipv6-address | Not Specified |
| ipv6-dns-server3 | IPv6 DNS server 3. | ipv6-address | Not Specified |
| ipv6-split-include | IPv6 split-include subnets. | string | Maximum length: 79 |
| ipv6-name | IPv6 address name. | string | Maximum length: 79 |
| unity-support | Enable/disable support for Cisco UNITY Configuration Method extensions. disable: Disable Cisco Unity Configuration Method Extensions. enable: Enable Cisco Unity Configuration Method Extensions. |
option | - |
| domain | Instruct unity clients about the default DNS domain. | string | Maximum length: 63 |
| banner | Message that unity client should display after connecting. | var-string | Maximum length: 1024 |
| include-local-lan | Enable/disable allow local LAN access on unity clients. disable: Disable local LAN access on Unity clients. enable: Enable local LAN access on Unity clients. |
option | - |
| ipv4-split-exclude | IPv4 subnets that should not be sent over the IPsec tunnel. | string | Maximum length: 79 |
| ipv6-split-exclude | IPv6 subnets that should not be sent over the IPsec tunnel. | string | Maximum length: 79 |
| save-password | Enable/disable saving XAuth username and password on VPN clients. disable: Disable saving XAuth username and password on VPN clients. enable: Enable saving XAuth username and password on VPN clients. |
option | - |
| client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable: Disable allowing the VPN client to bring up the tunnel when there is no traffic. enable: Enable allowing the VPN client to bring up the tunnel when there is no traffic. |
option | - |
| client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable: Disable allowing the VPN client to keep the tunnel up when there is no traffic. enable: Enable allowing the VPN client to keep the tunnel up when there is no traffic. |
option | - |
backup-gateway <address> |
Instruct unity clients about the backup gateway address(es). Address of backup gateway. |
string | Maximum length: 79 |
| proposal | Phase1 proposal. des-md5: des-md5 des-sha1: des-sha1 des-sha256: des-sha256 des-sha384: des-sha384 des-sha512: des-sha512 3des-md5: 3des-md5 3des-sha1: 3des-sha1 3des-sha256: 3des-sha256 3des-sha384: 3des-sha384 3des-sha512: 3des-sha512 aes128-md5: aes128-md5 aes128-sha1: aes128-sha1 aes128-sha256: aes128-sha256 aes128-sha384: aes128-sha384 aes128-sha512: aes128-sha512 aes128gcm-prfsha1: aes128gcm-prfsha1 aes128gcm-prfsha256: aes128gcm-prfsha256 aes128gcm-prfsha384: aes128gcm-prfsha384 aes128gcm-prfsha512: aes128gcm-prfsha512 aes192-md5: aes192-md5 aes192-sha1: aes192-sha1 aes192-sha256: aes192-sha256 aes192-sha384: aes192-sha384 aes192-sha512: aes192-sha512 aes256-md5: aes256-md5 aes256-sha1: aes256-sha1 aes256-sha256: aes256-sha256 aes256-sha384: aes256-sha384 aes256-sha512: aes256-sha512 aes256gcm-prfsha1: aes256gcm-prfsha1 aes256gcm-prfsha256: aes256gcm-prfsha256 aes256gcm-prfsha384: aes256gcm-prfsha384 aes256gcm-prfsha512: aes256gcm-prfsha512 chacha20poly1305-prfsha1: chacha20poly1305-prfsha1 chacha20poly1305-prfsha256: chacha20poly1305-prfsha256 chacha20poly1305-prfsha384: chacha20poly1305-prfsha384 chacha20poly1305-prfsha512: chacha20poly1305-prfsha512 aria128-md5: aria128-md5 aria128-sha1: aria128-sha1 aria128-sha256: aria128-sha256 aria128-sha384: aria128-sha384 aria128-sha512: aria128-sha512 aria192-md5: aria192-md5 aria192-sha1: aria192-sha1 aria192-sha256: aria192-sha256 aria192-sha384: aria192-sha384 aria192-sha512: aria192-sha512 aria256-md5: aria256-md5 aria256-sha1: aria256-sha1 aria256-sha256: aria256-sha256 aria256-sha384: aria256-sha384 aria256-sha512: aria256-sha512 seed-md5: seed-md5 seed-sha1: seed-sha1 seed-sha256: seed-sha256 seed-sha384: seed-sha384 seed-sha512: seed-sha512 |
option | - |
| add-route | Enable/disable control addition of a route to peer destination selector. disable: Do not add a route to destination of peer selector. enable: Add route to destination of peer selector. |
option | - |
| add-gw-route | Enable/disable automatically add a route to the remote gateway. enable: Automatically add a route to the remote gateway. disable: Do not automatically add a route to the remote gateway. |
option | - |
| psksecret | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| psksecret-remote | Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| keepalive | NAT-T keep alive interval. | integer | Minimum value: 10 Maximum value: 900 |
| distance | Distance for routes added by IKE (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
| priority | Priority for routes added by IKE (0 - 4294967295). | integer | Minimum value: 0 Maximum value: 4294967295 |
| localid | Local ID. | string | Maximum length: 63 |
| localid-type | Local ID type. auto: Select ID type automatically. fqdn: Use fully qualified domain name. user-fqdn: Use user fully qualified domain name. keyid: Use key-id string. address: Use local IP address. asn1dn: Use ASN.1 distinguished name. |
option | - |
| auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. enable: Enable automatic initiation of IKE SA negotiation. disable: Disable automatic initiation of IKE SA negotiation. |
option | - |
| negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | integer | Minimum value: 1 Maximum value: 300 |
| fragmentation | Enable/disable fragment IKE message on re-transmission. enable: Enable intra-IKE fragmentation support on re-transmission. disable: Disable intra-IKE fragmentation support. |
option | - |
| ip-fragmentation | Determine whether IP packets are fragmented before or after IPsec encapsulation. pre-encapsulation: Fragment before IPsec encapsulation. post-encapsulation: Fragment after IPsec encapsulation (RFC compliant). |
option | - |
| dpd | Dead Peer Detection mode. disable: Disable Dead Peer Detection. on-idle: Trigger Dead Peer Detection when IPsec is idle. on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer. |
option | - |
| dpd-retrycount | Number of DPD retry attempts. | integer | Minimum value: 0 Maximum value: 10 |
| dpd-retryinterval | DPD retry interval. | user | Not Specified |
| forticlient-enforcement | Enable/disable FortiClient enforcement. enable: Enable FortiClient enforcement. disable: Disable FortiClient enforcement. |
option | - |
| comments | Comment. | var-string | Maximum length: 255 |
| npu-offload | Enable/disable offloading NPU. enable: Enable NPU offloading. disable: Disable NPU offloading. |
option | - |
| send-cert-chain | Enable/disable sending certificate chain. enable: Enable sending certificate chain. disable: Disable sending certificate chain. |
option | - |
| dhgrp | DH group. 1: DH Group 1. 2: DH Group 2. 5: DH Group 5. 14: DH Group 14. 15: DH Group 15. 16: DH Group 16. 17: DH Group 17. 18: DH Group 18. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. 27: DH Group 27. 28: DH Group 28. 29: DH Group 29. 30: DH Group 30. 31: DH Group 31. 32: DH Group 32. |
option | - |
| suite-b | Use Suite-B. disable: Do not use UI suite. suite-b-gcm-128: Use Suite-B-GCM-128. suite-b-gcm-256: Use Suite-B-GCM-256. |
option | - |
| eap | Enable/disable IKEv2 EAP authentication. enable: Enable IKEv2 EAP authentication. disable: Disable IKEv2 EAP authentication. |
option | - |
| eap-identity | IKEv2 EAP peer identity type. use-id-payload: Use IKEv2 IDi payload to resolve peer identity. send-request: Use EAP identity request to resolve peer identity. |
option | - |
| eap-exclude-peergrp | Peer group excluded from EAP authentication. | string | Maximum length: 35 |
| acct-verify | Enable/disable verification of RADIUS accounting record. enable: Enable verification of RADIUS accounting record. disable: Disable verification of RADIUS accounting record. |
option | - |
| ppk | Enable/disable IKEv2 Postquantum Preshared Key (PPK). disable: Disable use of IKEv2 Postquantum Preshared Key (PPK). allow: Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK). require: Require use of IKEv2 Postquantum Preshared Key (PPK). |
option | - |
| ppk-secret | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified |
| ppk-identity | IKEv2 Postquantum Preshared Key Identity. | string | Maximum length: 35 |
| wizard-type | GUI VPN Wizard Type. custom: Custom VPN configuration. dialup-forticlient: Dial Up - FortiClient Windows, Mac and Android. dialup-ios: Dial Up - iPhone / iPad Native IPsec Client. dialup-android: Dial Up - Android Native IPsec Client. dialup-windows: Dial Up - Windows Native IPsec Client. dialup-cisco: Dial Up - Cisco IPsec Client. static-fortigate: Site to Site - FortiGate. dialup-fortigate: Dial Up - FortiGate. static-cisco: Site to Site - Cisco. dialup-cisco-fw: Dialup Up - Cisco Firewall. simplified-static-fortigate: Site to Site - FortiGate (SD-WAN). hub-fortigate-auto-discovery: Hub role in a Hub-and-Spoke auto-discovery VPN. spoke-fortigate-auto-discovery: Spoke role in a Hub-and-Spoke auto-discovery VPN. |
option | - |
| xauthtype | XAuth type. disable: Disable. client: Enable as client. pap: Enable as server PAP. chap: Enable as server CHAP. auto: Enable as server auto. |
option | - |
| reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. disable: Disable IKE SA re-authentication. enable: Enable IKE SA re-authentication. |
option | - |
| authusr | XAuth user name. | string | Maximum length: 64 |
| authpasswd | XAuth password (max 35 characters). | password | Not Specified |
| group-authentication | Enable/disable IKEv2 IDi group authentication. enable: Enable IKEv2 IDi group authentication. disable: Disable IKEv2 IDi group authentication. |
option | - |
| group-authentication-secret | Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) | password-3 | Not Specified |
| authusrgrp | Authentication user group. | string | Maximum length: 35 |
| mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. disable: Disable. subnet: Enable addition of matching subnet selector. host: Enable addition of host to host selector. |
option | - |
| idle-timeout | Enable/disable IPsec tunnel idle timeout. enable: Enable IPsec tunnel idle timeout. disable: Disable IPsec tunnel idle timeout. |
option | - |
| idle-timeoutinterval | IPsec tunnel idle timeout in minutes (5 - 43200). | integer | Minimum value: 5 Maximum value: 43200 |
| ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. enable: Enable HA syncing of ESP sequence numbers. disable: Disable HA syncing of ESP sequence numbers. |
option | - |
| auto-discovery-sender | Enable/disable sending auto-discovery short-cut messages. enable: Enable sending auto-discovery short-cut messages. disable: Disable sending auto-discovery short-cut messages. |
option | - |
| auto-discovery-receiver | Enable/disable accepting auto-discovery short-cut messages. enable: Enable receiving auto-discovery short-cut messages. disable: Disable receiving auto-discovery short-cut messages. |
option | - |
| auto-discovery-forwarder | Enable/disable forwarding auto-discovery short-cut messages. enable: Enable forwarding auto-discovery short-cut messages. disable: Disable forwarding auto-discovery short-cut messages. |
option | - |
| auto-discovery-psk | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. enable: Enable use of pre-shared-secret authentication for auto-discovery tunnels. disable: Disable use of authentication defined by 'authmethod' for auto-discovery tunnels. |
option | - |
| encapsulation | Enable/disable GRE/VXLAN encapsulation. none: No additional encapsulation. gre: GRE encapsulation. vxlan: VXLAN encapsulation. |
option | - |
| encapsulation-address | Source for GRE/VXLAN tunnel address. ike: Use IKE/IPsec gateway addresses. ipv4: Specify separate GRE/VXLAN tunnel address. ipv6: Specify separate GRE/VXLAN tunnel address. |
option | - |
| encap-local-gw4 | Local IPv4 address of GRE/VXLAN tunnel. | ipv4-address | Not Specified |
| encap-local-gw6 | Local IPv6 address of GRE/VXLAN tunnel. | ipv6-address | Not Specified |
| encap-remote-gw4 | Remote IPv4 address of GRE/VXLAN tunnel. | ipv4-address | Not Specified |
| encap-remote-gw6 | Remote IPv6 address of GRE/VXLAN tunnel. | ipv6-address | Not Specified |
| vni | VNI of VXLAN tunnel. | integer | Minimum value: 1 Maximum value: 16777215 |
| nattraversal | Enable/disable NAT traversal. enable: Enable IPsec NAT traversal. disable: Disable IPsec NAT traversal. forced: Force IPsec NAT traversal on. |
option | - |
| esn | Extended sequence number (ESN) negotiation. require: Require extended sequence number. allow: Allow extended sequence number. disable: Disable extended sequence number. |
option | - |
| fragmentation-mtu | IKE fragmentation MTU (500 - 16000). | integer | Minimum value: 500 Maximum value: 16000 |
| childless-ike | Enable/disable childless IKEv2 initiation (RFC 6023). enable: Enable childless IKEv2 initiation (RFC 6023). disable: Disable childless IKEv2 initiation (RFC 6023). |
option | - |
| rekey | Enable/disable phase1 rekey. enable: Enable phase1 rekey. disable: Disable phase1 rekey. |
option | - |
| digital-signature-auth | Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). enable: Enable IKEv2 Digital Signature Authentication (RFC 7427). disable: Disable IKEv2 Digital Signature Authentication (RFC 7427). |
option | - |
| signature-hash-alg | Digital Signature Authentication hash algorithms. sha1: SHA1. sha2-256: SHA2-256. sha2-384: SHA2-384. sha2-512: SHA2-512. |
option | - |
| rsa-signature-format | Digital Signature Authentication RSA signature format. pkcs1: RSASSA PKCS#1 v1.5. pss: RSASSA Probabilistic Signature Scheme (PSS). |
option | - |
| enforce-unique-id | Enable/disable peer ID uniqueness check. disable: Disable peer ID uniqueness enforcement. keep-new: Enforce peer ID uniqueness, keep new connection if collision found. keep-old: Enforce peer ID uniqueness, keep old connection if collision found. |
option | - |
| cert-id-validation | Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. enable: Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. disable: Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. |
option | - |
| fec-egress | Enable/disable Forward Error Correction for egress IPsec traffic. enable: Enable Forward Error Correction for egress IPsec traffic. disable: Disable Forward Error Correction for egress IPsec traffic. |
option | - |
| fec-send-timeout | Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). | integer | Minimum value: 1 Maximum value: 1000 |
| fec-base | Number of base Forward Error Correction packets (1 - 100). | integer | Minimum value: 1 Maximum value: 100 |
| fec-redundant | Number of redundant Forward Error Correction packets (1 - 100). | integer | Minimum value: 1 Maximum value: 100 |
| fec-ingress | Enable/disable Forward Error Correction for ingress IPsec traffic. enable: Enable Forward Error Correction for ingress IPsec traffic. disable: Disable Forward Error Correction for ingress IPsec traffic. |
option | - |
| fec-receive-timeout | Timeout in milliseconds before dropping Forward Error Correction packets (1 - 10000). | integer | Minimum value: 1 Maximum value: 10000 |
| network-overlay | Enable/disable network overlays. disable: Disable network overlays. enable: Enable network overlays. |
option | - |
| network-id | VPN gateway network ID. | integer | Minimum value: 0 Maximum value: 255 |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IPv4 exclusive range. | ipv4-address | Not Specified |
| end-ip | End of IPv4 exclusive range. | ipv4-address | Not Specified |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IPv6 exclusive range. | ipv6-address | Not Specified |
| end-ip | End of IPv6 exclusive range. | ipv6-address | Not Specified |