CLI Reference

config vpn ipsec phase1

Configure VPN remote gateway.

config vpn ipsec phase1
    Description: Configure VPN remote gateway.
    edit <name>
        set type [static|dynamic|...]
        set interface {string}
        set ike-version [1|2]
        set remote-gw {ipv4-address}
        set local-gw {ipv4-address}
        set remotegw-ddns {string}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set authmethod-remote [psk|signature]
        set mode [aggressive|main]
        set peertype [any|one|...]
        set peerid {string}
        set usrgrp {string}
        set peer {string}
        set peergrp {string}
        set mode-cfg [disable|enable]
        set assign-ip [disable|enable]
        set assign-ip-from [range|usrgrp|...]
        set ipv4-start-ip {ipv4-address}
        set ipv4-end-ip {ipv4-address}
        set ipv4-netmask {ipv4-netmask}
        set dhcp-ra-giaddr {ipv4-address}
        set dhcp6-ra-linkaddr {ipv6-address}
        set dns-mode [manual|auto]
        set ipv4-dns-server1 {ipv4-address}
        set ipv4-dns-server2 {ipv4-address}
        set ipv4-dns-server3 {ipv4-address}
        set ipv4-wins-server1 {ipv4-address}
        set ipv4-wins-server2 {ipv4-address}
        config ipv4-exclude-range
            Description: Configuration Method IPv4 exclude ranges.
            edit <id>
                set start-ip {ipv4-address}
                set end-ip {ipv4-address}
            next
        end
        set ipv4-split-include {string}
        set split-include-service {string}
        set ipv4-name {string}
        set ipv6-start-ip {ipv6-address}
        set ipv6-end-ip {ipv6-address}
        set ipv6-prefix {integer}
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-dns-server3 {ipv6-address}
        config ipv6-exclude-range
            Description: Configuration method IPv6 exclude ranges.
            edit <id>
                set start-ip {ipv6-address}
                set end-ip {ipv6-address}
            next
        end
        set ipv6-split-include {string}
        set ipv6-name {string}
        set unity-support [disable|enable]
        set domain {string}
        set banner {var-string}
        set include-local-lan [disable|enable]
        set ipv4-split-exclude {string}
        set ipv6-split-exclude {string}
        set save-password [disable|enable]
        set client-auto-negotiate [disable|enable]
        set client-keep-alive [disable|enable]
        set backup-gateway <address1>, <address2>, ...
        set proposal {option1}, {option2}, ...
        set add-route [disable|enable]
        set add-gw-route [enable|disable]
        set psksecret {password-3}
        set psksecret-remote {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set auto-negotiate [enable|disable]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set dpd [disable|on-idle|...]
        set dpd-retrycount {integer}
        set dpd-retryinterval {user}
        set forticlient-enforcement [enable|disable]
        set comments {var-string}
        set npu-offload [enable|disable]
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set suite-b [disable|suite-b-gcm-128|...]
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set mesh-selector-type [disable|subnet|...]
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set ha-sync-esp-seqno [enable|disable]
        set nattraversal [enable|disable|...]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set fec-egress [enable|disable]
        set fec-send-timeout {integer}
        set fec-base {integer}
        set fec-redundant {integer}
        set fec-ingress [enable|disable]
        set fec-receive-timeout {integer}
        set network-overlay [disable|enable]
        set network-id {integer}
    next
end
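Added example, not part of Fortinet's CLI reference: a Python script that parses the config/edit/set/next/end syntax shown above and audits each phase1 entry against the parameters documented in the table below (proposal, dhgrp, mode, ike-version, authmethod, signature-hash-alg, dpd, cert-id-validation). Which values it treats as weak (DES/3DES ciphers, MD5/SHA1 hashes and PRFs, DH groups 1, 2 and 5, IKEv1 aggressive mode with a pre-shared key, SHA1 signature hashes, DPD disabled, certificate ID validation disabled) is a reviewer's classification, not a statement from this page. The sample configuration, its entry names and addresses are constructed for the demonstration.

```python
"""Audit a FortiGate ``config vpn ipsec phase1`` block for weak IKE settings.

Added example, not Fortinet code: it parses the config/edit/set/next/end syntax
documented above and reports settings that weaken the IKE SA. SAMPLE_CONFIG and
every name and address in it are constructed for this demonstration.
"""
import shlex

# Reviewer's classification of the documented option values, not Fortinet's.
WEAK_CIPHER_PREFIXES = ("des-", "3des-")
WEAK_HASH_SUFFIXES = ("-md5", "-sha1", "-prfsha1")
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768-, 1024- and 1536-bit MODP


def parse_phase1(text):
    """Return {entry name: {setting: [values]}}; nested sub-tables are skipped."""
    entries, current, depth = {}, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())           # honours "quoted names"
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            depth += 1
        elif cmd == "end":
            depth -= 1
        elif depth != 1:
            continue                    # inside config ipv4-exclude-range etc.
        elif cmd == "edit":
            current = entries.setdefault(tokens[1], {})
        elif cmd == "next":
            current = None
        elif cmd == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return entries


def audit(settings):
    """Return (setting, value, reason) findings; only explicit values are judged."""
    first = lambda key: settings.get(key, [""])[0]  # noqa: E731
    findings = []
    for prop in settings.get("proposal", []):
        if prop.startswith(WEAK_CIPHER_PREFIXES):
            findings.append(("proposal", prop, "DES/3DES cipher"))
        if prop.endswith(WEAK_HASH_SUFFIXES):
            findings.append(("proposal", prop, "MD5/SHA1 integrity or PRF"))
    for grp in settings.get("dhgrp", []):
        if grp in WEAK_DH_GROUPS:
            findings.append(("dhgrp", grp, "MODP group of 1536 bits or less"))
    if "sha1" in settings.get("signature-hash-alg", []):
        findings.append(("signature-hash-alg", "sha1", "SHA1 signature hash"))
    # 'mode' applies to IKEv1 only; aggressive mode with a PSK exchanges the
    # identities and PSK-derived hash before encryption, so the PSK is exposed
    # to offline guessing by anyone who recorded the exchange.
    if (first("mode") == "aggressive" and first("ike-version") != "2"
            and first("authmethod") != "signature"):
        findings.append(("mode", "aggressive", "IKEv1 aggressive mode with PSK"))
    if first("dpd") == "disable":
        findings.append(("dpd", "disable", "dead peers not detected; stale SAs persist"))
    if first("authmethod") == "signature" and first("cert-id-validation") == "disable":
        findings.append(("cert-id-validation", "disable",
                         "peer ID not checked against the certificate (RFC 4945)"))
    return findings


def audit_config(text):
    """Map each phase1 entry name to its list of findings."""
    return {name: audit(s) for name, s in parse_phase1(text).items()}


# Constructed sample: a legacy IKEv1 tunnel and a hardened IKEv2 tunnel.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit "legacy-branch"
        set ike-version 1
        set mode aggressive
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
        set dpd disable
        config ipv4-exclude-range
            edit 1
                set start-ip 10.10.0.1
            next
        end
    next
    edit "hq-ikev2"
        set ike-version 2
        set authmethod signature
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 19 20
        set signature-hash-alg sha2-256 sha2-384
        set cert-id-validation enable
        set dpd on-idle
    next
end
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for setting, value, reason in findings:
            print(f"  set {setting} {value}: {reason}")
```

Run against the output of "show vpn ipsec phase1" (or phase1-interface, which shares these parameters) saved to a file, the script reports seven findings for the legacy entry and none for the IKEv2 entry. It only judges values that are set explicitly; model defaults are not assumed, so an entry that omits a setting produces no finding for it.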

config vpn ipsec phase1

Each parameter is listed as name (type, size), followed by its description and, for option parameters, each accepted value with its description. The size is given where the original table specifies one.

type (option)
    Remote gateway type.
        static: Remote VPN gateway has fixed IP address.
        dynamic: Remote VPN gateway has dynamic IP address.
        ddns: Remote VPN gateway has dynamic IP address and is a dynamic DNS client.

interface (string, maximum length 35)
    Local physical, aggregate, or VLAN outgoing interface.

ike-version (option)
    IKE protocol version.
        1: Use IKEv1 protocol.
        2: Use IKEv2 protocol.

remote-gw (ipv4-address)
    Remote VPN gateway.

local-gw (ipv4-address)
    Local VPN gateway.

remotegw-ddns (string, maximum length 63)
    Domain name of remote gateway (e.g. name.DDNS.com).

keylife (integer, 120 to 172800)
    Time to wait in seconds before the phase 1 encryption key expires.

certificate <name> (string, maximum length 79)
    Names of up to 4 signed personal certificates. Each entry is a certificate name.

authmethod (option)
    Authentication method.
        psk: PSK authentication method.
        signature: Signature authentication method.

authmethod-remote (option)
    Authentication method (remote side).
        psk: PSK authentication method.
        signature: Signature authentication method.

mode (option)
    ID protection mode used to establish a secure channel.
        aggressive: Aggressive mode.
        main: Main mode.

peertype (option)
    Accept this peer type.
        any: Accept any peer ID.
        one: Accept this peer ID.
        dialup: Accept peer ID in dialup group.
        peer: Accept this peer certificate.
        peergrp: Accept this peer certificate group.

peerid (string, maximum length 255)
    Accept this peer identity.

usrgrp (string, maximum length 35)
    User group name for dialup peers.

peer (string, maximum length 35)
    Accept this peer certificate.

peergrp (string, maximum length 35)
    Accept this peer certificate group.

mode-cfg (option)
    Enable/disable configuration method.
        disable: Disable Configuration Method.
        enable: Enable Configuration Method.

assign-ip (option)
    Enable/disable assignment of IP to IPsec interface via configuration method.
        disable: Do not assign an IP address to the IPsec interface.
        enable: Assign an IP address to the IPsec interface.

assign-ip-from (option)
    Method by which the IP address will be assigned.
        range: Assign IP address from locally defined range.
        usrgrp: Assign IP address via user group.
        dhcp: Assign IP address via DHCP.
        name: Assign IP address from firewall address or group.

ipv4-start-ip (ipv4-address)
    Start of IPv4 range.

ipv4-end-ip (ipv4-address)
    End of IPv4 range.

ipv4-netmask (ipv4-netmask)
    IPv4 netmask.

dhcp-ra-giaddr (ipv4-address)
    Relay agent gateway IP address to use in the giaddr field of DHCP requests.

dhcp6-ra-linkaddr (ipv6-address)
    Relay agent IPv6 link address to use in DHCP6 requests.

dns-mode (option)
    DNS server mode.
        manual: Manually configure DNS servers.
        auto: Use default DNS servers.

ipv4-dns-server1 (ipv4-address)
    IPv4 DNS server 1.

ipv4-dns-server2 (ipv4-address)
    IPv4 DNS server 2.

ipv4-dns-server3 (ipv4-address)
    IPv4 DNS server 3.

ipv4-wins-server1 (ipv4-address)
    WINS server 1.

ipv4-wins-server2 (ipv4-address)
    WINS server 2.

ipv4-split-include (string, maximum length 79)
    IPv4 split-include subnets.

split-include-service (string, maximum length 79)
    Split-include services.

ipv4-name (string, maximum length 79)
    IPv4 address name.

ipv6-start-ip (ipv6-address)
    Start of IPv6 range.

ipv6-end-ip (ipv6-address)
    End of IPv6 range.

ipv6-prefix (integer, 1 to 128)
    IPv6 prefix.

ipv6-dns-server1 (ipv6-address)
    IPv6 DNS server 1.

ipv6-dns-server2 (ipv6-address)
    IPv6 DNS server 2.

ipv6-dns-server3 (ipv6-address)
    IPv6 DNS server 3.

ipv6-split-include (string, maximum length 79)
    IPv6 split-include subnets.

ipv6-name (string, maximum length 79)
    IPv6 address name.

unity-support (option)
    Enable/disable support for Cisco UNITY Configuration Method extensions.
        disable: Disable Cisco Unity Configuration Method Extensions.
        enable: Enable Cisco Unity Configuration Method Extensions.

domain (string, maximum length 63)
    Instruct Unity clients about the default DNS domain.

banner (var-string, maximum length 1024)
    Message that the Unity client should display after connecting.

include-local-lan (option)
    Enable/disable local LAN access on Unity clients.
        disable: Disable local LAN access on Unity clients.
        enable: Enable local LAN access on Unity clients.

ipv4-split-exclude (string, maximum length 79)
    IPv4 subnets that should not be sent over the IPsec tunnel.

ipv6-split-exclude (string, maximum length 79)
    IPv6 subnets that should not be sent over the IPsec tunnel.

save-password (option)
    Enable/disable saving XAuth username and password on VPN clients.
        disable: Disable saving XAuth username and password on VPN clients.
        enable: Enable saving XAuth username and password on VPN clients.

client-auto-negotiate (option)
    Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
        disable: Disable allowing the VPN client to bring up the tunnel when there is no traffic.
        enable: Enable allowing the VPN client to bring up the tunnel when there is no traffic.

client-keep-alive (option)
    Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
        disable: Disable allowing the VPN client to keep the tunnel up when there is no traffic.
        enable: Enable allowing the VPN client to keep the tunnel up when there is no traffic.

backup-gateway <address> (string, maximum length 79)
    Instruct Unity clients about the backup gateway address(es). Each entry is the address of a backup gateway.

proposal (option)
    Phase1 proposal. The accepted values are listed below; each option's description is its own name.
        des-md5, des-sha1, des-sha256, des-sha384, des-sha512
        3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512
        aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512
        aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512
        aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
        aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512
        aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512
        chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512

add-route (option)
    Enable/disable adding a route to the peer's destination selector.
        disable: Do not add a route to destination of peer selector.
        enable: Add route to destination of peer selector.

add-gw-route (option)
    Enable/disable automatically adding a route to the remote gateway.
        enable: Automatically add a route to the remote gateway.
        disable: Do not automatically add a route to the remote gateway.

psksecret (password-3)
    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

psksecret-remote (password-3)
    Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

keepalive (integer, 10 to 900)
    NAT-T keep alive interval.

distance (integer, 1 to 255)
    Distance for routes added by IKE.

priority (integer, 0 to 4294967295)
    Priority for routes added by IKE.

localid (string, maximum length 63)
    Local ID.

localid-type (option)
    Local ID type.
        auto: Select ID type automatically.
        fqdn: Use fully qualified domain name.
        user-fqdn: Use user fully qualified domain name.
        keyid: Use key-id string.
        address: Use local IP address.
        asn1dn: Use ASN.1 distinguished name.

auto-negotiate (option)
    Enable/disable automatic initiation of IKE SA negotiation.
        enable: Enable automatic initiation of IKE SA negotiation.
        disable: Disable automatic initiation of IKE SA negotiation.

negotiate-timeout (integer, 1 to 300)
    IKE SA negotiation timeout in seconds.

fragmentation (option)
    Enable/disable fragmenting IKE messages on re-transmission.
        enable: Enable intra-IKE fragmentation support on re-transmission.
        disable: Disable intra-IKE fragmentation support.

dpd (option)
    Dead Peer Detection mode.
        disable: Disable Dead Peer Detection.
        on-idle: Trigger Dead Peer Detection when IPsec is idle.
        on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

dpd-retrycount (integer, 0 to 10)
    Number of DPD retry attempts.

dpd-retryinterval (user)
    DPD retry interval.

forticlient-enforcement (option)
    Enable/disable FortiClient enforcement.
        enable: Enable FortiClient enforcement.
        disable: Disable FortiClient enforcement.

comments (var-string, maximum length 255)
    Comment.

npu-offload * (option)
    Enable/disable NPU offloading.
        enable: Enable NPU offloading.
        disable: Disable NPU offloading.

send-cert-chain (option)
    Enable/disable sending certificate chain.
        enable: Enable sending certificate chain.
        disable: Disable sending certificate chain.

dhgrp (option)
    DH group. Accepted values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32; each value selects the DH group of that number.

suite-b (option)
    Use Suite-B.
        disable: Do not use UI suite.
        suite-b-gcm-128: Use Suite-B-GCM-128.
        suite-b-gcm-256: Use Suite-B-GCM-256.

eap (option)
    Enable/disable IKEv2 EAP authentication.
        enable: Enable IKEv2 EAP authentication.
        disable: Disable IKEv2 EAP authentication.

eap-identity (option)
    IKEv2 EAP peer identity type.
        use-id-payload: Use IKEv2 IDi payload to resolve peer identity.
        send-request: Use EAP identity request to resolve peer identity.

eap-exclude-peergrp (string, maximum length 35)
    Peer group excluded from EAP authentication.

acct-verify (option)
    Enable/disable verification of RADIUS accounting record.
        enable: Enable verification of RADIUS accounting record.
        disable: Disable verification of RADIUS accounting record.

ppk (option)
    Enable/disable IKEv2 Postquantum Preshared Key (PPK).
        disable: Disable use of IKEv2 Postquantum Preshared Key (PPK).
        allow: Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
        require: Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-secret (password-3)
    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

ppk-identity (string, maximum length 35)
    IKEv2 Postquantum Preshared Key Identity.

wizard-type (option)
    GUI VPN Wizard Type.
        custom: Custom VPN configuration.
        dialup-forticlient: Dial Up - FortiClient Windows, Mac and Android.
        dialup-ios: Dial Up - iPhone / iPad Native IPsec Client.
        dialup-android: Dial Up - Android Native IPsec Client.
        dialup-windows: Dial Up - Windows Native IPsec Client.
        dialup-cisco: Dial Up - Cisco IPsec Client.
        static-fortigate: Site to Site - FortiGate.
        dialup-fortigate: Dial Up - FortiGate.
        static-cisco: Site to Site - Cisco.
        dialup-cisco-fw: Dial Up - Cisco Firewall.
        simplified-static-fortigate: Site to Site - FortiGate (SD-WAN).
        hub-fortigate-auto-discovery: Hub role in a Hub-and-Spoke auto-discovery VPN.
        spoke-fortigate-auto-discovery: Spoke role in a Hub-and-Spoke auto-discovery VPN.

xauthtype (option)
    XAuth type.
        disable: Disable.
        client: Enable as client.
        pap: Enable as server PAP.
        chap: Enable as server CHAP.
        auto: Enable as server auto.

reauth (option)
    Enable/disable re-authentication upon IKE SA lifetime expiration.
        disable: Disable IKE SA re-authentication.
        enable: Enable IKE SA re-authentication.

authusr (string, maximum length 64)
    XAuth user name.

authpasswd (password)
    XAuth password (max 35 characters).

group-authentication (option)
    Enable/disable IKEv2 IDi group authentication.
        enable: Enable IKEv2 IDi group authentication.
        disable: Disable IKEv2 IDi group authentication.

group-authentication-secret (password-3)
    Password for IKEv2 IDi group authentication (ASCII string or hexadecimal indicated by a leading 0x).

authusrgrp (string, maximum length 35)
    Authentication user group.

mesh-selector-type (option)
    Add selectors containing subsets of the configuration depending on traffic.
        disable: Disable.
        subnet: Enable addition of matching subnet selector.
        host: Enable addition of host to host selector.

idle-timeout (option)
    Enable/disable IPsec tunnel idle timeout.
        enable: Enable IPsec tunnel idle timeout.
        disable: Disable IPsec tunnel idle timeout.

idle-timeoutinterval (integer, 5 to 43200)
    IPsec tunnel idle timeout in minutes.

ha-sync-esp-seqno (option)
    Enable/disable sequence number jump ahead for IPsec HA.
        enable: Enable HA syncing of ESP sequence numbers.
        disable: Disable HA syncing of ESP sequence numbers.

nattraversal (option)
    Enable/disable NAT traversal.
        enable: Enable IPsec NAT traversal.
        disable: Disable IPsec NAT traversal.
        forced: Force IPsec NAT traversal on.

fragmentation-mtu (integer, 500 to 16000)
    IKE fragmentation MTU.

childless-ike (option)
    Enable/disable childless IKEv2 initiation (RFC 6023).
        enable: Enable childless IKEv2 initiation (RFC 6023).
        disable: Disable childless IKEv2 initiation (RFC 6023).

rekey (option)
    Enable/disable phase1 rekey.
        enable: Enable phase1 rekey.
        disable: Disable phase1 rekey.

digital-signature-auth (option)
    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
        enable: Enable IKEv2 Digital Signature Authentication (RFC 7427).
        disable: Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg (option)
    Digital Signature Authentication hash algorithms.
        sha1: SHA1.
        sha2-256: SHA2-256.
        sha2-384: SHA2-384.
        sha2-512: SHA2-512.

rsa-signature-format (option)
    Digital Signature Authentication RSA signature format.
        pkcs1: RSASSA PKCS#1 v1.5.
        pss: RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id (option)
    Enable/disable peer ID uniqueness check.
        disable: Disable peer ID uniqueness enforcement.
        keep-new: Enforce peer ID uniqueness, keep new connection if collision found.
        keep-old: Enforce peer ID uniqueness, keep old connection if collision found.

cert-id-validation (option)
    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
        enable: Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
        disable: Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

fec-egress (option)
    Enable/disable Forward Error Correction for egress IPsec traffic.
        enable: Enable Forward Error Correction for egress IPsec traffic.
        disable: Disable Forward Error Correction for egress IPsec traffic.

fec-send-timeout (integer, 1 to 1000)
    Timeout in milliseconds before sending Forward Error Correction packets.

fec-base (integer, 1 to 100)
    Number of base Forward Error Correction packets.

fec-redundant (integer, 1 to 100)
    Number of redundant Forward Error Correction packets.

fec-ingress (option)
    Enable/disable Forward Error Correction for ingress IPsec traffic.
        enable: Enable Forward Error Correction for ingress IPsec traffic.
        disable: Disable Forward Error Correction for ingress IPsec traffic.

fec-receive-timeout (integer, 1 to 10000)
    Timeout in milliseconds before dropping Forward Error Correction packets.

network-overlay (option)
    Enable/disable network overlays.
        disable: Disable network overlays.
        enable: Enable network overlays.

network-id (integer, 0 to 255)
    VPN gateway network ID.

* This parameter may not exist in some models.

config ipv4-exclude-range

start-ip (ipv4-address)
    Start of IPv4 exclusive range.

end-ip (ipv4-address)
    End of IPv4 exclusive range.

config ipv6-exclude-range

start-ip (ipv6-address)
    Start of IPv6 exclusive range.

end-ip (ipv6-address)
    End of IPv6 exclusive range.

config vpn ipsec phase1

config vpn ipsec phase1

Configure VPN remote gateway.

config vpn ipsec phase1

Description: Configure VPN remote gateway.

edit <name>

set type [static|dynamic|...]

set interface {string}

set ike-version [1|2]

set remote-gw {ipv4-address}

set local-gw {ipv4-address}

set remotegw-ddns {string}

set keylife {integer}

set certificate <name1>, <name2>, ...

set authmethod [psk|signature]

set authmethod-remote [psk|signature]

set mode [aggressive|main]

set peertype [any|one|...]

set peerid {string}

set usrgrp {string}

set peer {string}

set peergrp {string}

set mode-cfg [disable|enable]

set assign-ip [disable|enable]

set assign-ip-from [range|usrgrp|...]

set ipv4-start-ip {ipv4-address}

set ipv4-end-ip {ipv4-address}

set ipv4-netmask {ipv4-netmask}

set dhcp-ra-giaddr {ipv4-address}

set dhcp6-ra-linkaddr {ipv6-address}

set dns-mode [manual|auto]

set ipv4-dns-server1 {ipv4-address}

set ipv4-dns-server2 {ipv4-address}

set ipv4-dns-server3 {ipv4-address}

set ipv4-wins-server1 {ipv4-address}

set ipv4-wins-server2 {ipv4-address}

config ipv4-exclude-range

Description: Configuration Method IPv4 exclude ranges.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

set ipv4-split-include {string}

set split-include-service {string}

set ipv4-name {string}

set ipv6-start-ip {ipv6-address}

set ipv6-end-ip {ipv6-address}

set ipv6-prefix {integer}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-dns-server3 {ipv6-address}

config ipv6-exclude-range

Description: Configuration method IPv6 exclude ranges.

edit <id>

set start-ip {ipv6-address}

set end-ip {ipv6-address}

next

end

set ipv6-split-include {string}

set ipv6-name {string}

set unity-support [disable|enable]

set domain {string}

set banner {var-string}

set include-local-lan [disable|enable]

set ipv4-split-exclude {string}

set ipv6-split-exclude {string}

set save-password [disable|enable]

set client-auto-negotiate [disable|enable]

set client-keep-alive [disable|enable]

set backup-gateway <address1>, <address2>, ...

set proposal {option1}, {option2}, ...

set add-route [disable|enable]

set add-gw-route [enable|disable]

set psksecret {password-3}

set psksecret-remote {password-3}

set keepalive {integer}

set distance {integer}

set priority {integer}

set localid {string}

set localid-type [auto|fqdn|...]

set auto-negotiate [enable|disable]

set negotiate-timeout {integer}

set fragmentation [enable|disable]

set dpd [disable|on-idle|...]

set dpd-retrycount {integer}

set dpd-retryinterval {user}

set forticlient-enforcement [enable|disable]

set comments {var-string}

set npu-offload [enable|disable]

set send-cert-chain [enable|disable]

set dhgrp {option1}, {option2}, ...

set suite-b [disable|suite-b-gcm-128|...]

set eap [enable|disable]

set eap-identity [use-id-payload|send-request]

set eap-exclude-peergrp {string}

set acct-verify [enable|disable]

set ppk [disable|allow|...]

set ppk-secret {password-3}

set ppk-identity {string}

set wizard-type [custom|dialup-forticlient|...]

set xauthtype [disable|client|...]

set reauth [disable|enable]

set authusr {string}

set authpasswd {password}

set group-authentication [enable|disable]

set group-authentication-secret {password-3}

set authusrgrp {string}

set mesh-selector-type [disable|subnet|...]

set idle-timeout [enable|disable]

set idle-timeoutinterval {integer}

set ha-sync-esp-seqno [enable|disable]

set nattraversal [enable|disable|...]

set fragmentation-mtu {integer}

set childless-ike [enable|disable]

set rekey [enable|disable]

set digital-signature-auth [enable|disable]

set signature-hash-alg {option1}, {option2}, ...

set rsa-signature-format [pkcs1|pss]

set enforce-unique-id [disable|keep-new|...]

set cert-id-validation [enable|disable]

set fec-egress [enable|disable]

set fec-send-timeout {integer}

set fec-base {integer}

set fec-redundant {integer}

set fec-ingress [enable|disable]

set fec-receive-timeout {integer}

set network-overlay [disable|enable]

set network-id {integer}

next

end

config vpn ipsec phase1

Parameter

Description

Type

Size

type

Remote gateway type.

option

-

Option

Description

static

Remote VPN gateway has fixed IP address.

dynamic

Remote VPN gateway has dynamic IP address.

ddns

Remote VPN gateway has dynamic IP address and is a dynamic DNS client.

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ike-version

IKE protocol version.

option

-

Option

Description

1

Use IKEv1 protocol.

2

Use IKEv2 protocol.

remote-gw

Remote VPN gateway.

ipv4-address

Not Specified

local-gw

Local VPN gateway.

ipv4-address

Not Specified

remotegw-ddns

Domain name of remote gateway (eg. name.DDNS.com).

string

Maximum length: 63

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

certificate <name>

Names of up to 4 signed personal certificates.

Certificate name.

string

Maximum length: 79

authmethod

Authentication method.

option

-

Option

Description

psk

PSK authentication method.

signature

Signature authentication method.

authmethod-remote

Authentication method (remote side).

option

-

Option

Description

psk

PSK authentication method.

signature

Signature authentication method.

mode

ID protection mode used to establish a secure channel.

option

-

Option

Description

aggressive

Aggressive mode.

main

Main mode.

peertype

Accept this peer type.

option

-

Option

Description

any

Accept any peer ID.

one

Accept this peer ID.

dialup

Accept peer ID in dialup group.

peer

Accept this peer certificate.

peergrp

Accept this peer certificate group.

peerid

Accept this peer identity.

string

Maximum length: 255

usrgrp

User group name for dialup peers.

string

Maximum length: 35

peer

Accept this peer certificate.

string

Maximum length: 35

peergrp

Accept this peer certificate group.

string

Maximum length: 35

mode-cfg

Enable/disable configuration method.

option

-

Option

Description

disable

Disable Configuration Method.

enable

Enable Configuration Method.

assign-ip

Enable/disable assignment of IP to IPsec interface via configuration method.

option

-

Option

Description

disable

Do not assign an IP address to the IPsec interface.

enable

Assign an IP address to the IPsec interface.

assign-ip-from

Method by which the IP address will be assigned.

option

-

Option

Description

range

Assign IP address from locally defined range.

usrgrp

Assign IP address via user group.

dhcp

Assign IP address via DHCP.

name

Assign IP address from firewall address or group.

ipv4-start-ip

Start of IPv4 range.

ipv4-address

Not Specified

ipv4-end-ip

End of IPv4 range.

ipv4-address

Not Specified

ipv4-netmask

IPv4 Netmask.

ipv4-netmask

Not Specified

dhcp-ra-giaddr

Relay agent gateway IP address to use in the giaddr field of DHCP requests.

ipv4-address

Not Specified

dhcp6-ra-linkaddr

Relay agent IPv6 link address to use in DHCP6 requests.

ipv6-address

Not Specified

dns-mode

DNS server mode.

option

-

Option

Description

manual

Manually configure DNS servers.

auto

Use default DNS servers.

ipv4-dns-server1

IPv4 DNS server 1.

ipv4-address

Not Specified

ipv4-dns-server2

IPv4 DNS server 2.

ipv4-address

Not Specified

ipv4-dns-server3

IPv4 DNS server 3.

ipv4-address

Not Specified

ipv4-wins-server1

WINS server 1.

ipv4-address

Not Specified

ipv4-wins-server2

WINS server 2.

ipv4-address

Not Specified

ipv4-split-include

IPv4 split-include subnets.

string

Maximum length: 79

split-include-service

Split-include services.

string

Maximum length: 79

ipv4-name

IPv4 address name.

string

Maximum length: 79

ipv6-start-ip

Start of IPv6 range.

ipv6-address

Not Specified

ipv6-end-ip

End of IPv6 range.

ipv6-address

Not Specified

ipv6-prefix

IPv6 prefix.

integer

Minimum value: 1 Maximum value: 128

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

ipv6-dns-server3

IPv6 DNS server 3.

ipv6-address

Not Specified

ipv6-split-include

IPv6 split-include subnets.

string

Maximum length: 79

ipv6-name

IPv6 address name.

string

Maximum length: 79

unity-support

Enable/disable support for Cisco UNITY Configuration Method extensions.

option

-

Option

Description

disable

Disable Cisco Unity Configuration Method Extensions.

enable

Enable Cisco Unity Configuration Method Extensions.

domain

Instruct unity clients about the default DNS domain.

string

Maximum length: 63

banner

Message that unity client should display after connecting.

var-string

Maximum length: 1024

include-local-lan

Enable/disable allow local LAN access on unity clients.

option

-

Option

Description

disable

Disable local LAN access on Unity clients.

enable

Enable local LAN access on Unity clients.

ipv4-split-exclude

IPv4 subnets that should not be sent over the IPsec tunnel.

string

Maximum length: 79

ipv6-split-exclude

IPv6 subnets that should not be sent over the IPsec tunnel.

string

Maximum length: 79

save-password

Enable/disable saving XAuth username and password on VPN clients.

option

-

Option

Description

disable

Disable saving XAuth username and password on VPN clients.

enable

Enable saving XAuth username and password on VPN clients.

client-auto-negotiate

Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.

option

-

Option

Description

disable

Disable allowing the VPN client to bring up the tunnel when there is no traffic.

enable

Enable allowing the VPN client to bring up the tunnel when there is no traffic.

client-keep-alive

Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.

option

-

Option

Description

disable

Disable allowing the VPN client to keep the tunnel up when there is no traffic.

enable

Enable allowing the VPN client to keep the tunnel up when there is no traffic.

backup-gateway <address>

Instruct unity clients about the backup gateway address(es).

Address of backup gateway.

string

Maximum length: 79

proposal

Phase 1 proposal(s), each an encryption algorithm paired with an integrity hash (or, for the AEAD ciphers, a PRF); more than one may be listed. DES, 3DES, MD5 and SHA-1 are kept only for interoperability with legacy peers; new tunnels should use AES or ChaCha20-Poly1305 with a SHA-2 hash.

option

-

Option

Description

des-md5

des-md5

des-sha1

des-sha1

des-sha256

des-sha256

des-sha384

des-sha384

des-sha512

des-sha512

3des-md5

3des-md5

3des-sha1

3des-sha1

3des-sha256

3des-sha256

3des-sha384

3des-sha384

3des-sha512

3des-sha512

aes128-md5

aes128-md5

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes128gcm-prfsha1

aes128gcm-prfsha1

aes128gcm-prfsha256

aes128gcm-prfsha256

aes128gcm-prfsha384

aes128gcm-prfsha384

aes128gcm-prfsha512

aes128gcm-prfsha512

aes192-md5

aes192-md5

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-md5

aes256-md5

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes256gcm-prfsha1

aes256gcm-prfsha1

aes256gcm-prfsha256

aes256gcm-prfsha256

aes256gcm-prfsha384

aes256gcm-prfsha384

aes256gcm-prfsha512

aes256gcm-prfsha512

chacha20poly1305-prfsha1

chacha20poly1305-prfsha1

chacha20poly1305-prfsha256

chacha20poly1305-prfsha256

chacha20poly1305-prfsha384

chacha20poly1305-prfsha384

chacha20poly1305-prfsha512

chacha20poly1305-prfsha512

add-route

Enable/disable adding a route to the destination of the peer's selector.

option

-

Option

Description

disable

Do not add a route to destination of peer selector.

enable

Add route to destination of peer selector.

add-gw-route

Enable/disable automatically adding a route to the remote gateway.

option

-

Option

Description

enable

Automatically add a route to the remote gateway.

disable

Do not automatically add a route to the remote gateway.

psksecret

Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

psksecret-remote

Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

keepalive

NAT-T keepalive interval in seconds.

integer

Minimum value: 10 Maximum value: 900

distance

Administrative distance for routes added by IKE.

integer

Minimum value: 1 Maximum value: 255

priority

Priority for routes added by IKE.

integer

Minimum value: 0 Maximum value: 4294967295

localid

Local ID.

string

Maximum length: 63

localid-type

Local ID type.

option

-

Option

Description

auto

Select ID type automatically.

fqdn

Use fully qualified domain name.

user-fqdn

Use user fully qualified domain name.

keyid

Use key-id string.

address

Use local IP address.

asn1dn

Use ASN.1 distinguished name.

auto-negotiate

Enable/disable automatic initiation of IKE SA negotiation.

option

-

Option

Description

enable

Enable automatic initiation of IKE SA negotiation.

disable

Disable automatic initiation of IKE SA negotiation.

negotiate-timeout

IKE SA negotiation timeout in seconds.

integer

Minimum value: 1 Maximum value: 300

fragmentation

Enable/disable fragmenting IKE messages on retransmission (for paths that drop large UDP datagrams).

option

-

Option

Description

enable

Enable intra-IKE fragmentation support on re-transmission.

disable

Disable intra-IKE fragmentation support.

dpd

Dead Peer Detection mode.

option

-

Option

Description

disable

Disable Dead Peer Detection.

on-idle

Trigger Dead Peer Detection when IPsec is idle.

on-demand

Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

dpd-retrycount

Number of DPD retry attempts.

integer

Minimum value: 0 Maximum value: 10

dpd-retryinterval

DPD retry interval.

user

Not Specified

forticlient-enforcement

Enable/disable FortiClient enforcement.

option

-

Option

Description

enable

Enable FortiClient enforcement.

disable

Disable FortiClient enforcement.

comments

Comment.

var-string

Maximum length: 255

npu-offload *

Enable/disable NPU offloading of this tunnel's IPsec processing.

option

-

Option

Description

enable

Enable NPU offloading.

disable

Disable NPU offloading.

send-cert-chain

Enable/disable sending certificate chain.

option

-

Option

Description

enable

Enable sending certificate chain.

disable

Disable sending certificate chain.

dhgrp

Diffie-Hellman group(s) for the phase 1 key exchange; more than one may be listed. Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are weak by current standards; use group 14 or larger, or an ECP group (19 to 21), unless a legacy peer forces otherwise.

option

-

Option

Description

1

DH Group 1 (768-bit MODP; obsolete).

2

DH Group 2 (1024-bit MODP; weak).

5

DH Group 5 (1536-bit MODP; weak).

14

DH Group 14 (2048-bit MODP).

15

DH Group 15 (3072-bit MODP).

16

DH Group 16 (4096-bit MODP).

17

DH Group 17 (6144-bit MODP).

18

DH Group 18 (8192-bit MODP).

19

DH Group 19 (256-bit random ECP).

20

DH Group 20 (384-bit random ECP).

21

DH Group 21 (521-bit random ECP).

27

DH Group 27 (brainpoolP224r1).

28

DH Group 28 (brainpoolP256r1).

29

DH Group 29 (brainpoolP384r1).

30

DH Group 30 (brainpoolP512r1).

31

DH Group 31 (Curve25519).

32

DH Group 32 (Curve448).

suite-b

Use a Suite-B cipher suite (RFC 6379), which fixes the algorithm set instead of the proposal and dhgrp lists.

option

-

Option

Description

disable

Do not use a Suite-B suite.

suite-b-gcm-128

Use Suite-B-GCM-128 (AES-GCM-128, SHA-256, DH group 19 / ECP-256).

suite-b-gcm-256

Use Suite-B-GCM-256 (AES-GCM-256, SHA-384, DH group 20 / ECP-384).
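The proposal, dhgrp, suite-b and psksecret entries above list what can be set, not what to avoid. The following is an added example, not FortiOS code and not part of this reference: it parses the plain-text form of a phase1 block (one "set <param> <values>" per line inside edit/next, as shown at the top of this page) and flags the legacy choices a reviewer looks for first: DES/3DES, MD5/SHA-1, DH groups 1/2/5, IKEv1 aggressive mode with PSK, and a short pre-shared key. The configuration text, tunnel names and addresses are constructed; the FortiOS defaults it assumes for parameters that are not set (ike-version 1, mode main, authmethod psk) are stated in the code.

```python
"""Audit the crypto-relevant settings of a 'config vpn ipsec phase1' block.

Added example for this reference page; not FortiOS code, and it does not talk
to a FortiGate. Assumption: the input is the plain-text CLI form with one
'set <param> <values...>' per line inside edit/next.
"""
import re
import secrets

WEAK_ENC = {"des", "3des"}                 # 56/112-bit effective, legacy only
WEAK_HASH = {"md5", "sha1", "prfsha1"}     # legacy integrity / PRF choices
WEAK_DHGRP = {"1", "2", "5"}               # 768/1024/1536-bit MODP groups

# FortiOS defaults assumed here for parameters the block does not set.
DEFAULTS = {"ike-version": ["1"], "mode": ["main"], "authmethod": ["psk"]}

# Constructed sample: one legacy tunnel, one hardened tunnel.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit "legacy-site"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
        set remote-gw 203.0.113.10
        set psksecret fortinet123
    next
    edit "hardened-site"
        set interface "wan1"
        set ike-version 2
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 20 14
        set remote-gw 203.0.113.20
        set psksecret 0x4a7d1ed414474e4033ac29ccb8653d9b6c9b7e1a2f3c4d5e6f708192a3b4c5d6
        set dpd on-idle
    next
end
"""


def parse_phase1(text):
    """Return {tunnel_name: {param: [values]}} from a phase1 config block."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+?)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).replace('"', "").split()
    return tunnels


def secret_bytes(value):
    """psksecret accepts ASCII or hex with a leading 0x, as the page states."""
    return bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode()


def audit_phase1(params):
    """Return a list of findings for one tunnel's parameters."""
    p = {**DEFAULTS, **params}
    findings = []
    for prop in p.get("proposal", []):
        enc, _, integ = prop.rpartition("-")      # e.g. aes128gcm-prfsha256
        if enc in WEAK_ENC or integ in WEAK_HASH:
            findings.append(f"weak proposal {prop}")
    for group in p.get("dhgrp", []):
        if group in WEAK_DHGRP:
            findings.append(f"weak DH group {group}")
    if p["ike-version"] == ["1"] and p["mode"] == ["aggressive"] and p["authmethod"] == ["psk"]:
        findings.append("IKEv1 aggressive mode with PSK: the PSK-derived hash travels "
                        "unencrypted and can be attacked offline")
    psk = p.get("psksecret", [""])[0]
    if psk and psk != "ENC" and len(secret_bytes(psk)) < 16:   # ENC = already-encrypted dump
        findings.append("psksecret shorter than 128 bits")
    return findings


def audit_config(text):
    """Findings per tunnel for a whole phase1 block."""
    return {name: audit_phase1(params) for name, params in parse_phase1(text).items()}


def generate_psk(nbytes=32):
    """Random PSK in the 0x-hex form the psksecret parameter accepts."""
    return "0x" + secrets.token_hex(nbytes)


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
    print("replacement PSK:", generate_psk())
```

Point it at the output of "show vpn ipsec phase1" on a running unit: there the psksecret appears as "ENC <blob>" and is skipped, so the key-length check only applies to plaintext configs you are about to load.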

eap

Enable/disable IKEv2 EAP authentication.

option

-

Option

Description

enable

Enable IKEv2 EAP authentication.

disable

Disable IKEv2 EAP authentication.

eap-identity

IKEv2 EAP peer identity type.

option

-

Option

Description

use-id-payload

Use IKEv2 IDi payload to resolve peer identity.

send-request

Use EAP identity request to resolve peer identity.

eap-exclude-peergrp

Peer group excluded from EAP authentication.

string

Maximum length: 35

acct-verify

Enable/disable verification of RADIUS accounting record.

option

-

Option

Description

enable

Enable verification of RADIUS accounting record.

disable

Disable verification of RADIUS accounting record.

ppk

Enable/disable IKEv2 Postquantum Preshared Key (PPK, RFC 8784): an extra shared secret mixed into the IKE SA keys so that a future break of the Diffie-Hellman exchange alone does not recover the session keys.

option

-

Option

Description

disable

Disable use of IKEv2 Postquantum Preshared Key (PPK).

allow

Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK). A peer that offers no PPK, or one this gateway does not know, still authenticates without it, so the tunnel can fall back to classic key agreement.

require

Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Maximum length: 35
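The ppk, ppk-secret and ppk-identity entries above say what to set but not what the PPK does. The following is an added example, not FortiOS code and not from this reference: it implements the RFC 8784 key mixing (SK_d, SK_pi and SK_pr replaced by prf+ over the PPK) and a small model of the disable/allow/require policy, so you can see why a peer without a PPK still connects under allow but not under require, and why a mismatched ppk-secret fails authentication. HMAC-SHA256 as the PRF, the IKE_SA_INIT keys, the identities and the secrets are all assumptions constructed for the example.

```python
"""IKEv2 Postquantum Preshared Key (PPK, RFC 8784) key mixing and policy model.

Added example for the ppk / ppk-secret / ppk-identity parameters; not FortiOS
code. Assumptions: HMAC-SHA256 is the negotiated PRF, and the IKE_SA_INIT keys
and secrets are constructed here.
"""
import hashlib
import hmac


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def secret_bytes(value):
    """ppk-secret is ASCII or hex with a leading 0x, as the page states."""
    return bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode()


def mix_ppk(ppk, sk_d, sk_pi, sk_pr):
    """RFC 8784: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi), SK_pr' = prf+(PPK, SK_pr).

    The encryption/integrity keys SK_e*/SK_a* of the IKE SA are not changed; the
    AUTH payloads (SK_p*) and every CHILD_SA key derived from SK_d are, so a peer
    with the wrong PPK fails authentication rather than silently diverging later."""
    return (prf_plus(ppk, sk_d, len(sk_d)),
            prf_plus(ppk, sk_pi, len(sk_pi)),
            prf_plus(ppk, sk_pr, len(sk_pr)))


def responder_decision(policy, ppk_store, peer_ppk_id):
    """Model the 'ppk' option on the responder side.

    policy: 'disable' | 'allow' | 'require'; ppk_store: {ppk-identity: ppk-secret};
    peer_ppk_id: PPK_IDENTITY the initiator sent, or None if it sent none.
    Returns (accept, ppk_bytes_or_None). Simplification: an unknown identity is
    handled like "no PPK offered"."""
    if policy == "disable":
        return True, None
    ppk = ppk_store.get(peer_ppk_id) if peer_ppk_id else None
    if ppk is None:
        return policy == "allow", None
    return True, secret_bytes(ppk)


def run_exchange(init_ppk_id, init_ppk_secret, responder_policy, responder_store):
    """Return 'authenticated', 'authenticated-without-ppk' or 'rejected'.

    Both sides start from the same IKE_SA_INIT keys (constructed)."""
    sk_d, sk_pi, sk_pr = (hashlib.sha256(x).digest() for x in (b"SK_d", b"SK_pi", b"SK_pr"))
    accept, resp_ppk = responder_decision(responder_policy, responder_store, init_ppk_id)
    if not accept:
        return "rejected"
    if resp_ppk is None:
        # Responder did not take up a PPK (disable, or allow with no match);
        # the initiator then authenticates with the unmixed keys.
        return "authenticated-without-ppk"
    init_keys = mix_ppk(secret_bytes(init_ppk_secret), sk_d, sk_pi, sk_pr)
    resp_keys = mix_ppk(resp_ppk, sk_d, sk_pi, sk_pr)
    return "authenticated" if init_keys == resp_keys else "rejected"


if __name__ == "__main__":
    store = {"site-a": "0x" + "ab" * 32}                     # constructed ppk-identity/secret
    print(run_exchange("site-a", "0x" + "ab" * 32, "require", store))   # authenticated
    print(run_exchange(None, None, "allow", store))                      # authenticated-without-ppk
    print(run_exchange(None, None, "require", store))                    # rejected
```

The allow case is the one to notice: a peer that sends no PPK_IDENTITY still authenticates, so require is the setting that actually enforces the post-quantum protection once every peer has a PPK configured.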

wizard-type

GUI VPN Wizard Type.

option

-

Option

Description

custom

Custom VPN configuration.

dialup-forticlient

Dial Up - FortiClient Windows, Mac and Android.

dialup-ios

Dial Up - iPhone / iPad Native IPsec Client.

dialup-android

Dial Up - Android Native IPsec Client.

dialup-windows

Dial Up - Windows Native IPsec Client.

dialup-cisco

Dial Up - Cisco IPsec Client.

static-fortigate

Site to Site - FortiGate.

dialup-fortigate

Dial Up - FortiGate.

static-cisco

Site to Site - Cisco.

dialup-cisco-fw

Dial Up - Cisco Firewall.

simplified-static-fortigate

Site to Site - FortiGate (SD-WAN).

hub-fortigate-auto-discovery

Hub role in a Hub-and-Spoke auto-discovery VPN.

spoke-fortigate-auto-discovery

Spoke role in a Hub-and-Spoke auto-discovery VPN.

xauthtype

XAuth type.

option

-

Option

Description

disable

Disable.

client

Enable as client.

pap

Enable as server PAP.

chap

Enable as server CHAP.

auto

Enable as server auto.

reauth

Enable/disable re-authentication upon IKE SA lifetime expiration.

option

-

Option

Description

disable

Disable IKE SA re-authentication.

enable

Enable IKE SA re-authentication.

authusr

XAuth user name.

string

Maximum length: 64

authpasswd

XAuth password (max 35 characters).

password

Not Specified

group-authentication

Enable/disable IKEv2 IDi group authentication.

option

-

Option

Description

enable

Enable IKEv2 IDi group authentication.

disable

Disable IKEv2 IDi group authentication.

group-authentication-secret

Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.)

password-3

Not Specified

authusrgrp

Authentication user group.

string

Maximum length: 35

mesh-selector-type

Add selectors containing subsets of the configuration depending on traffic.

option

-

Option

Description

disable

Disable.

subnet

Enable addition of matching subnet selector.

host

Enable addition of host to host selector.

idle-timeout

Enable/disable IPsec tunnel idle timeout.

option

-

Option

Description

enable

Enable IPsec tunnel idle timeout.

disable

Disable IPsec tunnel idle timeout.

idle-timeoutinterval

IPsec tunnel idle timeout in minutes.

integer

Minimum value: 5 Maximum value: 43200

ha-sync-esp-seqno

Enable/disable sequence number jump ahead for IPsec HA.

option

-

Option

Description

enable

Enable HA syncing of ESP sequence numbers.

disable

Disable HA syncing of ESP sequence numbers.

nattraversal

Enable/disable NAT traversal.

option

-

Option

Description

enable

Enable IPsec NAT traversal.

disable

Disable IPsec NAT traversal.

forced

Force IPsec NAT traversal on.

fragmentation-mtu

IKE fragmentation MTU.

integer

Minimum value: 500 Maximum value: 16000

childless-ike

Enable/disable childless IKEv2 initiation (RFC 6023).

option

-

Option

Description

enable

Enable childless IKEv2 initiation (RFC 6023).

disable

Disable childless IKEv2 initiation (RFC 6023).

rekey

Enable/disable phase1 rekey.

option

-

Option

Description

enable

Enable phase1 rekey.

disable

Disable phase1 rekey.

digital-signature-auth

Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

option

-

Option

Description

enable

Enable IKEv2 Digital Signature Authentication (RFC 7427).

disable

Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg

Digital Signature Authentication hash algorithms.

option

-

Option

Description

sha1

SHA1.

sha2-256

SHA2-256.

sha2-384

SHA2-384.

sha2-512

SHA2-512.

rsa-signature-format

Digital Signature Authentication RSA signature format. PSS is the modern scheme; PKCS#1 v1.5 remains for peers that do not support PSS.

option

-

Option

Description

pkcs1

RSASSA PKCS#1 v1.5.

pss

RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id

Enable/disable peer ID uniqueness check.

option

-

Option

Description

disable

Disable peer ID uniqueness enforcement.

keep-new

Enforce peer ID uniqueness, keep new connection if collision found.

keep-old

Enforce peer ID uniqueness, keep old connection if collision found.

cert-id-validation

Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

option

-

Option

Description

enable

Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

disable

Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

fec-egress

Enable/disable Forward Error Correction for egress IPsec traffic.

option

-

Option

Description

enable

Enable Forward Error Correction for egress IPsec traffic.

disable

Disable Forward Error Correction for egress IPsec traffic.

fec-send-timeout

Timeout in milliseconds before sending Forward Error Correction packets.

integer

Minimum value: 1 Maximum value: 1000

fec-base

Number of base (data) Forward Error Correction packets per block.

integer

Minimum value: 1 Maximum value: 100

fec-redundant

Number of redundant Forward Error Correction packets sent per block of base packets.

integer

Minimum value: 1 Maximum value: 100

fec-ingress

Enable/disable Forward Error Correction for ingress IPsec traffic.

option

-

Option

Description

enable

Enable Forward Error Correction for ingress IPsec traffic.

disable

Disable Forward Error Correction for ingress IPsec traffic.

fec-receive-timeout

Timeout in milliseconds before dropping Forward Error Correction packets.

integer

Minimum value: 1 Maximum value: 10000
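fec-base and fec-redundant describe a ratio, and fec-receive-timeout a deadline, without saying how a receiver uses them. The following is an added example, not FortiOS code; the page does not specify the FEC scheme FortiOS uses, so this takes the simplest instance, one XOR parity packet per block of fec-base packets, to show what the knobs trade: any single loss inside a block is rebuilt from the parity, two losses are not, and a packet arriving after the receive timeout is counted as lost rather than waited for. Payloads and arrival times are constructed.

```python
"""XOR-parity forward error correction over blocks of FEC_BASE packets.

Added illustration of fec-base / fec-redundant / fec-receive-timeout; not
FortiOS code. One parity packet (fec-redundant = 1) is the XOR of the block's
data packets, so the receiver can rebuild exactly one missing packet per block.
Payloads and arrival timestamps are constructed.
"""
FEC_BASE = 4                 # fec-base: data packets per block
FEC_REDUNDANT = 1            # fec-redundant: parity packets per block (XOR handles 1)
FEC_RECEIVE_TIMEOUT_MS = 50  # fec-receive-timeout: how long to hold an incomplete block
PARITY_INDEX = FEC_BASE      # position of the parity packet inside a block


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets):
    """Return the data packets followed by one XOR parity packet (equal lengths assumed)."""
    assert len(packets) == FEC_BASE and len({len(p) for p in packets}) == 1
    parity = bytes(len(packets[0]))
    for p in packets:
        parity = xor_bytes(parity, p)
    return list(packets) + [parity]


def decode_block(received):
    """received: {index: payload} for the packets of one block that arrived.

    Returns the FEC_BASE data packets, or None if more than FEC_REDUNDANT are missing."""
    missing = [i for i in range(PARITY_INDEX + 1) if i not in received]
    if len(missing) > FEC_REDUNDANT:
        return None
    if missing:
        # The XOR of every other packet in the block equals the missing one.
        acc = bytes(len(next(iter(received.values()))))
        for payload in received.values():
            acc = xor_bytes(acc, payload)
        received = {**received, missing[0]: acc}
    return [received[i] for i in range(FEC_BASE)]


def receive_block(arrivals):
    """arrivals: [(t_ms, index, payload)] in arrival order for one block.

    Decodes as soon as FEC_BASE of the FEC_BASE+1 packets are in. If the receive
    timeout, measured from the first packet, expires first, the data packets that
    did arrive are delivered (None marks a loss) instead of holding the block."""
    got, t0 = {}, None
    for t, idx, payload in arrivals:
        t0 = t if t0 is None else t0
        if t - t0 > FEC_RECEIVE_TIMEOUT_MS:
            break  # arrived after the block was flushed: counted as lost
        got[idx] = payload
        if len(got) == FEC_BASE:
            return decode_block(got), "complete"
    return [got.get(i) for i in range(FEC_BASE)], "partial"


if __name__ == "__main__":
    data = [bytes([i]) * 8 for i in range(FEC_BASE)]
    block = encode_block(data)
    # Packet 2 is lost on the path; the parity packet arrives 9 ms after the first.
    arrivals = [(0, 0, block[0]), (2, 1, block[1]), (5, 3, block[3]), (9, PARITY_INDEX, block[4])]
    print(receive_block(arrivals))
```

Raising fec-redundant in a real deployment buys tolerance for more than one loss per block at the cost of bandwidth; raising fec-receive-timeout buys more chances for late packets at the cost of latency on every incomplete block.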

network-overlay

Enable/disable network overlays.

option

-

Option

Description

disable

Disable network overlays.

enable

Enable network overlays.

network-id

VPN gateway network ID.

integer

Minimum value: 0 Maximum value: 255

* This parameter may not exist in some models.

config ipv4-exclude-range

Parameter

Description

Type

Size

start-ip

Start of IPv4 exclusive range.

ipv4-address

Not Specified

end-ip

End of IPv4 exclusive range.

ipv4-address

Not Specified

config ipv6-exclude-range

Parameter

Description

Type

Size

start-ip

Start of IPv6 exclusive range.

ipv6-address

Not Specified

end-ip

End of IPv6 exclusive range.

ipv6-address

Not Specified