CLI Reference

vpn ipsec phase2

Configure VPN autokey tunnel.

  config vpn ipsec phase2
      Description: Configure VPN autokey tunnel.
      edit <name>
          set phase1name {string}
          set dhcp-ipsec [enable|disable]
          set use-natip [enable|disable]
          set selector-match [exact|subset|...]
          set proposal {option1}, {option2}, ...
          set pfs [enable|disable]
          set ipv4-df [enable|disable]
          set dhgrp {option1}, {option2}, ...
          set replay [enable|disable]
          set keepalive [enable|disable]
          set auto-negotiate [enable|disable]
          set add-route [phase1|enable|...]
          set keylifeseconds {integer}
          set keylifekbs {integer}
          set keylife-type [seconds|kbs|...]
          set single-source [enable|disable]
          set route-overlap [use-old|use-new|...]
          set encapsulation [tunnel-mode|transport-mode]
          set l2tp [enable|disable]
          set comments {var-string}
          set initiator-ts-narrow [enable|disable]
          set diffserv [enable|disable]
          set diffservcode {user}
          set protocol {integer}
          set src-name {string}
          set src-name6 {string}
          set src-addr-type [subnet|range|...]
          set src-start-ip {ipv4-address-any}
          set src-start-ip6 {ipv6-address}
          set src-end-ip {ipv4-address-any}
          set src-end-ip6 {ipv6-address}
          set src-subnet {ipv4-classnet-any}
          set src-subnet6 {ipv6-prefix}
          set src-port {integer}
          set dst-name {string}
          set dst-name6 {string}
          set dst-addr-type [subnet|range|...]
          set dst-start-ip {ipv4-address-any}
          set dst-start-ip6 {ipv6-address}
          set dst-end-ip {ipv4-address-any}
          set dst-end-ip6 {ipv6-address}
          set dst-subnet {ipv4-classnet-any}
          set dst-subnet6 {ipv6-prefix}
          set dst-port {integer}

config vpn ipsec phase2

Parameter Name Description Type Size
phase1name Phase 1 determines the options required for phase 2. string Maximum length: 35
dhcp-ipsec Enable/disable DHCP-IPsec.
enable: Enable setting.
disable: Disable setting.
option -
use-natip Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
enable: Replace source selector with interface IP when using outbound NAT.
disable: Do not modify source selector when using outbound NAT.
option -
selector-match Match type to use when comparing selectors.
exact: Match selectors exactly.
subset: Match selectors by subset.
auto: Use subset or exact match depending on selector address type.
option -
proposal Phase2 proposal.
null-md5: null-md5
null-sha1: null-sha1
null-sha256: null-sha256
null-sha384: null-sha384
null-sha512: null-sha512
des-null: des-null
des-md5: des-md5
des-sha1: des-sha1
des-sha256: des-sha256
des-sha384: des-sha384
des-sha512: des-sha512
3des-null: 3des-null
3des-md5: 3des-md5
3des-sha1: 3des-sha1
3des-sha256: 3des-sha256
3des-sha384: 3des-sha384
3des-sha512: 3des-sha512
aes128-null: aes128-null
aes128-md5: aes128-md5
aes128-sha1: aes128-sha1
aes128-sha256: aes128-sha256
aes128-sha384: aes128-sha384
aes128-sha512: aes128-sha512
aes128gcm: aes128gcm
aes192-null: aes192-null
aes192-md5: aes192-md5
aes192-sha1: aes192-sha1
aes192-sha256: aes192-sha256
aes192-sha384: aes192-sha384
aes192-sha512: aes192-sha512
aes256-null: aes256-null
aes256-md5: aes256-md5
aes256-sha1: aes256-sha1
aes256-sha256: aes256-sha256
aes256-sha384: aes256-sha384
aes256-sha512: aes256-sha512
aes256gcm: aes256gcm
chacha20poly1305: chacha20poly1305
aria128-null: aria128-null
aria128-md5: aria128-md5
aria128-sha1: aria128-sha1
aria128-sha256: aria128-sha256
aria128-sha384: aria128-sha384
aria128-sha512: aria128-sha512
aria192-null: aria192-null
aria192-md5: aria192-md5
aria192-sha1: aria192-sha1
aria192-sha256: aria192-sha256
aria192-sha384: aria192-sha384
aria192-sha512: aria192-sha512
aria256-null: aria256-null
aria256-md5: aria256-md5
aria256-sha1: aria256-sha1
aria256-sha256: aria256-sha256
aria256-sha384: aria256-sha384
aria256-sha512: aria256-sha512
seed-null: seed-null
seed-md5: seed-md5
seed-sha1: seed-sha1
seed-sha256: seed-sha256
seed-sha384: seed-sha384
seed-sha512: seed-sha512
option -
pfs Enable/disable PFS feature.
enable: Enable setting.
disable: Disable setting.
option -
ipv4-df Enable/disable setting and resetting of IPv4 'Don't Fragment' bit.
enable: Set IPv4 DF.
disable: Reset IPv4 DF.
option -
dhgrp Phase2 DH group.
1: DH Group 1.
2: DH Group 2.
5: DH Group 5.
14: DH Group 14.
15: DH Group 15.
16: DH Group 16.
17: DH Group 17.
18: DH Group 18.
19: DH Group 19.
20: DH Group 20.
21: DH Group 21.
27: DH Group 27.
28: DH Group 28.
29: DH Group 29.
30: DH Group 30.
31: DH Group 31.
32: DH Group 32.
option -
replay Enable/disable replay detection.
enable: Enable setting.
disable: Disable setting.
option -
keepalive Enable/disable keep alive.
enable: Enable setting.
disable: Disable setting.
option -
auto-negotiate Enable/disable IPsec SA auto-negotiation.
enable: Enable setting.
disable: Disable setting.
option -
add-route Enable/disable automatic route addition.
phase1: Add route according to phase1 add-route setting.
enable: Add route for remote proxy ID.
disable: Do not add route for remote proxy ID.
option -
keylifeseconds Phase2 key life in time in seconds (120 - 172800). integer Minimum value: 120 Maximum value: 172800
keylifekbs Phase2 key life in number of bytes of traffic (5120 - 4294967295). integer Minimum value: 5120 Maximum value: 4294967295
keylife-type Keylife type.
seconds: Key life in seconds.
kbs: Key life in kilobytes.
both: Key life both.
option -
single-source Enable/disable single source IP restriction.
enable: Only single source IP will be accepted.
disable: Source IP range will be accepted.
option -
route-overlap Action for overlapping routes.
use-old: Use the old route and do not add the new route.
use-new: Delete the old route and add the new route.
allow: Allow overlapping routes.
option -
encapsulation ESP encapsulation mode.
tunnel-mode: Use tunnel mode encapsulation.
transport-mode: Use transport mode encapsulation.
option -
l2tp Enable/disable L2TP over IPsec.
enable: Enable L2TP over IPsec.
disable: Disable L2TP over IPsec.
option -
comments Comment. var-string Maximum length: 255
initiator-ts-narrow Enable/disable traffic selector narrowing for IKEv2 initiator.
enable: Enable setting.
disable: Disable setting.
option -
diffserv Enable/disable applying DSCP value to the IPsec tunnel outer IP header.
enable: Enable setting.
disable: Disable setting.
option -
diffservcode DSCP value to be applied to the IPsec tunnel outer IP header. user Not Specified
protocol Quick mode protocol selector (1 - 255 or 0 for all). integer Minimum value: 0 Maximum value: 255
src-name Local proxy ID name. string Maximum length: 79
src-name6 Local proxy ID name. string Maximum length: 79
src-addr-type Local proxy ID type.
subnet: IPv4 subnet.
range: IPv4 range.
ip: IPv4 IP.
name: IPv4 firewall address or group name.
option -
src-start-ip Local proxy ID start. ipv4-address-any Not Specified
src-start-ip6 Local proxy ID IPv6 start. ipv6-address Not Specified
src-end-ip Local proxy ID end. ipv4-address-any Not Specified
src-end-ip6 Local proxy ID IPv6 end. ipv6-address Not Specified
src-subnet Local proxy ID subnet. ipv4-classnet-any Not Specified
src-subnet6 Local proxy ID IPv6 subnet. ipv6-prefix Not Specified
src-port Quick mode source port (1 - 65535 or 0 for all). integer Minimum value: 0 Maximum value: 65535
dst-name Remote proxy ID name. string Maximum length: 79
dst-name6 Remote proxy ID name. string Maximum length: 79
dst-addr-type Remote proxy ID type.
subnet: IPv4 subnet.
range: IPv4 range.
ip: IPv4 IP.
name: IPv4 firewall address or group name.
option -
dst-start-ip Remote proxy ID IPv4 start. ipv4-address-any Not Specified
dst-start-ip6 Remote proxy ID IPv6 start. ipv6-address Not Specified
dst-end-ip Remote proxy ID IPv4 end. ipv4-address-any Not Specified
dst-end-ip6 Remote proxy ID IPv6 end. ipv6-address Not Specified
dst-subnet Remote proxy ID IPv4 subnet. ipv4-classnet-any Not Specified
dst-subnet6 Remote proxy ID IPv6 subnet. ipv6-prefix Not Specified
dst-port Quick mode destination port (1 - 65535 or 0 for all). integer Minimum value: 0 Maximum value: 65535
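
The option values documented above are the ones a reviewer checks when hardening a tunnel. As an added example, not Fortinet's code, the Python below parses a constructed `config vpn ipsec phase2` dump and flags each entry against an assumed baseline: null, DES or 3DES encryption, null, MD5 or SHA-1 integrity, `dhgrp` 1, 2 or 5, and an explicit `pfs` or `replay` disable. The baseline and the tunnel names are assumptions, not values from this page.

```python
import re

# Assumed hardening baseline (not Fortinet's): no null/DES/3DES encryption, no
# null/MD5/SHA-1 integrity, no MODP groups 1/2/5. AEAD names (aes256gcm) pass.
WEAK_ENC = {"null", "des", "3des"}
WEAK_AUTH = {"null", "md5", "sha1"}
WEAK_DHGRP = {"1", "2", "5"}

# Constructed sample dump in the page's 'config vpn ipsec phase2' syntax.
SAMPLE = """\
config vpn ipsec phase2
    edit "legacy-p2"
        set proposal 3des-sha1 aes128-md5
        set pfs disable
        set dhgrp 5 2
    next
    edit "hardened-p2"
        set proposal aes256gcm aes256-sha256
        set pfs enable
        set dhgrp 19 20
    next
end
"""

def parse_phase2(text):
    """Map each 'edit <name>' entry to its {option: [values]} settings."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"?([^"]+?)"?$', line):
            cur = tunnels.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"set\s+(\S+)\s+(.*)$", line)):
            cur[m.group(1)] = m.group(2).replace('"', "").split()
        elif line in ("next", "end"):
            cur = None
    return tunnels

def audit_tunnel(opts):
    """Return the findings for one phase2 entry (empty list when it passes)."""
    findings = []
    for prop in opts.get("proposal", []):
        enc, _, auth = prop.partition("-")  # 'aes256gcm' -> auth == ''
        if enc in WEAK_ENC or auth in WEAK_AUTH:
            findings.append(f"weak proposal {prop}")
    findings += [f"weak dhgrp {g}" for g in opts.get("dhgrp", []) if g in WEAK_DHGRP]
    for opt in ("pfs", "replay"):  # flag only an explicit disable
        if opts.get(opt) == ["disable"]:
            findings.append(f"{opt} disabled")
    return findings
```

Running `audit_tunnel` over each entry of `parse_phase2(SAMPLE)` reports the legacy tunnel's weak proposals, weak groups and disabled PFS while the hardened one comes back clean.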