config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface

Description: Configure VPN remote gateway.

edit <name>

set type [static|dynamic|...]

set interface {string}

set ip-version [4|6]

set ike-version [1|2]

set local-gw {ipv4-address}

set local-gw6 {ipv6-address}

set remote-gw {ipv4-address}

set remote-gw6 {ipv6-address}

set remotegw-ddns {string}

set keylife {integer}

set certificate <name1>, <name2>, ...

set authmethod [psk|signature]

set authmethod-remote [psk|signature]

set mode [aggressive|main]

set peertype [any|one|...]

set peerid {string}

set default-gw {ipv4-address}

set default-gw-priority {integer}

set usrgrp {string}

set peer {string}

set peergrp {string}

set monitor {string}

set monitor-hold-down-type [immediate|delay|...]

set monitor-hold-down-delay {integer}

set monitor-hold-down-weekday [everyday|sunday|...]

set monitor-hold-down-time {user}

set net-device [enable|disable]

set passive-mode [enable|disable]

set exchange-interface-ip [enable|disable]

set exchange-ip-addr4 {ipv4-address}

set exchange-ip-addr6 {ipv6-address}

set aggregate-member [enable|disable]

set aggregate-weight {integer}

set mode-cfg [disable|enable]

set mode-cfg-allow-client-selector [disable|enable]

set assign-ip [disable|enable]

set assign-ip-from [range|usrgrp|...]

set ipv4-start-ip {ipv4-address}

set ipv4-end-ip {ipv4-address}

set ipv4-netmask {ipv4-netmask}

set dhcp-ra-giaddr {ipv4-address}

set dhcp6-ra-linkaddr {ipv6-address}

set dns-mode [manual|auto]

set ipv4-dns-server1 {ipv4-address}

set ipv4-dns-server2 {ipv4-address}

set ipv4-dns-server3 {ipv4-address}

set ipv4-wins-server1 {ipv4-address}

set ipv4-wins-server2 {ipv4-address}

config ipv4-exclude-range

Description: Configuration method IPv4 exclude ranges.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

set ipv4-split-include {string}

set split-include-service {string}

set ipv4-name {string}

set ipv6-start-ip {ipv6-address}

set ipv6-end-ip {ipv6-address}

set ipv6-prefix {integer}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-dns-server3 {ipv6-address}

config ipv6-exclude-range

Description: Configuration method IPv6 exclude ranges.

edit <id>

set start-ip {ipv6-address}

set end-ip {ipv6-address}

next

end

set ipv6-split-include {string}

set ipv6-name {string}

set ip-delay-interval {integer}

set unity-support [disable|enable]

set domain {string}

set banner {var-string}

set include-local-lan [disable|enable]

set ipv4-split-exclude {string}

set ipv6-split-exclude {string}

set save-password [disable|enable]

set client-auto-negotiate [disable|enable]

set client-keep-alive [disable|enable]

set backup-gateway <address1>, <address2>, ...

set proposal {option1}, {option2}, ...

set add-route [disable|enable]

set add-gw-route [enable|disable]

set psksecret {password-3}

set psksecret-remote {password-3}

set keepalive {integer}

set distance {integer}

set priority {integer}

set localid {string}

set localid-type [auto|fqdn|...]

set auto-negotiate [enable|disable]

set negotiate-timeout {integer}

set fragmentation [enable|disable]

set ip-fragmentation [pre-encapsulation|post-encapsulation]

set dpd [disable|on-idle|...]

set dpd-retrycount {integer}

set dpd-retryinterval {user}

set forticlient-enforcement [enable|disable]

set comments {var-string}

set npu-offload [enable|disable]

set send-cert-chain [enable|disable]

set dhgrp {option1}, {option2}, ...

set suite-b [disable|suite-b-gcm-128|...]

set eap [enable|disable]

set eap-identity [use-id-payload|send-request]

set eap-exclude-peergrp {string}

set acct-verify [enable|disable]

set ppk [disable|allow|...]

set ppk-secret {password-3}

set ppk-identity {string}

set wizard-type [custom|dialup-forticlient|...]

set xauthtype [disable|client|...]

set reauth [disable|enable]

set authusr {string}

set authpasswd {password}

set group-authentication [enable|disable]

set group-authentication-secret {password-3}

set authusrgrp {string}

set mesh-selector-type [disable|subnet|...]

set idle-timeout [enable|disable]

set idle-timeoutinterval {integer}

set ha-sync-esp-seqno [enable|disable]

set auto-discovery-sender [enable|disable]

set auto-discovery-receiver [enable|disable]

set auto-discovery-forwarder [enable|disable]

set auto-discovery-psk [enable|disable]

set auto-discovery-shortcuts [independent|dependent]

set auto-discovery-offer-interval {integer}

set encapsulation [none|gre|...]

set encapsulation-address [ike|ipv4|...]

set encap-local-gw4 {ipv4-address}

set encap-local-gw6 {ipv6-address}

set encap-remote-gw4 {ipv4-address}

set encap-remote-gw6 {ipv6-address}

set vni {integer}

set nattraversal [enable|disable|...]

set esn [require|allow|...]

set fragmentation-mtu {integer}

set childless-ike [enable|disable]

set rekey [enable|disable]

set digital-signature-auth [enable|disable]

set signature-hash-alg {option1}, {option2}, ...

set rsa-signature-format [pkcs1|pss]

set enforce-unique-id [disable|keep-new|...]

set cert-id-validation [enable|disable]

set fec-egress [enable|disable]

set fec-send-timeout {integer}

set fec-base {integer}

set fec-codec [rs|xor]

set fec-redundant {integer}

set fec-ingress [enable|disable]

set fec-receive-timeout {integer}

set fec-health-check {string}

set fec-mapping-profile {string}

set network-overlay [disable|enable]

set network-id {integer}

set loopback-asymroute [enable|disable]

next

end

config vpn ipsec phase1-interface

Parameter

Description

Type

Size

Default

type

Remote gateway type.

option

-

static

Option

Description

static

Remote VPN gateway has fixed IP address.

dynamic

Remote VPN gateway has dynamic IP address.

ddns

Remote VPN gateway has dynamic IP address and is a dynamic DNS client.

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ip-version

IP version to use for VPN interface.

option

-

4

Option

Description

4

Use IPv4 addressing for gateways.

6

Use IPv6 addressing for gateways.

ike-version

IKE protocol version.

option

-

1

Option

Description

1

Use IKEv1 protocol.

2

Use IKEv2 protocol.

local-gw

IPv4 address of the local gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

local-gw6

IPv6 address of the local gateway's external interface.

ipv6-address

Not Specified

::

remote-gw

IPv4 address of the remote gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

remote-gw6

IPv6 address of the remote gateway's external interface.

ipv6-address

Not Specified

::

remotegw-ddns

Domain name of remote gateway. For example, name.ddns.com.

string

Maximum length: 63

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

86400

certificate <name>

The names of up to 4 signed personal certificates.

Certificate name.

string

Maximum length: 79

authmethod

Authentication method.

option

-

psk

Option

Description

psk

PSK authentication method.

signature

Signature authentication method.

authmethod-remote

Authentication method (remote side).

option

-

Option

Description

psk

PSK authentication method.

signature

Signature authentication method.

mode

The ID protection mode used to establish a secure channel.

option

-

main

Option

Description

aggressive

Aggressive mode.

main

Main mode.

peertype

Accept this peer type.

option

-

peer

Option

Description

any

Accept any peer ID.

one

Accept this peer ID.

dialup

Accept peer ID in dialup group.

peer

Accept this peer certificate.

peergrp

Accept this peer certificate group.

peerid

Accept this peer identity.

string

Maximum length: 255

default-gw

IPv4 address of default route gateway to use for traffic exiting the interface.

ipv4-address

Not Specified

0.0.0.0

default-gw-priority

Priority for default gateway route. A higher priority number signifies a less preferred route.

integer

Minimum value: 0 Maximum value: 4294967295

0

usrgrp

User group name for dialup peers.

string

Maximum length: 35

peer

Accept this peer certificate.

string

Maximum length: 35

peergrp

Accept this peer certificate group.

string

Maximum length: 35

monitor

IPsec interface as backup for primary interface.

string

Maximum length: 35

monitor-hold-down-type

Recovery time method when primary interface re-establishes.

option

-

immediate

Option

Description

immediate

Fail back immediately after primary recovers.

delay

Number of seconds to delay fail back after primary recovers.

time

Specify a time at which to fail back after primary recovers.

monitor-hold-down-delay

Time to wait in seconds before recovery once primary re-establishes.

integer

Minimum value: 0 Maximum value: 31536000

0

monitor-hold-down-weekday

Day of the week to recover once primary re-establishes.

option

-

sunday

Option

Description

everyday

Every Day.

sunday

Sunday.

monday

Monday.

tuesday

Tuesday.

wednesday

Wednesday.

thursday

Thursday.

friday

Friday.

saturday

Saturday.

monitor-hold-down-time

Time of day at which to fail back to primary after it re-establishes.

user

Not Specified

net-device

Enable/disable kernel device creation.

option

-

disable

Option

Description

enable

Create a kernel device for every tunnel.

disable

Do not create a kernel device for tunnels.

passive-mode

Enable/disable IPsec passive mode for static tunnels.

option

-

disable

Option

Description

enable

Enable IPsec passive mode.

disable

Disable IPsec passive mode.

exchange-interface-ip

Enable/disable exchange of IPsec interface IP address.

option

-

disable

Option

Description

enable

Enable exchange of IPsec interface IP address.

disable

Disable exchange of IPsec interface IP address.

exchange-ip-addr4

IPv4 address to exchange with peers.

ipv4-address

Not Specified

0.0.0.0

exchange-ip-addr6

IPv6 address to exchange with peers.

ipv6-address

Not Specified

::

aggregate-member

Enable/disable use as an aggregate member.

option

-

disable

Option

Description

enable

Enable use as an aggregate member.

disable

Disable use as an aggregate member.

aggregate-weight

Link weight for aggregate.

integer

Minimum value: 1 Maximum value: 100

1

mode-cfg

Enable/disable configuration method.

option

-

disable

Option

Description

disable

Disable Configuration Method.

enable

Enable Configuration Method.

mode-cfg-allow-client-selector

Enable/disable allowing the mode-cfg client to use custom phase 2 selectors.

option

-

disable

Option

Description

disable

The mode-cfg client uses wildcard selectors.

enable

The mode-cfg client uses custom selectors.

assign-ip

Enable/disable assignment of IP to IPsec interface via configuration method.

option

-

enable

Option

Description

disable

Do not assign an IP address to the IPsec interface.

enable

Assign an IP address to the IPsec interface.

assign-ip-from

Method by which the IP address will be assigned.

option

-

range

Option

Description

range

Assign IP address from locally defined range.

usrgrp

Assign IP address via user group.

dhcp

Assign IP address via DHCP.

name

Assign IP address from firewall address or group.

ipv4-start-ip

Start of IPv4 range.

ipv4-address

Not Specified

0.0.0.0

ipv4-end-ip

End of IPv4 range.

ipv4-address

Not Specified

0.0.0.0

ipv4-netmask

IPv4 Netmask.

ipv4-netmask

Not Specified

255.255.255.255

dhcp-ra-giaddr

Relay agent gateway IP address to use in the giaddr field of DHCP requests.

ipv4-address

Not Specified

0.0.0.0

dhcp6-ra-linkaddr

Relay agent IPv6 link address to use in DHCP6 requests.

ipv6-address

Not Specified

::

dns-mode

DNS server mode.

option

-

manual

Option

Description

manual

Manually configure DNS servers.

auto

Use default DNS servers.

ipv4-dns-server1

IPv4 DNS server 1.

ipv4-address

Not Specified

0.0.0.0

ipv4-dns-server2

IPv4 DNS server 2.

ipv4-address

Not Specified

0.0.0.0

ipv4-dns-server3

IPv4 DNS server 3.

ipv4-address

Not Specified

0.0.0.0

ipv4-wins-server1

WINS server 1.

ipv4-address

Not Specified

0.0.0.0

ipv4-wins-server2

WINS server 2.

ipv4-address

Not Specified

0.0.0.0

ipv4-split-include

IPv4 split-include subnets.

string

Maximum length: 79

split-include-service

Split-include services.

string

Maximum length: 79

ipv4-name

IPv4 address name.

string

Maximum length: 79

ipv6-start-ip

Start of IPv6 range.

ipv6-address

Not Specified

::

ipv6-end-ip

End of IPv6 range.

ipv6-address

Not Specified

::

ipv6-prefix

IPv6 prefix.

integer

Minimum value: 1 Maximum value: 128

128

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::

ipv6-dns-server3

IPv6 DNS server 3.

ipv6-address

Not Specified

::

ipv6-split-include

IPv6 split-include subnets.

string

Maximum length: 79

ipv6-name

IPv6 address name.

string

Maximum length: 79

ip-delay-interval

IP address reuse delay interval in seconds.

integer

Minimum value: 0 Maximum value: 28800

0

unity-support

Enable/disable support for Cisco UNITY Configuration Method extensions.

option

-

enable

Option

Description

disable

Disable Cisco Unity Configuration Method Extensions.

enable

Enable Cisco Unity Configuration Method Extensions.

domain

Instruct Unity clients about the single default DNS domain.

string

Maximum length: 63

banner

Message that the Unity client should display after connecting.

var-string

Maximum length: 1024

include-local-lan

Enable/disable allowing local LAN access on Unity clients.

option

-

disable

Option

Description

disable

Disable local LAN access on Unity clients.

enable

Enable local LAN access on Unity clients.

ipv4-split-exclude

IPv4 subnets that should not be sent over the IPsec tunnel.

string

Maximum length: 79

ipv6-split-exclude

IPv6 subnets that should not be sent over the IPsec tunnel.

string

Maximum length: 79

save-password

Enable/disable saving XAuth username and password on VPN clients.

option

-

disable

Option

Description

disable

Disable saving XAuth username and password on VPN clients.

enable

Enable saving XAuth username and password on VPN clients.

client-auto-negotiate

Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.

option

-

disable

Option

Description

disable

Disable allowing the VPN client to bring up the tunnel when there is no traffic.

enable

Enable allowing the VPN client to bring up the tunnel when there is no traffic.

client-keep-alive