CLI Reference

config vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2
    Description: Configure VPN autokey tunnel.
    edit <name>
        set add-route [phase1|enable|...]
        set auto-negotiate [enable|disable]
        set comments {var-string}
        set dhcp-ipsec [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set diffserv [enable|disable]
        set diffservcode {user}
        set dst-addr-type [subnet|range|...]
        set dst-end-ip {ipv4-address-any}
        set dst-end-ip6 {ipv6-address}
        set dst-name {string}
        set dst-name6 {string}
        set dst-port {integer}
        set dst-start-ip {ipv4-address-any}
        set dst-start-ip6 {ipv6-address}
        set dst-subnet {ipv4-classnet-any}
        set dst-subnet6 {ipv6-prefix}
        set encapsulation [tunnel-mode|transport-mode]
        set inbound-dscp-copy [phase1|enable|...]
        set initiator-ts-narrow [enable|disable]
        set ipv4-df [enable|disable]
        set keepalive [enable|disable]
        set keylife-type [seconds|kbs|...]
        set keylifekbs {integer}
        set keylifeseconds {integer}
        set l2tp [enable|disable]
        set pfs [enable|disable]
        set phase1name {string}
        set proposal {option1}, {option2}, ...
        set protocol {integer}
        set replay [enable|disable]
        set route-overlap [use-old|use-new|...]
        set selector-match [exact|subset|...]
        set single-source [enable|disable]
        set src-addr-type [subnet|range|...]
        set src-end-ip {ipv4-address-any}
        set src-end-ip6 {ipv6-address}
        set src-name {string}
        set src-name6 {string}
        set src-port {integer}
        set src-start-ip {ipv4-address-any}
        set src-start-ip6 {ipv6-address}
        set src-subnet {ipv4-classnet-any}
        set src-subnet6 {ipv6-prefix}
        set use-natip [enable|disable]
    next
end

config vpn ipsec phase2

Parameter / Description / Type / Size / Default

add-route
    Enable/disable automatic route addition.
    Type: option   Size: -   Default: phase1
    Options:
        phase1    Add route according to the phase1 add-route setting.
        enable    Add route for remote proxy ID.
        disable   Do not add route for remote proxy ID.

auto-negotiate
    Enable/disable IPsec SA auto-negotiation.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable setting.
        disable   Disable setting.

comments
    Comment.
    Type: var-string   Size: Maximum length: 255

dhcp-ipsec
    Enable/disable DHCP-IPsec.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable setting.
        disable   Disable setting.

dhgrp
    Phase2 DH group.
    Type: option   Size: -   Default: 14
    Options (each value n selects "DH Group n"):
        1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32

diffserv
    Enable/disable applying a DSCP value to the IPsec tunnel outer IP header.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable setting.
        disable   Disable setting.

diffservcode
    DSCP value to be applied to the IPsec tunnel outer IP header.
    Type: user   Size: Not Specified

dst-addr-type
    Remote proxy ID type.
    Type: option   Size: -   Default: subnet
    Options:
        subnet    IPv4 subnet.
        range     IPv4 range.
        ip        IPv4 IP.
        name      IPv4 firewall address or group name.

dst-end-ip
    Remote proxy ID IPv4 end.
    Type: ipv4-address-any   Size: Not Specified   Default: 0.0.0.0

dst-end-ip6
    Remote proxy ID IPv6 end.
    Type: ipv6-address   Size: Not Specified   Default: ::

dst-name
    Remote proxy ID name.
    Type: string   Size: Maximum length: 79

dst-name6
    Remote proxy ID name.
    Type: string   Size: Maximum length: 79

dst-port
    Quick mode destination port.
    Type: integer   Size: Minimum value: 0, Maximum value: 65535   Default: 0

dst-start-ip
    Remote proxy ID IPv4 start.
    Type: ipv4-address-any   Size: Not Specified   Default: 0.0.0.0

dst-start-ip6
    Remote proxy ID IPv6 start.
    Type: ipv6-address   Size: Not Specified   Default: ::

dst-subnet
    Remote proxy ID IPv4 subnet.
    Type: ipv4-classnet-any   Size: Not Specified   Default: 0.0.0.0 0.0.0.0

dst-subnet6
    Remote proxy ID IPv6 subnet.
    Type: ipv6-prefix   Size: Not Specified   Default: ::/0

encapsulation
    ESP encapsulation mode.
    Type: option   Size: -   Default: tunnel-mode
    Options:
        tunnel-mode      Use tunnel mode encapsulation.
        transport-mode   Use transport mode encapsulation.

inbound-dscp-copy
    Enable/disable copying the DSCP value in the ESP header to the inner IP header.
    Type: option   Size: -   Default: phase1
    Options:
        phase1    Copy the DSCP value in the ESP header to the inner IP header according to the phase1 inbound-dscp-copy setting.
        enable    Copy the DSCP value in the ESP header to the inner IP header.
        disable   Do not copy the DSCP value in the ESP header to the inner IP header.

initiator-ts-narrow
    Enable/disable traffic selector narrowing for the IKEv2 initiator.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable setting.
        disable   Disable setting.

ipv4-df
    Enable/disable setting and resetting of the IPv4 'Don't Fragment' bit.
    Type: option   Size: -   Default: disable
    Options:
        enable    Set IPv4 DF the same as the original packet.
        disable   Reset IPv4 DF.

keepalive
    Enable/disable keepalive.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable setting.
        disable   Disable setting.

keylife-type
    Keylife type.
    Type: option   Size: -   Default: seconds
    Options:
        seconds   Key life in seconds.
        kbs       Key life in kilobytes.
        both      Key life in both seconds and kilobytes.

keylifekbs
    Phase2 key life in number of kilobytes of traffic.
    Type: integer   Size: Minimum value: 5120, Maximum value: 4294967295   Default: 5120

keylifeseconds
    Phase2 key life in seconds.
    Type: integer   Size: Minimum value: 120, Maximum value: 172800   Default: 43200

l2tp
    Enable/disable L2TP over IPsec.
    Type: option   Size: -   Default: disable
    Options:
        enable    Enable L2TP over IPsec.
        disable   Disable L2TP over IPsec.

name
    IPsec tunnel name.
    Type: string   Size: Maximum length: 35

pfs
    Enable/disable the PFS (perfect forward secrecy) feature.
    Type: option   Size: -   Default: enable
    Options:
        enable    Enable setting.
        disable   Disable setting.

phase1name
    Phase 1 determines the options required for phase 2.
    Type: string   Size: Maximum length: 35

proposal
    Phase2 proposal.
    Type: option   Size: -
    Options (the description of each option is identical to its name):
        null-md5, null-sha1, null-sha256, null-sha384, null-sha512
        des-null, des-md5, des-sha1, des-sha256, des-sha384, des-sha512
        3des-null, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512
        aes128-null, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm
        aes192-null, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
        aes256-null, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm
        chacha20poly1305
        aria128-null, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512
        aria192-null, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512
        aria256-null, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512
        seed-null, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512

protocol
    Quick mode protocol selector.
    Type: integer   Size: Minimum value: 0, Maximum value: 255   Default: 0

replay
    Enable/disable replay detection.
    Type: option   Size: -   Default: enable
    Options:
        enable    Enable setting.
        disable   Disable setting.

route-overlap
    Action for overlapping routes.
    Type: option   Size: -   Default: use-new
    Options:
        use-old   Use the old route and do not add the new route.
        use-new   Delete the old route and add the new route.
        allow     Allow overlapping routes.

selector-match
    Match type to use when comparing selectors.
    Type: option   Size: -   Default: auto
    Options:
        exact     Match selectors exactly.
        subset    Match selectors by subset.
        auto      Use subset or exact match depending on the selector address type.

single-source
    Enable/disable single source IP restriction.
    Type: option   Size: -   Default: disable
    Options:
        enable    Only a single source IP will be accepted.
        disable   A source IP range will be accepted.

src-addr-type
    Local proxy ID type.
    Type: option   Size: -   Default: subnet
    Options:
        subnet    IPv4 subnet.
        range     IPv4 range.
        ip        IPv4 IP.
        name      IPv4 firewall address or group name.

src-end-ip
    Local proxy ID end.
    Type: ipv4-address-any   Size: Not Specified   Default: 0.0.0.0

src-end-ip6
    Local proxy ID IPv6 end.
    Type: ipv6-address   Size: Not Specified   Default: ::

src-name
    Local proxy ID name.
    Type: string   Size: Maximum length: 79

src-name6
    Local proxy ID name.
    Type: string   Size: Maximum length: 79

src-port
    Quick mode source port.
    Type: integer   Size: Minimum value: 0, Maximum value: 65535   Default: 0

src-start-ip
    Local proxy ID start.
    Type: ipv4-address-any   Size: Not Specified   Default: 0.0.0.0

src-start-ip6
    Local proxy ID IPv6 start.
    Type: ipv6-address   Size: Not Specified   Default: ::

src-subnet
    Local proxy ID subnet.
    Type: ipv4-classnet-any   Size: Not Specified   Default: 0.0.0.0 0.0.0.0

src-subnet6
    Local proxy ID IPv6 subnet.
    Type: ipv6-prefix   Size: Not Specified   Default: ::/0

use-natip
    Enable to use the FortiGate public IP as the source selector when outbound NAT is used.
    Type: option   Size: -   Default: enable
    Options:
        enable    Replace the source selector with the interface IP when using outbound NAT.
        disable   Do not modify the source selector when using outbound NAT.
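As an added example (not part of the Fortinet reference), a small Python audit that parses a `config vpn ipsec phase2` dump and flags the entries a hardened tunnel should avoid among the values the table above lists: proposals built on null, DES, 3DES, MD5 or SHA1, PFS or replay detection disabled, and sub-2048-bit DH groups (1, 2, 5) offered with PFS. The tunnel names and settings in SAMPLE are constructed, unset parameters are assumed to take the table's defaults, and multi-value parameters are assumed to be entered space-separated as on the CLI (commas are also accepted).

```python
import re

DEFAULTS = {"pfs": "enable", "replay": "enable", "dhgrp": ["14"], "proposal": []}  # from the table above
WEAK_CIPHERS = {"null", "des", "3des"}   # 'null' = no encryption; DES/3DES are obsolete
WEAK_HASHES = {"null", "md5", "sha1"}    # 'null' = no integrity check
WEAK_DH = {"1", "2", "5"}                # MODP groups below 2048 bits

def parse_phase2(text):
    """Return {tunnel_name: {param: value}} from a phase2 dump; dhgrp/proposal become lists."""
    tunnels, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r'edit\s+"?(.+?)"?$', line)):
            cur = m.group(1)
            tunnels[cur] = {k: list(v) if isinstance(v, list) else v for k, v in DEFAULTS.items()}
        elif line == "next":
            cur = None
        elif cur and (m := re.match(r"set\s+(\S+)\s+(.+)$", line)):
            key, val = m.group(1), m.group(2).strip()
            tunnels[cur][key] = re.split(r"[\s,]+", val) if key in ("dhgrp", "proposal") else val.strip('"')
    return tunnels

def weak_proposal_reasons(proposal):
    """Explain why one proposal such as '3des-sha1' is weak; AEAD names (aes256gcm) yield nothing."""
    enc, _, integ = proposal.partition("-")
    reasons = []
    if enc in WEAK_CIPHERS:
        reasons.append(f"{proposal}: cipher '{enc}' is obsolete or gives no confidentiality")
    if integ in WEAK_HASHES:
        reasons.append(f"{proposal}: integrity '{integ}' is weak or absent")
    return reasons

def audit_tunnel(cfg):  # findings for one parsed phase2 entry
    findings = [r for p in cfg["proposal"] for r in weak_proposal_reasons(p)]
    if cfg["pfs"] != "enable":
        findings.append("pfs disabled: phase2 keys derive only from the phase1 secret")
    elif set(cfg["dhgrp"]) & WEAK_DH:
        findings.append(f"dhgrp {sorted(set(cfg['dhgrp']) & WEAK_DH)}: sub-2048-bit MODP group offered")
    if cfg["replay"] != "enable":
        findings.append("replay detection disabled")
    return findings

def audit(text):
    return {name: audit_tunnel(cfg) for name, cfg in parse_phase2(text).items()}

# Constructed sample (not a real device config): a legacy tunnel beside a hardened one.
SAMPLE = """\
config vpn ipsec phase2
    edit "legacy-p2"
        set proposal 3des-sha1 aes128-md5
        set pfs disable
        set replay disable
    next
    edit "hardened-p2"
        set proposal aes256gcm aes256-sha256
        set dhgrp 20 19
    next
end
"""
```

Running `audit(SAMPLE)` returns five findings for legacy-p2 and an empty list for hardened-p2; the same function can be pointed at the output of `show vpn ipsec phase2` captured from a device.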
