
SD-WAN Orchestrator 6.4.1 r7 Administration Guide


config vpn ipsec phase1-interface

Configure VPN remote gateway.

ID generated by SD-WAN Orchestrator MEA:
  • Change the IPsec tunnel name on edge devices.
  • The general rule is <port_name> + <hub_role_indicator> + <peer_port_name>
  • To keep the tunnel name within 15 characters, the components of the general rule are simplified as follows:
    • If the port is a physical interface, port_name is composed of the first letter and the number of the interface name. For example, if the interface is port1, port_name is p1.
    • If the port is a VLAN interface, port_name is composed of the abbreviated physical port name and the VLAN ID. For example, if the VLAN interface is configured on port2 and the VLAN ID is 1500, port_name is p2v1500.
    • If the port is an aggregate interface, port_name is composed of the prefix a_ and the last three letters of the interface name. For example, if the interface is agg_test, port_name is a_est.
    • If the hub is a primary hub, hub_role_indicator is H1. If the hub is a secondary hub, hub_role_indicator is H2.
    • If the length of the new tunnel name exceeds 15 characters, the previous numerical tunnel name is used, which is the method used in SD-WAN Orchestrator MEA 7.0.0.r1 and earlier.
  • The previous numerical tunnel name will be recorded in the comment of the phase1/phase2 configuration.
  • If the IPsec tunnel name is numerical, it starts from 1,000,000.
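
The naming rule above, written out as an added Python example (not Fortinet code) that can be used to predict or audit tunnel names in exported configurations. It assumes the three components are concatenated without a separator, that peer_port_name is abbreviated the same way as port_name, and that the caller supplies the numerical name; Port, port_name() and tunnel_name() are hypothetical names.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_LEN = 15               # tunnel-name limit stated in the guide
NUMERIC_START = 1_000_000  # numerical tunnel names start here

@dataclass(frozen=True)
class Port:                # hypothetical container for this example
    name: str
    kind: str              # "physical", "vlan" or "aggregate"
    parent: Optional[str] = None   # physical port carrying a VLAN interface
    vlan_id: Optional[int] = None

def _physical(name: str) -> str:
    """First letter plus the interface number: port1 -> p1."""
    m = re.fullmatch(r"([A-Za-z])[A-Za-z_-]*(\d+)", name)
    if not m:
        raise ValueError(f"no letter+number form for {name!r}")
    return m.group(1) + m.group(2)

def port_name(port: Port) -> str:
    if port.kind == "physical":
        return _physical(port.name)
    if port.kind == "vlan":
        if port.parent is None or port.vlan_id is None:
            raise ValueError("VLAN port needs parent and vlan_id")
        return f"{_physical(port.parent)}v{port.vlan_id}"
    if port.kind == "aggregate":
        return "a_" + port.name[-3:]
    raise ValueError(f"unknown port kind {port.kind!r}")

def tunnel_name(local: Port, hub_role: str, peer: Port, numeric_id: int) -> str:
    """Return the composed name, or the numerical name if it exceeds 15 chars."""
    indicator = {"primary": "H1", "secondary": "H2"}[hub_role]
    candidate = port_name(local) + indicator + port_name(peer)
    if len(candidate) <= MAX_LEN:
        return candidate
    if numeric_id < NUMERIC_START:
        raise ValueError("numerical tunnel names start from 1,000,000")
    return str(numeric_id)

# Constructed sample ports, using the interface names from the guide's examples.
p1 = Port("port1", "physical")
vlan = Port("vl1500", "vlan", parent="port2", vlan_id=1500)
agg = Port("agg_test", "aggregate")
print(tunnel_name(p1, "primary", agg, 1_000_000))
print(tunnel_name(vlan, "secondary", vlan, 1_000_007))
```
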
Attributes managed by SD-WAN Orchestrator MEA:

[ type, interface, psksecret, remote-gw, peertype, localid, peerid, comments, auto-discovery-sender, auto-discovery-forwarder, auto-discovery-receiver, net-device, add-route, tunnel-search, exchange-interface-ip, ike-version, network-overlay, network-id ]

Attributes initialized but not managed by SD-WAN Orchestrator MEA:

[ dhgrp, dpd, keylife, proposal, idle-timeout ]
