Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiProxy 7.2.4 CLI Reference
    7.2.4
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.19
    7.0.18
    7.0.17
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    2.0.13
    2.0.12
    2.0.0
    1.2.4

    config vpn ipsec phase1-interface

    config vpn ipsec phase1-interface

    Configure VPN remote gateway.

    config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set inbound-dscp-copy [enable|disable]
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set auto-discovery-shortcuts [independent|dependent]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set network-overlay [disable|enable]
        set network-id {integer}
        set loopback-asymroute [enable|disable]
    next
end

    config vpn ipsec phase1-interface

    Parameter

    Description

    Type

    Size

    Default

    interface

    Local physical, aggregate, or VLAN outgoing interface.

    string

    Maximum length: 35

    ike-version

    IKE protocol version.

    option

    -

    1

    Option

    Description

    1

    Use IKEv1 protocol.

    2

    Use IKEv2 protocol.

    local-gw

    IPv4 address of the local gateway's external interface.

    ipv4-address

    Not Specified

    0.0.0.0

    remote-gw

    IPv4 address of the remote gateway's external interface.

    ipv4-address

    Not Specified

    0.0.0.0

    keylife

    Time to wait in seconds before phase 1 encryption key expires.

    integer

    Minimum value: 120 Maximum value: 172800

    86400

    certificate <name>

    The names of up to 4 signed personal certificates.

    Certificate name.

    string

    Maximum length: 79

    authmethod

    Authentication method.

    option

    -

    psk

    Option

    Description

    psk

    PSK authentication method.

    signature

    Signature authentication method.

    mode

    The ID protection mode used to establish a secure channel.

    option

    -

    main

    Option

    Description

    aggressive

    Aggressive mode.

    main

    Main mode.

    peertype

    Accept this peer type.

    option

    -

    Option

    Description

    any

    Accept any peer ID.

    peerid

    Accept this peer identity.

    string

    Maximum length: 255

    peer

    Accept this peer certificate.

    string

    Maximum length: 35

    proposal

    Phase1 proposal.

    option

    -

    Option

    Description

    des-md5

    des-md5

    des-sha1

    des-sha1

    des-sha256

    des-sha256

    des-sha384

    des-sha384

    des-sha512

    des-sha512

    psksecret

    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

    password-3

    Not Specified

    keepalive

    NAT-T keep alive interval.

    integer

    Minimum value: 10 Maximum value: 900

    10

    distance

    Distance for routes added by IKE .

    integer

    Minimum value: 1 Maximum value: 255

    15

    priority

    Priority for routes added by IKE .

    integer

    Minimum value: 1 Maximum value: 65535

    1

    localid

    Local ID.

    string

    Maximum length: 63

    localid-type

    Local ID type.

    option

    -

    auto

    Option

    Description

    auto

    Select ID type automatically.

    fqdn

    Use fully qualified domain name.

    user-fqdn

    Use user fully qualified domain name.

    keyid

    Use key-id string.

    address

    Use local IP address.

    asn1dn

    Use ASN.1 distinguished name.

    negotiate-timeout

    IKE SA negotiation timeout in seconds .

    integer

    Minimum value: 1 Maximum value: 300

    30

    fragmentation

    Enable/disable fragment IKE message on re-transmission.

    option

    -

    enable

    Option

    Description

    enable

    Enable intra-IKE fragmentation support on re-transmission.

    disable

    Disable intra-IKE fragmentation support.

    comments

    Comment.

    var-string

    Maximum length: 255

    send-cert-chain

    Enable/disable sending certificate chain.

    option

    -

    enable

    Option

    Description

    enable

    Enable sending certificate chain.

    disable

    Disable sending certificate chain.

    dhgrp

    DH group.

    option

    -

    14

    Option

    Description

    1

    DH Group 1.

    2

    DH Group 2.

    5

    DH Group 5.

    14

    DH Group 14.

    15

    DH Group 15.

    16

    DH Group 16.

    17

    DH Group 17.

    18

    DH Group 18.

    19

    DH Group 19.

    20

    DH Group 20.

    21

    DH Group 21.

    27

    DH Group 27.

    28

    DH Group 28.

    29

    DH Group 29.

    30

    DH Group 30.

    31

    DH Group 31.

    32

    DH Group 32.

    eap

    Enable/disable IKEv2 EAP authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 EAP authentication.

    disable

    Disable IKEv2 EAP authentication.

    eap-identity

    IKEv2 EAP peer identity type.

    option

    -

    use-id-payload

    Option

    Description

    use-id-payload

    Use IKEv2 IDi payload to resolve peer identity.

    send-request

    Use EAP identity request to resolve peer identity.

    eap-exclude-peergrp

    Peer group excluded from EAP authentication.

    string

    Maximum length: 35

    acct-verify

    Enable/disable verification of RADIUS accounting record.

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of RADIUS accounting record.

    disable

    Disable verification of RADIUS accounting record.

    ppk

    Enable/disable IKEv2 Postquantum Preshared Key (PPK).

    option

    -

    disable

    Option

    Description

    disable

    Disable use of IKEv2 Postquantum Preshared Key (PPK).

    allow

    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).

    require

    Require use of IKEv2 Postquantum Preshared Key (PPK).

    ppk-secret

    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

    password-3

    Not Specified

    ppk-identity

    IKEv2 Postquantum Preshared Key Identity.

    string

    Maximum length: 35

    wizard-type

    GUI VPN Wizard Type.

    option

    -

    custom

    Option

    Description

    custom

    Custom VPN configuration.

    dialup-forticlient

    Dial Up - FortiClient Windows, Mac and Android.

    dialup-ios

    Dial Up - iPhone / iPad Native IPsec Client.

    dialup-android

    Dial Up - Android Native IPsec Client.

    dialup-windows

    Dial Up - Windows Native IPsec Client.

    dialup-cisco

    Dial Up - Cisco IPsec Client.

    static-fortiproxy

    Site to Site - FortiProxy.

    dialup-fortiproxy

    Dial Up - FortiProxy.

    static-cisco

    Site to Site - Cisco.

    dialup-cisco-fw

    Dialup Up - Cisco Firewall.

    simplified-static-fortiproxy

    Site to Site - FortiProxy (SD-WAN).

    hub-fortiproxy-auto-discovery

    Hub role in a Hub-and-Spoke auto-discovery VPN.

    spoke-fortiproxy-auto-discovery

    Spoke role in a Hub-and-Spoke auto-discovery VPN.

    xauthtype

    XAuth type.

    option

    -

    disable

    Option

    Description

    disable

    Disable.

    client

    Enable as client.

    pap

    Enable as server PAP.

    chap

    Enable as server CHAP.

    auto

    Enable as server auto.

    reauth

    Enable/disable re-authentication upon IKE SA lifetime expiration.

    option

    -

    disable

    Option

    Description

    disable

    Disable IKE SA re-authentication.

    enable

    Enable IKE SA re-authentication.

    authusr

    XAuth user name.

    string

    Maximum length: 64

    authpasswd

    XAuth password (max 35 characters).

    password

    Not Specified

    group-authentication

    Enable/disable IKEv2 IDi group authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 IDi group authentication.

    disable

    Disable IKEv2 IDi group authentication.

    group-authentication-secret

    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.

    password-3

    Not Specified

    authusrgrp

    Authentication user group.

    string

    Maximum length: 35

    idle-timeout

    Enable/disable IPsec tunnel idle timeout.

    option

    -

    disable

    Option

    Description

    enable

    Enable IPsec tunnel idle timeout.

    disable

    Disable IPsec tunnel idle timeout.

    idle-timeoutinterval

    IPsec tunnel idle timeout in minutes .

    integer

    Minimum value: 5 Maximum value: 43200

    15

    inbound-dscp-copy

    Enable/disable copy the dscp in the ESP header to the inner IP Header.

    option

    -

    disable

    Option

    Description

    enable

    Enable copy the dscp in the ESP header to the inner IP Header.

    disable

    Disable copy the dscp in the ESP header to the inner IP Header.

    auto-discovery-sender

    Enable/disable sending auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable sending auto-discovery short-cut messages.

    disable

    Disable sending auto-discovery short-cut messages.

    auto-discovery-receiver

    Enable/disable accepting auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable receiving auto-discovery short-cut messages.

    disable

    Disable receiving auto-discovery short-cut messages.

    auto-discovery-forwarder

    Enable/disable forwarding auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable forwarding auto-discovery short-cut messages.

    disable

    Disable forwarding auto-discovery short-cut messages.

    auto-discovery-psk

    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

    option

    -

    disable

    Option

    Description

    enable

    Enable use of pre-shared-secret authentication for auto-discovery tunnels.

    disable

    Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

    auto-discovery-shortcuts

    Control deletion of child short-cut tunnels when the parent tunnel goes down.

    option

    -

    independent

    Option

    Description

    independent

    Short-cut tunnels remain up if the parent tunnel goes down.

    dependent

    Short-cut tunnels are brought down if the parent tunnel goes down.

    fragmentation-mtu

    IKE fragmentation MTU .

    integer

    Minimum value: 500 Maximum value: 16000

    1200

    childless-ike

    Enable/disable childless IKEv2 initiation (RFC 6023).

    option

    -

    disable

    Option

    Description

    enable

    Enable childless IKEv2 initiation (RFC 6023).

    disable

    Disable childless IKEv2 initiation (RFC 6023).

    rekey

    Enable/disable phase1 rekey.

    option

    -

    enable

    Option

    Description

    enable

    Enable phase1 rekey.

    disable

    Disable phase1 rekey.

    digital-signature-auth

    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 Digital Signature Authentication (RFC 7427).

    disable

    Disable IKEv2 Digital Signature Authentication (RFC 7427).

    signature-hash-alg

    Digital Signature Authentication hash algorithms.

    option

    -

    sha2-512

    Option

    Description

    sha1

    SHA1.

    sha2-256

    SHA2-256.

    sha2-384

    SHA2-384.

    sha2-512

    SHA2-512.

    rsa-signature-format

    Digital Signature Authentication RSA signature format.

    option

    -

    pkcs1

    Option

    Description

    pkcs1

    RSASSA PKCS#1 v1.5.

    pss

    RSASSA Probabilistic Signature Scheme (PSS).

    enforce-unique-id

    Enable/disable peer ID uniqueness check.

    option

    -

    disable

    Option

    Description

    disable

    Disable peer ID uniqueness enforcement.

    keep-new

    Enforce peer ID uniqueness, keep new connection if collision found.

    keep-old

    Enforce peer ID uniqueness, keep old connection if collision found.

    cert-id-validation

    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    option

    -

    enable

    Option

    Description

    enable

    Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    disable

    Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    network-overlay

    Enable/disable network overlays.

    option

    -

    disable

    Option

    Description

    disable

    Disable network overlays.

    enable

    Enable network overlays.

    network-id

    VPN gateway network ID.

    integer

    Minimum value: 0 Maximum value: 255

    0

    loopback-asymroute

    Enable/disable asymmetric routing for IKE traffic on loopback interface.

    option

    -

    enable

    Option

    Description

    enable

    Allow ingress/egress IKE traffic to be routed over different interfaces.

    disable

    Ingress/egress IKE traffic must be routed over the same interface.
    Previous
    Next

    config vpn ipsec phase1-interface

    config vpn ipsec phase1-interface

    Configure VPN remote gateway.

    config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set inbound-dscp-copy [enable|disable]
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set auto-discovery-shortcuts [independent|dependent]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set network-overlay [disable|enable]
        set network-id {integer}
        set loopback-asymroute [enable|disable]
    next
end

    config vpn ipsec phase1-interface

    Parameter

    Description

    Type

    Size

    Default

    interface

    Local physical, aggregate, or VLAN outgoing interface.

    string

    Maximum length: 35

    ike-version

    IKE protocol version.

    option

    -

    1

    Option

    Description

    1

    Use IKEv1 protocol.

    2

    Use IKEv2 protocol.

    local-gw

    IPv4 address of the local gateway's external interface.

    ipv4-address

    Not Specified

    0.0.0.0

    remote-gw

    IPv4 address of the remote gateway's external interface.

    ipv4-address

    Not Specified

    0.0.0.0

    keylife

    Time to wait in seconds before phase 1 encryption key expires.

    integer

    Minimum value: 120 Maximum value: 172800

    86400

    certificate <name>

    The names of up to 4 signed personal certificates.

    Certificate name.

    string

    Maximum length: 79

    authmethod

    Authentication method.

    option

    -

    psk

    Option

    Description

    psk

    PSK authentication method.

    signature

    Signature authentication method.

    mode

    The ID protection mode used to establish a secure channel.

    option

    -

    main

    Option

    Description

    aggressive

    Aggressive mode.

    main

    Main mode.

    peertype

    Accept this peer type.

    option

    -

    Option

    Description

    any

    Accept any peer ID.

    peerid

    Accept this peer identity.

    string

    Maximum length: 255

    peer

    Accept this peer certificate.

    string

    Maximum length: 35

    proposal

    Phase1 proposal.

    option

    -

    Option

    Description

    des-md5

    des-md5

    des-sha1

    des-sha1

    des-sha256

    des-sha256

    des-sha384

    des-sha384

    des-sha512

    des-sha512

    psksecret

    Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

    password-3

    Not Specified

    keepalive

    NAT-T keep alive interval.

    integer

    Minimum value: 10 Maximum value: 900

    10

    distance

    Distance for routes added by IKE .

    integer

    Minimum value: 1 Maximum value: 255

    15

    priority

    Priority for routes added by IKE .

    integer

    Minimum value: 1 Maximum value: 65535

    1

    localid

    Local ID.

    string

    Maximum length: 63

    localid-type

    Local ID type.

    option

    -

    auto

    Option

    Description

    auto

    Select ID type automatically.

    fqdn

    Use fully qualified domain name.

    user-fqdn

    Use user fully qualified domain name.

    keyid

    Use key-id string.

    address

    Use local IP address.

    asn1dn

    Use ASN.1 distinguished name.

    negotiate-timeout

    IKE SA negotiation timeout in seconds .

    integer

    Minimum value: 1 Maximum value: 300

    30

    fragmentation

    Enable/disable fragment IKE message on re-transmission.

    option

    -

    enable

    Option

    Description

    enable

    Enable intra-IKE fragmentation support on re-transmission.

    disable

    Disable intra-IKE fragmentation support.

    comments

    Comment.

    var-string

    Maximum length: 255

    send-cert-chain

    Enable/disable sending certificate chain.

    option

    -

    enable

    Option

    Description

    enable

    Enable sending certificate chain.

    disable

    Disable sending certificate chain.

    dhgrp

    DH group.

    option

    -

    14

    Option

    Description

    1

    DH Group 1.

    2

    DH Group 2.

    5

    DH Group 5.

    14

    DH Group 14.

    15

    DH Group 15.

    16

    DH Group 16.

    17

    DH Group 17.

    18

    DH Group 18.

    19

    DH Group 19.

    20

    DH Group 20.

    21

    DH Group 21.

    27

    DH Group 27.

    28

    DH Group 28.

    29

    DH Group 29.

    30

    DH Group 30.

    31

    DH Group 31.

    32

    DH Group 32.

    eap

    Enable/disable IKEv2 EAP authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 EAP authentication.

    disable

    Disable IKEv2 EAP authentication.

    eap-identity

    IKEv2 EAP peer identity type.

    option

    -

    use-id-payload

    Option

    Description

    use-id-payload

    Use IKEv2 IDi payload to resolve peer identity.

    send-request

    Use EAP identity request to resolve peer identity.

    eap-exclude-peergrp

    Peer group excluded from EAP authentication.

    string

    Maximum length: 35

    acct-verify

    Enable/disable verification of RADIUS accounting record.

    option

    -

    disable

    Option

    Description

    enable

    Enable verification of RADIUS accounting record.

    disable

    Disable verification of RADIUS accounting record.

    ppk

    Enable/disable IKEv2 Postquantum Preshared Key (PPK).

    option

    -

    disable

    Option

    Description

    disable

    Disable use of IKEv2 Postquantum Preshared Key (PPK).

    allow

    Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).

    require

    Require use of IKEv2 Postquantum Preshared Key (PPK).

    ppk-secret

    IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

    password-3

    Not Specified

    ppk-identity

    IKEv2 Postquantum Preshared Key Identity.

    string

    Maximum length: 35

    wizard-type

    GUI VPN Wizard Type.

    option

    -

    custom

    Option

    Description

    custom

    Custom VPN configuration.

    dialup-forticlient

    Dial Up - FortiClient Windows, Mac and Android.

    dialup-ios

    Dial Up - iPhone / iPad Native IPsec Client.

    dialup-android

    Dial Up - Android Native IPsec Client.

    dialup-windows

    Dial Up - Windows Native IPsec Client.

    dialup-cisco

    Dial Up - Cisco IPsec Client.

    static-fortiproxy

    Site to Site - FortiProxy.

    dialup-fortiproxy

    Dial Up - FortiProxy.

    static-cisco

    Site to Site - Cisco.

    dialup-cisco-fw

    Dialup Up - Cisco Firewall.

    simplified-static-fortiproxy

    Site to Site - FortiProxy (SD-WAN).

    hub-fortiproxy-auto-discovery

    Hub role in a Hub-and-Spoke auto-discovery VPN.

    spoke-fortiproxy-auto-discovery

    Spoke role in a Hub-and-Spoke auto-discovery VPN.

    xauthtype

    XAuth type.

    option

    -

    disable

    Option

    Description

    disable

    Disable.

    client

    Enable as client.

    pap

    Enable as server PAP.

    chap

    Enable as server CHAP.

    auto

    Enable as server auto.

    reauth

    Enable/disable re-authentication upon IKE SA lifetime expiration.

    option

    -

    disable

    Option

    Description

    disable

    Disable IKE SA re-authentication.

    enable

    Enable IKE SA re-authentication.

    authusr

    XAuth user name.

    string

    Maximum length: 64

    authpasswd

    XAuth password (max 35 characters).

    password

    Not Specified

    group-authentication

    Enable/disable IKEv2 IDi group authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 IDi group authentication.

    disable

    Disable IKEv2 IDi group authentication.

    group-authentication-secret

    Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.

    password-3

    Not Specified

    authusrgrp

    Authentication user group.

    string

    Maximum length: 35

    idle-timeout

    Enable/disable IPsec tunnel idle timeout.

    option

    -

    disable

    Option

    Description

    enable

    Enable IPsec tunnel idle timeout.

    disable

    Disable IPsec tunnel idle timeout.

    idle-timeoutinterval

    IPsec tunnel idle timeout in minutes .

    integer

    Minimum value: 5 Maximum value: 43200

    15

    inbound-dscp-copy

    Enable/disable copy the dscp in the ESP header to the inner IP Header.

    option

    -

    disable

    Option

    Description

    enable

    Enable copy the dscp in the ESP header to the inner IP Header.

    disable

    Disable copy the dscp in the ESP header to the inner IP Header.

    auto-discovery-sender

    Enable/disable sending auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable sending auto-discovery short-cut messages.

    disable

    Disable sending auto-discovery short-cut messages.

    auto-discovery-receiver

    Enable/disable accepting auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable receiving auto-discovery short-cut messages.

    disable

    Disable receiving auto-discovery short-cut messages.

    auto-discovery-forwarder

    Enable/disable forwarding auto-discovery short-cut messages.

    option

    -

    disable

    Option

    Description

    enable

    Enable forwarding auto-discovery short-cut messages.

    disable

    Disable forwarding auto-discovery short-cut messages.

    auto-discovery-psk

    Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

    option

    -

    disable

    Option

    Description

    enable

    Enable use of pre-shared-secret authentication for auto-discovery tunnels.

    disable

    Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

    auto-discovery-shortcuts

    Control deletion of child short-cut tunnels when the parent tunnel goes down.

    option

    -

    independent

    Option

    Description

    independent

    Short-cut tunnels remain up if the parent tunnel goes down.

    dependent

    Short-cut tunnels are brought down if the parent tunnel goes down.

    fragmentation-mtu

    IKE fragmentation MTU .

    integer

    Minimum value: 500 Maximum value: 16000

    1200

    childless-ike

    Enable/disable childless IKEv2 initiation (RFC 6023).

    option

    -

    disable

    Option

    Description

    enable

    Enable childless IKEv2 initiation (RFC 6023).

    disable

    Disable childless IKEv2 initiation (RFC 6023).

    rekey

    Enable/disable phase1 rekey.

    option

    -

    enable

    Option

    Description

    enable

    Enable phase1 rekey.

    disable

    Disable phase1 rekey.

    digital-signature-auth

    Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

    option

    -

    disable

    Option

    Description

    enable

    Enable IKEv2 Digital Signature Authentication (RFC 7427).

    disable

    Disable IKEv2 Digital Signature Authentication (RFC 7427).

    signature-hash-alg

    Digital Signature Authentication hash algorithms.

    option

    -

    sha2-512

    Option

    Description

    sha1

    SHA1.

    sha2-256

    SHA2-256.

    sha2-384

    SHA2-384.

    sha2-512

    SHA2-512.

    rsa-signature-format

    Digital Signature Authentication RSA signature format.

    option

    -

    pkcs1

    Option

    Description

    pkcs1

    RSASSA PKCS#1 v1.5.

    pss

    RSASSA Probabilistic Signature Scheme (PSS).

    enforce-unique-id

    Enable/disable peer ID uniqueness check.

    option

    -

    disable

    Option

    Description

    disable

    Disable peer ID uniqueness enforcement.

    keep-new

    Enforce peer ID uniqueness, keep new connection if collision found.

    keep-old

    Enforce peer ID uniqueness, keep old connection if collision found.

    cert-id-validation

    Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    option

    -

    enable

    Option

    Description

    enable

    Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    disable

    Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

    network-overlay

    Enable/disable network overlays.

    option

    -

    disable

    Option

    Description

    disable

    Disable network overlays.

    enable

    Enable network overlays.

    network-id

    VPN gateway network ID.

    integer

    Minimum value: 0 Maximum value: 255

    0

    loopback-asymroute

    Enable/disable asymmetric routing for IKE traffic on loopback interface.

    option

    -

    enable

    Option

    Description

    enable

    Allow ingress/egress IKE traffic to be routed over different interfaces.

    disable

    Ingress/egress IKE traffic must be routed over the same interface.
    Previous
    Next