Fortinet white logo
Fortinet white logo

CLI Reference

config vpn ipsec phase2-interface

config vpn ipsec phase2-interface

Configure VPN autokey tunnel.

config vpn ipsec phase2-interface
    Description: Configure VPN autokey tunnel.
    edit <name>
        set phase1name {string}
        set proposal {option1}, {option2}, ...
        set dhgrp {option1}, {option2}, ...
        set replay [enable|disable]
        set keepalive [enable|disable]
        set auto-negotiate [enable|disable]
        set add-route [phase1|enable|...]
        set inbound-dscp-copy [phase1|enable|...]
        set auto-discovery-sender [phase1|enable|...]
        set auto-discovery-forwarder [phase1|enable|...]
        set keylifeseconds {integer}
        set keylifekbs {integer}
        set keylife-type [seconds|kbs|...]
        set single-source [enable|disable]
        set route-overlap [use-old|use-new|...]
        set comments {var-string}
        set protocol {integer}
        set src-name {string}
        set src-name6 {string}
        set src-addr-type [subnet|range|...]
        set src-start-ip {ipv4-address-any}
        set src-start-ip6 {ipv6-address}
        set src-end-ip {ipv4-address-any}
        set src-end-ip6 {ipv6-address}
        set src-subnet {ipv4-classnet-any}
        set src-subnet6 {ipv6-prefix}
        set src-port {integer}
        set dst-name {string}
        set dst-name6 {string}
        set dst-addr-type [subnet|range|...]
        set dst-start-ip {ipv4-address-any}
        set dst-start-ip6 {ipv6-address}
        set dst-end-ip {ipv4-address-any}
        set dst-end-ip6 {ipv6-address}
        set dst-subnet {ipv4-classnet-any}
        set dst-subnet6 {ipv6-prefix}
        set dst-port {integer}
    next
end

config vpn ipsec phase2-interface

Parameter

Description

Type

Size

Default

name

IPsec tunnel name.

string

Maximum length: 35

phase1name

Phase 1 determines the options required for phase 2.

string

Maximum length: 15

proposal

Phase2 proposal.

option

-

Option

Description

null-md5

null-md5

null-sha1

null-sha1

null-sha256

null-sha256

null-sha384

null-sha384

null-sha512

null-sha512

des-null

des-null

des-md5

des-md5

des-sha1

des-sha1

des-sha256

des-sha256

des-sha384

des-sha384

des-sha512

des-sha512

3des-null

3des-null

3des-md5

3des-md5

3des-sha1

3des-sha1

3des-sha256

3des-sha256

3des-sha384

3des-sha384

3des-sha512

3des-sha512

aes128-null

aes128-null

aes128-md5

aes128-md5

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes128gcm

aes128gcm

aes192-null

aes192-null

aes192-md5

aes192-md5

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-null

aes256-null

aes256-md5

aes256-md5

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes256gcm

aes256gcm

chacha20poly1305

chacha20poly1305

aria128-null

aria128-null

aria128-md5

aria128-md5

aria128-sha1

aria128-sha1

aria128-sha256

aria128-sha256

aria128-sha384

aria128-sha384

aria128-sha512

aria128-sha512

aria192-null

aria192-null

aria192-md5

aria192-md5

aria192-sha1

aria192-sha1

aria192-sha256

aria192-sha256

aria192-sha384

aria192-sha384

aria192-sha512

aria192-sha512

aria256-null

aria256-null

aria256-md5

aria256-md5

aria256-sha1

aria256-sha1

aria256-sha256

aria256-sha256

aria256-sha384

aria256-sha384

aria256-sha512

aria256-sha512

seed-null

seed-null

seed-md5

seed-md5

seed-sha1

seed-sha1

seed-sha256

seed-sha256

seed-sha384

seed-sha384

seed-sha512

seed-sha512

dhgrp

Phase2 DH group.

option

-

14

Option

Description

1

DH Group 1.

2

DH Group 2.

5

DH Group 5.

14

DH Group 14.

15

DH Group 15.

16

DH Group 16.

17

DH Group 17.

18

DH Group 18.

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

27

DH Group 27.

28

DH Group 28.

29

DH Group 29.

30

DH Group 30.

31

DH Group 31.

32

DH Group 32.

replay

Enable/disable replay detection.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

keepalive

Enable/disable keep alive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-negotiate

Enable/disable IPsec SA auto-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

add-route

Enable/disable automatic route addition.

option

-

phase1

Option

Description

phase1

Add route according to phase1 add-route setting.

enable

Add route for remote proxy ID.

disable

Do not add route for remote proxy ID.

inbound-dscp-copy

Enable/disable copying of the DSCP in the ESP header to the inner IP header.

option

-

phase1

Option

Description

phase1

copy the DCSP in the ESP header to the inner IP Header according to the phase1 inbound_dscp_copy setting.

enable

Enable copying of the DSCP in the ESP header to the inner IP header.

disable

Disable copying of the DSCP in the ESP header to the inner IP header.

auto-discovery-sender

Enable/disable sending short-cut messages.

option

-

phase1

Option

Description

phase1

Send short-cut messages according to the phase1 auto-discovery-sender setting.

enable

Enable sending auto-discovery short-cut messages.

disable

Disable sending auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding short-cut messages.

option

-

phase1

Option

Description

phase1

Forward short-cut messages according to the phase1 auto-discovery-forwarder setting.

enable

Enable forwarding auto-discovery short-cut messages.

disable

Disable forwarding auto-discovery short-cut messages.

keylifeseconds

Phase2 key life in time in seconds.

integer

Minimum value: 120 Maximum value: 172800

43200

keylifekbs

Phase2 key life in number of kilobytes of traffic.

integer

Minimum value: 5120 Maximum value: 4294967295

5120

keylife-type

Keylife type.

option

-

seconds

Option

Description

seconds

Key life in seconds.

kbs

Key life in kilobytes.

both

Key life both.

single-source

Enable/disable single source IP restriction.

option

-

disable

Option

Description

enable

Only single source IP will be accepted.

disable

Source IP range will be accepted.

route-overlap

Action for overlapping routes.

option

-

use-new

Option

Description

use-old

Use the old route and do not add the new route.

use-new

Delete the old route and add the new route.

allow

Allow overlapping routes.

comments

Comment.

var-string

Maximum length: 255

protocol

Quick mode protocol selector.

integer

Minimum value: 0 Maximum value: 255

0

src-name

Local proxy ID name.

string

Maximum length: 79

src-name6

Local proxy ID name.

string

Maximum length: 79

src-addr-type

Local proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

subnet6

IPv6 subnet.

range6

IPv6 range.

ip6

IPv6 IP.

name6

IPv6 firewall address or group name.

src-start-ip

Local proxy ID start.

ipv4-address-any

Not Specified

0.0.0.0

src-start-ip6

Local proxy ID IPv6 start.

ipv6-address

Not Specified

::

src-end-ip

Local proxy ID end.

ipv4-address-any

Not Specified

0.0.0.0

src-end-ip6

Local proxy ID IPv6 end.

ipv6-address

Not Specified

::

src-subnet

Local proxy ID subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

src-subnet6

Local proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

src-port

Quick mode source port.

integer

Minimum value: 0 Maximum value: 65535

0

dst-name

Remote proxy ID name.

string

Maximum length: 79

dst-name6

Remote proxy ID name.

string

Maximum length: 79

dst-addr-type

Remote proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

subnet6

IPv6 subnet.

range6

IPv6 range.

ip6

IPv6 IP.

name6

IPv6 firewall address or group name.

dst-start-ip

Remote proxy ID IPv4 start.

ipv4-address-any

Not Specified

0.0.0.0

dst-start-ip6

Remote proxy ID IPv6 start.

ipv6-address

Not Specified

::

dst-end-ip

Remote proxy ID IPv4 end.

ipv4-address-any

Not Specified

0.0.0.0

dst-end-ip6

Remote proxy ID IPv6 end.

ipv6-address

Not Specified

::

dst-subnet

Remote proxy ID IPv4 subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

dst-subnet6

Remote proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

dst-port

Quick mode destination port.

integer

Minimum value: 0 Maximum value: 65535

0

config vpn ipsec phase2-interface

config vpn ipsec phase2-interface

Configure VPN autokey tunnel.

config vpn ipsec phase2-interface
    Description: Configure VPN autokey tunnel.
    edit <name>
        set phase1name {string}
        set proposal {option1}, {option2}, ...
        set dhgrp {option1}, {option2}, ...
        set replay [enable|disable]
        set keepalive [enable|disable]
        set auto-negotiate [enable|disable]
        set add-route [phase1|enable|...]
        set inbound-dscp-copy [phase1|enable|...]
        set auto-discovery-sender [phase1|enable|...]
        set auto-discovery-forwarder [phase1|enable|...]
        set keylifeseconds {integer}
        set keylifekbs {integer}
        set keylife-type [seconds|kbs|...]
        set single-source [enable|disable]
        set route-overlap [use-old|use-new|...]
        set comments {var-string}
        set protocol {integer}
        set src-name {string}
        set src-name6 {string}
        set src-addr-type [subnet|range|...]
        set src-start-ip {ipv4-address-any}
        set src-start-ip6 {ipv6-address}
        set src-end-ip {ipv4-address-any}
        set src-end-ip6 {ipv6-address}
        set src-subnet {ipv4-classnet-any}
        set src-subnet6 {ipv6-prefix}
        set src-port {integer}
        set dst-name {string}
        set dst-name6 {string}
        set dst-addr-type [subnet|range|...]
        set dst-start-ip {ipv4-address-any}
        set dst-start-ip6 {ipv6-address}
        set dst-end-ip {ipv4-address-any}
        set dst-end-ip6 {ipv6-address}
        set dst-subnet {ipv4-classnet-any}
        set dst-subnet6 {ipv6-prefix}
        set dst-port {integer}
    next
end

config vpn ipsec phase2-interface

Parameter

Description

Type

Size

Default

name

IPsec tunnel name.

string

Maximum length: 35

phase1name

Phase 1 determines the options required for phase 2.

string

Maximum length: 15

proposal

Phase2 proposal.

option

-

Option

Description

null-md5

null-md5

null-sha1

null-sha1

null-sha256

null-sha256

null-sha384

null-sha384

null-sha512

null-sha512

des-null

des-null

des-md5

des-md5

des-sha1

des-sha1

des-sha256

des-sha256

des-sha384

des-sha384

des-sha512

des-sha512

3des-null

3des-null

3des-md5

3des-md5

3des-sha1

3des-sha1

3des-sha256

3des-sha256

3des-sha384

3des-sha384

3des-sha512

3des-sha512

aes128-null

aes128-null

aes128-md5

aes128-md5

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes128gcm

aes128gcm

aes192-null

aes192-null

aes192-md5

aes192-md5

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-null

aes256-null

aes256-md5

aes256-md5

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes256gcm

aes256gcm

chacha20poly1305

chacha20poly1305

aria128-null

aria128-null

aria128-md5

aria128-md5

aria128-sha1

aria128-sha1

aria128-sha256

aria128-sha256

aria128-sha384

aria128-sha384

aria128-sha512

aria128-sha512

aria192-null

aria192-null

aria192-md5

aria192-md5

aria192-sha1

aria192-sha1

aria192-sha256

aria192-sha256

aria192-sha384

aria192-sha384

aria192-sha512

aria192-sha512

aria256-null

aria256-null

aria256-md5

aria256-md5

aria256-sha1

aria256-sha1

aria256-sha256

aria256-sha256

aria256-sha384

aria256-sha384

aria256-sha512

aria256-sha512

seed-null

seed-null

seed-md5

seed-md5

seed-sha1

seed-sha1

seed-sha256

seed-sha256

seed-sha384

seed-sha384

seed-sha512

seed-sha512

dhgrp

Phase2 DH group.

option

-

14

Option

Description

1

DH Group 1.

2

DH Group 2.

5

DH Group 5.

14

DH Group 14.

15

DH Group 15.

16

DH Group 16.

17

DH Group 17.

18

DH Group 18.

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

27

DH Group 27.

28

DH Group 28.

29

DH Group 29.

30

DH Group 30.

31

DH Group 31.

32

DH Group 32.

replay

Enable/disable replay detection.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

keepalive

Enable/disable keep alive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-negotiate

Enable/disable IPsec SA auto-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

add-route

Enable/disable automatic route addition.

option

-

phase1

Option

Description

phase1

Add route according to phase1 add-route setting.

enable

Add route for remote proxy ID.

disable

Do not add route for remote proxy ID.

inbound-dscp-copy

Enable/disable copying of the DSCP in the ESP header to the inner IP header.

option

-

phase1

Option

Description

phase1

copy the DCSP in the ESP header to the inner IP Header according to the phase1 inbound_dscp_copy setting.

enable

Enable copying of the DSCP in the ESP header to the inner IP header.

disable

Disable copying of the DSCP in the ESP header to the inner IP header.

auto-discovery-sender

Enable/disable sending short-cut messages.

option

-

phase1

Option

Description

phase1

Send short-cut messages according to the phase1 auto-discovery-sender setting.

enable

Enable sending auto-discovery short-cut messages.

disable

Disable sending auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding short-cut messages.

option

-

phase1

Option

Description

phase1

Forward short-cut messages according to the phase1 auto-discovery-forwarder setting.

enable

Enable forwarding auto-discovery short-cut messages.

disable

Disable forwarding auto-discovery short-cut messages.

keylifeseconds

Phase2 key life in time in seconds.

integer

Minimum value: 120 Maximum value: 172800

43200

keylifekbs

Phase2 key life in number of kilobytes of traffic.

integer

Minimum value: 5120 Maximum value: 4294967295

5120

keylife-type

Keylife type.

option

-

seconds

Option

Description

seconds

Key life in seconds.

kbs

Key life in kilobytes.

both

Key life both.

single-source

Enable/disable single source IP restriction.

option

-

disable

Option

Description

enable

Only single source IP will be accepted.

disable

Source IP range will be accepted.

route-overlap

Action for overlapping routes.

option

-

use-new

Option

Description

use-old

Use the old route and do not add the new route.

use-new

Delete the old route and add the new route.

allow

Allow overlapping routes.

comments

Comment.

var-string

Maximum length: 255

protocol

Quick mode protocol selector.

integer

Minimum value: 0 Maximum value: 255

0

src-name

Local proxy ID name.

string

Maximum length: 79

src-name6

Local proxy ID name.

string

Maximum length: 79

src-addr-type

Local proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

subnet6

IPv6 subnet.

range6

IPv6 range.

ip6

IPv6 IP.

name6

IPv6 firewall address or group name.

src-start-ip

Local proxy ID start.

ipv4-address-any

Not Specified

0.0.0.0

src-start-ip6

Local proxy ID IPv6 start.

ipv6-address

Not Specified

::

src-end-ip

Local proxy ID end.

ipv4-address-any

Not Specified

0.0.0.0

src-end-ip6

Local proxy ID IPv6 end.

ipv6-address

Not Specified

::

src-subnet

Local proxy ID subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

src-subnet6

Local proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

src-port

Quick mode source port.

integer

Minimum value: 0 Maximum value: 65535

0

dst-name

Remote proxy ID name.

string

Maximum length: 79

dst-name6

Remote proxy ID name.

string

Maximum length: 79

dst-addr-type

Remote proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

subnet6

IPv6 subnet.

range6

IPv6 range.

ip6

IPv6 IP.

name6

IPv6 firewall address or group name.

dst-start-ip

Remote proxy ID IPv4 start.

ipv4-address-any

Not Specified

0.0.0.0

dst-start-ip6

Remote proxy ID IPv6 start.

ipv6-address

Not Specified

::

dst-end-ip

Remote proxy ID IPv4 end.

ipv4-address-any

Not Specified

0.0.0.0

dst-end-ip6

Remote proxy ID IPv6 end.

ipv6-address

Not Specified

::

dst-subnet

Remote proxy ID IPv4 subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

dst-subnet6

Remote proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

dst-port

Quick mode destination port.

integer

Minimum value: 0 Maximum value: 65535

0