CLI Reference

vpn ipsec phase1

Configure VPN remote gateway.

  config vpn ipsec phase1
      Description: Configure VPN remote gateway.
      edit <name>
          set type [static|dynamic|...]
          set interface {string}
          set ike-version [1|2]
          set remote-gw {ipv4-address}
          set local-gw {ipv4-address}
          set remotegw-ddns {string}
          set keylife {integer}
          set certificate <name1>, <name2>, ...
          set authmethod [psk|signature]
          set authmethod-remote [psk|signature]
          set mode [aggressive|main]
          set peertype [any|one|...]
          set peerid {string}
          set usrgrp {string}
          set peer {string}
          set peergrp {string}
          set mode-cfg [disable|enable]
          set assign-ip [disable|enable]
          set assign-ip-from [range|usrgrp|...]
          set ipv4-start-ip {ipv4-address}
          set ipv4-end-ip {ipv4-address}
          set ipv4-netmask {ipv4-netmask}
          set dns-mode [manual|auto]
          set ipv4-dns-server1 {ipv4-address}
          set ipv4-dns-server2 {ipv4-address}
          set ipv4-dns-server3 {ipv4-address}
          set ipv4-wins-server1 {ipv4-address}
          set ipv4-wins-server2 {ipv4-address}
          config ipv4-exclude-range
              Description: Configuration Method IPv4 exclude ranges.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          set ipv4-split-include {string}
          set split-include-service {string}
          set ipv4-name {string}
          set ipv6-start-ip {ipv6-address}
          set ipv6-end-ip {ipv6-address}
          set ipv6-prefix {integer}
          set ipv6-dns-server1 {ipv6-address}
          set ipv6-dns-server2 {ipv6-address}
          set ipv6-dns-server3 {ipv6-address}
          config ipv6-exclude-range
              Description: Configuration method IPv6 exclude ranges.
              edit <id>
                  set start-ip {ipv6-address}
                  set end-ip {ipv6-address}
              next
          end
          set ipv6-split-include {string}
          set ipv6-name {string}
          set unity-support [disable|enable]
          set domain {string}
          set banner {var-string}
          set include-local-lan [disable|enable]
          set ipv4-split-exclude {string}
          set ipv6-split-exclude {string}
          set save-password [disable|enable]
          set client-auto-negotiate [disable|enable]
          set client-keep-alive [disable|enable]
          set backup-gateway <address1>, <address2>, ...
          set proposal {option1}, {option2}, ...
          set add-route [disable|enable]
          set add-gw-route [enable|disable]
          set psksecret {password-3}
          set psksecret-remote {password-3}
          set keepalive {integer}
          set distance {integer}
          set priority {integer}
          set localid {string}
          set localid-type [auto|fqdn|...]
          set auto-negotiate [enable|disable]
          set negotiate-timeout {integer}
          set fragmentation [enable|disable]
          set dpd [disable|on-idle|...]
          set dpd-retrycount {integer}
          set dpd-retryinterval {user}
          set forticlient-enforcement [enable|disable]
          set comments {var-string}
          set npu-offload [enable|disable]
          set send-cert-chain [enable|disable]
          set dhgrp {option1}, {option2}, ...
          set suite-b [disable|suite-b-gcm-128|...]
          set eap [enable|disable]
          set eap-identity [use-id-payload|send-request]
          set eap-exclude-peergrp {string}
          set acct-verify [enable|disable]
          set ppk [disable|allow|...]
          set ppk-secret {password-3}
          set ppk-identity {string}
          set wizard-type [custom|dialup-forticlient|...]
          set xauthtype [disable|client|...]
          set reauth [disable|enable]
          set authusr {string}
          set authpasswd {password}
          set group-authentication [enable|disable]
          set group-authentication-secret {password-3}
          set authusrgrp {string}
          set mesh-selector-type [disable|subnet|...]
          set idle-timeout [enable|disable]
          set idle-timeoutinterval {integer}
          set ha-sync-esp-seqno [enable|disable]
          set nattraversal [enable|disable|...]
          set esn [require|allow|...]
          set fragmentation-mtu {integer}
          set childless-ike [enable|disable]
          set rekey [enable|disable]
          set digital-signature-auth [enable|disable]
          set signature-hash-alg {option1}, {option2}, ...
          set rsa-signature-format [pkcs1|pss]
          set enforce-unique-id [disable|keep-new|...]
          set cert-id-validation [enable|disable]
          set fec-egress [enable|disable]
          set fec-send-timeout {integer}
          set fec-base {integer}
          set fec-redundant {integer}
          set fec-ingress [enable|disable]
          set fec-receive-timeout {integer}
          set network-overlay [disable|enable]
          set network-id {integer}
      next
  end

config vpn ipsec phase1

Parameter Name Description Type Size
type Remote gateway type.
static: Remote VPN gateway has fixed IP address.
dynamic: Remote VPN gateway has dynamic IP address.
ddns: Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
option -
interface Local physical, aggregate, or VLAN outgoing interface. string Maximum length: 35
ike-version IKE protocol version.
1: Use IKEv1 protocol.
2: Use IKEv2 protocol.
option -
remote-gw Remote VPN gateway. ipv4-address Not Specified
local-gw Local VPN gateway. ipv4-address Not Specified
remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). string Maximum length: 63
keylife Time to wait in seconds before phase 1 encryption key expires. integer Minimum value: 120 Maximum value: 172800
certificate <name> Names of up to 4 signed personal certificates.
Certificate name.
string Maximum length: 79
authmethod Authentication method.
psk: PSK authentication method.
signature: Signature authentication method.
option -
authmethod-remote Authentication method (remote side).
psk: PSK authentication method.
signature: Signature authentication method.
option -
mode ID protection mode used to establish a secure channel.
aggressive: Aggressive mode.
main: Main mode.
option -
peertype Accept this peer type.
any: Accept any peer ID.
one: Accept this peer ID.
dialup: Accept peer ID in dialup group.
peer: Accept this peer certificate.
peergrp: Accept this peer certificate group.
option -
peerid Accept this peer identity. string Maximum length: 255
usrgrp User group name for dialup peers. string Maximum length: 35
peer Accept this peer certificate. string Maximum length: 35
peergrp Accept this peer certificate group. string Maximum length: 35
mode-cfg Enable/disable configuration method.
disable: Disable Configuration Method.
enable: Enable Configuration Method.
option -
assign-ip Enable/disable assignment of IP to IPsec interface via configuration method.
disable: Do not assign an IP address to the IPsec interface.
enable: Assign an IP address to the IPsec interface.
option -
assign-ip-from Method by which the IP address will be assigned.
range: Assign IP address from locally defined range.
usrgrp: Assign IP address via user group.
dhcp: Assign IP address via DHCP.
name: Assign IP address from firewall address or group.
option -
ipv4-start-ip Start of IPv4 range. ipv4-address Not Specified
ipv4-end-ip End of IPv4 range. ipv4-address Not Specified
ipv4-netmask IPv4 Netmask. ipv4-netmask Not Specified
dns-mode DNS server mode.
manual: Manually configure DNS servers.
auto: Use default DNS servers.
option -
ipv4-dns-server1 IPv4 DNS server 1. ipv4-address Not Specified
ipv4-dns-server2 IPv4 DNS server 2. ipv4-address Not Specified
ipv4-dns-server3 IPv4 DNS server 3. ipv4-address Not Specified
ipv4-wins-server1 WINS server 1. ipv4-address Not Specified
ipv4-wins-server2 WINS server 2. ipv4-address Not Specified
ipv4-split-include IPv4 split-include subnets. string Maximum length: 79
split-include-service Split-include services. string Maximum length: 79
ipv4-name IPv4 address name. string Maximum length: 79
ipv6-start-ip Start of IPv6 range. ipv6-address Not Specified
ipv6-end-ip End of IPv6 range. ipv6-address Not Specified
ipv6-prefix IPv6 prefix. integer Minimum value: 1 Maximum value: 128
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified
ipv6-dns-server2 IPv6 DNS server 2. ipv6-address Not Specified
ipv6-dns-server3 IPv6 DNS server 3. ipv6-address Not Specified
ipv6-split-include IPv6 split-include subnets. string Maximum length: 79
ipv6-name IPv6 address name. string Maximum length: 79
unity-support Enable/disable support for Cisco UNITY Configuration Method extensions.
disable: Disable Cisco Unity Configuration Method Extensions.
enable: Enable Cisco Unity Configuration Method Extensions.
option -
domain Instruct unity clients about the default DNS domain. string Maximum length: 63
banner Message that unity client should display after connecting. var-string Maximum length: 1024
include-local-lan Enable/disable allowing local LAN access on Unity clients.
disable: Disable local LAN access on Unity clients.
enable: Enable local LAN access on Unity clients.
option -
ipv4-split-exclude IPv4 subnets that should not be sent over the IPsec tunnel. string Maximum length: 79
ipv6-split-exclude IPv6 subnets that should not be sent over the IPsec tunnel. string Maximum length: 79
save-password Enable/disable saving XAuth username and password on VPN clients.
disable: Disable saving XAuth username and password on VPN clients.
enable: Enable saving XAuth username and password on VPN clients.
option -
client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
disable: Disable allowing the VPN client to bring up the tunnel when there is no traffic.
enable: Enable allowing the VPN client to bring up the tunnel when there is no traffic.
option -
client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
disable: Disable allowing the VPN client to keep the tunnel up when there is no traffic.
enable: Enable allowing the VPN client to keep the tunnel up when there is no traffic.
option -
backup-gateway <address> Instruct unity clients about the backup gateway address(es).
Address of backup gateway.
string Maximum length: 79
proposal Phase1 proposal.
des-md5: des-md5
des-sha1: des-sha1
des-sha256: des-sha256
des-sha384: des-sha384
des-sha512: des-sha512
3des-md5: 3des-md5
3des-sha1: 3des-sha1
3des-sha256: 3des-sha256
3des-sha384: 3des-sha384
3des-sha512: 3des-sha512
aes128-md5: aes128-md5
aes128-sha1: aes128-sha1
aes128-sha256: aes128-sha256
aes128-sha384: aes128-sha384
aes128-sha512: aes128-sha512
aes128gcm-prfsha1: aes128gcm-prfsha1
aes128gcm-prfsha256: aes128gcm-prfsha256
aes128gcm-prfsha384: aes128gcm-prfsha384
aes128gcm-prfsha512: aes128gcm-prfsha512
aes192-md5: aes192-md5
aes192-sha1: aes192-sha1
aes192-sha256: aes192-sha256
aes192-sha384: aes192-sha384
aes192-sha512: aes192-sha512
aes256-md5: aes256-md5
aes256-sha1: aes256-sha1
aes256-sha256: aes256-sha256
aes256-sha384: aes256-sha384
aes256-sha512: aes256-sha512
aes256gcm-prfsha1: aes256gcm-prfsha1
aes256gcm-prfsha256: aes256gcm-prfsha256
aes256gcm-prfsha384: aes256gcm-prfsha384
aes256gcm-prfsha512: aes256gcm-prfsha512
chacha20poly1305-prfsha1: chacha20poly1305-prfsha1
chacha20poly1305-prfsha256: chacha20poly1305-prfsha256
chacha20poly1305-prfsha384: chacha20poly1305-prfsha384
chacha20poly1305-prfsha512: chacha20poly1305-prfsha512
aria128-md5: aria128-md5
aria128-sha1: aria128-sha1
aria128-sha256: aria128-sha256
aria128-sha384: aria128-sha384
aria128-sha512: aria128-sha512
aria192-md5: aria192-md5
aria192-sha1: aria192-sha1
aria192-sha256: aria192-sha256
aria192-sha384: aria192-sha384
aria192-sha512: aria192-sha512
aria256-md5: aria256-md5
aria256-sha1: aria256-sha1
aria256-sha256: aria256-sha256
aria256-sha384: aria256-sha384
aria256-sha512: aria256-sha512
seed-md5: seed-md5
seed-sha1: seed-sha1
seed-sha256: seed-sha256
seed-sha384: seed-sha384
seed-sha512: seed-sha512
option -
add-route Enable/disable adding a route to the peer destination selector.
disable: Do not add a route to destination of peer selector.
enable: Add route to destination of peer selector.
option -
add-gw-route Enable/disable automatically adding a route to the remote gateway.
enable: Automatically add a route to the remote gateway.
disable: Do not automatically add a route to the remote gateway.
option -
psksecret Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
psksecret-remote Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
keepalive NAT-T keep alive interval. integer Minimum value: 10 Maximum value: 900
distance Distance for routes added by IKE (1 - 255). integer Minimum value: 1 Maximum value: 255
priority Priority for routes added by IKE (0 - 4294967295). integer Minimum value: 0 Maximum value: 4294967295
localid Local ID. string Maximum length: 63
localid-type Local ID type.
auto: Select ID type automatically.
fqdn: Use fully qualified domain name.
user-fqdn: Use user fully qualified domain name.
keyid: Use key-id string.
address: Use local IP address.
asn1dn: Use ASN.1 distinguished name.
option -
auto-negotiate Enable/disable automatic initiation of IKE SA negotiation.
enable: Enable automatic initiation of IKE SA negotiation.
disable: Disable automatic initiation of IKE SA negotiation.
option -
negotiate-timeout IKE SA negotiation timeout in seconds (1 - 300). integer Minimum value: 1 Maximum value: 300
fragmentation Enable/disable fragmenting IKE messages on retransmission.
enable: Enable intra-IKE fragmentation support on re-transmission.
disable: Disable intra-IKE fragmentation support.
option -
dpd Dead Peer Detection mode.
disable: Disable Dead Peer Detection.
on-idle: Trigger Dead Peer Detection when IPsec is idle.
on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
option -
dpd-retrycount Number of DPD retry attempts. integer Minimum value: 0 Maximum value: 10
dpd-retryinterval DPD retry interval. user Not Specified
forticlient-enforcement Enable/disable FortiClient enforcement.
enable: Enable FortiClient enforcement.
disable: Disable FortiClient enforcement.
option -
comments Comment. var-string Maximum length: 255
npu-offload Enable/disable NPU offloading.
enable: Enable NPU offloading.
disable: Disable NPU offloading.
option -
send-cert-chain Enable/disable sending certificate chain.
enable: Enable sending certificate chain.
disable: Disable sending certificate chain.
option -
dhgrp DH group.
1: DH Group 1.
2: DH Group 2.
5: DH Group 5.
14: DH Group 14.
15: DH Group 15.
16: DH Group 16.
17: DH Group 17.
18: DH Group 18.
19: DH Group 19.
20: DH Group 20.
21: DH Group 21.
27: DH Group 27.
28: DH Group 28.
29: DH Group 29.
30: DH Group 30.
31: DH Group 31.
32: DH Group 32.
option -
suite-b Use Suite-B.
disable: Do not use Suite-B.
suite-b-gcm-128: Use Suite-B-GCM-128.
suite-b-gcm-256: Use Suite-B-GCM-256.
option -
eap Enable/disable IKEv2 EAP authentication.
enable: Enable IKEv2 EAP authentication.
disable: Disable IKEv2 EAP authentication.
option -
eap-identity IKEv2 EAP peer identity type.
use-id-payload: Use IKEv2 IDi payload to resolve peer identity.
send-request: Use EAP identity request to resolve peer identity.
option -
eap-exclude-peergrp Peer group excluded from EAP authentication. string Maximum length: 35
acct-verify Enable/disable verification of RADIUS accounting record.
enable: Enable verification of RADIUS accounting record.
disable: Disable verification of RADIUS accounting record.
option -
ppk Enable/disable IKEv2 Postquantum Preshared Key (PPK).
disable: Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow: Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require: Require use of IKEv2 Postquantum Preshared Key (PPK).
option -
ppk-secret IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
ppk-identity IKEv2 Postquantum Preshared Key Identity. string Maximum length: 35
wizard-type GUI VPN Wizard Type.
custom: Custom VPN configuration.
dialup-forticlient: Dial Up - FortiClient Windows, Mac and Android.
dialup-ios: Dial Up - iPhone / iPad Native IPsec Client.
dialup-android: Dial Up - Android Native IPsec Client.
dialup-windows: Dial Up - Windows Native IPsec Client.
dialup-cisco: Dial Up - Cisco IPsec Client.
static-fortigate: Site to Site - FortiGate.
dialup-fortigate: Dial Up - FortiGate.
static-cisco: Site to Site - Cisco.
dialup-cisco-fw: Dial Up - Cisco Firewall.
simplified-static-fortigate: Site to Site - FortiGate (SD-WAN).
hub-fortigate-auto-discovery: Hub role in a Hub-and-Spoke auto-discovery VPN.
spoke-fortigate-auto-discovery: Spoke role in a Hub-and-Spoke auto-discovery VPN.
option -
xauthtype XAuth type.
disable: Disable.
client: Enable as client.
pap: Enable as server PAP.
chap: Enable as server CHAP.
auto: Enable as server auto.
option -
reauth Enable/disable re-authentication upon IKE SA lifetime expiration.
disable: Disable IKE SA re-authentication.
enable: Enable IKE SA re-authentication.
option -
authusr XAuth user name. string Maximum length: 64
authpasswd XAuth password (max 35 characters). password Not Specified
group-authentication Enable/disable IKEv2 IDi group authentication.
enable: Enable IKEv2 IDi group authentication.
disable: Disable IKEv2 IDi group authentication.
option -
group-authentication-secret Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) password-3 Not Specified
authusrgrp Authentication user group. string Maximum length: 35
mesh-selector-type Add selectors containing subsets of the configuration depending on traffic.
disable: Disable.
subnet: Enable addition of matching subnet selector.
host: Enable addition of host to host selector.
option -
idle-timeout Enable/disable IPsec tunnel idle timeout.
enable: Enable IPsec tunnel idle timeout.
disable: Disable IPsec tunnel idle timeout.
option -
idle-timeoutinterval IPsec tunnel idle timeout in minutes (5 - 43200). integer Minimum value: 5 Maximum value: 43200
ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA.
enable: Enable HA syncing of ESP sequence numbers.
disable: Disable HA syncing of ESP sequence numbers.
option -
nattraversal Enable/disable NAT traversal.
enable: Enable IPsec NAT traversal.
disable: Disable IPsec NAT traversal.
forced: Force IPsec NAT traversal on.
option -
esn Extended sequence number (ESN) negotiation.
require: Require extended sequence number.
allow: Allow extended sequence number.
disable: Disable extended sequence number.
option -
fragmentation-mtu IKE fragmentation MTU (500 - 16000). integer Minimum value: 500 Maximum value: 16000
childless-ike Enable/disable childless IKEv2 initiation (RFC 6023).
enable: Enable childless IKEv2 initiation (RFC 6023).
disable: Disable childless IKEv2 initiation (RFC 6023).
option -
rekey Enable/disable phase1 rekey.
enable: Enable phase1 rekey.
disable: Disable phase1 rekey.
option -
digital-signature-auth Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
enable: Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable: Disable IKEv2 Digital Signature Authentication (RFC 7427).
option -
signature-hash-alg Digital Signature Authentication hash algorithms.
sha1: SHA1.
sha2-256: SHA2-256.
sha2-384: SHA2-384.
sha2-512: SHA2-512.
option -
rsa-signature-format Digital Signature Authentication RSA signature format.
pkcs1: RSASSA PKCS#1 v1.5.
pss: RSASSA Probabilistic Signature Scheme (PSS).
option -
enforce-unique-id Enable/disable peer ID uniqueness check.
disable: Disable peer ID uniqueness enforcement.
keep-new: Enforce peer ID uniqueness, keep new connection if collision found.
keep-old: Enforce peer ID uniqueness, keep old connection if collision found.
option -
cert-id-validation Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
enable: Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
disable: Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
option -
fec-egress Enable/disable Forward Error Correction for egress IPsec traffic.
enable: Enable Forward Error Correction for egress IPsec traffic.
disable: Disable Forward Error Correction for egress IPsec traffic.
option -
fec-send-timeout Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). integer Minimum value: 1 Maximum value: 1000
fec-base Number of base Forward Error Correction packets (1 - 100). integer Minimum value: 1 Maximum value: 100
fec-redundant Number of redundant Forward Error Correction packets (1 - 100). integer Minimum value: 1 Maximum value: 100
fec-ingress Enable/disable Forward Error Correction for ingress IPsec traffic.
enable: Enable Forward Error Correction for ingress IPsec traffic.
disable: Disable Forward Error Correction for ingress IPsec traffic.
option -
fec-receive-timeout Timeout in milliseconds before dropping Forward Error Correction packets (1 - 10000). integer Minimum value: 1 Maximum value: 10000
network-overlay Enable/disable network overlays.
disable: Disable network overlays.
enable: Enable network overlays.
option -
network-id VPN gateway network ID. integer Minimum value: 0 Maximum value: 255

config ipv4-exclude-range

Parameter Name Description Type Size
start-ip Start of IPv4 exclusive range. ipv4-address Not Specified
end-ip End of IPv4 exclusive range. ipv4-address Not Specified

config ipv6-exclude-range

Parameter Name Description Type Size
start-ip Start of IPv6 exclusive range. ipv6-address Not Specified
end-ip End of IPv6 exclusive range. ipv6-address Not Specified
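The tables above list every phase1 parameter and its accepted values, but not how to check an exported configuration against them. The script below is an added example, not Fortinet's code or part of this reference: it parses a `config vpn ipsec phase1` dump written in the CLI syntax shown at the top of the page (handling the nested `config ipv4-exclude-range` block) and reports settings a reviewer would question, using only parameter names and option values that appear in this reference (DES/3DES/MD5/SHA1 proposals, DH groups 1, 2 and 5, IKEv1 aggressive mode with PSK, `cert-id-validation disable` with signature authentication, `signature-hash-alg sha1`, and `dpd disable`). The sample configuration is constructed for the example; the defaults the script assumes when a key is absent (`ike-version 1`, `mode main`, `authmethod psk`) are assumptions about the platform rather than values stated on this page.

```python
"""Audit a FortiOS-style 'config vpn ipsec phase1' dump for weak settings.

Added example; not Fortinet's code. Parameter names and option values come from
the CLI reference; the sample configuration below is constructed.
"""
import shlex

# Proposal substrings that indicate a legacy cipher or hash (des-md5, 3des-sha1,
# aes128-md5, aes256gcm-prfsha1, ...). "-sha1" does not match "-sha512".
WEAK_CIPHER_TOKENS = ("des-", "-md5", "-sha1", "prfsha1")
# MODP groups of 1536 bits or less.
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed sample: one legacy tunnel and one hardened tunnel.
SAMPLE_CONFIG = """
config vpn ipsec phase1
    edit "legacy-branch"
        set type static
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set authmethod psk
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
        set dpd disable
        set remote-gw 203.0.113.10
        set psksecret ENC REDACTED
    next
    edit "hq-hub"
        set type static
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set certificate "vpn-gw-cert"
        set proposal aes256gcm-prfsha256 chacha20poly1305-prfsha256
        set dhgrp 19 20
        set dpd on-demand
        set signature-hash-alg sha2-256 sha2-384
        set rsa-signature-format pss
        set cert-id-validation enable
        config ipv4-exclude-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.10
            next
        end
        set remote-gw 198.51.100.20
    next
end
"""


def parse_phase1(text: str) -> dict:
    """Return {entry_name: {key: [values]}} for each 'edit' under the top-level config.

    Depth tracking skips nested tables (config ipv4-exclude-range ... end) so
    their 'set start-ip' lines are not mistaken for phase1 parameters.
    """
    entries, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoted names FortiOS emits
        cmd = tokens[0]
        if cmd == "config":
            depth += 1
        elif cmd == "end":
            depth -= 1
        elif cmd == "edit" and depth == 1:
            current = tokens[1]
            entries[current] = {}
        elif cmd == "next" and depth == 1:
            current = None
        elif cmd == "set" and depth == 1 and current is not None:
            entries[current][tokens[1]] = tokens[2:]
    return entries


def audit_phase1(entry: dict) -> list:
    """Return (severity, message) findings for one phase1 entry."""
    findings = []
    # Assumed platform defaults when the key is absent (assumption, not from the page).
    ike_version = entry.get("ike-version", ["1"])[0]
    mode = entry.get("mode", ["main"])[0]
    authmethod = entry.get("authmethod", ["psk"])[0]

    weak_props = [p for p in entry.get("proposal", [])
                  if any(t in p for t in WEAK_CIPHER_TOKENS)]
    if weak_props:
        findings.append(("high", "weak phase1 proposal(s): " + " ".join(weak_props)))
    weak_dh = sorted(set(entry.get("dhgrp", [])) & WEAK_DH_GROUPS, key=int)
    if weak_dh:
        findings.append(("high", "weak DH group(s): " + " ".join(weak_dh)
                         + "; prefer 14 or higher, or an ECP group (19-21)"))
    if ike_version == "1" and mode == "aggressive" and authmethod == "psk":
        findings.append(("high", "IKEv1 aggressive mode with PSK; use main mode or IKEv2"))
    if ike_version == "1":
        findings.append(("info", "IKEv1 in use; 'set ike-version 2' is preferred"))
    if authmethod == "signature":
        if entry.get("cert-id-validation", [""])[0] == "disable":
            findings.append(("medium", "cert-id-validation disabled; peer ID is not "
                             "cross-checked against the certificate (RFC 4945)"))
        if "sha1" in entry.get("signature-hash-alg", []):
            findings.append(("medium", "signature-hash-alg includes sha1"))
    if entry.get("dpd", [""])[0] == "disable":
        findings.append(("low", "dead peer detection disabled"))
    return findings


def audit_config(text: str) -> dict:
    """Map every phase1 entry name in the dump to its list of findings."""
    return {name: audit_phase1(entry) for name, entry in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against the output of `show vpn ipsec phase1` saved to a file by replacing `SAMPLE_CONFIG` with the file's contents; the hardened `hq-hub` entry produces no findings, while `legacy-branch` is flagged for its proposals, DH groups, aggressive-mode PSK, IKEv1 and disabled DPD.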

vpn ipsec phase1

Configure VPN remote gateway.

  config vpn ipsec phase1
      Description: Configure VPN remote gateway.
      edit <name>
          set type [static|dynamic|...]
          set interface {string}
          set ike-version [1|2]
          set remote-gw {ipv4-address}
          set local-gw {ipv4-address}
          set remotegw-ddns {string}
          set keylife {integer}
          set certificate <name1>, <name2>, ...
          set authmethod [psk|signature]
          set authmethod-remote [psk|signature]
          set mode [aggressive|main]
          set peertype [any|one|...]
          set peerid {string}
          set usrgrp {string}
          set peer {string}
          set peergrp {string}
          set mode-cfg [disable|enable]
          set assign-ip [disable|enable]
          set assign-ip-from [range|usrgrp|...]
          set ipv4-start-ip {ipv4-address}
          set ipv4-end-ip {ipv4-address}
          set ipv4-netmask {ipv4-netmask}
          set dns-mode [manual|auto]
          set ipv4-dns-server1 {ipv4-address}
          set ipv4-dns-server2 {ipv4-address}
          set ipv4-dns-server3 {ipv4-address}
          set ipv4-wins-server1 {ipv4-address}
          set ipv4-wins-server2 {ipv4-address}
          config ipv4-exclude-range
              Description: Configuration Method IPv4 exclude ranges.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          set ipv4-split-include {string}
          set split-include-service {string}
          set ipv4-name {string}
          set ipv6-start-ip {ipv6-address}
          set ipv6-end-ip {ipv6-address}
          set ipv6-prefix {integer}
          set ipv6-dns-server1 {ipv6-address}
          set ipv6-dns-server2 {ipv6-address}
          set ipv6-dns-server3 {ipv6-address}
          config ipv6-exclude-range
              Description: Configuration method IPv6 exclude ranges.
              edit <id>
                  set start-ip {ipv6-address}
                  set end-ip {ipv6-address}
              next
          end
          set ipv6-split-include {string}
          set ipv6-name {string}
          set unity-support [disable|enable]
          set domain {string}
          set banner {var-string}
          set include-local-lan [disable|enable]
          set ipv4-split-exclude {string}
          set ipv6-split-exclude {string}
          set save-password [disable|enable]
          set client-auto-negotiate [disable|enable]
          set client-keep-alive [disable|enable]
          set backup-gateway <address1>, <address2>, ...
          set proposal {option1}, {option2}, ...
          set add-route [disable|enable]
          set add-gw-route [enable|disable]
          set psksecret {password-3}
          set psksecret-remote {password-3}
          set keepalive {integer}
          set distance {integer}
          set priority {integer}
          set localid {string}
          set localid-type [auto|fqdn|...]
          set auto-negotiate [enable|disable]
          set negotiate-timeout {integer}
          set fragmentation [enable|disable]
          set dpd [disable|on-idle|...]
          set dpd-retrycount {integer}
          set dpd-retryinterval {user}
          set forticlient-enforcement [enable|disable]
          set comments {var-string}
          set npu-offload [enable|disable]
          set send-cert-chain [enable|disable]
          set dhgrp {option1}, {option2}, ...
          set suite-b [disable|suite-b-gcm-128|...]
          set eap [enable|disable]
          set eap-identity [use-id-payload|send-request]
          set eap-exclude-peergrp {string}
          set acct-verify [enable|disable]
          set ppk [disable|allow|...]
          set ppk-secret {password-3}
          set ppk-identity {string}
          set wizard-type [custom|dialup-forticlient|...]
          set xauthtype [disable|client|...]
          set reauth [disable|enable]
          set authusr {string}
          set authpasswd {password}
          set group-authentication [enable|disable]
          set group-authentication-secret {password-3}
          set authusrgrp {string}
          set mesh-selector-type [disable|subnet|...]
          set idle-timeout [enable|disable]
          set idle-timeoutinterval {integer}
          set ha-sync-esp-seqno [enable|disable]
          set nattraversal [enable|disable|...]
          set esn [require|allow|...]
          set fragmentation-mtu {integer}
          set childless-ike [enable|disable]
          set rekey [enable|disable]
          set digital-signature-auth [enable|disable]
          set signature-hash-alg {option1}, {option2}, ...
          set rsa-signature-format [pkcs1|pss]
          set enforce-unique-id [disable|keep-new|...]
          set cert-id-validation [enable|disable]
          set fec-egress [enable|disable]
          set fec-send-timeout {integer}
          set fec-base {integer}
          set fec-redundant {integer}
          set fec-ingress [enable|disable]
          set fec-receive-timeout {integer}
          set network-overlay [disable|enable]
          set network-id {integer}
      next
  end

config vpn ipsec phase1

Parameter Name Description Type Size
type Remote gateway type.
static: Remote VPN gateway has fixed IP address.
dynamic: Remote VPN gateway has dynamic IP address.
ddns: Remote VPN gateway has dynamic IP address and is a dynamic DNS client.
option -
interface Local physical, aggregate, or VLAN outgoing interface. string Maximum length: 35
ike-version IKE protocol version.
1: Use IKEv1 protocol.
2: Use IKEv2 protocol.
option -
remote-gw Remote VPN gateway. ipv4-address Not Specified
local-gw Local VPN gateway. ipv4-address Not Specified
remotegw-ddns Domain name of remote gateway (eg. name.DDNS.com). string Maximum length: 63
keylife Time to wait in seconds before phase 1 encryption key expires. integer Minimum value: 120 Maximum value: 172800
certificate <name> Names of up to 4 signed personal certificates.
Certificate name.
string Maximum length: 79
authmethod Authentication method.
psk: PSK authentication method.
signature: Signature authentication method.
option -
authmethod-remote Authentication method (remote side).
psk: PSK authentication method.
signature: Signature authentication method.
option -
mode ID protection mode used to establish a secure channel.
aggressive: Aggressive mode.
main: Main mode.
option -
peertype Accept this peer type.
any: Accept any peer ID.
one: Accept this peer ID.
dialup: Accept peer ID in dialup group.
peer: Accept this peer certificate.
peergrp: Accept this peer certificate group.
option -
peerid Accept this peer identity. string Maximum length: 255
usrgrp User group name for dialup peers. string Maximum length: 35
peer Accept this peer certificate. string Maximum length: 35
peergrp Accept this peer certificate group. string Maximum length: 35
mode-cfg Enable/disable configuration method.
disable: Disable Configuration Method.
enable: Enable Configuration Method.
option -
assign-ip Enable/disable assignment of IP to IPsec interface via configuration method.
disable: Do not assign an IP address to the IPsec interface.
enable: Assign an IP address to the IPsec interface.
option -
assign-ip-from Method by which the IP address will be assigned.
range: Assign IP address from locally defined range.
usrgrp: Assign IP address via user group.
dhcp: Assign IP address via DHCP.
name: Assign IP address from firewall address or group.
option -
ipv4-start-ip Start of IPv4 range. ipv4-address Not Specified
ipv4-end-ip End of IPv4 range. ipv4-address Not Specified
ipv4-netmask IPv4 Netmask. ipv4-netmask Not Specified
dns-mode DNS server mode.
manual: Manually configure DNS servers.
auto: Use default DNS servers.
option -
ipv4-dns-server1 IPv4 DNS server 1. ipv4-address Not Specified
ipv4-dns-server2 IPv4 DNS server 2. ipv4-address Not Specified
ipv4-dns-server3 IPv4 DNS server 3. ipv4-address Not Specified
ipv4-wins-server1 WINS server 1. ipv4-address Not Specified
ipv4-wins-server2 WINS server 2. ipv4-address Not Specified
ipv4-split-include IPv4 split-include subnets. string Maximum length: 79
split-include-service Split-include services. string Maximum length: 79
ipv4-name IPv4 address name. string Maximum length: 79
ipv6-start-ip Start of IPv6 range. ipv6-address Not Specified
ipv6-end-ip End of IPv6 range. ipv6-address Not Specified
ipv6-prefix IPv6 prefix. integer Minimum value: 1 Maximum value: 128
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified
ipv6-dns-server2 IPv6 DNS server 2. ipv6-address Not Specified
ipv6-dns-server3 IPv6 DNS server 3. ipv6-address Not Specified
ipv6-split-include IPv6 split-include subnets. string Maximum length: 79
ipv6-name IPv6 address name. string Maximum length: 79
unity-support Enable/disable support for Cisco UNITY Configuration Method extensions.
disable: Disable Cisco Unity Configuration Method Extensions.
enable: Enable Cisco Unity Configuration Method Extensions.
option -
domain Instruct unity clients about the default DNS domain. string Maximum length: 63
banner Message that unity client should display after connecting. var-string Maximum length: 1024
include-local-lan Enable/disable allow local LAN access on unity clients.
disable: Disable local LAN access on Unity clients.
enable: Enable local LAN access on Unity clients.
option -
ipv4-split-exclude IPv4 subnets that should not be sent over the IPsec tunnel. string Maximum length: 79
ipv6-split-exclude IPv6 subnets that should not be sent over the IPsec tunnel. string Maximum length: 79
save-password Enable/disable saving XAuth username and password on VPN clients.
disable: Disable saving XAuth username and password on VPN clients.
enable: Enable saving XAuth username and password on VPN clients.
option -
client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic.
disable: Disable allowing the VPN client to bring up the tunnel when there is no traffic.
enable: Enable allowing the VPN client to bring up the tunnel when there is no traffic.
option -
client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic.
disable: Disable allowing the VPN client to keep the tunnel up when there is no traffic.
enable: Enable allowing the VPN client to keep the tunnel up when there is no traffic.
option -
backup-gateway <address> Instruct Unity clients about the backup gateway address(es). Address of backup gateway. string Maximum length: 79
proposal Phase1 proposal.
des-md5: des-md5
des-sha1: des-sha1
des-sha256: des-sha256
des-sha384: des-sha384
des-sha512: des-sha512
3des-md5: 3des-md5
3des-sha1: 3des-sha1
3des-sha256: 3des-sha256
3des-sha384: 3des-sha384
3des-sha512: 3des-sha512
aes128-md5: aes128-md5
aes128-sha1: aes128-sha1
aes128-sha256: aes128-sha256
aes128-sha384: aes128-sha384
aes128-sha512: aes128-sha512
aes128gcm-prfsha1: aes128gcm-prfsha1
aes128gcm-prfsha256: aes128gcm-prfsha256
aes128gcm-prfsha384: aes128gcm-prfsha384
aes128gcm-prfsha512: aes128gcm-prfsha512
aes192-md5: aes192-md5
aes192-sha1: aes192-sha1
aes192-sha256: aes192-sha256
aes192-sha384: aes192-sha384
aes192-sha512: aes192-sha512
aes256-md5: aes256-md5
aes256-sha1: aes256-sha1
aes256-sha256: aes256-sha256
aes256-sha384: aes256-sha384
aes256-sha512: aes256-sha512
aes256gcm-prfsha1: aes256gcm-prfsha1
aes256gcm-prfsha256: aes256gcm-prfsha256
aes256gcm-prfsha384: aes256gcm-prfsha384
aes256gcm-prfsha512: aes256gcm-prfsha512
chacha20poly1305-prfsha1: chacha20poly1305-prfsha1
chacha20poly1305-prfsha256: chacha20poly1305-prfsha256
chacha20poly1305-prfsha384: chacha20poly1305-prfsha384
chacha20poly1305-prfsha512: chacha20poly1305-prfsha512
aria128-md5: aria128-md5
aria128-sha1: aria128-sha1
aria128-sha256: aria128-sha256
aria128-sha384: aria128-sha384
aria128-sha512: aria128-sha512
aria192-md5: aria192-md5
aria192-sha1: aria192-sha1
aria192-sha256: aria192-sha256
aria192-sha384: aria192-sha384
aria192-sha512: aria192-sha512
aria256-md5: aria256-md5
aria256-sha1: aria256-sha1
aria256-sha256: aria256-sha256
aria256-sha384: aria256-sha384
aria256-sha512: aria256-sha512
seed-md5: seed-md5
seed-sha1: seed-sha1
seed-sha256: seed-sha256
seed-sha384: seed-sha384
seed-sha512: seed-sha512
option -
add-route Enable/disable adding a route to the peer's destination selector.
disable: Do not add a route to the destination of the peer selector.
enable: Add a route to the destination of the peer selector.
option -
add-gw-route Enable/disable automatically adding a route to the remote gateway.
enable: Automatically add a route to the remote gateway.
disable: Do not automatically add a route to the remote gateway.
option -
psksecret Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
psksecret-remote Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
keepalive NAT-T keep alive interval. integer Minimum value: 10 Maximum value: 900
distance Distance for routes added by IKE (1 - 255). integer Minimum value: 1 Maximum value: 255
priority Priority for routes added by IKE (0 - 4294967295). integer Minimum value: 0 Maximum value: 4294967295
localid Local ID. string Maximum length: 63
localid-type Local ID type.
auto: Select ID type automatically.
fqdn: Use fully qualified domain name.
user-fqdn: Use user fully qualified domain name.
keyid: Use key-id string.
address: Use local IP address.
asn1dn: Use ASN.1 distinguished name.
option -
auto-negotiate Enable/disable automatic initiation of IKE SA negotiation.
enable: Enable automatic initiation of IKE SA negotiation.
disable: Disable automatic initiation of IKE SA negotiation.
option -
negotiate-timeout IKE SA negotiation timeout in seconds (1 - 300). integer Minimum value: 1 Maximum value: 300
fragmentation Enable/disable fragmenting IKE messages on retransmission.
enable: Enable intra-IKE fragmentation support on re-transmission.
disable: Disable intra-IKE fragmentation support.
option -
dpd Dead Peer Detection mode.
disable: Disable Dead Peer Detection.
on-idle: Trigger Dead Peer Detection when IPsec is idle.
on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
option -
dpd-retrycount Number of DPD retry attempts. integer Minimum value: 0 Maximum value: 10
dpd-retryinterval DPD retry interval. user Not Specified
forticlient-enforcement Enable/disable FortiClient enforcement.
enable: Enable FortiClient enforcement.
disable: Disable FortiClient enforcement.
option -
comments Comment. var-string Maximum length: 255
npu-offload Enable/disable NPU offloading.
enable: Enable NPU offloading.
disable: Disable NPU offloading.
option -
send-cert-chain Enable/disable sending certificate chain.
enable: Enable sending certificate chain.
disable: Disable sending certificate chain.
option -
dhgrp DH group.
1: DH Group 1.
2: DH Group 2.
5: DH Group 5.
14: DH Group 14.
15: DH Group 15.
16: DH Group 16.
17: DH Group 17.
18: DH Group 18.
19: DH Group 19.
20: DH Group 20.
21: DH Group 21.
27: DH Group 27.
28: DH Group 28.
29: DH Group 29.
30: DH Group 30.
31: DH Group 31.
32: DH Group 32.
option -
suite-b Use Suite-B.
disable: Do not use Suite-B.
suite-b-gcm-128: Use Suite-B-GCM-128.
suite-b-gcm-256: Use Suite-B-GCM-256.
option -
eap Enable/disable IKEv2 EAP authentication.
enable: Enable IKEv2 EAP authentication.
disable: Disable IKEv2 EAP authentication.
option -
eap-identity IKEv2 EAP peer identity type.
use-id-payload: Use IKEv2 IDi payload to resolve peer identity.
send-request: Use EAP identity request to resolve peer identity.
option -
eap-exclude-peergrp Peer group excluded from EAP authentication. string Maximum length: 35
acct-verify Enable/disable verification of RADIUS accounting record.
enable: Enable verification of RADIUS accounting record.
disable: Disable verification of RADIUS accounting record.
option -
ppk Enable/disable IKEv2 Postquantum Preshared Key (PPK).
disable: Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow: Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require: Require use of IKEv2 Postquantum Preshared Key (PPK).
option -
ppk-secret IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). password-3 Not Specified
ppk-identity IKEv2 Postquantum Preshared Key Identity. string Maximum length: 35
wizard-type GUI VPN Wizard Type.
custom: Custom VPN configuration.
dialup-forticlient: Dial Up - FortiClient Windows, Mac and Android.
dialup-ios: Dial Up - iPhone / iPad Native IPsec Client.
dialup-android: Dial Up - Android Native IPsec Client.
dialup-windows: Dial Up - Windows Native IPsec Client.
dialup-cisco: Dial Up - Cisco IPsec Client.
static-fortigate: Site to Site - FortiGate.
dialup-fortigate: Dial Up - FortiGate.
static-cisco: Site to Site - Cisco.
dialup-cisco-fw: Dial Up - Cisco Firewall.
simplified-static-fortigate: Site to Site - FortiGate (SD-WAN).
hub-fortigate-auto-discovery: Hub role in a Hub-and-Spoke auto-discovery VPN.
spoke-fortigate-auto-discovery: Spoke role in a Hub-and-Spoke auto-discovery VPN.
option -
xauthtype XAuth type.
disable: Disable.
client: Enable as client.
pap: Enable as server PAP.
chap: Enable as server CHAP.
auto: Enable as server auto.
option -
reauth Enable/disable re-authentication upon IKE SA lifetime expiration.
disable: Disable IKE SA re-authentication.
enable: Enable IKE SA re-authentication.
option -
authusr XAuth user name. string Maximum length: 64
authpasswd XAuth password (max 35 characters). password Not Specified
group-authentication Enable/disable IKEv2 IDi group authentication.
enable: Enable IKEv2 IDi group authentication.
disable: Disable IKEv2 IDi group authentication.
option -
group-authentication-secret Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.) password-3 Not Specified
authusrgrp Authentication user group. string Maximum length: 35
mesh-selector-type Add selectors containing subsets of the configuration depending on traffic.
disable: Disable.
subnet: Enable addition of matching subnet selector.
host: Enable addition of host to host selector.
option -
idle-timeout Enable/disable IPsec tunnel idle timeout.
enable: Enable IPsec tunnel idle timeout.
disable: Disable IPsec tunnel idle timeout.
option -
idle-timeoutinterval IPsec tunnel idle timeout in minutes (5 - 43200). integer Minimum value: 5 Maximum value: 43200
ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA.
enable: Enable HA syncing of ESP sequence numbers.
disable: Disable HA syncing of ESP sequence numbers.
option -
nattraversal Enable/disable NAT traversal.
enable: Enable IPsec NAT traversal.
disable: Disable IPsec NAT traversal.
forced: Force IPsec NAT traversal on.
option -
esn Extended sequence number (ESN) negotiation.
require: Require extended sequence number.
allow: Allow extended sequence number.
disable: Disable extended sequence number.
option -
fragmentation-mtu IKE fragmentation MTU (500 - 16000). integer Minimum value: 500 Maximum value: 16000
childless-ike Enable/disable childless IKEv2 initiation (RFC 6023).
enable: Enable childless IKEv2 initiation (RFC 6023).
disable: Disable childless IKEv2 initiation (RFC 6023).
option -
rekey Enable/disable phase1 rekey.
enable: Enable phase1 rekey.
disable: Disable phase1 rekey.
option -
digital-signature-auth Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).
enable: Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable: Disable IKEv2 Digital Signature Authentication (RFC 7427).
option -
signature-hash-alg Digital Signature Authentication hash algorithms.
sha1: SHA1.
sha2-256: SHA2-256.
sha2-384: SHA2-384.
sha2-512: SHA2-512.
option -
rsa-signature-format Digital Signature Authentication RSA signature format.
pkcs1: RSASSA PKCS#1 v1.5.
pss: RSASSA Probabilistic Signature Scheme (PSS).
option -
enforce-unique-id Enable/disable peer ID uniqueness check.
disable: Disable peer ID uniqueness enforcement.
keep-new: Enforce peer ID uniqueness, keep new connection if collision found.
keep-old: Enforce peer ID uniqueness, keep old connection if collision found.
option -
cert-id-validation Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
enable: Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
disable: Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
option -
fec-egress Enable/disable Forward Error Correction for egress IPsec traffic.
enable: Enable Forward Error Correction for egress IPsec traffic.
disable: Disable Forward Error Correction for egress IPsec traffic.
option -
fec-send-timeout Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000). integer Minimum value: 1 Maximum value: 1000
fec-base Number of base Forward Error Correction packets (1 - 100). integer Minimum value: 1 Maximum value: 100
fec-redundant Number of redundant Forward Error Correction packets (1 - 100). integer Minimum value: 1 Maximum value: 100
fec-ingress Enable/disable Forward Error Correction for ingress IPsec traffic.
enable: Enable Forward Error Correction for ingress IPsec traffic.
disable: Disable Forward Error Correction for ingress IPsec traffic.
option -
fec-receive-timeout Timeout in milliseconds before dropping Forward Error Correction packets (1 - 10000). integer Minimum value: 1 Maximum value: 10000
network-overlay Enable/disable network overlays.
disable: Disable network overlays.
enable: Enable network overlays.
option -
network-id VPN gateway network ID. integer Minimum value: 0 Maximum value: 255
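The proposal and dhgrp options listed above still include legacy choices (DES/3DES, MD5/SHA1 integrity or PRF, DH groups 1, 2 and 5). The following Python script is an added example, not Fortinet's code: it parses a constructed `config vpn ipsec phase1` block in the CLI syntax this reference documents and reports those weak selections, plus IKEv1 aggressive mode combined with PSK authentication. The tunnel names and sample values are assumptions made for the example.

```python
"""Audit a FortiOS 'config vpn ipsec phase1' block for weak IKE settings.
Added example, not Fortinet code; checks only parameters on this page."""
import re

# Constructed sample input: one legacy tunnel, one hardened tunnel.
SAMPLE_CONFIG = """config vpn ipsec phase1
    edit "branch-legacy"
        set ike-version 1
        set mode aggressive
        set authmethod psk
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
    next
    edit "branch-hardened"
        set ike-version 2
        set authmethod signature
        set proposal aes256gcm-prfsha256 aes256-sha256
        set dhgrp 19 20
    next
end"""
WEAK_CIPHERS = ("des", "3des")            # DES/3DES encryption
WEAK_HASHES = {"md5", "sha1", "prfsha1"}  # MD5/SHA1 integrity or PRF
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups below 2048 bits

def parse_phase1(text):
    """Return {tunnel_name: {parameter: [values]}} from CLI text."""
    tunnels, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.split()
            current[key] = values
    return tunnels

def audit_tunnel(params):
    """Return findings for one phase1 entry (empty list if none)."""
    findings = []
    for prop in params.get("proposal", []):
        enc, _, auth = prop.partition("-")
        if enc.startswith(WEAK_CIPHERS) or auth in WEAK_HASHES:
            findings.append(f"weak proposal {prop}")
    findings += [f"weak DH group {g}" for g in params.get("dhgrp", [])
                 if g in WEAK_DH_GROUPS]
    if params.get("ike-version") == ["1"] and params.get("mode") == ["aggressive"] \
            and params.get("authmethod") == ["psk"]:
        findings.append("IKEv1 aggressive mode with PSK")
    return findings
```

Run `audit_tunnel` over each entry returned by `parse_phase1` to get the per-tunnel findings; the hardened tunnel in the sample yields none.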

config ipv4-exclude-range

Parameter Name Description Type Size
start-ip Start of IPv4 exclude range. ipv4-address Not Specified
end-ip End of IPv4 exclude range. ipv4-address Not Specified

config ipv6-exclude-range

Parameter Name Description Type Size
start-ip Start of IPv6 exclude range. ipv6-address Not Specified
end-ip End of IPv6 exclude range. ipv6-address Not Specified