Fortinet white logo
Fortinet white logo

CLI Reference

config vpn ipsec phase2

config vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2

Description: Configure VPN autokey tunnel.

edit <name>

set phase1name {string}

set dhcp-ipsec [enable|disable]

set use-natip [enable|disable]

set selector-match [exact|subset|...]

set proposal {option1}, {option2}, ...

set pfs [enable|disable]

set ipv4-df [enable|disable]

set dhgrp {option1}, {option2}, ...

set replay [enable|disable]

set keepalive [enable|disable]

set auto-negotiate [enable|disable]

set add-route [phase1|enable|...]

set keylifeseconds {integer}

set keylifekbs {integer}

set keylife-type [seconds|kbs|...]

set single-source [enable|disable]

set route-overlap [use-old|use-new|...]

set encapsulation [tunnel-mode|transport-mode]

set l2tp [enable|disable]

set comments {var-string}

set initiator-ts-narrow [enable|disable]

set diffserv [enable|disable]

set diffservcode {user}

set protocol {integer}

set src-name {string}

set src-name6 {string}

set src-addr-type [subnet|range|...]

set src-start-ip {ipv4-address-any}

set src-start-ip6 {ipv6-address}

set src-end-ip {ipv4-address-any}

set src-end-ip6 {ipv6-address}

set src-subnet {ipv4-classnet-any}

set src-subnet6 {ipv6-prefix}

set src-port {integer}

set dst-name {string}

set dst-name6 {string}

set dst-addr-type [subnet|range|...]

set dst-start-ip {ipv4-address-any}

set dst-start-ip6 {ipv6-address}

set dst-end-ip {ipv4-address-any}

set dst-end-ip6 {ipv6-address}

set dst-subnet {ipv4-classnet-any}

set dst-subnet6 {ipv6-prefix}

set dst-port {integer}

next

end

config vpn ipsec phase2

Parameter

Description

Type

Size

Default

phase1name

Phase 1 determines the options required for phase 2.

string

Maximum length: 35

dhcp-ipsec

Enable/disable DHCP-IPsec.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

use-natip

Enable to use the FortiGate public IP as the source selector when outbound NAT is used.

option

-

enable

Option

Description

enable

Replace source selector with interface IP when using outbound NAT.

disable

Do not modify source selector when using outbound NAT.

selector-match

Match type to use when comparing selectors.

option

-

auto

Option

Description

exact

Match selectors exactly.

subset

Match selectors by subset.

auto

Use subset or exact match depending on selector address type.

proposal

Phase2 proposal.

option

-

Option

Description

null-md5

null-md5

null-sha1

null-sha1

null-sha256

null-sha256

null-sha384

null-sha384

null-sha512

null-sha512

des-null

des-null

des-md5

des-md5

des-sha1

des-sha1

des-sha256

des-sha256

des-sha384

des-sha384

des-sha512

des-sha512

3des-null

3des-null

3des-md5

3des-md5

3des-sha1

3des-sha1

3des-sha256

3des-sha256

3des-sha384

3des-sha384

3des-sha512

3des-sha512

aes128-null

aes128-null

aes128-md5

aes128-md5

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes128gcm

aes128gcm

aes192-null

aes192-null

aes192-md5

aes192-md5

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-null

aes256-null

aes256-md5

aes256-md5

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes256gcm

aes256gcm

chacha20poly1305

chacha20poly1305

aria128-null

aria128-null

aria128-md5

aria128-md5

aria128-sha1

aria128-sha1

aria128-sha256

aria128-sha256

aria128-sha384

aria128-sha384

aria128-sha512

aria128-sha512

aria192-null

aria192-null

aria192-md5

aria192-md5

aria192-sha1

aria192-sha1

aria192-sha256

aria192-sha256

aria192-sha384

aria192-sha384

aria192-sha512

aria192-sha512

aria256-null

aria256-null

aria256-md5

aria256-md5

aria256-sha1

aria256-sha1

aria256-sha256

aria256-sha256

aria256-sha384

aria256-sha384

aria256-sha512

aria256-sha512

seed-null

seed-null

seed-md5

seed-md5

seed-sha1

seed-sha1

seed-sha256

seed-sha256

seed-sha384

seed-sha384

seed-sha512

seed-sha512

pfs

Enable/disable PFS feature.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv4-df

Enable/disable setting and resetting of IPv4 'Don't Fragment' bit.

option

-

disable

Option

Description

enable

Set IPv4 DF.

disable

Reset IPv4 DF.

dhgrp

Phase2 DH group.

option

-

14

Option

Description

1

DH Group 1.

2

DH Group 2.

5

DH Group 5.

14

DH Group 14.

15

DH Group 15.

16

DH Group 16.

17

DH Group 17.

18

DH Group 18.

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

27

DH Group 27.

28

DH Group 28.

29

DH Group 29.

30

DH Group 30.

31

DH Group 31.

32

DH Group 32.

replay

Enable/disable replay detection.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

keepalive

Enable/disable keep alive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-negotiate

Enable/disable IPsec SA auto-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

add-route

Enable/disable automatic route addition.

option

-

phase1

Option

Description

phase1

Add route according to phase1 add-route setting.

enable

Add route for remote proxy ID.

disable

Do not add route for remote proxy ID.

keylifeseconds

Phase2 key life in time in seconds .

integer

Minimum value: 120 Maximum value: 172800

43200

keylifekbs

Phase2 key life in number of bytes of traffic .

integer

Minimum value: 5120 Maximum value: 4294967295

5120

keylife-type

Keylife type.

option

-

seconds

Option

Description

seconds

Key life in seconds.

kbs

Key life in kilobytes.

both

Key life both.

single-source

Enable/disable single source IP restriction.

option

-

disable

Option

Description

enable

Only single source IP will be accepted.

disable

Source IP range will be accepted.

route-overlap

Action for overlapping routes.

option

-

use-new

Option

Description

use-old

Use the old route and do not add the new route.

use-new

Delete the old route and add the new route.

allow

Allow overlapping routes.

encapsulation

ESP encapsulation mode.

option

-

tunnel-mode

Option

Description

tunnel-mode

Use tunnel mode encapsulation.

transport-mode

Use transport mode encapsulation.

l2tp

Enable/disable L2TP over IPsec.

option

-

disable

Option

Description

enable

Enable L2TP over IPsec.

disable

Disable L2TP over IPsec.

comments

Comment.

var-string

Maximum length: 255

initiator-ts-narrow

Enable/disable traffic selector narrowing for IKEv2 initiator.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

diffserv

Enable/disable applying DSCP value to the IPsec tunnel outer IP header.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

diffservcode

DSCP value to be applied to the IPsec tunnel outer IP header.

user

Not Specified

protocol

Quick mode protocol selector .

integer

Minimum value: 0 Maximum value: 255

0

src-name

Local proxy ID name.

string

Maximum length: 79

src-name6

Local proxy ID name.

string

Maximum length: 79

src-addr-type

Local proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

src-start-ip

Local proxy ID start.

ipv4-address-any

Not Specified

0.0.0.0

src-start-ip6

Local proxy ID IPv6 start.

ipv6-address

Not Specified

::

src-end-ip

Local proxy ID end.

ipv4-address-any

Not Specified

0.0.0.0

src-end-ip6

Local proxy ID IPv6 end.

ipv6-address

Not Specified

::

src-subnet

Local proxy ID subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

src-subnet6

Local proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

src-port

Quick mode source port .

integer

Minimum value: 0 Maximum value: 65535

0

dst-name

Remote proxy ID name.

string

Maximum length: 79

dst-name6

Remote proxy ID name.

string

Maximum length: 79

dst-addr-type

Remote proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

dst-start-ip

Remote proxy ID IPv4 start.

ipv4-address-any

Not Specified

0.0.0.0

dst-start-ip6

Remote proxy ID IPv6 start.

ipv6-address

Not Specified

::

dst-end-ip

Remote proxy ID IPv4 end.

ipv4-address-any

Not Specified

0.0.0.0

dst-end-ip6

Remote proxy ID IPv6 end.

ipv6-address

Not Specified

::

dst-subnet

Remote proxy ID IPv4 subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

dst-subnet6

Remote proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

dst-port

Quick mode destination port .

integer

Minimum value: 0 Maximum value: 65535

0

config vpn ipsec phase2

config vpn ipsec phase2

Configure VPN autokey tunnel.

config vpn ipsec phase2

Description: Configure VPN autokey tunnel.

edit <name>

set phase1name {string}

set dhcp-ipsec [enable|disable]

set use-natip [enable|disable]

set selector-match [exact|subset|...]

set proposal {option1}, {option2}, ...

set pfs [enable|disable]

set ipv4-df [enable|disable]

set dhgrp {option1}, {option2}, ...

set replay [enable|disable]

set keepalive [enable|disable]

set auto-negotiate [enable|disable]

set add-route [phase1|enable|...]

set keylifeseconds {integer}

set keylifekbs {integer}

set keylife-type [seconds|kbs|...]

set single-source [enable|disable]

set route-overlap [use-old|use-new|...]

set encapsulation [tunnel-mode|transport-mode]

set l2tp [enable|disable]

set comments {var-string}

set initiator-ts-narrow [enable|disable]

set diffserv [enable|disable]

set diffservcode {user}

set protocol {integer}

set src-name {string}

set src-name6 {string}

set src-addr-type [subnet|range|...]

set src-start-ip {ipv4-address-any}

set src-start-ip6 {ipv6-address}

set src-end-ip {ipv4-address-any}

set src-end-ip6 {ipv6-address}

set src-subnet {ipv4-classnet-any}

set src-subnet6 {ipv6-prefix}

set src-port {integer}

set dst-name {string}

set dst-name6 {string}

set dst-addr-type [subnet|range|...]

set dst-start-ip {ipv4-address-any}

set dst-start-ip6 {ipv6-address}

set dst-end-ip {ipv4-address-any}

set dst-end-ip6 {ipv6-address}

set dst-subnet {ipv4-classnet-any}

set dst-subnet6 {ipv6-prefix}

set dst-port {integer}

next

end

config vpn ipsec phase2

Parameter

Description

Type

Size

Default

phase1name

Phase 1 determines the options required for phase 2.

string

Maximum length: 35

dhcp-ipsec

Enable/disable DHCP-IPsec.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

use-natip

Enable to use the FortiGate public IP as the source selector when outbound NAT is used.

option

-

enable

Option

Description

enable

Replace source selector with interface IP when using outbound NAT.

disable

Do not modify source selector when using outbound NAT.

selector-match

Match type to use when comparing selectors.

option

-

auto

Option

Description

exact

Match selectors exactly.

subset

Match selectors by subset.

auto

Use subset or exact match depending on selector address type.

proposal

Phase2 proposal.

option

-

Option

Description

null-md5

null-md5

null-sha1

null-sha1

null-sha256

null-sha256

null-sha384

null-sha384

null-sha512

null-sha512

des-null

des-null

des-md5

des-md5

des-sha1

des-sha1

des-sha256

des-sha256

des-sha384

des-sha384

des-sha512

des-sha512

3des-null

3des-null

3des-md5

3des-md5

3des-sha1

3des-sha1

3des-sha256

3des-sha256

3des-sha384

3des-sha384

3des-sha512

3des-sha512

aes128-null

aes128-null

aes128-md5

aes128-md5

aes128-sha1

aes128-sha1

aes128-sha256

aes128-sha256

aes128-sha384

aes128-sha384

aes128-sha512

aes128-sha512

aes128gcm

aes128gcm

aes192-null

aes192-null

aes192-md5

aes192-md5

aes192-sha1

aes192-sha1

aes192-sha256

aes192-sha256

aes192-sha384

aes192-sha384

aes192-sha512

aes192-sha512

aes256-null

aes256-null

aes256-md5

aes256-md5

aes256-sha1

aes256-sha1

aes256-sha256

aes256-sha256

aes256-sha384

aes256-sha384

aes256-sha512

aes256-sha512

aes256gcm

aes256gcm

chacha20poly1305

chacha20poly1305

aria128-null

aria128-null

aria128-md5

aria128-md5

aria128-sha1

aria128-sha1

aria128-sha256

aria128-sha256

aria128-sha384

aria128-sha384

aria128-sha512

aria128-sha512

aria192-null

aria192-null

aria192-md5

aria192-md5

aria192-sha1

aria192-sha1

aria192-sha256

aria192-sha256

aria192-sha384

aria192-sha384

aria192-sha512

aria192-sha512

aria256-null

aria256-null

aria256-md5

aria256-md5

aria256-sha1

aria256-sha1

aria256-sha256

aria256-sha256

aria256-sha384

aria256-sha384

aria256-sha512

aria256-sha512

seed-null

seed-null

seed-md5

seed-md5

seed-sha1

seed-sha1

seed-sha256

seed-sha256

seed-sha384

seed-sha384

seed-sha512

seed-sha512

pfs

Enable/disable PFS feature.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv4-df

Enable/disable setting and resetting of IPv4 'Don't Fragment' bit.

option

-

disable

Option

Description

enable

Set IPv4 DF.

disable

Reset IPv4 DF.

dhgrp

Phase2 DH group.

option

-

14

Option

Description

1

DH Group 1.

2

DH Group 2.

5

DH Group 5.

14

DH Group 14.

15

DH Group 15.

16

DH Group 16.

17

DH Group 17.

18

DH Group 18.

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

27

DH Group 27.

28

DH Group 28.

29

DH Group 29.

30

DH Group 30.

31

DH Group 31.

32

DH Group 32.

replay

Enable/disable replay detection.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

keepalive

Enable/disable keep alive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-negotiate

Enable/disable IPsec SA auto-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

add-route

Enable/disable automatic route addition.

option

-

phase1

Option

Description

phase1

Add route according to phase1 add-route setting.

enable

Add route for remote proxy ID.

disable

Do not add route for remote proxy ID.

keylifeseconds

Phase2 key life in time in seconds .

integer

Minimum value: 120 Maximum value: 172800

43200

keylifekbs

Phase2 key life in number of bytes of traffic .

integer

Minimum value: 5120 Maximum value: 4294967295

5120

keylife-type

Keylife type.

option

-

seconds

Option

Description

seconds

Key life in seconds.

kbs

Key life in kilobytes.

both

Key life both.

single-source

Enable/disable single source IP restriction.

option

-

disable

Option

Description

enable

Only single source IP will be accepted.

disable

Source IP range will be accepted.

route-overlap

Action for overlapping routes.

option

-

use-new

Option

Description

use-old

Use the old route and do not add the new route.

use-new

Delete the old route and add the new route.

allow

Allow overlapping routes.

encapsulation

ESP encapsulation mode.

option

-

tunnel-mode

Option

Description

tunnel-mode

Use tunnel mode encapsulation.

transport-mode

Use transport mode encapsulation.

l2tp

Enable/disable L2TP over IPsec.

option

-

disable

Option

Description

enable

Enable L2TP over IPsec.

disable

Disable L2TP over IPsec.

comments

Comment.

var-string

Maximum length: 255

initiator-ts-narrow

Enable/disable traffic selector narrowing for IKEv2 initiator.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

diffserv

Enable/disable applying DSCP value to the IPsec tunnel outer IP header.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

diffservcode

DSCP value to be applied to the IPsec tunnel outer IP header.

user

Not Specified

protocol

Quick mode protocol selector .

integer

Minimum value: 0 Maximum value: 255

0

src-name

Local proxy ID name.

string

Maximum length: 79

src-name6

Local proxy ID name.

string

Maximum length: 79

src-addr-type

Local proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

src-start-ip

Local proxy ID start.

ipv4-address-any

Not Specified

0.0.0.0

src-start-ip6

Local proxy ID IPv6 start.

ipv6-address

Not Specified

::

src-end-ip

Local proxy ID end.

ipv4-address-any

Not Specified

0.0.0.0

src-end-ip6

Local proxy ID IPv6 end.

ipv6-address

Not Specified

::

src-subnet

Local proxy ID subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

src-subnet6

Local proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

src-port

Quick mode source port .

integer

Minimum value: 0 Maximum value: 65535

0

dst-name

Remote proxy ID name.

string

Maximum length: 79

dst-name6

Remote proxy ID name.

string

Maximum length: 79

dst-addr-type

Remote proxy ID type.

option

-

subnet

Option

Description

subnet

IPv4 subnet.

range

IPv4 range.

ip

IPv4 IP.

name

IPv4 firewall address or group name.

dst-start-ip

Remote proxy ID IPv4 start.

ipv4-address-any

Not Specified

0.0.0.0

dst-start-ip6

Remote proxy ID IPv6 start.

ipv6-address

Not Specified

::

dst-end-ip

Remote proxy ID IPv4 end.

ipv4-address-any

Not Specified

0.0.0.0

dst-end-ip6

Remote proxy ID IPv6 end.

ipv6-address

Not Specified

::

dst-subnet

Remote proxy ID IPv4 subnet.

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

dst-subnet6

Remote proxy ID IPv6 subnet.

ipv6-prefix

Not Specified

::/0

dst-port

Quick mode destination port .

integer

Minimum value: 0 Maximum value: 65535

0