CLI Reference

config phase1-interface

Description: Configure the VPN remote gateway.

Syntax (parameters marked with * are the ones a working tunnel needs):

config ipsec
  config phase1-interface
    edit <name>
      set ike-version [1 | 2]
      set keylife [120 - 172800]
      set proposal [des-md5 | des-sha1 | des-sha256 | 3des-md5 | 3des-sha1 | 3des-sha256 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes256-md5 | aes256-sha1 | aes256-sha256]
      set dhgrp [1 | 2 | 5 | 14]
      set *interface <name1>
      set type [static | ddns]
      set *remote-gw {ipv4-address}
      set *remotegw-ddns {string}          *available when type is set to ddns
      set authmethod [psk | signature]
      set *psksecret {string}
      set localid {string}
      set peerid {string}
      set add-gw-route [enable | disable]
      set dev-id-notification [enable | disable]
      set dev-id <name1>                   *available when dev-id-notification is enabled
      set monitor <name>
      unset
      next
      show
      abort
      end
    delete <name>
    purge
    show
  end

Sample command:
config vpn ipsec phase1-interface
  edit phase1_1
    set ike-version 2
    set keylife 86400
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set dhgrp 14 5 31 20
    set interface wan
    set type static
    set remote-gw 207.102.148.196
    set authmethod psk
    set psksecret ******
    set localid 92
    set peerid 22
    set add-gw-route disable
    set dev-id-notification disable
    set monitor pri
  next
end
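As an added example that is not part of this reference, the following Python checker parses a phase1-interface block written in the syntax above and flags settings a reviewer would question: proposals built on DES, 3DES, MD5 or SHA1, DH groups 1, 2 and 5, a keylife outside the documented 120 - 172800 range, and IKEv1. The sample configuration text and the "weak" sets are constructed assumptions for the demonstration, not Fortinet defaults or recommendations.

```python
# Constructed sample in the page's CLI syntax (not a real device config).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
  edit phase1_1
    set ike-version 2
    set keylife 86400
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1
    set dhgrp 14 5
    set remote-gw 203.0.113.10
    set authmethod psk
  next
end
"""

# Review policy (assumption): legacy ciphers/hashes and small DH groups are flagged.
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}
KEYLIFE_RANGE = (120, 172800)  # valid keylife range from the reference table

def parse_phase1(text):
    """Return {entry_name: {parameter: [values]}} for each 'edit' block."""
    entries, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens: continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            entries[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            entries[current][tokens[1]] = tokens[2:]  # multi-valued params keep all values
        elif tokens[0] == "next":
            current = None
    return entries

def review_phase1(params):
    """Return a list of findings for one parsed phase1-interface entry."""
    findings = []
    for prop in params.get("proposal", []):      # e.g. "aes128-sha256"
        enc, _, hsh = prop.partition("-")
        if enc in WEAK_ALGOS or hsh in WEAK_ALGOS:
            findings.append(f"weak proposal: {prop}")
    for grp in params.get("dhgrp", []):
        if grp in WEAK_DH_GROUPS:
            findings.append(f"weak DH group: {grp}")
    keylife = params.get("keylife", [""])[0]
    if not keylife.isdigit() or not KEYLIFE_RANGE[0] <= int(keylife) <= KEYLIFE_RANGE[1]:
        findings.append(f"keylife outside {KEYLIFE_RANGE}: {keylife!r}")
    if params.get("ike-version", ["1"])[0] != "2":  # unset ike-version is treated as 1 here
        findings.append("IKEv1 in use")
    return findings
```

Run `review_phase1(parse_phase1(SAMPLE_CONFIG)["phase1_1"])` to list the findings for the sample entry; the same two functions accept a block pasted from a real `show` output in the syntax documented above.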
Parameters (Description, Type, Size, Default):

ike-version
  Description: IKE protocol version.
  Type: option    Size: -    Default: 2
  Options:
    1    Version 1
    2    Version 2

keylife
  Description: Time to wait in seconds before the phase 1 encryption key expires.
  Type: integer    Size: 120 - 172800    Default: 86400

proposal
  Description: Phase1 proposal.
  Type: option    Size: -    Default: aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
  Options:
    des-md5
    des-sha1
    des-sha256
    3des-md5
    3des-sha1
    3des-sha256
    aes128-md5
    aes128-sha1
    aes128-sha256
    aes256-md5
    aes256-sha1
    aes256-sha256

dhgrp
  Description: DH group.
  Type: option    Size: -    Default: 14, 5
  Options:
    1
    2
    5
    14

interface
  Description: The outgoing interface.
  Type: option    Size: -    Default: none
  Options:
    lan      LAN as the outgoing interface.
    lo       Loopback as the outgoing interface.
    lte1     LTE 1 as the outgoing interface.
    wan      WAN as the outgoing interface.
    port4    Port 4 as the outgoing interface.

remote-gw
  Description: The IPv4 address of the remote gateway's external interface.
  Type: IPv4 address    Size: -    Default: none

authmethod
  Description: Authentication method.
  Type: option    Size: -    Default: psk
  Options:
    psk          Preshared key.
    signature    Signature certificate.

psksecret
  Description: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
  Type: string    Size: -    Default: none

localid
  Description: Local ID.
  Type: string    Size: -    Default: none

peerid
  Description: Peer identity.
  Type: string    Size: -    Default: none

add-gw-route
  Description: Whether to automatically add a route to the remote gateway.
  Type: option    Size: -    Default: disable
  Options:
    enable     Enable automatically adding a route to the remote gateway.
    disable    Disable automatically adding a route to the remote gateway.

dev-id-notification
  Description: Whether to enable device ID notification for the first IKE message.
  Type: option    Size: -    Default: disable
  Options:
    enable     Enable device ID notification.
    disable    Disable device ID notification.

dev-id
  Description: The Device ID carried by the device ID notification.
  Type: string    Size: -    Default: none

monitor
  Description: Specify the IPsec phase1 interface as primary.
  Type: string    Size: -    Default: none
