
CLI Reference

config phase1-interface

Description: Configure the VPN remote gateway.

config vpn ipsec phase1-interface
  edit <name>
    set ip-version [4 | 6]
    set ike-version [1 | 2]
    set keylife [120 – 172800]
    set proposal [des-md5 | des-sha1 | des-sha256 | 3des-md5 | 3des-sha1 | 3des-sha256 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes256-md5 | aes256-sha1 | aes256-sha256]
    set dhgrp [1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31 | 32]
    set *interface <name1>
    set type [static | ddns]
    set *remote-gw {ipv4-address}
    set *remote-gw6 {ipv6-address}
    set *remotegw-ddns {string} *available when type is set to ddns
    set authmethod [psk | signature]
    set *psksecret {string}
    set *certificate <local-cert-name>
    set *peer <ca-cert-name>
    set localid {string}
    set peerid {string}
    set add-gw-route [enable | disable]
    set dev-id-notification [enable | disable]
    set dev-id <name1> *available when dev-id-notification is enabled
    set monitor <name>
  next
end
Sample command:
config vpn ipsec phase1-interface
  edit phase1_1
    set ike-version 2
    set keylife 86400
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set dhgrp 14 5 31 20
    set interface wan
    set type static
    set remote-gw 207.102.148.196
    set authmethod psk
    set psksecret ******
    set localid 92
    set peerid 22
    set add-gw-route disable
    set dev-id-notification disable
    set monitor pri
  next
end
Parameters

ip-version
  Description: Specify the IP version for the VPN interface.
  Type: option
  Size: -
  Options:
    4    IPv4
    6    IPv6

ike-version
  Description: Specify the IKE protocol version.
  Type: option
  Size: -
  Default: 2
  Options:
    1    Version 1
    2    Version 2

keylife
  Description: Lifetime in seconds of the phase 1 (IKE SA) keys; the keys are renegotiated when it expires.
  Type: integer
  Size: 120 - 172800
  Default: 86400

proposal
  Description: Specify the phase 1 proposals (encryption-hash pairs) to offer. Every listed proposal is offered to the peer, so a deprecated algorithm anywhere in the list can still be negotiated; list only the proposals you are willing to accept.
  Type: option
  Size: -
  Default: aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
  Options:
    des-md5
    des-sha1
    des-sha256
    3des-md5
    3des-sha1
    3des-sha256
    aes128-md5
    aes128-sha1
    aes128-sha256
    aes256-md5
    aes256-sha1
    aes256-sha256

dhgrp
  Description: Diffie-Hellman (DH) groups offered for the phase 1 key exchange. The shared secret derived from this exchange keys the IKE SA and protects the phase 2 negotiation; no private key is ever transmitted.
  Note: DH groups below 15 (1, 2, 5 and 14) are not recommended because of their low security level. The elliptic curve groups (19, 20, 21, 27, 28, 29, 30, 31, 32) offer better security than the MODP groups (1, 2, 5, 14, 15, 16, 17, 18). The default (14 5) and the sample command above both include groups below 15, so set dhgrp explicitly.
  Type: option
  Size: -
  Default: 14 5
  Options: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32

interface
  Description: The outgoing interface.
  Type: option
  Size: -
  Default: none
  Options:
    lan      LAN as the outgoing interface.
    lo       Loopback as the outgoing interface.
    lte1     LTE 1 as the outgoing interface.
    wan      WAN as the outgoing interface.
    port4    Port 4 as the outgoing interface.

type
  Description: Select a remote gateway type.
  Type: option
  Size: -
  Default: none
  Options:
    static   Static gateway (addressed by remote-gw or remote-gw6).
    ddns     Dynamic DNS gateway (addressed by remotegw-ddns).

remote-gw
  Description: The IPv4 address of the remote gateway's external interface.
  Type: IPv4 address
  Size: -
  Default: none

remote-gw6
  Description: The IPv6 address of the remote gateway's external interface.
  Type: IPv6 address
  Size: -
  Default: none

remotegw-ddns
  Description: The domain name of the remote gateway, for example name.DDNS.com. Available when type is set to ddns.
  Type: string
  Size: -
  Default: none

authmethod
  Description: Authentication method.
  Type: option
  Size: -
  Default: psk
  Options:
    psk        Pre-shared key.
    signature  Certificate signature.

certificate
  Description: The names of up to four locally installed signed certificates presented to the peer.
  Note: Available only when authmethod is set to signature. The certificates must already be installed on the FortiExtender before they can be referenced here.
  Default: none

peer
  Description: The name of the CA certificate used to verify that the peer certificate was issued by that CA or one of its sub-CAs.
  Note: Available only when authmethod is set to signature. The CA certificate must already be installed on the FortiExtender before it can be referenced here. If peer is not set, the peer certificate is still accepted as long as any installed CA certificate can verify it; that means any certificate chaining to any installed CA authenticates, so set peer (and peerid) to restrict which peers may connect.
  Default: none

psksecret
  Description: The pre-shared key for PSK authentication; it must match the key configured on the remote gateway. ASCII string, or hexadecimal with a leading 0x.
  Type: string
  Size: -
  Default: none

localid
  Description: The IKE identity this device presents to the peer.
  Type: string
  Size: -
  Default: none

peerid
  Description: The peer IKE identity that must be presented for the connection to be accepted.
  Type: string
  Size: -
  Default: none

add-gw-route
  Description: Whether to automatically add a route to the remote gateway.
  Type: option
  Size: -
  Default: disable
  Options:
    enable   Automatically add a route to the remote gateway.
    disable  Do not add a route to the remote gateway.

dev-id-notification
  Description: Whether to include a device ID notification in the first IKE message.
  Type: option
  Size: -
  Default: disable
  Options:
    enable   Send the device ID notification.
    disable  Do not send the device ID notification.

dev-id
  Description: The device ID carried by the device ID notification. Available when dev-id-notification is enabled.
  Type: string
  Size: -
  Default: none

monitor
  Description: The name of another phase1-interface to treat as the primary; this interface monitors it and acts as its backup.
  Type: string
  Size: -
  Default: none
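The following is an added example, not code from Fortinet or from this reference: a small Python audit script that parses `config vpn ipsec phase1-interface` text in the form shown above and flags the settings this page's dhgrp note warns against (DH groups below 15), plus proposals built on DES, 3DES, MD5 or SHA-1, which is general IKE guidance rather than something this page states. The two configurations embedded in it are constructed for the example: the first is the page's own sample command, the second a hardened variant using assumed certificate names (extender-cert, corp-ca) and assumed IKE identities.

```python
import re
from typing import Dict, List

# Hypothetical audit helper (added example, not Fortinet code). It reads the
# FortiExtender CLI text for `config vpn ipsec phase1-interface` and reports
# weak settings. The DH threshold is the page's own note; the cipher/hash
# lists are an assumption based on standard IKE guidance, not page content.

MIN_DH_GROUP = 15                      # page: "DH groups less than 15 are not recommended"
WEAK_CIPHERS = {"des", "3des"}         # assumption: deprecated cipher halves of a proposal
WEAK_HASHES = {"md5", "sha1"}          # assumption: deprecated hash halves of a proposal

# Constructed input: the page's sample command, with its weak proposals and DH groups.
WEAK_CONFIG = """config vpn ipsec phase1-interface
  edit phase1_1
    set ike-version 2
    set keylife 86400
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set dhgrp 14 5 31 20
    set interface wan
    set type static
    set remote-gw 207.102.148.196
    set authmethod psk
    set psksecret ******
    set localid 92
    set peerid 22
    set add-gw-route disable
    set dev-id-notification disable
    set monitor pri
  next
end
"""

# Constructed hardened variant: AES/SHA-256 only, elliptic curve DH groups,
# certificate authentication with an explicit CA (peer) and peer identity.
# Certificate names and identities are assumed values for the example.
HARDENED_CONFIG = """config vpn ipsec phase1-interface
  edit phase1_1
    set ike-version 2
    set keylife 86400
    set proposal aes256-sha256 aes128-sha256
    set dhgrp 20 19 21
    set interface wan
    set type static
    set remote-gw 207.102.148.196
    set authmethod signature
    set certificate extender-cert
    set peer corp-ca
    set localid extender-site-92
    set peerid hub-gw-22
  next
end
"""

Settings = Dict[str, List[str]]


def parse_phase1(config: str) -> Dict[str, Settings]:
    """Return {entry_name: {setting: [values]}} for every `edit ... next` block."""
    entries: Dict[str, Settings] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\S+)$", line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
            if m:
                entries[current][m.group(1)] = m.group(2).split()
    return entries


def audit_entry(name: str, settings: Settings) -> List[str]:
    """Findings for one phase1-interface entry; an empty list means nothing was flagged."""
    findings: List[str] = []

    if settings.get("ike-version", ["2"]) == ["1"]:
        findings.append(f"{name}: ike-version 1 configured; prefer ike-version 2 (the default)")

    # Every proposal in the list is offered to the peer, so a weak entry anywhere
    # in the list can be selected regardless of the order the local side prefers.
    for prop in settings.get("proposal", []):
        cipher, _, digest = prop.partition("-")
        weak = [p for p in (cipher, digest) if p in WEAK_CIPHERS or p in WEAK_HASHES]
        if weak:
            findings.append(f"{name}: proposal {prop} uses deprecated {', '.join(weak)}")

    for grp in settings.get("dhgrp", []):
        if grp.isdigit() and int(grp) < MIN_DH_GROUP:
            findings.append(f"{name}: dhgrp {grp} is below group {MIN_DH_GROUP}")

    return findings


def audit_config(config: str) -> List[str]:
    """Audit every entry in a phase1-interface configuration block."""
    findings: List[str] = []
    for name, settings in parse_phase1(config).items():
        findings.extend(audit_entry(name, settings))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample (weak)", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

Run against the page's sample command the script reports six findings (four proposals using 3DES or SHA-1, and DH groups 14 and 5); the hardened variant reports none. Feed it the output of `show vpn ipsec phase1-interface` to check a live device against the same rules.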
