CLI Reference

config phase2-interface

Description: Configure VPN autokey tunnel.

config phase2-interface
  edit <name>
    set *phase1name
    set proposal {option1} {option2} ...
    set pfs [enable | disable]
    set dhgrp [1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30 | 31 | 32]
    set keylife-type [seconds | kbs]
    set keylifeseconds [120 - 172800]
    set keylifekbs [5120 - 4294967295]
    set encapsulation [tunnel-mode | transport-mode]
    set protocol [0 - 255]
    set src-addr-type [subnet | range | ip | name | subnet6 | range6 | ip6 | name6]
    set src-subnet {ipv4-subnet}
    set *src-start-ip {ipv4-address}   *available when src-addr-type is range and ip
    set *src-end-ip {ipv4-address}     *available when src-addr-type is range
    set *src-name {string}             *available when src-addr-type is name
    set src-subnet6 {ipv6-subnet}
    set *src-start-ip6 {ipv6-address}  *available when src-addr-type is range6 and ip6
    set *src-end-ip6 {ipv6-address}    *available when src-addr-type is range6
    set *src-name6 {string}            *available when src-addr-type is name6
    set src-port [0 - 65535]
    set dst-addr-type [subnet | range | ip | name | subnet6 | range6 | ip6 | name6]
    set dst-subnet {ipv4-subnet}
    set *dst-start-ip {ipv4-address}   *available when dst-addr-type is range and ip
    set *dst-end-ip {ipv4-address}     *available when dst-addr-type is range
    set *dst-name {string}             *available when dst-addr-type is name
    set dst-subnet6 {ipv6-subnet}
    set *dst-start-ip6 {ipv6-address}  *available when dst-addr-type is range6 and ip6
    set *dst-end-ip6 {ipv6-address}    *available when dst-addr-type is range6
    set *dst-name6 {string}            *available when dst-addr-type is name6
    set dst-port [0 - 65535]
    unset
    next
    show
    abort
    end
  delete <name>
  purge
  show
  end
show
end
Sample command:

FX201E5919000057 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit phase2_1
        set phase1name phase1_1
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5 31 20
        set keylife-type seconds
        set keylifeseconds 43200
        set encapsulation tunnel-mode
        set protocol 0
        set src-addr-type subnet
        set src-subnet 0.0.0.0/0
        set src-port 0
        set dst-addr-type subnet
        set dst-subnet 107.204.148.0/24
        set dst-port 234
    next
end
Parameter Description Type Size Default
phase1name Phase 1 name (which determines the options required for phase 2). string - none
proposal Phase 2 proposal. option - aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
Options: des-md5, des-sha1, des-sha256, 3des-md5, 3des-sha1, 3des-sha256, aes128-md5, aes128-sha1, aes128-sha256, aes256-md5, aes256-sha1, aes256-sha256, null-sha1, null-sha256
pfs Status of the PFS feature. option - enable
Option Description
enable Enable PFS.
disable Disable PFS.
dhgrp Phase 2 DH group. option - 14, 5
Option Description
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
keylife-type Keylife type. option - seconds
Option Description
seconds Seconds.
kbs Kilobytes.
keylifeseconds Phase 2 key life in seconds. integer 120 - 172800 43200
keylifekbs Phase 2 key life in the number of bytes of traffic. integer 5120 - 4294967295 5120
encapsulation ESP encapsulation mode. option - tunnel-mode
Option Description
tunnel-mode Tunnel mode.
transport-mode Transport mode.
protocol Quick mode protocol selector. integer 1 - 255 0
src-addr-type Local proxy ID type. option - subnet
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 address.
name IPv4 address object name.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 address.
name6 IPv6 address object name.
src-subnet Local proxy ID subnet. IPv4 address - 0.0.0.0/0
src-port Quick mode source port. integer 1 - 65535, or 0 for all 0
src-start-ip Local proxy ID start when src-addr-type is range and ip. IPv4 address - none
src-end-ip Local proxy ID end when src-addr-type is range. IPv4 address - none
src-name Local proxy ID name when src-addr-type is name. string - none
src-subnet6 Local proxy ID IPv6 subnet when src-addr-type is subnet6. IPv6 address - 0::0/0
src-start-ip6 Local proxy ID IPv6 start when src-addr-type is range6 and ip6. IPv6 address - none
src-end-ip6 Local proxy ID IPv6 end when src-addr-type is range6. IPv6 address - none
src-name6 Local proxy ID IPv6 name when src-addr-type is name6. string - none
dst-addr-type Remote proxy ID type. option - subnet
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 address.
name IPv4 address object name.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 address.
name6 IPv6 address object name.
dst-subnet Remote proxy ID subnet. IPv4 address - 0.0.0.0/0
dst-port Quick mode destination port. integer 1 - 65535, or 0 for all 0
dst-start-ip Remote proxy ID start when dst-addr-type is range and ip. IPv4 address - none
dst-end-ip Remote proxy ID end when dst-addr-type is range. IPv4 address - none
dst-name Remote proxy ID name when dst-addr-type is name. string - none
dst-subnet6 Remote proxy ID IPv6 subnet when dst-addr-type is subnet6. IPv6 address - 0::0/0
dst-start-ip6 Remote proxy ID IPv6 start when dst-addr-type is range6 and ip6. IPv6 address - none
dst-end-ip6 Remote proxy ID IPv6 end when dst-addr-type is range6. IPv6 address - none
dst-name6 Remote proxy ID IPv6 name when dst-addr-type is name6. string - none
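As an added example, not part of the Fortinet reference: a short Python audit that parses a phase2-interface show block like the sample above and flags settings from this page's option lists that a defender would want reviewed, namely des, 3des, null and md5 proposals, DH groups 1, 2 and 5 (group 5 sits in the page's stated default of 14 and 5), and pfs set to disable. The sample block is constructed from the page's output, and which values count as weak is this example's assumption, not something the page states.

```python
from typing import Dict, List

# Constructed sample: the show output quoted on this page, which carries
# 3des-* proposals and DH group 5 that the audit below should flag.
SAMPLE = """\
config vpn ipsec phase2-interface
    edit phase2_1
        set phase1name phase1_1
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5 31 20
        set src-subnet 0.0.0.0/0
        set dst-subnet 107.204.148.0/24
    next
end
"""

# Assumed weak sets for this example; proposal names are <encryption>-<hash>.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768/1024/1536-bit MODP groups


def parse_phase2(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a 'config vpn ipsec phase2-interface' show block into {name: {setting: values}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, *values = line[4:].split()
            entries[current][key] = [v.strip('"') for v in values]
        elif line == "next":
            current = None
    return entries


def audit_phase2(entry: Dict[str, List[str]]) -> List[str]:
    """Return findings for one phase2-interface entry; an empty list means clean."""
    findings: List[str] = []
    for proposal in entry.get("proposal", []):
        enc, _, mac = proposal.partition("-")
        if enc in WEAK_ENCRYPTION or mac in WEAK_HASH:
            findings.append(f"weak proposal {proposal}")
    if entry.get("pfs", ["enable"]) != ["enable"]:   # page default is enable
        findings.append("pfs disabled")
    for group in entry.get("dhgrp", []):
        if group in WEAK_DH_GROUPS:
            findings.append(f"weak DH group {group}")
    return findings
```

Running `audit_phase2` over each entry from `parse_phase2(SAMPLE)` reports the two 3des proposals and DH group 5 for phase2_1.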
