CLI Reference

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set packet-redistribution [enable|disable]
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set fgsp-sync [enable|disable]
        set inbound-dscp-copy [enable|disable]
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set auto-discovery-shortcuts [independent|dependent]
        set auto-discovery-crossover [allow|block]
        set auto-discovery-offer-interval {integer}
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set rsa-signature-hash-override [enable|disable]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set network-overlay [disable|enable]
        set network-id {integer}
        set dev-id-notification [disable|enable]
        set dev-id {string}
        set loopback-asymroute [enable|disable]
        set link-cost {integer}
        set exchange-fgt-device-id [enable|disable]
    next
end

config vpn ipsec phase1-interface

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| name | IPsec remote gateway name. | string | Maximum length: 15 | |
| interface | Local physical, aggregate, or VLAN outgoing interface. | string | Maximum length: 35 | |
| ike-version | IKE protocol version. | option | - | 1 |
| local-gw | IPv4 address of the local gateway's external interface. | ipv4-address | Not Specified | 0.0.0.0 |
| remote-gw | IPv4 address of the remote gateway's external interface. | ipv4-address | Not Specified | 0.0.0.0 |
| keylife | Time to wait in seconds before the phase 1 encryption key expires. | integer | Minimum value: 120, Maximum value: 172800 | 86400 |
| certificate <name> | The names of up to 4 signed personal certificates (each entry is a certificate name). | string | Maximum length: 79 | |
| authmethod | Authentication method. | option | - | psk |
| mode | The ID protection mode used to establish a secure channel. | option | - | main |
| peertype | Accept this peer type. | option | - | |
| peerid | Accept this peer identity. | string | Maximum length: 255 | |
| peer | Accept this peer certificate. | string | Maximum length: 35 | |
| packet-redistribution | Enable/disable packet distribution (RPS) on the IPsec interface. | option | - | disable |
| proposal | Phase 1 proposal. | option | - | |
| psksecret | Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified | |
| keepalive | NAT-T keepalive interval. | integer | Minimum value: 10, Maximum value: 900 | 10 |
| distance | Distance for routes added by IKE. | integer | Minimum value: 1, Maximum value: 255 | 15 |
| priority | Priority for routes added by IKE. | integer | Minimum value: 1, Maximum value: 65535 | 1 |
| localid | Local ID. | string | Maximum length: 63 | |
| localid-type | Local ID type. | option | - | auto |
| negotiate-timeout | IKE SA negotiation timeout in seconds. | integer | Minimum value: 1, Maximum value: 300 | 30 |
| fragmentation | Enable/disable fragmentation of IKE messages on retransmission. | option | - | enable |
| comments | Comment. | var-string | Maximum length: 255 | |
| send-cert-chain | Enable/disable sending the certificate chain. | option | - | enable |
| dhgrp | DH group. | option | - | 14 |
| eap | Enable/disable IKEv2 EAP authentication. | option | - | disable |
| eap-identity | IKEv2 EAP peer identity type. | option | - | use-id-payload |
| eap-exclude-peergrp | Peer group excluded from EAP authentication. | string | Maximum length: 35 | |
| acct-verify | Enable/disable verification of the RADIUS accounting record. | option | - | disable |
| ppk | Enable/disable IKEv2 Postquantum Preshared Key (PPK). | option | - | disable |
| ppk-secret | IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified | |
| ppk-identity | IKEv2 Postquantum Preshared Key identity. | string | Maximum length: 35 | |
| wizard-type | GUI VPN wizard type. | option | - | custom |
| xauthtype | XAuth type. | option | - | disable |
| reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. | option | - | disable |
| authusr | XAuth user name. | string | Maximum length: 64 | |
| authpasswd | XAuth password (max 35 characters). | password | Not Specified | |
| group-authentication | Enable/disable IKEv2 IDi group authentication. | option | - | disable |
| group-authentication-secret | Password for IKEv2 ID group authentication (ASCII string or hexadecimal indicated by a leading 0x). | password-3 | Not Specified | |
| authusrgrp | Authentication user group. | string | Maximum length: 35 | |
| idle-timeout | Enable/disable IPsec tunnel idle timeout. | option | - | disable |
| idle-timeoutinterval | IPsec tunnel idle timeout in minutes. | integer | Minimum value: 5, Maximum value: 43200 | 15 |
| fgsp-sync | Enable/disable IPsec syncing of tunnels for FGSP IPsec. | option | - | disable |
| inbound-dscp-copy | Enable/disable copying the DSCP value in the ESP header to the inner IP header. | option | - | disable |
| auto-discovery-sender | Enable/disable sending auto-discovery short-cut messages. | option | - | disable |
| auto-discovery-receiver | Enable/disable accepting auto-discovery short-cut messages. | option | - | disable |
| auto-discovery-forwarder | Enable/disable forwarding auto-discovery short-cut messages. | option | - | disable |
| auto-discovery-psk | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. | option | - | disable |
| auto-discovery-shortcuts | Control deletion of child short-cut tunnels when the parent tunnel goes down. | option | - | independent |
| auto-discovery-crossover | Allow/block set-up of short-cut tunnels between different network IDs. | option | - | allow |
| auto-discovery-offer-interval | Interval between shortcut offer messages in seconds. | integer | Minimum value: 1, Maximum value: 300 | 5 |
| fragmentation-mtu | IKE fragmentation MTU. | integer | Minimum value: 500, Maximum value: 16000 | 1200 |
| childless-ike | Enable/disable childless IKEv2 initiation (RFC 6023). | option | - | disable |
| rekey | Enable/disable phase 1 rekey. | option | - | enable |
| digital-signature-auth | Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). | option | - | disable |
| signature-hash-alg | Digital Signature Authentication hash algorithms. | option | - | sha2-512 |
| rsa-signature-format | Digital Signature Authentication RSA signature format. | option | - | pkcs1 |
| rsa-signature-hash-override | Enable/disable IKEv2 RSA signature hash algorithm override. | option | - | disable |
| enforce-unique-id | Enable/disable peer ID uniqueness check. | option | - | disable |
| cert-id-validation | Enable/disable cross validation of the peer ID and the identity in the peer's certificate as specified in RFC 4945. | option | - | enable |
| network-overlay | Enable/disable network overlays. | option | - | disable |
| network-id | VPN gateway network ID. | integer | Minimum value: 0, Maximum value: 255 | 0 |
| dev-id-notification | Enable/disable device ID notification. | option | - | disable |
| dev-id | Device ID carried by the device ID notification. | string | Maximum length: 63 | |
| loopback-asymroute | Enable/disable asymmetric routing for IKE traffic on the loopback interface. | option | - | enable |
| link-cost | VPN tunnel underlay link cost. | integer | Minimum value: 0, Maximum value: 255 | 0 |
| exchange-fgt-device-id | Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. | option | - | disable |

Option values

For the plain enable/disable parameters (packet-redistribution, send-cert-chain, eap, acct-verify, reauth, group-authentication, idle-timeout, inbound-dscp-copy, auto-discovery-sender, auto-discovery-receiver, auto-discovery-forwarder, childless-ike, rekey, digital-signature-auth, rsa-signature-hash-override, cert-id-validation, network-overlay, dev-id-notification) the values are `enable` and `disable`, which enable or disable the behaviour named in the parameter's description. The remaining option parameters are listed below.

Options for ike-version:

| Option | Description |
| --- | --- |
| 1 | Use IKEv1 protocol. |
| 2 | Use IKEv2 protocol. |

Options for authmethod:

| Option | Description |
| --- | --- |
| psk | PSK authentication method. |
| signature | Signature authentication method. |

Options for mode:

| Option | Description |
| --- | --- |
| aggressive | Aggressive mode. |
| main | Main mode. |

Options for peertype:

| Option | Description |
| --- | --- |
| any | Accept any peer ID. |

Options for proposal (each name is a cipher followed by the hash, or, for the AEAD ciphers, the PRF; the option list gives no further description):

des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.

Options for localid-type:

| Option | Description |
| --- | --- |
| auto | Select ID type automatically. |
| fqdn | Use fully qualified domain name. |
| user-fqdn | Use user fully qualified domain name. |
| keyid | Use key-id string. |
| address | Use local IP address. |
| asn1dn | Use ASN.1 distinguished name. |

Options for fragmentation:

| Option | Description |
| --- | --- |
| enable | Enable intra-IKE fragmentation support on retransmission. |
| disable | Disable intra-IKE fragmentation support. |

Options for dhgrp (each value selects the Diffie-Hellman group of that number):

1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.

Options for eap-identity:

| Option | Description |
| --- | --- |
| use-id-payload | Use IKEv2 IDi payload to resolve peer identity. |
| send-request | Use EAP identity request to resolve peer identity. |

Options for ppk:

| Option | Description |
| --- | --- |
| disable | Disable use of IKEv2 Postquantum Preshared Key (PPK). |
| allow | Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK). |
| require | Require use of IKEv2 Postquantum Preshared Key (PPK). |

Options for wizard-type:

| Option | Description |
| --- | --- |
| custom | Custom VPN configuration. |
| dialup-forticlient | Dial Up - FortiClient Windows, Mac and Android. |
| dialup-ios | Dial Up - iPhone / iPad Native IPsec Client. |
| dialup-android | Dial Up - Android Native IPsec Client. |
| dialup-windows | Dial Up - Windows Native IPsec Client. |
| dialup-cisco | Dial Up - Cisco IPsec Client. |
| static-fortiproxy | Site to Site - FortiProxy. |
| dialup-fortiproxy | Dial Up - FortiProxy. |
| static-cisco | Site to Site - Cisco. |
| dialup-cisco-fw | Dial Up - Cisco Firewall. |
| simplified-static-fortiproxy | Site to Site - FortiProxy (SD-WAN). |
| hub-fortiproxy-auto-discovery | Hub role in a Hub-and-Spoke auto-discovery VPN. |
| spoke-fortiproxy-auto-discovery | Spoke role in a Hub-and-Spoke auto-discovery VPN. |

Options for xauthtype:

| Option | Description |
| --- | --- |
| disable | Disable. |
| client | Enable as client. |
| pap | Enable as server PAP. |
| chap | Enable as server CHAP. |
| auto | Enable as server auto. |

Options for fgsp-sync:

| Option | Description |
| --- | --- |
| enable | Enable IPsec syncing of tunnels to other cluster members. |
| disable | Disable IPsec syncing of tunnels to other cluster members. |

Options for auto-discovery-psk:

| Option | Description |
| --- | --- |
| enable | Enable use of pre-shared-secret authentication for auto-discovery tunnels. |
| disable | Disable use of authentication defined by 'authmethod' for auto-discovery tunnels. |

Options for auto-discovery-shortcuts:

| Option | Description |
| --- | --- |
| independent | Short-cut tunnels remain up if the parent tunnel goes down. |
| dependent | Short-cut tunnels are brought down if the parent tunnel goes down. |

Options for auto-discovery-crossover:

| Option | Description |
| --- | --- |
| allow | Allow set-up of short-cut tunnels between different network IDs. |
| block | Block set-up of short-cut tunnels between different network IDs. |

Options for signature-hash-alg:

| Option | Description |
| --- | --- |
| sha1 | SHA1. |
| sha2-256 | SHA2-256. |
| sha2-384 | SHA2-384. |
| sha2-512 | SHA2-512. |

Options for rsa-signature-format:

| Option | Description |
| --- | --- |
| pkcs1 | RSASSA PKCS#1 v1.5. |
| pss | RSASSA Probabilistic Signature Scheme (PSS). |

Options for enforce-unique-id:

| Option | Description |
| --- | --- |
| disable | Disable peer ID uniqueness enforcement. |
| keep-new | Enforce peer ID uniqueness, keep the new connection if a collision is found. |
| keep-old | Enforce peer ID uniqueness, keep the old connection if a collision is found. |

Options for loopback-asymroute:

| Option | Description |
| --- | --- |
| enable | Allow ingress/egress IKE traffic to be routed over different interfaces. |
| disable | Ingress/egress IKE traffic must be routed over the same interface. |

Options for exchange-fgt-device-id:

| Option | Description |
| --- | --- |
| enable | Enable exchange of FortiProxy device identifier. |
| disable | Disable exchange of FortiProxy device identifier. |
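The parameter table covers each setting in isolation. The following added example (written for this page, not Fortinet code) parses a phase1-interface block in the CLI layout shown above, fills in the table's documented defaults for anything left unset, and flags the legacy choices that the option lists still allow: IKEv1 and aggressive mode, DES/3DES, MD5/SHA1 hashes and PRFs, DH groups 1, 2 and 5, and a signature-authenticated gateway with cert-id-validation turned off. The two gateways in SAMPLE_CONFIG, their addresses and the psksecret value are constructed placeholders.

```python
"""Audit `config vpn ipsec phase1-interface` blocks for settings worth review.

Added example for this reference; not Fortinet code. The parser follows the
config / edit / set / next / end layout shown above; defaults and option
names come from the parameter table. The sample config is constructed.
"""
import re
import shlex

# Defaults from the parameter table for the parameters the audit reads.
# `proposal` and `peertype` have no documented default, so they stay unset.
DEFAULTS = {"ike-version": "1", "authmethod": "psk", "mode": "main",
            "dhgrp": "14", "cert-id-validation": "enable"}

# Legacy names still present in the proposal list, and the MODP groups in
# the dhgrp list that are below 2048 bits.
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5", "sha1", "prfsha1"}
LEGACY_DH_GROUPS = {"1", "2", "5"}

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_phase1(text):
    """Return {gateway: {parameter: [values]}} for each `edit` block of the
    phase1-interface table; nested sub-tables and other tables are skipped."""
    gateways, current, in_table, depth = {}, None, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("config "):      # nested sub-table inside an edit
            depth += 1
        elif line == "end":
            if depth:
                depth -= 1
            else:
                in_table = False
        elif depth:
            continue
        elif line.startswith("edit "):
            current = shlex.split(line[5:])[0]
            gateways[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:                              # shlex keeps quoted values whole
                gateways[current][m.group(1)] = shlex.split(m.group(2))
    return gateways


def effective(settings, param):
    """Configured values, or the table default when the parameter is unset."""
    if param in settings:
        return settings[param]
    return [DEFAULTS[param]] if param in DEFAULTS else []


def audit(gateways):
    """Return (gateway, parameter, message) findings for every gateway."""
    findings = []
    for name, s in gateways.items():
        def flag(param, msg):
            findings.append((name, param, msg))
        if effective(s, "ike-version") == ["1"]:
            flag("ike-version", "IKEv1 selected; ike-version 2 is preferred")
            if effective(s, "mode") == ["aggressive"]:
                flag("mode", "aggressive mode; main mode is preferred")
        if not s.get("proposal"):
            flag("proposal", "no proposal set; default is undocumented, review it")
        for prop in effective(s, "proposal"):
            cipher, _, hash_ = prop.partition("-")
            if cipher in LEGACY_CIPHERS:
                flag("proposal", f"{prop}: legacy cipher {cipher}")
            if hash_ in LEGACY_HASHES:
                flag("proposal", f"{prop}: legacy hash {hash_}")
        for grp in effective(s, "dhgrp"):
            if grp in LEGACY_DH_GROUPS:
                flag("dhgrp", f"DH group {grp} is below 2048-bit MODP")
        auth = effective(s, "authmethod")
        if auth == ["psk"] and effective(s, "peertype") == ["any"]:
            flag("peertype", "any peer ID accepted with PSK; restrict via peerid")
        if auth == ["signature"] and effective(s, "cert-id-validation") == ["disable"]:
            flag("cert-id-validation", "peer ID not checked against cert (RFC 4945)")
    return findings


# Constructed sample: one legacy and one hardened gateway (placeholder values).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-legacy"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
        set psksecret "placeholder-psk"
    next
    edit "branch-hardened"
        set ike-version 2
        set remote-gw 203.0.113.20
        set authmethod signature
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 19 20
        set cert-id-validation enable
    next
end
"""

if __name__ == "__main__":
    for gw, param, msg in audit(parse_phase1(SAMPLE_CONFIG)):
        print(f"{gw}: {param}: {msg}")
```

Run against the sample, `branch-legacy` produces seven findings (IKEv1, aggressive mode, 3DES, SHA1, MD5, DH groups 2 and 5) and `branch-hardened` none. Feed it the output of `show vpn ipsec phase1-interface` to review a real configuration; settings that the table documents without a default, such as `proposal`, are reported as needing a manual look rather than guessed.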
