vpn : ipsec manualkey-interface
 
ipsec manualkey-interface
Use this command to configure manual keys for a route-based (interface mode) IPSec VPN tunnel. When you create a route-based tunnel, the FortiGate unit creates a virtual IPSec interface automatically. The interface can be modified afterward using the system network interface CLI command. This command is available only in NAT/Route mode.
Syntax
config vpn ipsec manualkey-interface
edit <tunnel_name>
set auth-alg <authentication_algorithm>
set auth-key <authentication_key>
set enc-alg <method>
set enc-key <encryption_key>
set interface <interface_name>
set ip-version <4 | 6>
set local-gw <address_ipv4>
set local-gw6 <address_ipv6>
set local-spi <local_spi_number>
set npu-offload {enable | disable}
set remote-gw <address_ipv4>
set remote-gw6 <address_ipv6>
set remote-spi <remote_spi_number>
end
The auth-alg, enc-alg, interface, remote-gw, local-spi, and remote-spi fields are required. All other fields are optional.
Variable / Description / Default

edit <tunnel_name>
    Enter a name for the tunnel.
    Default: no default.

auth-alg <authentication_algorithm>
    Enter one of the following authentication algorithms:
        md5
        null
        sha1
        sha256
        sha384
        sha512
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null

auth-key <authentication_key>
    This field is available when auth-alg is set to md5, sha1, or sha256. Enter the associated authentication key:
        If auth-alg is md5, enter a 32-digit (16-byte) hexadecimal number.
        If auth-alg is sha1, enter a 40-digit (20-byte) hexadecimal number.
        If auth-alg is sha256, enter a 64-digit (32-byte) hexadecimal number.
    Digits can be 0 to 9 and a to f.
    Enter the key in 16-digit (8-byte) segments separated by hyphens. For example (MD5):
        0102030405060708-090a0b0c0d0e0f10
    For a SHA1 key, the final segment is only 8 digits (4 bytes).
    Use the same authentication key at both ends of the tunnel.
    Default: no default.

enc-alg <method>
    Enter one of the following encryption algorithms:
        3des
        aes128
        aes192
        aes256
        des
        aria128
        aria192
        aria256
        seed
        null
    The ARIA algorithm is not available on some models.
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null

enc-key <encryption_key>
    This field is available when enc-alg is set to 3des, aes128, aes192, aes256, or des. Enter the associated encryption key:
        If enc-alg is des, enter a 16-digit (8-byte) hexadecimal number.
        If enc-alg is 3des, enter a 48-digit (24-byte) hexadecimal number.
        If enc-alg is aes128, enter a 32-digit (16-byte) hexadecimal number.
        If enc-alg is aes192, enter a 48-digit (24-byte) hexadecimal number.
        If enc-alg is aes256, enter a 64-digit (32-byte) hexadecimal number.
    Digits can be 0 to 9 and a to f.
    For all of the above, separate each 16-digit (8-byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: no default.

interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the system interface settings (see “interface”).
    Default: null

ip-version <4 | 6>
    Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
    Default: 4

local-gw <address_ipv4>
local-gw6 <address_ipv6>
    By default, the FortiGate unit determines the local gateway IP address from the interface setting. Optionally, you can specify a secondary IP address configured on the same interface.
    local-gw is available when ip-version is 4.
    local-gw6 is available when ip-version is 6.
    Default: 0.0.0.0 for IPv4, :: for IPv6

local-spi <local_spi_number>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9 and a to f) in the range 0x100 to FFFFFFF. This number must be entered as the Remote SPI at the opposite end of the tunnel.
    Default: 0x100

npu-offload {enable | disable}
    Enable or disable offloading of the VPN session to the NPU.
    Default: enable

remote-gw <address_ipv4>
remote-gw6 <address_ipv6>
    The IP address of the remote gateway's external interface.
    remote-gw is available when ip-version is 4.
    remote-gw6 is available when ip-version is 6.
    Default: 0.0.0.0 for IPv4, :: for IPv6

remote-spi <remote_spi_number>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range 0x100 to FFFFFFF. This number must be entered as the Local SPI at the opposite end of the tunnel.
    Default: 0x100
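The field rules above, as an added pre-deployment check written for this page (not Fortinet's code): it validates the per-algorithm key lengths and the hyphenated 16-digit segments, the "not both null" rule, the SPI range, and that the two ends of a tunnel use the same algorithms and keys with local-spi and remote-spi swapped. The SITE_A and SITE_B dictionaries are constructed sample values, not a real configuration.

```python
import re
# Hex-digit key lengths this page gives for each algorithm that takes a key.
AUTH_KEY_DIGITS = {"md5": 32, "sha1": 40, "sha256": 64}
ENC_KEY_DIGITS = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}

def key_errors(field, key, expected_digits):
    """Problems with a hyphen-segmented hex key, or [] if it is well formed."""
    errors, segments = [], key.split("-")
    digits = "".join(segments)
    if not re.fullmatch(r"[0-9a-f]*", digits):
        errors.append(f"{field}: digits must be 0 to 9 and a to f")
    if len(digits) != expected_digits:
        errors.append(f"{field}: {len(digits)} digits given, {expected_digits} required")
    # Segments are 16 digits (8 bytes); only the last may be shorter (SHA1 ends in 8).
    if any(len(s) != 16 for s in segments[:-1]) or len(segments[-1]) > 16:
        errors.append(f"{field}: use 16-digit segments separated by hyphens")
    return errors

def spi_value(spi):
    """SPI as an int, or -1 when it is not a hex number of up to eight digits."""
    return int(spi, 16) if re.fullmatch(r"(0x)?[0-9a-fA-F]{1,8}", spi) else -1

def check_tunnel(cfg):
    """Check one end of the tunnel against the field rules on this page."""
    errors = []
    if cfg["auth-alg"] == "null" and cfg["enc-alg"] == "null":
        errors.append("enc-alg and auth-alg cannot both be null")
    if cfg["auth-alg"] in AUTH_KEY_DIGITS:
        errors += key_errors("auth-key", cfg["auth-key"], AUTH_KEY_DIGITS[cfg["auth-alg"]])
    if cfg["enc-alg"] in ENC_KEY_DIGITS:
        errors += key_errors("enc-key", cfg["enc-key"], ENC_KEY_DIGITS[cfg["enc-alg"]])
    for field in ("local-spi", "remote-spi"):
        if spi_value(cfg[field]) < 0x100:
            errors.append(f"{field}: must be a hex number of up to eight digits, at least 0x100")
    return errors

def check_pair(a, b):
    """Both ends need identical algorithms and keys, with the SPIs swapped."""
    errors = check_tunnel(a) + check_tunnel(b)
    errors += [f"{f} differs between the two ends"
               for f in ("auth-alg", "auth-key", "enc-alg", "enc-key") if a[f] != b[f]]
    if (spi_value(a["local-spi"]), spi_value(a["remote-spi"])) != (
            spi_value(b["remote-spi"]), spi_value(b["local-spi"])):
        errors.append("local-spi at each end must equal remote-spi at the other")
    return errors
# Constructed sample: both ends of one tunnel (the SHA1 key ends in an 8-digit segment).
SITE_A = {"auth-alg": "sha1", "auth-key": "0102030405060708-090a0b0c0d0e0f10-11121314",
          "enc-alg": "aes128", "enc-key": "0011223344556677-8899aabbccddeeff",
          "local-spi": "0x100", "remote-spi": "0x200"}
SITE_B = dict(SITE_A, **{"local-spi": "0x200", "remote-spi": "0x100"})
```

check_pair(SITE_A, SITE_B) returns an empty list for the sample; a key of the wrong length, an unsegmented key, or SPIs that are not mirrored each produce a named error.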