vpn : ipsec phase1
 
ipsec phase1
Use this command to add or edit IPSec tunnel-mode phase 1 configurations. When you add a tunnel-mode phase 1 configuration, you define how the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other as part of establishing an IPSec VPN tunnel.
The phase 1 configuration specifies the name of a remote VPN peer, the nature of the connection (static IP, dialup, or dynamic DNS), the encryption and authentication keys for the phase 1 proposal, and the authentication method (preshared key or certificate). For authentication to be successful, the FortiGate unit and the remote VPN peer must be configured with compatible phase 1 settings.
You can change all settings except the type setting after you define the configuration: if the address type of a remote peer changes, you must delete the original phase 1 configuration and define a new one. As a general rule, create only one phase 1 configuration per remote VPN peer.
Syntax
config vpn ipsec phase1
edit <gateway_name>
set acct-verify {enable | disable}
set add-gw-route {enable | disable}
set authmethod <authentication_method>
set authpasswd <password>
set authusr <user_name>
set authusrgrp <group_name>
set autoconfig {client | gateway | disable}
set auto-negotiate {enable | disable}
set certificate <server_certificate_str>
set dhgrp {1 2 5 14 15 16 17 18 19 20 21}
set distance <int>
set dpd {disable | enable}
set dpd-retrycount <retry_integer>
set dpd-retryinterval <seconds> [<milliseconds>]
set eap {enable | disable}
set eap-identity {use-id-payload | send-request}
set forticlient-enforcement {enable | disable}
set fragmentation {enable | disable}
set ike-version {1 | 2}
set interface <interface_name>
set keepalive <seconds>
set keylife <seconds>
set local-gw <address_ipv4>
set localid <local_id>
set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
set mode {aggressive | main}
set nattraversal {enable | disable}
set negotiate-timeout <seconds_int>
set npu-offload {enable | disable}
set peer <CA_certificate_name>
set peerid <peer_id>
set peergrp <certificate_group_name>
set peertype <authentication_method>
set priority <prio>
set proposal <encryption_combination>
set psksecret <preshared_key>
set remote-gw <address_ipv4>
set remotegw-ddns <domain_name>
set type <remote_gw_type>
set usrgrp <group_name>
set xauthtype <XAuth_type>
set xauthexpire {on-disconnect | on-rekey}
end
 
A proposal value is required. In NAT/Route mode, you must specify interface. A remote-gw value may be required depending on the value of the type attribute. You must also enter a preshared key or a certificate name depending on the value of authmethod. All other fields are optional.
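As an added example (editor's code, not Fortinet's and not part of this reference), the Python below parses a config vpn ipsec phase1 block and applies the required-field rules stated above: proposal always, interface in NAT/Route mode, remote-gw for type static, remotegw-ddns for type ddns, and psksecret or certificate depending on authmethod. The sample configuration text, the gateway names and the placeholder key are constructed, and NAT/Route mode is assumed.

```python
"""Parse a FortiOS `config vpn ipsec phase1` block and check the required
fields the reference page lists. Added example, not Fortinet code."""
import re

# Constructed sample: one complete static gateway and one dialup entry that
# is missing an interface and a certificate. The psksecret is a placeholder.
SAMPLE_CONFIG = """
config vpn ipsec phase1
    edit "to-branch"
        set interface "wan1"
        set type static
        set remote-gw 203.0.113.10
        set authmethod psk
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set psksecret PLACEHOLDER_NOT_A_REAL_KEY
    next
    edit "dialup-clients"
        set type dynamic
        set authmethod signature
        set proposal aes256-sha256
    next
end
"""


def parse_phase1(text):
    """Return {gateway_name: {setting: [values]}} for each `edit` entry."""
    gateways, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            gateways[current] = {}
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and current is not None:
            key, values = m.group(1), m.group(2).replace('"', "").split()
            gateways[current][key] = values
            continue
        if line in ("next", "end"):
            current = None
    return gateways


def check_required(name, settings, nat_route_mode=True):
    """Apply the page's required-field rules; return a list of problems."""
    problems = []
    # 35-character name limit; the further reduction for dynamic tunnels
    # depends on the tunnel count and is not modelled here.
    if len(name) > 35:
        problems.append("name longer than 35 characters")
    if "proposal" not in settings:
        problems.append("proposal is required")
    if nat_route_mode and "interface" not in settings:
        problems.append("interface is required in NAT/Route mode")
    gw_type = settings.get("type", ["static"])[0]          # page default: static
    if gw_type == "static" and settings.get("remote-gw", ["0.0.0.0"])[0] == "0.0.0.0":
        problems.append("type static requires remote-gw")
    if gw_type == "ddns" and "remotegw-ddns" not in settings:
        problems.append("type ddns requires remotegw-ddns")
    auth = settings.get("authmethod", ["psk"])[0]            # page default: psk
    if auth == "psk" and "psksecret" not in settings:
        problems.append("authmethod psk requires psksecret")
    if auth == "signature" and "certificate" not in settings:
        problems.append("authmethod signature requires certificate")
    return problems


def audit(text, nat_route_mode=True):
    """Map each gateway name in the block to its list of problems."""
    return {name: check_required(name, s, nat_route_mode)
            for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for gateway, problems in audit(SAMPLE_CONFIG).items():
        print(gateway, "->", problems or "ok")
```

The checker reads defaults the same way the unit does (type static and authmethod psk when unset), so an entry that never sets type still needs a remote-gw.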
Variable
Description
Default
edit <gateway_name>
Enter a name (maximum 35 characters) for this gateway. If type is dynamic, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
No default.
acct-verify {enable | disable}
Enable to establish tunnel only after RADIUS server accounting response is received. This applies only to RADIUS-authenticated users when ike-version is 2 and eap is enabled.
disable
add-gw-route {enable | disable}
Enable to automatically add a route to the remote gateway specified in remote-gw.
Note: This command is deprecated.
Use the dynamic-gateway {enable | disable} field in config router static instead.
disable
authmethod <authentication_method>
Specify the authentication method:
Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared key.
Enter signature to authenticate using a digital certificate. Use set certificate to enter the name of the digital certificate.
You must configure certificates before selecting signature here. For more information, see execute vpn certificate local generate and vpn certificate ca.
psk
authpasswd <password>
This field is available when xauthtype is set to client.
Enter the XAuth client password for the FortiGate unit.
No default.
authusr <user_name>
This field is available when xauthtype is set to client.
Enter the XAuth client user name for the FortiGate unit.
Null
authusrgrp <group_name>
This field is available when xauthtype is set to auto, pap, or chap.
When the FortiGate unit is configured as an XAuth server, enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced. For more information, see user group, user ldap, user local, and user radius.
If this field is empty, authentication will occur against user groups in the policy for this phase 1.
Null
autoconfig {client | gateway | disable}
Select VPN auto configuration mode: VPN gateway, VPN client, or auto configuration disabled.
disable
auto-negotiate {enable | disable}
Enable to keep trying to negotiate an IKE SA even if the link is down. The primary use of this feature is in cases where there are multiple redundant tunnels and you prefer the primary connection if it can be established.
enable
certificate <server_certificate_str>
This field is available when authmethod is set to signature.
Enter the names of up to four signed personal certificates for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see “vpn certificate local generate”.
Null.
dhgrp {1 2 5 14 15 16 17 18 19 20 21}
Enter one or more Diffie-Hellman group numbers in order of preference separated by spaces. At least one of the DH group settings on the remote peer or client must be identical to one of the selections on the FortiGate unit.
14 5
distance <int>
Configure the administrative distance for routes added when a dialup IPSec connection is established. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1 to 255. See also router static “distance <distance>”.
1
dpd {disable | enable}
Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
enable
dpd-retrycount <retry_integer>
This field is available when dpd is set to enable.
Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
3
dpd-retryinterval <seconds> [<milliseconds>]
This field is available when dpd is set to enable.
The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes.
Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
5
eap {enable | disable}
Enable EAP authentication. This is available only if ike-version is 2.
disable
eap-identity {use-id-payload | send-request}
Choose source of identity for EAP authentication.
use-id-payload — use IKEv2 payload
send-request — use EAP identity request
This is available when ike-version is 2 and eap is enabled.
use-id-payload
forticlient-enforcement {enable | disable}
Enable to allow only FortiClient users to connect.
disable
fragmentation {enable | disable}
Enable intra-IKE fragmentation support on re-transmission of fragmented packets.
enable
ike-version {1 | 2}
Select whether to use IKEv1 or IKEv2 (RFC 4306).
1
interface <interface_name>
Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see “interface”) unless you specify a different IP address using the local-gw <address_ipv4> attribute.
You cannot change interface if a firewall policy references this VPN.
Null
keepalive <seconds>
This field is available when nattraversal is set to enable.
Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until P1 and P2 security associations expire. The keepalive frequency can be from 10 to 900 seconds.
10
keylife <seconds>
Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
86400
local-gw <address_ipv4>
Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see “interface”).
0.0.0.0
localid <local_id>
Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client.
Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
Null
localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
Select the type of localid:
auto — select type automatically
fqdn — Fully Qualified Domain Name
user-fqdn — Use User Fully Qualified Domain Name
keyid — Use Key Identifier ID
address — Use IP address ID
asn1dn — Use ASN.1 Distinguished Name ID
auto
mode {aggressive | main}
Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
In aggressive mode, identifying information is exchanged in the clear.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
main
nattraversal {enable | disable}
Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
enable
negotiate-timeout <seconds_int>
Enter how long in seconds the FortiGate unit will wait for the IKE SA to be negotiated. Range: 1 to 300 seconds.
30
npu-offload {enable | disable}
Enable or disable offload of VPN session to NPU.
enable
peer <CA_certificate_name>
This field is available when authmethod is set to rsa-signature and peertype is set to peer.
Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer.
Null
peerid <peer_id>
This field is available when peertype is set to one.
Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
Null
peergrp <certificate_group_name>
This field is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp.
Null
peertype <authentication_method>
The following values are available under the following conditions:
one is available when mode is set to aggressive or when authmethod is set to rsa-signature.
dialup is available when type is set to dynamic and authmethod is set to psk.
peer is available when authmethod is set to rsa-signature.
peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main.
You can use this option with RSA Signature authentication, but for highest security you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid field to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp field to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer field to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp field to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
any
priority <prio>
This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route.
Set <prio> to a value between 0 and 4294967295.
0
proposal <encryption_combination>
Select a minimum of one and a maximum of 10 encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
You can choose any of the following abbreviated symmetric key encryption algorithms:
des — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3des — Triple-DES, in which plain text is encrypted three times by three keys.
aes128 — A 128-bit block algorithm that uses a 128-bit key.
aes192 — A 128-bit block algorithm that uses a 192-bit key.
aes256 — A 128-bit block algorithm that uses a 256-bit key.
aria128 — A 128-bit Korean block algorithm that uses a 128-bit key.
aria192 — A 128-bit Korean block algorithm that uses a 192-bit key.
aria256 — A 128-bit Korean block algorithm that uses a 256-bit key.
seed — A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and SEED algorithms are not available on some models.
You can select any of the following message digests to check the authenticity of messages during an encrypted session:
md5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
sha1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
sha256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
sha384 — Secure Hash Algorithm 2, which produces a 384-bit message digest.
sha512 — Secure Hash Algorithm 2, which produces a 512-bit message digest.
aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
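The page lists the algorithm names that proposal and dhgrp accept and the limit of ten combinations. As an added example (editor's code, not Fortinet's), the Python below parses a proposal value into its encryption and digest halves, enforces the 1 to 10 limit, and sorts each combination into keep, legacy or weak buckets; it does the same for a dhgrp list. The weak and legacy classifications are the editor's assessment and are not stated on this page. Run against the page's own defaults, it shows that four of the six default proposals and one of the two default DH groups land in the legacy bucket.

```python
"""Grade a phase 1 `proposal` list and a `dhgrp` list against the algorithm
names the reference page lists. Added example, not Fortinet code; the
weak/legacy classes are the editor's assessment, not something the page states."""

ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256",
              "aria128", "aria192", "aria256", "seed"}
DIGESTS = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
MAX_PROPOSALS = 10            # page: minimum one, maximum 10 combinations

# Editor's assessment (not from the page): 56-bit DES and MD5 should not be
# offered at all; 3DES, SHA-1 and the 768/1024/1536-bit MODP groups 1, 2 and 5
# are legacy choices worth flagging for replacement.
WEAK = {"des", "md5"}
LEGACY = {"3des", "sha1"}
LEGACY_DH = {1, 2, 5}


def parse_proposal(value):
    """Split 'aes128-sha256 aes256-sha256' into [(enc, digest), ...]."""
    combos = value.split()
    if not 1 <= len(combos) <= MAX_PROPOSALS:
        raise ValueError(f"need 1 to {MAX_PROPOSALS} combinations, got {len(combos)}")
    parsed = []
    for combo in combos:
        enc, sep, digest = combo.partition("-")
        if not sep or enc not in ENCRYPTION or digest not in DIGESTS:
            raise ValueError(f"unknown proposal combination {combo!r}")
        parsed.append((enc, digest))
    return parsed


def grade_proposal(value):
    """Sort each combination into weak / legacy / keep buckets, preserving order."""
    findings = {"weak": [], "legacy": [], "keep": []}
    for enc, digest in parse_proposal(value):
        combo = f"{enc}-{digest}"
        if enc in WEAK or digest in WEAK:
            findings["weak"].append(combo)
        elif enc in LEGACY or digest in LEGACY:
            findings["legacy"].append(combo)
        else:
            findings["keep"].append(combo)
    return findings


def grade_dhgrp(value):
    """Validate a space-separated dhgrp list and flag legacy groups."""
    groups = [int(g) for g in value.split()]
    unknown = [g for g in groups if g not in DH_GROUPS]
    if unknown:
        raise ValueError(f"unsupported DH group(s): {unknown}")
    return {"legacy": [g for g in groups if g in LEGACY_DH],
            "keep": [g for g in groups if g not in LEGACY_DH]}


if __name__ == "__main__":
    # The page's own defaults for proposal and dhgrp.
    print(grade_proposal("aes128-sha256 aes256-sha256 3des-sha256 "
                         "aes128-sha1 aes256-sha1 3des-sha1"))
    print(grade_dhgrp("14 5"))
```

Order is preserved on purpose: the unit offers combinations in the order listed, so the keep bucket is also the order in which the strong proposals would be sent.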
psksecret <preshared_key>
This field is available when authmethod is set to psk.
Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
* (No default.)
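As an added example (editor's code, not Fortinet's), the Python below turns the psksecret guidance into a checker and a generator: a key must be at least 6 printable characters, and 16 or more randomly chosen alphanumeric characters are recommended. The character-class heuristic and the entropy estimate are the editor's additions, not rules from this page.

```python
"""Check and generate phase 1 pre-shared keys against the rules the page gives
for psksecret. Added example, not Fortinet code."""
import math
import secrets
import string

MIN_LEN = 6              # page: at least 6 printable characters
RECOMMENDED_LEN = 16     # page: at least 16 randomly chosen alphanumerics
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols


def generate_psk(length=32):
    """Return a random alphanumeric key drawn from the OS CSPRNG (secrets)."""
    if length < RECOMMENDED_LEN:
        raise ValueError(f"length must be at least {RECOMMENDED_LEN}")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def estimated_bits(key):
    """Upper bound on key entropy, assuming every character was drawn
    uniformly from the 62-symbol alphanumeric set (an assumption, not a
    measurement of the key itself)."""
    return len(key) * math.log2(len(ALPHANUMERIC))


def check_psk(key):
    """Return a list of findings; an empty list means the key meets the guidance."""
    findings = []
    if not key.isprintable():
        findings.append("contains non-printable characters")
    if len(key) < MIN_LEN:
        findings.append(f"shorter than the {MIN_LEN}-character minimum")
    elif len(key) < RECOMMENDED_LEN:
        findings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    # Editor's heuristic: a key built from one character class is unlikely
    # to have been "randomly chosen" as the page recommends.
    classes = sum(any(test(c) for c in key)
                  for test in (str.islower, str.isupper, str.isdigit))
    if classes < 2:
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    candidate = generate_psk()
    print(candidate, check_psk(candidate) or "ok",
          f"~{estimated_bits(candidate):.0f} bits")
    print("abc", check_psk("abc"))
```

The generator uses the secrets module rather than random, because the page's recommendation rests on the characters being unpredictable, and the same key must then be configured on both peers out of band.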
remote-gw <address_ipv4>
This field is available when type is set to static.
Enter the static IP address of the remote VPN peer.
0.0.0.0
remotegw-ddns <domain_name>
This field is available when type is set to ddns.
Enter the identifier of the remote peer (for example, a fully qualified domain name).
Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
Null.
type <remote_gw_type>
Enter the connection type of the remote gateway:
If the remote VPN peer has a static IP address, type static. Use the remote-gw field to enter the IP address.
If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns field to enter the domain name of the remote VPN peer.
static
usrgrp <group_name>
This field is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group, user ldap, user local, and user radius.
Null.
xauthtype <XAuth_type>
Optionally configure XAuth (eXtended Authentication):
Type disable to disable XAuth.
Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd fields to enter the XAuth user name and password.
Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. These options are available only when type is dynamic. Use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
disable
xauthexpire {on-disconnect | on-rekey}
Choose when the authentication with XAUTH expires:
on-disconnect — when the tunnel closes
on-rekey — when the phase 1 encryption key expires
on-disconnect