ipsec phase1-interface
Use this command to define a phase 1 definition for a route-based (interface mode) IPSec VPN tunnel that generates authentication and encryption keys automatically. A new interface of type “tunnel” with the same name is created automatically as the local end of the tunnel.
Optionally, you can create a route-based phase 1 definition to act as a backup for another IPSec interface. See the monitor <phase1> field.
To complete the configuration of an IPSec tunnel, you need to:
configure phase 2 settings (see “ipsec phase2-interface”)
configure a firewall policy to pass traffic from the local private network to the tunnel interface
configure a static route via the IPSec interface to the private network at the remote end of the tunnel
optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing
Syntax
config vpn ipsec phase1-interface
    edit <gateway_name>
        set acct-verify {enable | disable}
        set add-gw-route {enable | disable}
        set add-route {enable | disable}
        set assign-ip {enable | disable}
        set assign-ip-from {range | usrgrp | dhcp}
        set assign-ip-type {ip | subnet}
        set authmethod <authentication_method>
        set authpasswd <password>
        set authusr <user_name>
        set authusrgrp <group_name>
        set auto-negotiate {enable | disable}
        set backup-gateway <gateway1> ... <gatewayn>
        set banner <string>
        set certificate <server_certificate>
        set client-auto-negotiate {enable | disable}
        set client-keep-alive {enable | disable}
        set default-gw <gw_ip>
        set default-gw-priority <int>
        set dhgrp {1 2 5 14 15 16 17 18 19 20 21}
        set distance <int>
        set dns-mode {auto | manual}
        set domain <string>
        set dpd {enable | disable}
        set dpd-retrycount <retry_integer>
        set dpd-retryinterval <seconds> [<milliseconds>]
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set forticlient-enforcement {enable | disable}
        set fragmentation {enable | disable}
        set ike-version {1 | 2}
        set include-local-lan {enable | disable}
        set interface <interface_name>
        set ip-version {4 | 6}
        set ipv4-dns-server1 <ip4addr>
        set ipv6-dns-server1 <ip6addr>
        set ipv4-dns-server2 <ip4addr>
        set ipv6-dns-server2 <ip6addr>
        set ipv4-dns-server3 <ip4addr>
        set ipv6-dns-server3 <ip6addr>
        set ipv4-end-ip <ip4addr>
        set ipv6-end-ip <ip6addr>
        set ipv4-netmask <ip4mask>
        set ipv4-split-include <address_name>
        set ipv4-start-ip <ip4addr>
        set ipv6-start-ip <ip6addr>
        set ipv4-wins-server1 <ip4addr>
        set ipv4-wins-server2 <ip4addr>
        set ipv6-prefix <ip6prefix>
        set keepalive <seconds>
        set keylife <seconds>
        set local-gw <address_ipv4>
        set local-gw6 <address_ipv6>
        set localid <local_id>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set mesh-selector-type {disable | subnet | host}
        set mode {aggressive | main}
        set mode-cfg {enable | disable}
        set mode-cfg-ip-version {4 | 6}
        set monitor <phase1>
        set monitor-hold-down-delay <seconds_int>
        set nattraversal {enable | disable}
        set negotiate-timeout <seconds_int>
        set npu-offload {enable | disable}
        set peer <CA_certificate_name>
        set peerid <peer_id>
        set peergrp <certificate_group_name>
        set peertype <authentication_method>
        set priority <prio>
        set proposal <encryption_combination>
        set psksecret <preshared_key>
        set remote-gw <address_ipv4>
        set remote-gw6 <address_ipv6>
        set remotegw-ddns <domain_name>
        set save-password {enable | disable}
        set send-cert-chain {enable | disable}
        set split-include-service <service_group_name>
        set type <remote_gw_type>
        set unity-support {enable | disable}
        set usrgrp <group_name>
        set xauthtype <XAuth_type>
        set xauthexpire {on-disconnect | on-rekey}
        config ipv4-exclude-range
            edit <entry_id>
                set start-ip <ipaddr>
                set end-ip <ipaddr>
            end
        config ipv6-exclude-range
            edit <entry_id>
                set start-ip <ipaddr>
                set end-ip <ipaddr>
            end
end
 
You must specify values for proposal and interface. A remote-gw value may be required depending on the value of the type attribute. You must also enter a preshared key or a certificate name depending on the value of authmethod. All other fields are optional.
Variable
Description
Default
edit <gateway_name>
Enter a name (maximum 15 characters) for the remote gateway. If type is dynamic, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
No default.
acct-verify {enable | disable}
Enable to establish tunnel only after RADIUS server accounting response is received. This applies only to RADIUS-authenticated users when ike-version is 2 and eap is enabled.
disable
add-gw-route {enable | disable}
Enable to automatically add a route to the remote gateway specified in remote-gw.
Note: This command is deprecated.
Use the dynamic-gateway {enable | disable} field in config router static instead.
disable
add-route {enable | disable}
Enable to add a route to the client’s peer destination selector. Disable if you use dynamic routing over the tunnel.
This is available only when mode-cfg is enabled.
enable
assign-ip {enable | disable}
For a client, enable to request an IP address from the server. For a server, enable to assign an IP address to a dialup client. This is available if mode-cfg (IKE Configuration Method) is enabled.
enable
 
assign-ip-from {range | usrgrp | dhcp}
Select source of IP address assigned to an IKE Configuration Method client.
range — Assign an IP address from the range defined in ipv4-start-ip and ipv4-end-ip (ipv6-start-ip and ipv6-end-ip for IPv6 clients).
usrgrp — Assign the address defined in the RADIUS Framed-IP-Address for the user. This is available when the VPN is configured to authenticate clients with XAuth. xauthtype must be auto, pap, or chap. This is available only if ike-version is 1.
dhcp — Assign the address using a remote DHCP server. DHCP proxy must be enabled.
This is available if mode-cfg (IKE Configuration Method) is enabled.
range
assign-ip-type {ip | subnet}
Select the type of IP address assigned to an IKE Configuration Method client:
ip — assign a single IP address to the client, as configured in assign-ip-from.
subnet — assign an IP address to each end of the VPN tunnel, as configured in assign-ip-from. This type of IP address assignment facilitates the use of dynamic routing through the tunnel.
This is available if mode-cfg (IKE Configuration Method) is enabled.
ip
authmethod <authentication_method>
Specify the authentication method:
Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared key.
Enter signature to authenticate using a digital certificate. Use set certificate to enter the name of the digital certificate.
You must configure certificates before selecting signature here. For more information, see execute vpn certificate local generate and vpn certificate ca.
psk
authpasswd <password>
This field is available when xauthtype is set to client.
Enter the XAuth client password for the FortiGate unit.
No default.
authusr <user_name>
This field is available when xauthtype is set to client.
Enter the XAuth client user name for the FortiGate unit.
Null
authusrgrp <group_name>
This field is available when xauthtype is set to auto, pap, or chap.
When the FortiGate unit is configured as an XAuth server, enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced. For more information, see user group, user ldap, user local, and user radius.
If this field is empty, authentication will occur against user groups in the policy for this phase 1.
Null
auto-negotiate {enable | disable}
Enable to keep trying to negotiate an IKE SA even if the link is down. The primary use of this feature is in cases where there are multiple redundant tunnels and you prefer the primary connection if it can be established.
enable
backup-gateway <gateway1> ... <gatewayn>
Enter backup gateway IP address(es) or FQDN(s) separated by spaces. This is available if mode-cfg is enabled and type is dynamic.
No default.
banner <string>
Specify a message to send to IKE Configuration Method clients. Some clients display this message to users. This is available if mode-cfg (IKE Configuration Method) is enabled.
Null
certificate <server_certificate>
This field is available when authmethod is set to signature.
Enter the name of the signed personal certificate for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see “vpn certificate local generate”.
Null
client-auto-negotiate {enable | disable}
Enable or disable allowing the client to bring up the tunnel when there is no traffic. This is available when type is dynamic and mode-cfg is enabled.
disable
client-keep-alive {enable | disable}
Enable or disable allowing the client to keep the tunnel up when there is no traffic. This is available when type is dynamic and mode-cfg is enabled.
disable
default-gw <gw_ip>
If the IPSec interface has a different default route than other traffic, enter the next hop router IP address. Be sure to set default-gw-priority to a higher priority (lower value) than the general default route.
This is available when type is dynamic. The route it creates is not visible in the routing table.
0.0.0.0
default-gw-priority <int>
If you set default-gw, set the priority to a lower value (higher priority) than the general default route.
0
dhgrp {1 2 5 14 15 16 17 18 19 20 21}
Enter one or more Diffie-Hellman group numbers in order of preference separated by spaces. At least one of the DH group settings on the remote peer or client must be identical to one of the selections on the FortiGate unit.
14 5
distance <int>
Configure the administrative distance for routes added when a dialup IPSec connection is established. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1 to 255. See also router static “distance <distance>”.
1
dns-mode {auto | manual}
Set DNS behavior when mode-cfg is enabled.
auto — assign DNS servers in the following order:
1. servers assigned to the interface by DHCP
2. per-VDOM assigned DNS servers
3. global DNS server
manual — use the DNS servers specified in ipv4-dns-server1, ipv4-dns-server2, and so on.
manual
domain <string>
Specify a domain name to send to IKE Configuration Method clients. This is available if mode-cfg (IKE Configuration Method) is enabled.
Null
dpd {enable | disable}
Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
enable
dpd-retrycount <retry_integer>
This field is available when dpd is set to enable.
Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
3
dpd-retryinterval <seconds> [<milliseconds>]
This field is available when dpd is set to enable.
The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes.
Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
5
eap {enable | disable}
Enable EAP authentication. This is available only if ike-version is 2.
disable
eap-identity {use-id-payload | send-request}
Choose source of identity for EAP authentication.
use-id-payload — use IKEv2 payload
send-request — use EAP identity request
This is available when ike-version is 2 and eap is enabled.
use-id-payload
forticlient-enforcement {enable | disable}
Enable to allow only FortiClient users to connect.
disable
fragmentation {enable | disable}
Enable intra-IKE fragmentation support on re-transmission of fragmented packets.
enable
ike-version {1 | 2}
Select whether to use IKEv1 or IKEv2 (RFC 4306).
1
include-local-lan {enable | disable}
Allow Unity clients to access their local LAN even if they are using split tunneling.
This is available when type is dynamic and mode-cfg is enabled.
disable
interface <interface_name>
Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from system interface settings (see “interface”) unless you specify a different IP address using the local-gw <address_ipv4> attribute.
Null
ip-version <4 | 6>
Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
4
ipv4-dns-server1
ipv6-dns-server1
ipv4-dns-server2
ipv6-dns-server2
ipv4-dns-server3
ipv6-dns-server3
Enter DNS server addresses to provide to IKE Configuration Method clients. If the value is 0.0.0.0, no DNS server address is provided.
Either the IPv4 or IPv6 version of these fields is available, depending on mode-cfg-ip-version.
0.0.0.0
::
ipv4-end-ip <ip4addr>
ipv6-end-ip <ip6addr>
Set end of IP address range to assign to IKE Configuration Method clients. This is available when mode-cfg is enabled, type is dynamic, and assign-ip-from is range.
Either the IPv4 or IPv6 version of this field is available, depending on mode-cfg-ip-version.
No default.
ipv4-netmask <ip4mask>
Set the netmask value to pass to IKE Configuration Method clients.
No default.
ipv4-split-include <address_name>
Select the address or address group that the client can reach through the VPN. This information is sent to the client as part of IKE Configuration Method.
This is available only if mode-cfg is set to enable.
Null.
ipv4-start-ip <ip4addr>
ipv6-start-ip <ip6addr>
Set start of IP address range to assign to IKE Configuration Method clients. This is available when mode-cfg is enabled, type is dynamic, and assign-ip-from is range.
Either the IPv4 or IPv6 version of this field is available, depending on mode-cfg-ip-version.
No default.
ipv4-wins-server1
ipv4-wins-server2
Enter WINS server addresses to provide to IKE Configuration Method clients. If the value is 0.0.0.0, no WINS server address is provided.
0.0.0.0
ipv6-prefix <ip6prefix>
Specify the size, in bits, of the network portion of the subnet address for IPv6 IKE Configuration Method clients. Range is 0 to 128.
This is available when mode-cfg-ip-version is 6 and assign-ip-type is subnet.
0
keepalive <seconds>
This field is available when nattraversal is set to enable.
Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until P1 and P2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
5
keylife <seconds>
Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
86400
local-gw <address_ipv4>
local-gw6 <address_ipv6>
Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. local-gw6 is available when ip-version is 6. local-gw is available when ip-version is 4.
If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from system interface settings (see “interface”).
0.0.0.0 for IPv4
:: for IPv6
localid <local_id>
Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client.
Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
Null
localid-type {auto | fqdn | user‑fqdn | keyid | address | asn1dn}
Select the type of localid:
auto — select type automatically
fqdn — Fully Qualified Domain Name
user-fqdn — Use User Fully Qualified Domain Name
keyid — Use Key Identifier ID
address — Use IP address ID
asn1dn — Use ASN.1 Distinguished Name ID
auto
mesh-selector-type {disable | subnet | host}
Enable dynamic selectors for IKEv1 VPNs.
disable — not enabled
subnet — install selector for address group that matches traffic packets
host — install selector for source and destination IP addresses of traffic packets
Dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.
disable
mode {aggressive | main}
Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
In aggressive mode, identifying information is exchanged in the clear. Aggressive mode is typically used when a remote peer or dialup client has a dynamic IP address. You must enable aggressive mode when the remote FortiGate unit has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).
This is available if ike-version is 1.
main
mode-cfg {enable | disable}
Enable IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides.
This is available if type is dynamic.
disable
mode-cfg-ip-version {4|6}
Select whether an IKE Configuration Method client receives an IPv4 or IPv6 IP address. This is available if mode-cfg and assign-ip are enabled.
4
monitor <phase1>
Optionally, this IPSec interface can act as a backup for another (primary) IPSec interface. Enter the name of the primary interface.
The backup interface is used only while the primary interface is out of service. dpd must be enabled.
A primary interface can have only one backup interface and cannot act as a backup for another interface.
Null.
monitor-hold-down-delay <seconds_int>
Enter the number of seconds to delay returning traffic to the primary interface from backup after the primary interface becomes stable again. Range: 0 to 31 536 000 seconds.
0
nattraversal {enable | disable}
Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
enable
negotiate-timeout <seconds_int>
Enter how long in seconds the FortiGate unit will wait for the IKE SA to be negotiated. Range: 1 to 300 seconds.
30
npu-offload {enable | disable}
Enable or disable offload of VPN session to NPU.
enable
peer <CA_certificate_name>
This field is available when authmethod is set to rsa-signature and peertype is set to peer.
Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer.
Null
peerid <peer_id>
This field is available when peertype is set to one.
Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
Null
peergrp <certificate_group_name>
This field is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp.
Null
peertype <authentication_method>
Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main. You can use this option with RSA Signature authentication, but for highest security you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid field to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp field to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer field to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp field to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
The options are available under the following conditions:
dialup is available when type is set to dynamic and authmethod is set to psk.
peer is available when authmethod is set to rsa-signature.
peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
any
priority <prio>
This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route.
Set <prio> to a value between 0 and 4 294 967 295.
0
proposal <encryption_combination>
Select a minimum of one and a maximum of 10 encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
You can choose any of the following abbreviated symmetric key encryption algorithms:
des — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3des — Triple-DES, in which plain text is encrypted three times by three keys.
aes128 — A 128-bit block algorithm that uses a 128-bit key.
aes192 — A 128-bit block algorithm that uses a 192-bit key.
aes256 — A 128-bit block algorithm that uses a 256-bit key.
aria128 — A 128-bit Korean block algorithm that uses a 128-bit key.
aria192 — A 128-bit Korean block algorithm that uses a 192-bit key.
aria256 — A 128-bit Korean block algorithm that uses a 256-bit key.
seed — A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and SEED algorithms are not available on some models.
You can select any of the following message digests to check the authenticity of messages during an encrypted session:
md5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
sha1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
sha256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
sha384 — Secure Hash Algorithm 2, which produces a 384-bit message digest.
sha512 — Secure Hash Algorithm 2, which produces a 512-bit message digest.
aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
psksecret <preshared_key>
This field is available when authmethod is set to psk.
Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
* (No default.)
remote-gw <address_ipv4>
remote-gw6 <address_ipv6>
This field is available when type is set to static.
Enter the static IP address of the remote VPN peer.
remote-gw6 is available when ip-version is 6. remote-gw is available when ip-version is 4.
0.0.0.0 for IPv4
:: for IPv6
remotegw-ddns <domain_name>
This field is available when type is set to ddns and ip-version is set to 4.
Enter the identifier of the remote peer (for example, a fully qualified domain name).
Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
Null
save-password {enable | disable}
Enable or disable client saving Xauth user name and password.
disable
send-cert-chain {enable | disable}
Enable or disable sending of the certificate chain, rather than a single certificate.
enable
split-include-service <service_group_name>
Select the service types that the client can reach through the VPN. This information is sent to the client as part of IKE Configuration Method when mode-cfg is enabled.
Null
type <remote_gw_type>
Enter the connection type of the remote gateway:
If the remote VPN peer has a static IP address, type static. Use the remote-gw field to enter the IP address.
If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns field to enter the domain name of the remote VPN peer. This option is not available if ip-version is 6.
static
unity-support {enable | disable}
Enable support for Cisco Unity IKE Configuration Method extensions in either a server or a client. This is available for IKEv1 only.
enable
usrgrp <group_name>
This field is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group, user ldap, user local, and user radius.
Null
xauthtype <XAuth_type>
Optionally configure XAuth (eXtended Authentication):
Type disable to disable XAuth.
Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd fields to add the XAuth user name and password.
Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. These options are available only when type is dynamic. Use the authusrgrp field to specify the user group containing members that will be authenticated using XAuth.
disable
xauthexpire {on-disconnect | on-rekey}
Choose when the authentication with XAUTH expires:
on-disconnect — when the tunnel closes
on-rekey — when the phase 1 encryption key expires
on-disconnect
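Several of the rules stated in this reference can be checked mechanically before a phase 1 definition is pushed to a unit: proposal and interface are mandatory, remote-gw is needed when type is static, psksecret when authmethod is psk and certificate when it is signature; dhgrp must come from the documented list; keylife must be within 120 to 172,800 seconds; dpd-retryinterval is written as seconds plus optional milliseconds and is floored at 5 seconds while the tunnel starts; and psksecret needs at least 6 printable characters, with 16 random characters recommended. The following Python script is an added example and not Fortinet code. It parses a phase1-interface block written in the syntax above, applies those rules, and in addition reports des/3des, md5/sha1 and DH groups 1, 2 and 5 as weak; that weak-algorithm policy is the example's own assumption, not something the reference states. The two tunnels in SAMPLE_CONFIG are constructed, and the pre-shared key in them is a labelled placeholder.

```python
"""Audit a FortiGate 'config vpn ipsec phase1-interface' block against the field
rules in this reference.  Added example, not Fortinet code; samples are constructed."""
import re

# Algorithm names exactly as the reference lists them for proposal and dhgrp.
ENC = {"des", "3des", "aes128", "aes192", "aes256", "aria128", "aria192", "aria256", "seed"}
MAC = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_ALLOWED = {"1", "2", "5", "14", "15", "16", "17", "18", "19", "20", "21"}
# Auditor policy (an assumption, not from the reference): 64-bit block ciphers,
# MD5/SHA-1 and MODP groups of 1536 bits or less are reported as weak.
WEAK_ENC, WEAK_MAC, WEAK_DH = {"des", "3des"}, {"md5", "sha1"}, {"1", "2", "5"}

# Constructed sample: a sound IKEv2 site-to-site tunnel and a weak dialup one.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.10
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set keylife 28800
        set dpd enable
        set dpd-retryinterval 2 500
        set authmethod psk
        set psksecret PLACEHOLDER-not-a-real-key-0123456789
    next
    edit "legacy-dialup"
        set type dynamic
        set interface "wan1"
        set proposal des-md5 3des-sha1
        set dhgrp 2 5
        set keylife 60
        set authmethod psk
        set psksecret short
    next
end
"""

def parse_phase1(text):
    """Return {tunnel_name: {field: [values]}} for the edit/next entries."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            field, *values = line[4:].split()
            tunnels[current][field] = [v.strip('"') for v in values]
    return tunnels

def audit_tunnel(cfg):
    """Findings for one tunnel: error = breaks a stated rule, warn = weak
    under the policy above, info = behaviour the reference points out."""
    first = lambda k, default: cfg.get(k, [default])[0]
    typ, auth = first("type", "static"), first("authmethod", "psk")
    required = [("proposal", True), ("interface", True),
                ("remote-gw", typ == "static" and "remote-gw6" not in cfg),
                ("psksecret", auth == "psk"), ("certificate", auth == "signature")]
    out = [f"error: {f} is required" for f, needed in required if needed and f not in cfg]
    for p in cfg.get("proposal", []):            # <enc>-<mac> pairs
        enc, _, mac = p.partition("-")
        if enc not in ENC or mac not in MAC:
            out.append(f"error: unknown proposal {p}")
        elif enc in WEAK_ENC or mac in WEAK_MAC:
            out.append(f"warn: proposal {p} uses a weak algorithm")
    for g in cfg.get("dhgrp", ["14", "5"]):      # default per the reference
        if g not in DH_ALLOWED:
            out.append(f"error: dhgrp {g} is not a supported group")
        elif g in WEAK_DH:
            out.append(f"warn: dhgrp {g} is a MODP group of 1536 bits or less")
    keylife = int(first("keylife", "86400"))
    if not 120 <= keylife <= 172800:
        out.append(f"error: keylife {keylife} outside 120-172800 seconds")
    secs, *ms = cfg.get("dpd-retryinterval", ["5"])   # '2 500' means 2.5 s
    msec = int(ms[0]) if ms else 0
    if not (1 <= int(secs) <= 60 and 0 <= msec <= 999):
        out.append("error: dpd-retryinterval outside 1-60 s / 0-999 ms")
    elif int(secs) + msec / 1000 < 5:
        out.append(f"info: dpd-retryinterval {int(secs) + msec / 1000} s; "
                   "5 s applies while the tunnel is starting or has failed")
    key = " ".join(cfg.get("psksecret", []))
    if key and (len(key) < 6 or not key.isprintable()):
        out.append("error: psksecret needs at least 6 printable characters")
    elif key and len(key) < 16:
        out.append("warn: psksecret shorter than the recommended 16 characters")
    return out

def audit(text):
    """Audit every tunnel in a phase1-interface block: {name: findings}."""
    return {name: audit_tunnel(cfg) for name, cfg in parse_phase1(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, *(findings or ["clean"]), sep="\n  ")
```

Run against SAMPLE_CONFIG, the hq-to-branch tunnel produces only the informational note about its 2.5 second DPD interval, while legacy-dialup is reported for its two weak proposals, two weak DH groups, out-of-range keylife and too-short pre-shared key. Feeding the script a block exported with show vpn ipsec phase1-interface turns the table above into a repeatable pre-deployment check.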
config ipv4-exclude-range and config ipv6-exclude-range Variables
This subcommand is available only when mode-cfg is enabled.
start-ip <ipaddr>
Enter the start of the exclude range.
No default.
end-ip <ipaddr>
Enter the end of the exclude range.
No default.