ipsec phase2
Use this command to add or edit an IPSec tunnel-mode phase 2 configuration. The FortiGate unit uses the tunnel-mode phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote VPN peer (the VPN gateway or client).
The phase 2 configuration consists of a name for the VPN tunnel, the name of an existing phase 1 configuration, the proposal settings (encryption and authentication algorithms) and DH group used for phase 2. For phase 2 to be successful, the FortiGate unit and the remote VPN peer must be configured with compatible proposal settings.
Syntax
config vpn ipsec phase2
edit <tunnel_name>
set add-route {enable | disable}
set auto-negotiate {enable | disable}
set dhcp-ipsec {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set dst-addr-type <type>
set dst-end-ip <address_ipv4>
set dst-name <address_name>
set dst-port <dest_port_number>
set dst-start-ip <address_ipv4>
set dst-subnet <address_ipv4mask>
set encapsulation {tunnel-mode | transport-mode}
set keepalive {enable | disable}
set keylife-type <keylife_type>
set keylifekbs <kb_integer>
set keylifeseconds <seconds>
set l2tp {enable | disable}
set pfs {enable | disable}
set phase1name <gateway_name>
set proposal <encrypt_digest>
set protocol <protocol_integer>
set replay {enable | disable}
set route-overlap {overlap_option}
set selector-match <match_type>
set single-source {enable | disable}
set src-addr-type <ip_source_name>
set src-end-ip <address_ipv4>
set src-name <address_name>
set src-port <src_port_number>
set src-start-ip <address_ipv4>
set src-subnet <address_ipv4mask>
set use-natip {enable | disable}
end
The phase1name field is required. All other fields are optional.
Variable
Description
Default
edit <tunnel_name>
Enter a name for the tunnel.
No default.
add-route {enable | disable}
Enable only if you are running a dynamic routing protocol (RIP, OSPF, or BGP) and want the routes to be propagated to routing peers.
disable
auto-negotiate {enable | disable}
Enable to negotiate the phase 2 security association (SA) automatically, even if there is no traffic. This repeats every five seconds until it succeeds.
You can use this option on a dialup peer to ensure that the tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the dialup peer initiates traffic.
disable
dhcp-ipsec {enable | disable}
This field is available when phase1name names a dialup gateway configuration.
Enable dhcp-ipsec if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the peertype to dialup and specify the usrgrp in vpn ipsec phase1.
For information about how to configure a DHCP server on a FortiGate interface, see system dhcp server. For information about FortiGate DHCP relay, see system interface.
If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, enable dhcp-ipsec to cause the FortiGate unit to act as a proxy for the dialup clients.
disable
dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
Enter the Diffie-Hellman groups to propose, in order of preference, separated by spaces. The peers must agree on one group, so at least one group in this list must also be configured on the remote peer. Groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP groups and are too small for new deployments; groups 14 to 18 are 2048- to 8192-bit MODP groups and 19 to 21 are 256-, 384- and 521-bit elliptic-curve groups. Note that the default list still offers group 5.
14 5
dst-addr-type <type>
Enter the type of destination address that corresponds to the recipient(s) or network behind the remote VPN peer or FortiGate dialup client:
To specify the IP address of a server or host, type ip. Enter the IP address using the dst-start-ip field.
To specify a range of IP addresses, type range. Enter the starting and ending addresses using the dst-start-ip, and dst-end-ip fields.
To specify a network address, type subnet. Enter the network address using the dst-subnet field.
To specify a firewall address or address group, type name. Enter the address or address group name using the dst-name field. You must also select the name option for src-addr-type.
You should not use this option if ike-version is 1. IKEv1 does not support the use of multiple addresses in selectors. Instead, use the default 0.0.0.0/0 subnet selector and rely on the firewall policy to limit destination addresses.
subnet
dst-end-ip <address_ipv4>
This field is available when dst-addr-type is set to range. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the highest destination IP address in the range of IP addresses.
0.0.0.0
dst-name <address_name>
This field is available when dst-addr-type is set to name. Enter the name of a firewall address or address group.
No default.
dst-port <dest_port_number>
Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport traffic related to the specified service (see protocol). The range is 1 to 65535. To specify all ports, type 0.
0
dst-start-ip <address_ipv4>
This field is available when dst-addr-type is set to range.
Enter the lowest destination IP address in the range of IP addresses.
0.0.0.0
dst-subnet <address_ipv4mask>
Enter the IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
0.0.0.0 0.0.0.0
encapsulation {tunnel-mode | transport-mode}
Select encapsulation:
tunnel-mode — Encrypt the entire original IP packet, header included, and carry it inside a new outer IP header.
transport-mode — Encrypt only the payload and keep the original IP header. This is used when combining IPsec with another encapsulation, such as L2TP.
tunnel-mode
keepalive {enable | disable}
Enable to automatically negotiate a new phase 2 security association (SA) before the current SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
disable
keylife-type <keylife_type>
Set when the phase 2 key expires. When the key expires, a new key is generated without interrupting service.
To make the key expire after a period of time has expired and after an amount of data is transmitted, type both.
To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs field to set the amount of data that is transmitted.
To make the key expire after a number of seconds elapses, type seconds. Use the keylifeseconds field to set the amount of time that elapses.
seconds
keylifekbs <kb_integer>
This field is available when keylife-type is set to kbs or both.
Set the number of kilobytes of data to transmit before the phase 2 key expires. The range is 5120 to 4294967295 kilobytes.
5120
keylifeseconds <seconds>
This field is available when keylife-type is set to seconds or both.
Set the number of seconds to elapse before the phase 2 key expires. seconds can be 120 to 172800 seconds.
43200
l2tp {enable | disable}
Enable L2TP traffic through this VPN. This is available if encapsulation is transport-mode and the phase 1 type is dynamic.
disable
pfs {enable | disable}
Optionally, enable or disable perfect forward secrecy (PFS). With PFS enabled, each phase 2 SA is keyed with a fresh Diffie-Hellman exchange (using the groups in dhgrp), so the phase 2 keys are not derived from the phase 1 keying material and are unrelated to the keys of other phase 2 SAs; compromise of one key does not expose the others. PFS may cause minor delays during key generation. A PFS mismatch between the two peers is a common cause of phase 2 negotiation failure.
enable
phase1name <gateway_name>
Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the FortiGate configuration before it can be cross-referenced.
Null
proposal <encrypt_digest>
Enter a minimum of one and a maximum of 10 encryption-message digest combinations (for example, aes256-sha256). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
You can enter any encryption-message digest combination except null-null.
Here is an explanation of the abbreviated encryption algorithms:
null — Do not use an encryption algorithm.
des — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3des — Triple-DES, in which plain text is encrypted three times by three keys.
aes128 — A 128-bit block algorithm that uses a 128-bit key.
aes192 — A 128-bit block algorithm that uses a 192-bit key.
aes256 — A 128-bit block algorithm that uses a 256-bit key.
aria128 — A 128-bit Korean block algorithm that uses a 128-bit key.
aria192 — A 128-bit Korean block algorithm that uses a 192-bit key.
aria256 — A 128-bit Korean block algorithm that uses a 256-bit key.
seed — A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and seed algorithms are not available on some models.
You can enter any of the following message digests to check the authenticity of messages during an encrypted session:
null — Do not use a message digest.
md5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
sha1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
sha256 — SHA-256, a member of the Secure Hash Algorithm 2 family, which produces a 256-bit message digest.
des (56-bit key), 3des (64-bit block size), md5 and null provide little or no protection by current standards. Because the peer may select any combination in the list, include only the combinations you are willing to accept; note that the default list still offers 3des-sha1 and 3des-sha256.
aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
protocol <protocol_integer>
This field is available when selector is set to specify.
Enter the IP protocol number for the service. The range is 1 to 255. To specify all services, type 0.
0
replay {enable | disable}
Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. With replay detection enabled, the FortiGate unit checks the sequence number of every IPsec packet and discards packets whose sequence number has already been received or that fall outside the anti-replay window.
You can configure the FortiGate unit to send an alert email when it detects a replay packet.
enable
route-overlap {overlap_option}
Specify how the FortiGate unit handles multiple dialup users with the same IP source address. Set overlap_option to one of the following:
allow — allow overlapping routes
use-new — delete the old route and add the new route
use-old — use the old route and do not add the new route
use-new
selector-match <match_type>
The peer's IPSec selectors are compared to the FortiGate phase 2 selectors, which are any of src-start-ip / src-end-ip, src-subnet, dst-subnet, dst-start-ip / dst-end-ip. The match_type value can be one of:
exact — peer’s selector must match exactly
subset — peer’s selector can be a subset of this selector
auto — use exact or subset match as needed (default)
Note: This field is configured automatically when upgrading a FortiOS version 2.80 VPN to version 3.0. You should not set this field when configuring a new VPN.
This field does not apply to IKEv2 connections.
auto
single-source {enable | disable}
Enable if src-addr-type is name and hosts on the internal network will initiate communication sessions with remote dialup clients.
disable
src-addr-type <ip_source_name>
If the FortiGate unit is a dialup server, enter the type of source address that corresponds to the local sender(s) or network behind the FortiGate dialup server:
To specify the IP address of a server or host, type ip. Enter the IP address using the src-start-ip field.
To specify a range of IP addresses, type range. Enter the starting and ending addresses using the src-start-ip and src-end-ip fields.
To specify a network address, type subnet. Enter the network address using the src-subnet field.
To specify a firewall address or address group, type name. Enter the address or address group name using the src-name field. You must also select the name option for dst-addr-type.
You should not use this option if ike-version is 1. IKEv1 does not support the use of multiple addresses in selectors. Instead, use the default 0.0.0.0/0 subnet selector and rely on the firewall policy to limit source addresses.
If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or private network behind the FortiGate dialup client.
subnet
src-end-ip <address_ipv4>
This field is available when src-addr-type is set to range.
Enter the highest source IP address in the range of IP addresses.
0.0.0.0
src-name <address_name>
This field is available when src-addr-type is set to name. Enter the name of a firewall address or address group.
No default.
src-port <src_port_number>
If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server uses to transport traffic related to the specified service (see protocol). If the FortiGate unit is a dialup client, enter the port number that the FortiGate dialup client uses to transport traffic related to the specified service. The src-port range is 1 to 65535. To specify all ports, type 0.
0
src-start-ip <address_ipv4>
This field is available when src-addr-type is set to range.
Enter the lowest source IP address in the range of IP addresses.
0.0.0.0
src-subnet <address_ipv4mask>
If the FortiGate unit is a dialup server, enter the IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
0.0.0.0 0.0.0.0
use-natip {enable | disable}
By default, when outbound NAT is used, the FortiGate unit public interface IP address is the source selector. If you disable use-natip, the source selector is as specified in src-start-ip / src-end-ip or src-subnet.
Note: This field is configured automatically when upgrading a FortiOS version 2.80 VPN to version 3.0. You should not set this field when configuring a new VPN.
enable
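The proposal, dhgrp, pfs and replay fields above each carry a negotiation or hardening point that is easy to get wrong, and the defaults listed in this table still offer DH group 5 and 3DES. The following Python script is an added example written for this page, not Fortinet code. It parses a `config vpn ipsec phase2` block in the shape shown under Syntax (also accepting the `next` keyword that saved configurations contain), fills in the defaults from the table, audits each tunnel against a hardening policy that is this example's own assumption (the sets of rejected algorithms and groups are not FortiOS settings), and models which proposal and group two peers would agree on. The tunnel names `branch_default` and `branch_hardened`, the phase1name `branch_gw` and the subnets in the sample configuration are constructed.

```python
"""Audit FortiOS `config vpn ipsec phase2` entries for weak settings.
Added example for this reference page, not Fortinet code. It understands only
the config/edit/set/next/end shape shown under Syntax, and the defaults it
fills in are the ones listed in the table on this page."""
import shlex

# Defaults from the reference table for the fields audited below.
PHASE2_DEFAULTS = {
    "dhgrp": "14 5",
    "proposal": ("aes128-sha1 aes256-sha1 3des-sha1 "
                 "aes128-sha256 aes256-sha256 3des-sha256"),
    "pfs": "enable",
    "replay": "enable",
}

# Audit policy (an assumption of this example, not a FortiOS setting):
# MODP groups 1, 2 and 5 (768-, 1024- and 1536-bit) and the des, 3des, md5
# and null algorithms are rejected. HMAC-SHA1 is tolerated as a legacy
# choice; add "sha1" to WEAK_DIGESTS if your policy requires SHA-2.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_CIPHERS = {"null", "des", "3des"}
WEAK_DIGESTS = {"null", "md5"}


def parse_phase2(text):
    """Return {tunnel_name: {field: value}} for each `edit` entry inside a
    `config vpn ipsec phase2` block; `set dhgrp 14 5` is kept as "14 5"."""
    tunnels, current, in_block = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles edit "quoted name"
        if not tokens:
            continue
        if tokens[:4] == ["config", "vpn", "ipsec", "phase2"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            tunnels[current] = dict(PHASE2_DEFAULTS)  # start from page defaults
        elif tokens[0] == "set" and current and len(tokens) >= 3:
            tunnels[current][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block, current = False, None
    return tunnels


def audit_phase2(settings):
    """Return a list of findings for one tunnel; an empty list means clean."""
    findings = []
    weak = sorted(set(settings["dhgrp"].split()) & WEAK_DH_GROUPS, key=int)
    if weak:
        findings.append("dhgrp offers weak group(s): " + " ".join(weak))
    for combo in settings["proposal"].split():
        cipher, _, digest = combo.partition("-")
        if cipher in WEAK_CIPHERS or digest in WEAK_DIGESTS:
            findings.append("proposal includes weak combination: " + combo)
    if settings["pfs"] != "enable":
        findings.append("pfs disabled: no fresh DH exchange per phase 2 SA")
    if settings["replay"] != "enable":
        findings.append("replay detection disabled")
    return findings


def negotiate(local, remote):
    """Model the phase 2 agreement between two peers: the first proposal and
    DH group in the local preference order that the remote also lists, or None
    when either set has no overlap (phase 2 cannot come up). Which overlapping
    entry a real responder picks is implementation-dependent."""
    remote_props = set(remote["proposal"].split())
    remote_groups = set(remote["dhgrp"].split())
    prop = next((p for p in local["proposal"].split() if p in remote_props), None)
    grp = next((g for g in local["dhgrp"].split() if g in remote_groups), None)
    return (prop, grp) if prop and grp else None


# Constructed sample: one tunnel left at this page's defaults, one with the
# proposal and DH lists pruned. Names and subnets are made up for the example.
SAMPLE_CONFIG = """
config vpn ipsec phase2
    edit "branch_default"
        set phase1name "branch_gw"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "branch_hardened"
        set phase1name "branch_gw"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 19 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
"""

if __name__ == "__main__":
    tunnels = parse_phase2(SAMPLE_CONFIG)
    for name, settings in tunnels.items():
        findings = audit_phase2(settings)
        print(name + ":", "clean" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print("agreement:", negotiate(tunnels["branch_default"], tunnels["branch_hardened"]))
```

Run directly, the script flags `branch_default` for DH group 5 and the two 3des combinations inherited from the defaults, reports `branch_hardened` as clean, and shows that the two would still negotiate aes128-sha256 with group 14 because those remain in both lists. The negotiate model is a compatibility check in the local preference order, not a prediction of what a particular responder will choose.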