vpn : ipsec phase2-interface
 
ipsec phase2-interface
Use this command to add a phase 2 configuration for a route-based (interface mode) IPSec tunnel or edit an existing interface-mode phase 2 configuration. This command is available only in NAT/Route mode.
Syntax
config vpn ipsec phase2-interface
edit <tunnel_name>
set auto-negotiate {enable | disable}
set dhcp-ipsec {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set dst-addr-type <type>
set dst-end-ip <address_ipv4>
set dst-end-ip6 <address_ipv6>
set dst-name <address_name>
set dst-port <dest_port_number>
set dst-start-ip <address_ipv4>
set dst-start-ip6 <address_ipv6>
set dst-subnet <address_ipv4mask>
set dst-subnet6 <address_ipv6mask>
set encapsulation {tunnel-mode | transport-mode}
set keepalive {enable | disable}
set keylife-type <keylife_type>
set keylifekbs <kb_integer>
set keylifeseconds <seconds>
set l2tp {enable | disable}
set pfs {enable | disable}
set phase1name <gateway_name>
set proposal <encrypt_digest>
set protocol <protocol_integer>
set replay {disable | enable}
set route-overlap {overlap_option}
set single-source {disable | enable}
set src-addr-type <ip_source_name>
set src-end-ip <address_ipv4>
set src-end-ip6 <address_ipv6>
set src-name <address_name>
set src-port <src_port_number>
set src-start-ip <address_ipv4>
set src-start-ip6 <address_ipv6>
set src-subnet <address_ipv4mask>
set src-subnet6 <address_ipv6mask>
end
The phase1name field is required. All other fields are optional.
Variable
Description
Default
edit <tunnel_name>
Enter a name for the phase 2 tunnel configuration.
No default.
auto-negotiate {enable | disable}
Enable to negotiate the phase 2 security association (SA) automatically, even if there is no traffic. This repeats every five seconds until it succeeds.
You can use this option on a dialup peer to ensure that the tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the dialup peer initiates traffic.
disable
dhcp-ipsec {enable | disable}
This field is available when phase1name names a dialup gateway configuration.
This field is not available if phase1name names a configuration that enables mode-cfg.
Enable dhcp-ipsec if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the peertype to dialup and specify the usrgrp in vpn ipsec phase1.
For information about how to configure a DHCP server on a FortiGate interface, see system dhcp server. For information about FortiGate DHCP relay, see system interface.
If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, enable dhcp-ipsec to cause the FortiGate unit to act as a proxy for the dialup clients.
disable
dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
Enter the Diffie-Hellman groups to propose, in order of preference and separated by spaces. Both VPN peers must use the same DH group.
14 5
dst-addr-type <type>
Enter the type of destination address that corresponds to the recipient(s) or network behind the remote VPN peer or FortiGate dialup client:
To specify the IPv4 IP address of a server or host, type ip. Enter the IP address using the dst-start-ip field.
To specify the IPv6 IP address of a server or host, type ip6. Enter the IP address using the dst-start-ip6 field.
To specify a range of IPv4 IP addresses, type range. Enter the starting and ending addresses using the dst-start-ip and dst-end-ip fields.
To specify a range of IPv6 IP addresses, type range6. Enter the starting and ending addresses using the dst-start-ip6 and dst-end-ip6 fields.
To specify an IPv4 network address, type subnet. Enter the network address using the dst-subnet field.
To specify an IPv6 network address, type subnet6. Enter the network address using the dst-subnet6 field.
To specify an address defined in a firewall address or address group, type name. Enter the address name using the dst-name field. You must also select the name option for src-addr-type. This is available only for IPv4 addresses.
You should not use this option if ike-version is 1. IKEv1 does not support the use of multiple addresses in selectors. Instead, use the default 0.0.0.0/0 subnet selector and rely on the firewall policy to limit destination addresses.
This field is not available if phase1name names a configuration that enables mode-cfg.
subnet
dst-end-ip <address_ipv4>
This field is available when dst-addr-type is set to range. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the highest destination IP address in the range of IP addresses.
0.0.0.0
dst-end-ip6 <address_ipv6>
This field is available when dst-addr-type is set to range6. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the highest destination IP address in the range of IP addresses.
::
dst-name <address_name>
This field is available when dst-addr-type is set to name. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the firewall address or address group name.
No default.
dst-port <dest_port_number>
Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport traffic related to the specified service (see protocol). The range is 1 to 65535. To specify all ports, type 0.
This field is not available if phase1name names a configuration that enables mode-cfg.
0
dst-start-ip <address_ipv4>
This field is available when dst-addr-type is set to range. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the lowest destination IP address in the range of IP addresses.
0.0.0.0
dst-start-ip6 <address_ipv6>
This field is available when dst-addr-type is set to range6. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the lowest destination IP address in the range of IP addresses.
::
dst-subnet <address_ipv4mask>
Enter the IPv4 IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
This field is not available if phase1name names a configuration that enables mode-cfg.
0.0.0.0 0.0.0.0
dst-subnet6 <address_ipv6mask>
Enter the IPv6 IP address and network mask that identifies the private network behind the remote VPN peer or FortiGate dialup client.
This field is not available if phase1name names a configuration that enables mode-cfg.
::/0
encapsulation {tunnel-mode | transport-mode}
Select encapsulation:
tunnel-mode — Encrypt both payload data and headers.
transport-mode — Encrypt only the payload data. This is used when combining IPsec with another encapsulation, such as GRE.
tunnel-mode
keepalive {enable | disable}
Enable to automatically negotiate a new phase 2 security association (SA) before the current SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
disable
keylife-type <keylife_type>
Set when the phase 2 key expires. When the key expires, a new key is generated without interrupting service.
To make the key expire after a period of time has expired and after an amount of data is transmitted, type both.
To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs field to set the amount of data that is transmitted.
To make the key expire after a number of seconds elapses, type seconds. Use the keylifeseconds field to set the amount of time that elapses.
seconds
keylifekbs <kb_integer>
This field is available when keylife-type is set to kbs or both.
Set the number of KBits of data to transmit before the phase 2 key expires. The range is 5120 to 4 294 967 295 KBits.
5120
keylifeseconds <seconds>
This field is available when keylife-type is set to seconds or both.
Set the number of seconds to elapse before the phase 2 key expires. The range is 120 to 172800 seconds.
43200
l2tp {enable | disable}
Enable L2TP traffic through this VPN. This is available if encapsulation is transport-mode and the phase 1 type is dynamic.
disable
pfs {enable | disable}
Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during Phase 2. PFS may cause minor delays during key generation.
enable
phase1name <gateway_name>
Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the FortiGate configuration before it can be cross-referenced.
Null.
proposal <encrypt_digest>
Enter a minimum of one and a maximum of 10 encryption-message digest combinations (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
You can enter any encryption-message digest combination except null-null.
Here is an explanation of the abbreviated encryption algorithms:
null — Do not use an encryption algorithm.
des — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3des — Triple-DES, which encrypts data three times by three keys.
aes128 — A 128-bit block algorithm that uses a 128-bit key.
aes192 — A 128-bit block algorithm that uses a 192-bit key.
aes256 — A 128-bit block algorithm that uses a 256-bit key.
aria128 — A 128-bit Korean block algorithm that uses a 128-bit key.
aria192 — A 128-bit Korean block algorithm that uses a 192-bit key.
aria256 — A 128-bit Korean block algorithm that uses a 256-bit key.
seed — A 128-bit Korean block algorithm that uses a 128-bit key.
The ARIA and seed algorithms are not available on some models.
You can enter any of the following message digests to check the authenticity of messages during an encrypted session:
null — Do not use a message digest.
md5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
sha1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
sha256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
protocol <protocol_integer>
This field is available when selector is set to specify.
Enter the IP protocol number for the service. The range is 1 to 255. To specify all services, type 0.
0
replay {disable | enable}
Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before. If packets arrive out of sequence, the FortiGate unit discards them.
You can configure the FortiGate unit to send an alert email when it detects a replay packet.
enable
route-overlap {overlap_option}
Specify how the FortiGate unit handles multiple dialup users with the same IP source address. Set overlap_option to one of the following:
allow — allow overlapping routes
use-new — delete the old route and add the new route
use-old — use the old route and do not add the new route
use-new
single-source {disable | enable}
Enable to allow all FortiClient dialup clients to connect using the same phase 2 tunnel definition.
disable
src-addr-type <ip_source_name>
If the FortiGate unit is a dialup server, enter the type of source address that corresponds to the local sender(s) or network behind the FortiGate dialup server:
To specify the IPv4 IP address of a server or host, type ip. Enter the IP address using the src-start-ip field.
To specify the IPv6 IP address of a server or host, type ip6. Enter the IP address using the src-start-ip6 field.
To specify a range of IPv4 IP addresses, type range. Enter the starting and ending addresses using the src-start-ip and src-end-ip fields.
To specify a range of IPv6 IP addresses, type range6. Enter the starting and ending addresses using the src-start-ip6 and src-end-ip6 fields.
To specify an IPv4 network address, type subnet. Enter the network address using the src-subnet field.
To specify an IPv6 network address, type subnet6. Enter the network address using the src-subnet6 field.
To specify an address defined in a firewall address or address group, type name. Enter the address name using the src-name field. You must also select the name option for dst-addr-type. This is available only for IPv4 addresses.
You should not use this option if ike-version is 1. IKEv1 does not support the use of multiple addresses in selectors. Instead, use the default 0.0.0.0/0 subnet selector and rely on the firewall policy to limit source addresses.
If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or private network behind the FortiGate dialup client.
This field is not available if phase1name names a configuration that enables mode-cfg.
subnet
src-end-ip <address_ipv4>
This field is available when src-addr-type is set to range. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the highest source IP address in the range of IP addresses.
0.0.0.0
src-end-ip6 <address_ipv6>
This field is available when src-addr-type is set to range6. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the highest source IP address in the range of IP addresses.
::
src-name <address_name>
This field is available when src-addr-type is set to name. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the firewall address or address group name.
No default.
src-port <src_port_number>
If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server uses to transport traffic related to the specified service (see protocol). If the FortiGate unit is a dialup client, enter the port number that the FortiGate dialup client uses to transport traffic related to the specified service. The src-port range is 1 to 65535. To specify all ports, type 0.
This field is not available if phase1name names a configuration that enables mode-cfg.
0
src-start-ip <address_ipv4>
This field is available when src-addr-type is set to range. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the lowest source IP address in the range of IP addresses.
0.0.0.0
src-start-ip6 <address_ipv6>
This field is available when src-addr-type is set to range6. This field is not available if phase1name names a configuration that enables mode-cfg.
Enter the lowest source IP address in the range of IP addresses.
::
src-subnet <address_ipv4mask>
If the FortiGate unit is a dialup server, enter the IPv4 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
This field is not available if phase1name names a configuration that enables mode-cfg.
0.0.0.0 0.0.0.0
src-subnet6 <address_ipv6mask>
If the FortiGate unit is a dialup server, enter the IPv6 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
This field is not available if phase1name names a configuration that enables mode-cfg.
::/0
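As an added example (not from the Fortinet documentation or from FortiOS itself), the following Python script parses a phase2-interface block in the syntax shown above and flags choices a reviewer would usually question: proposals that use null, des, 3des or md5, pfs or replay set to disable, and DH groups 1, 2 or 5 (note that the documented dhgrp default of 14 5 includes group 5, so an entry that never sets dhgrp is flagged too). The configuration text, the tunnel names and the weak-choice classification are constructed for this example.

```python
import re

# Constructed sample (not from the page): one hardened and one weak phase 2 entry.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set pfs enable
        set replay enable
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "legacy-p2"
        set phase1name "legacy"
        set proposal 3des-md5 des-sha1
        set dhgrp 5 2
        set pfs disable
        set replay disable
    next
end
"""
# Which choices count as weak is this example's assumption, drawn from the algorithm list above.
WEAK_ENC, WEAK_DIGEST, WEAK_DHGRP = {"null", "des", "3des"}, {"null", "md5"}, {"1", "2", "5"}

def parse_phase2(text):
    """Return {tunnel_name: {field: value}} for each edit block in the config text."""
    tunnels, current = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "?([^"]+?)"?$', line):
            current = tunnels.setdefault(m.group(1), {})
        elif m := re.match(r"set (\S+) (.+)$", line):
            current[m.group(1)] = m.group(2).strip('"')
    return tunnels

def audit(fields):
    """Findings for one tunnel; unset fields take the defaults documented in the table."""
    findings = []
    for combo in fields.get("proposal", "").split():
        enc, _, digest = combo.partition("-")
        if enc in WEAK_ENC or digest in WEAK_DIGEST:
            findings.append("weak proposal " + combo)
    for flag in ("pfs", "replay"):  # both default to enable per the table above
        if fields.get(flag, "enable") == "disable":
            findings.append(flag + " disabled")
    if weak := WEAK_DHGRP & set(fields.get("dhgrp", "14 5").split()):
        findings.append("weak dhgrp " + " ".join(sorted(weak)))
    return findings

def audit_config(text):
    return {name: audit(f) for name, f in parse_phase2(text).items()}
```

Running audit_config(SAMPLE_CONFIG) returns an empty finding list for to-branch-p2 and five findings for legacy-p2; audit({}) shows what the documented defaults alone yield.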