Example – Fortinet 100A User Manual
Page 270
01-28007-0068-20041203
Fortinet Inc.
ipsec phase1
VPN
Example
Use the following command to edit an IPSec VPN phase 1 configuration with the
following characteristics:
• Phase 1 configuration name: Simple_GW
• Remote peer address type: Dynamic
• Encryption and authentication proposal: des-md5
• Authentication method: psk
• Pre-shared key: Qf2p3O93jIj2bz7E
• Mode: aggressive
• Dead Peer Detection: enable
• Long idle: 1000
• Short idle: 150
• Retry count: 5
• Retry interval: 30
config vpn ipsec phase1
    edit Simple_GW
        set type dynamic
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7E
        set mode aggressive
        set dpd enable
        set dpd-idlecleanup 1000
        set dpd-idleworry 150
        set dpd-retrycount 5
        set dpd-retryinterval 30
end
ipsec phase1 command keywords and variables (Continued)

| Keywords and variables | Description | Default | Availability |
|---|---|---|---|
| dpd-retrycount | The DPD retry count when dpd is set to enable. Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10. To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network. | 3 | All models. dpd must be set to enable. |
| dpd-retryinterval | The DPD retry interval when dpd is set to enable. Set the time, in seconds, that the local VPN peer waits between sending DPD probes. The dpd-retryinterval range is 1 to 60. | 5 seconds | All models. dpd must be set to enable. |
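The following Python audit is an added example, not part of the Fortinet manual. It parses a phase 1 block like the one on this page, flags the des-md5 proposal and the aggressive mode plus pre-shared key combination, checks the DPD values against the ranges in the table, and estimates how long probing lasts before the SA is torn down. The function names, the finding texts and the retry count times retry interval estimate are assumptions of this example.

```python
# Constructed sample: the phase 1 block from this page, DPD idle timers omitted.
SAMPLE = """\
config vpn ipsec phase1
    edit Simple_GW
        set type dynamic
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7E
        set mode aggressive
        set dpd enable
        set dpd-retrycount 5
        set dpd-retryinterval 30
end
"""

# (low, high, default) as stated in the keyword table on this page.
LIMITS = {"dpd-retrycount": (0, 10, 3), "dpd-retryinterval": (1, 60, 5)}

def parse_phase1(text):
    """Return {gateway_name: {keyword: value}} for each `edit` entry."""
    gateways, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = gateways.setdefault(tokens[1], {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1].lower()] = " ".join(tokens[2:])
    return gateways

def audit(settings):
    """Return (findings, seconds of probing before DPD tears down the SA)."""
    findings = []
    for proposal in settings.get("proposal", "").split():
        enc, _, auth = proposal.partition("-")
        if enc == "des":
            findings.append(f"{proposal}: DES uses a 56-bit key")
        if auth == "md5":
            findings.append(f"{proposal}: MD5 is deprecated")
    if (settings.get("mode"), settings.get("authmethod")) == ("aggressive", "psk"):
        findings.append("aggressive+psk: handshake hash allows offline PSK guessing")
    dpd = {}
    for key, (low, high, default) in LIMITS.items():
        dpd[key] = int(settings.get(key, default))
        if not low <= dpd[key] <= high:
            findings.append(f"{key}={dpd[key]} outside {low}-{high}")
    if settings.get("dpd") != "enable":
        return findings, None
    # Assumption: probes are spaced one retry interval apart.
    return findings, dpd["dpd-retrycount"] * dpd["dpd-retryinterval"]
```

For the Simple_GW entry, `audit(parse_phase1(SAMPLE)["Simple_GW"])` returns three findings and an estimated 150 seconds of probing before teardown.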