What’s new in FortiOS Version 4.0 MR1 Auto-configuration of IPsec VPNs
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
IPsec Phase 2 configuration for IKE Configuration Method
There are several changes to the phase2-interface configuration when IKE Configuration Method is configured in the corresponding phase1-interface configuration.

The dhcp-ipsec keyword is not available if the corresponding phase1-interface has mode-cfg enabled. IKE Configuration Method is an alternative to DHCP over IPsec.

The keywords beginning with “src-” and “dst-” are not available if the corresponding phase1-interface configuration has mode-cfg enabled and type is set to static or ddns. This is the configuration for an IKE Configuration Method client, which receives information about destination subnets from the server and thus must not specify any traffic selectors itself.
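An offline check for the two restrictions above, added here as an example (it is not Fortinet code): it parses FortiOS-style config/edit/set text and reports phase 2 keywords that the guide lists as unavailable for the linked phase 1. The sample configuration is constructed, and the phase1name, src-subnet and dst-subnet keywords and the static default for type are assumptions not stated on this page.

```python
import shlex

def parse(text):
    """Map each top-level table to {entry name: {keyword: value}}."""
    tables, depth, entries, entry = {}, 0, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        depth += {"config": 1, "end": -1}.get(tok[0], 0)
        if tok[0] == "config" and depth == 1:
            entry = entries = tables.setdefault(" ".join(tok[1:]), {})
        elif depth == 1 and tok[0] == "edit":
            entry = entries.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set":  # depth > 1 is a nested table, ignored
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text):
    """Return (phase2 entry, keyword) pairs the guide lists as unavailable."""
    t, findings = parse(text), []
    for name, p2 in t.get("vpn ipsec phase2-interface", {}).items():
        p1 = t.get("vpn ipsec phase1-interface", {}).get(p2.get("phase1name"), {})
        client = p1.get("type", "static") in ("static", "ddns")  # assumed default: static
        bad = ("dhcp-ipsec",) + (("src-", "dst-") if client else ())
        if p1.get("mode-cfg") == "enable":
            findings += [(name, kw) for kw in p2 if kw.startswith(bad)]
    return findings

# Constructed sample: a mode-cfg server (type dynamic) and a mode-cfg client.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "hq-server"
        set type dynamic
        set mode-cfg enable
    next
    edit "branch-client"
        set mode-cfg enable
    next
end
config vpn ipsec phase2-interface
    edit "hq-p2"
        set phase1name "hq-server"
        set src-subnet 10.0.0.0 255.0.0.0
    next
    edit "branch-p2"
        set phase1name "branch-client"
        set dhcp-ipsec enable
        set dst-subnet 192.168.5.0 255.255.255.0
    next
end
"""
```

Calling audit(SAMPLE) flags only the client-side entry: the server-side traffic selector on hq-p2 is left alone because its phase 1 has type dynamic.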
| Variable | Description | Default |
|---|---|---|
| ipv4-dns-server1, ipv6-dns-server1, ipv4-dns-server2, ipv6-dns-server2, ipv4-dns-server3, ipv6-dns-server3 | Enter DNS server addresses to provide to IKE Configuration Method clients. If the value is 0.0.0.0, no DNS server address is provided. Either the IPv4 or IPv6 version of these keywords is available, depending on mode-cfg-ip-version. | 0.0.0.0, :: |
| ipv4-end-ip <ip4addr>, ipv6-end-ip <ip6addr> | Set end of IP address range to assign to IKE Configuration Method clients. This is available when mode-cfg is enabled, type is dynamic, and assign-ip-from is range. Either the IPv4 or IPv6 version of this keyword is available, depending on mode-cfg-ip-version. | No default. |
| ipv4-netmask <ip4mask> | Set the netmask value to pass to IKE Configuration Method clients. | No default. |
| ipv4-split-include <address_name> | Select the address or address group that the client can reach through the VPN. This information is sent to the client as part of IKE Configuration Method. | Null. |
| ipv4-start-ip <ip4addr>, ipv6-start-ip <ip6addr> | Set start of IP address range to assign to IKE Configuration Method clients. This is available when mode-cfg is enabled, type is dynamic, and assign-ip-from is range. Either the IPv4 or IPv6 version of this keyword is available, depending on mode-cfg-ip-version. | No default. |
| ipv4-wins-server1, ipv4-wins-server2 | Enter WINS server addresses to provide to IKE Configuration Method clients. If the value is 0.0.0.0, no WINS server address is provided. | 0.0.0.0 |
| ipv6-prefix <ip6prefix> | Specify the size, in bits, of the network portion of the subnet address for IPv6 IKE Configuration Method clients. Range is 0 to 128. This is available when mode-cfg-ip-version is 6 and assign-ip-type is subnet. | 0 |
| unity-support {enable \| disable} | Enable support for Cisco Unity IKE Configuration Method extensions in either a server or a client. | enable |

config ipv4-exclude-range and config ipv6-exclude-range Variables

| Variable | Description | Default |
|---|---|---|
| start-ip <ipaddr> | Enter the start of the exclude range. | No default. |
| end-ip <ipaddr> | Enter the end of the exclude range. | No default. |