Cli Configuration; Ipsec Phase1 - Fortinet FortiGate FortiGate-500 Administration Manual

Fortinet fortigate fortigate-500: user guide

VPN

CLI configuration

ipsec phase1

FortiGate-500 Administration Guide
To enable access for a specific certificate holder or a group of certificate holders

Use this procedure to enhance access security if you are using digital certificates to authenticate peers.

1. Go to VPN > IPSEC > Phase 1.
2. Under Peer Options, select one of these options:
   - To accept a specific certificate holder, select Accept this peer certificate only and select the certificate that belongs to that certificate holder. The certificate must be added to the FortiGate configuration through the config user peer CLI command before it can be selected here. For more information, see the "config user" chapter of the CLI Reference Guide.
   - To accept a group of certificate holders, select Accept this peer certificate group only and select the certificate that belongs to the group. The group must be added to the FortiGate configuration through the config user peergrp CLI command before it can be selected here. For more information, see the "config user" chapter of the CLI Reference Guide.
3. If you want to define the DN of the FortiGate unit, select Advanced, and from the Local ID list, select the DN of the FortiGate unit.
4. Select OK.

This guide only covers Command Line Interface (CLI) commands, keywords, or
variables (in bold) that are not represented in the web-based manager. For complete
descriptions and examples of how to use CLI commands see the FortiGate CLI
Reference Guide.
In the web-based manager, the Dead Peer Detection option can be enabled when you
define advanced Phase 1 options. The config vpn ipsec phase1 CLI command
supports additional options for specifying a long and short idle time, a retry count, and
a retry interval.
Command syntax pattern

    config vpn ipsec phase1
        edit <name_str>
            set <keyword> <variable>
    end

    config vpn ipsec phase1
        edit <name_str>
            unset <keyword>
    end
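
The following is an added example, not part of the Fortinet manual: a small audit script that reads a configuration backup and lists the certificate-authenticated Phase 1 gateways that are not limited to one peer certificate or peer certificate group, which is the condition the procedure above corrects. The sample backup is constructed, and the keyword names authmethod, peertype, peer and peergrp are assumptions that do not appear on this page.

```python
# Constructed sample backup. The keywords authmethod, peertype, peer and
# peergrp are assumptions; they are not listed on this page of the manual.
SAMPLE = '''\
config vpn ipsec phase1
    edit "branch-a"
        set authmethod rsa-signature
        set peertype peer
        set peer "branch-a-cert"
    next
    edit "dialup-any"
        set authmethod rsa-signature
        set peertype any
    next
    edit "legacy-psk"
        set authmethod psk
    next
end
'''

def parse_phase1(config_text):
    """Return {gateway_name: {keyword: value}} for config vpn ipsec phase1."""
    gateways, current, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1":
            inside = True
        elif inside and line == "end":
            inside, current = False, None
        elif inside and line.startswith("edit "):
            current = gateways.setdefault(line[5:].strip().strip('"'), {})
        elif inside and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return gateways

def unrestricted_cert_gateways(config_text):
    """Names of certificate-authenticated gateways with no peer restriction."""
    flagged = []
    for name, kw in parse_phase1(config_text).items():
        if kw.get("authmethod") != "rsa-signature":
            continue  # pre-shared key gateways are out of scope for this check
        ptype = kw.get("peertype", "any")  # assumption: unset behaves as any
        # The keyword holding the peer name matches the peertype value.
        restricted = ptype in ("peer", "peergrp") and bool(kw.get(ptype))
        if not restricted:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unrestricted_cert_gateways(SAMPLE))
```

Each gateway the script reports is a candidate for steps 1 to 4 of the procedure above.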
01-28006-0007-20041105
