FortiSpain
Explorer
February 19, 2026
Solved

Disable VPN


Hi to all,

I would like to disable VPN on my FortiGate. It was configured by the company that installed the firewall, but I will not use it.

Which command do I have to run? I asked FortiCare and they told me to run the following, which does not seem to correspond to disabling the VPN but the opposite:

config vpn ipsec phase1-interface
    edit "VPN_Forticlient"
        set type dynamic
        set interface "wan"
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: VPN_Forticlient (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN_Group"
        set ipv4-start-ip 172.31.10.10
        set ipv4-end-ip 172.31.10.50
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret FortinetPasswordMask
    next
end

Thank you.

@AEK 

Best answer by Toshi_Esumi

Toshi_Esumi
SuperUser
February 19, 2026

config sys int
edit VPN_Forticlient
    set status down
end


Toshi

FortiSpain
Explorer
February 20, 2026

Thank you very much, Toshi.

By the way, are the commands I uploaded a configuration of VPN?

set peertype any
set mode-cfg enable
set client-keep-alive enable

These are commands that scare me a little bit...

Thanks

Toshi_Esumi
SuperUser
February 20, 2026

Why scary?
"peertype = any" allows accepting any peer IDs at this phase1-interface. So if you need to have multiple user groups on different policies, you need to use "peertype = one" instead. Then set "peerid" at the phase1 while setting "local ID" on the client side to match one of them.

"mode-cfg" is necessary if you are handing out IPs from the FGT, which you're doing.

"keep-alive" and "auto-negotiation" are optional, so you can disable them if you want. The IKE doesn't automatically get connected or re-establish without user traffic if you do that. But the DPD setting also affects the behavior. I'm not sure of the default DPD setting, though, since you're not configuring it like "on-idle".
"show full" or "get | grep dpd" would show the default value.
It's probably not much of a concern for you because this is a dialup VPN instead of a site-to-site VPN.

Toshi
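
Added example, not part of the thread and not Fortinet code: a small Python script that reads a saved `config vpn ipsec phase1-interface` block, picks out the dial-up entries (`set type dynamic`) and writes the `set status down` commands from the accepted answer for each one. The sample text is constructed (the `to_branch` entry and the `PLACEHOLDER` key are made up), and the parser assumes the block contains no nested `config` sections.

```python
import shlex

# Constructed sample shaped like the block in the question; keys are placeholders.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "VPN_Forticlient"
        set type dynamic
        set interface "wan"
        set peertype any
        set mode-cfg enable
        set comments "VPN: VPN_Forticlient (Created by VPN wizard)"
        set authusrgrp "VPN_Group"
        set psksecret PLACEHOLDER
    next
    edit "to_branch"
        set interface "wan"
        set remote-gw 192.0.2.10
        set psksecret PLACEHOLDER
    next
end
"""

def parse_phase1(text):
    """Return {name: {option: [values]}} for every phase1-interface entry."""
    tunnels, in_table, current = {}, False, None
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps double-quoted names and comments intact
        if not tok:
            continue
        if tok == ["config", "vpn", "ipsec", "phase1-interface"]:
            in_table = True
        elif tok[0] == "end":
            in_table, current = False, None
        elif not in_table:
            continue
        elif tok[0] == "edit" and len(tok) == 2:
            current = tunnels.setdefault(tok[1], {})
        elif tok[0] == "next":
            current = None
        elif tok[0] == "set" and len(tok) > 2 and current is not None:
            current[tok[1]] = tok[2:]
    return tunnels

def dialup_tunnels(tunnels):
    """Names of dial-up entries, i.e. those with 'set type dynamic'."""
    return [n for n, o in tunnels.items() if o.get("type") == ["dynamic"]]

def disable_commands(names):
    """CLI text that sets each tunnel interface down, as in the accepted answer."""
    body = "".join(f'    edit "{n}"\n        set status down\n    next\n' for n in names)
    return "config system interface\n" + body + "end\n"

if __name__ == "__main__":
    print(disable_commands(dialup_tunnels(parse_phase1(SAMPLE))))
```

The generated text uses the unabbreviated `config system interface` form of the command in the answer; review it before pasting it into the CLI.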