Ipsec phase1 set domain
I'm trying to set domain on phase1-interface but I get the error:
command parse error before 'domain'
Command fail. Return code -61
From what I've found, only mode-cfg should have to be enabled and type dynamic?
Am I missing anything?
This is the config:
edit "<Withdrawn>"
set type dynamic
set interface "wan"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
unset authmethod-remote
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg enable
set ipv4-dns-server1 <Withdrawn>
set ipv4-dns-server2 <Withdrawn>
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-dns-server3 ::
set proposal aes192-sha256 aes256-sha256
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set suite-b disable
set eap enable
set eap-identity send-request
set acct-verify disable
set ppk disable
set wizard-type custom
set reauth disable
set authusrgrp "<Withdrawn>"
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set fragmentation-mtu 1200
set childless-ike disable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set network-overlay disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from name
set ipv4-netmask 255.255.255.255
set dns-mode manual
set ipv4-split-include "<Withdrawn>"
set split-include-service ''
set ipv4-name "<Withdrawn>"
set ipv6-prefix 128
set ipv6-split-include ''
set ipv6-name ''
set ip-delay-interval 0
set save-password enable
set client-auto-negotiate enable
set client-keep-alive disable
set psksecret ENC <Withdrawn>
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 60
next
end
Labels: FortiGate
Please note that 'set domain' is only available in IKEv1.
Regards,
Hi @pelskyl,
Yes, the 'set domain' command should work. Which firmware version are you using?
Regards,
That fw is on 7.0.12
I tested in my lab. It should work with both wizard-types. However, you need to enable unity-support first (it is enabled by default).
config vpn ipsec phase1-interface
edit <>
set unity-support enable
set domain example.com
end
Regards,
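As an added illustration (not code from the thread or from Fortinet), the check below encodes the constraint established in this thread: 'set domain' is only accepted on a phase1-interface with ike-version 1, and it additionally needs mode-cfg and unity-support enabled (mode-cfg is inferred from the working configs in the thread and treated as an assumption). It parses a pasted phase1-interface dump so a reviewer can spot tunnels where the keyword would fail before typing it; the tunnel names and sample text are constructed.

```python
import re

# Constructed sample (not from the thread): two dial-up tunnels that differ
# only in the settings this check cares about.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set ike-version 2
        set mode-cfg enable
    next
    edit "dialup-ikev1"
        set ike-version 1
        set mode-cfg enable
        set unity-support enable
        set domain "corp.example"
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?(.*?)"?$')

def parse_phase1(text):
    """Map each 'edit <name>' block to a dict of its 'set key value' lines."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return tunnels

def domain_problem(settings):
    """Return why 'set domain' would be rejected on this tunnel, or None.
    Missing keys take the defaults the thread relies on: ike-version 1 and
    unity-support enable. The mode-cfg requirement is an assumption."""
    if settings.get("ike-version", "1") != "1":
        return "set domain is only accepted with ike-version 1"
    if settings.get("mode-cfg", "disable") != "enable":
        return "set domain requires mode-cfg enable"
    if settings.get("unity-support", "enable") != "enable":
        return "set domain requires unity-support enable"
    return None

def lint_domain(text):
    """Return {tunnel: problem} for every tunnel that cannot take 'set domain'."""
    return {name: p for name, s in parse_phase1(text).items()
            if (p := domain_problem(s))}
```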
That's why it's not working then, since it's an IKEv2!
Then I need to figure out another way to push it.
Hi, you may refer here and see if it's working for you: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-DNS-suffix-for-VPN-SSL-and-IPse...
APAC TAC
Thanks, but I already have all those settings on phase1; that's the weird part.
You're welcome. I did a quick test for version 7.0.12 and I'm able to set the domain. Here's my config for your reference:
edit "test"
set type dynamic
set interface "port1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg enable
set ipv4-dns-server1 0.0.0.0
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-dns-server3 ::
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set forticlient-enforcement disable
set comments "VPN: test (Created by VPN wizard)"
set npu-offload enable
set dhgrp 14 5
set suite-b disable
set wizard-type static-fortigate
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set esn disable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from range
set ipv4-start-ip 0.0.0.0
set ipv4-end-ip 0.0.0.0
set ipv4-netmask 255.255.255.255
set dns-mode manual
set ipv4-split-include ''
set split-include-service ''
set ipv6-start-ip ::
set ipv6-end-ip ::
set ipv6-prefix 128
set ipv6-split-include ''
set ip-delay-interval 0
set unity-support enable
set domain "test.com"
set banner ''
set include-local-lan disable
set ipv4-split-exclude ''
set ipv6-split-exclude ''
set client-auto-negotiate disable
set client-keep-alive disable
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 60
next
end
APAC TAC
Yeah, it is possible, since we have it on an old tunnel. Can it be that 'set wizard-type custom' prevents me from using that setting?