pelskyl
New Contributor II

IPsec phase1 set domain

I'm trying to set domain on phase1-interface but I get the error:

command parse error before 'domain'

Command fail. Return code -61

From what I've found, only mode-cfg should have to be enabled and type dynamic?

Am I missing anything?

This is the config:

edit "<Withdrawn>"
set type dynamic
set interface "wan"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
unset authmethod-remote
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg enable
set ipv4-dns-server1 <Withdrawn>
set ipv4-dns-server2 <Withdrawn>
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-dns-server3 ::
set proposal aes192-sha256 aes256-sha256
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set suite-b disable
set eap enable
set eap-identity send-request
set acct-verify disable
set ppk disable
set wizard-type custom
set reauth disable
set authusrgrp "<Withdrawn>"
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set fragmentation-mtu 1200
set childless-ike disable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set network-overlay disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from name
set ipv4-netmask 255.255.255.255
set dns-mode manual
set ipv4-split-include "<Withdrawn>"
set split-include-service ''
set ipv4-name "<Withdrawn>"
set ipv6-prefix 128
set ipv6-split-include ''
set ipv6-name ''
set ip-delay-interval 0
set save-password enable
set client-auto-negotiate enable
set client-keep-alive disable
set psksecret ENC <Withdrawn>
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 60
next
end

hbac
Staff

Hi @pelskyl,

Yes, the 'set domain' command should work. Which firmware version are you using? 

Regards,

pelskyl
New Contributor II

That FW is on 7.0.12.

hbac

@pelskyl,

I tested in my lab. It should work with both wizard-types. However, you need to enable unity-support first (it is enabled by default).

config vpn ipsec phase1-interface
edit <>
set unity-support enable
set domain example.com
end

Regards, 

hbac

@pelskyl,

Please note that 'set domain' is only available in IKEv1.

Regards, 

pelskyl
New Contributor II

That's why it's not working then, since it's an IKEv2!

Then I need to figure out another way to push it.

amuda
Staff

Hi, you may refer here and see if it's working for you: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-DNS-suffix-for-VPN-SSL-and-IPse...

Amerul
APAC TAC
pelskyl
New Contributor II

Thanks, but I already have all those settings on phase1; that's the weird part.

amuda

You're welcome. I did a quick test for version 7.0.12 and I'm able to set the domain. Here's my config for your reference:

edit "test"
set type dynamic
set interface "port1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg enable
set ipv4-dns-server1 0.0.0.0
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-dns-server3 ::
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-idle
set forticlient-enforcement disable
set comments "VPN: test (Created by VPN wizard)"
set npu-offload enable
set dhgrp 14 5
set suite-b disable
set wizard-type static-fortigate
set xauthtype disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set nattraversal enable
set esn disable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from range
set ipv4-start-ip 0.0.0.0
set ipv4-end-ip 0.0.0.0
set ipv4-netmask 255.255.255.255
set dns-mode manual
set ipv4-split-include ''
set split-include-service ''
set ipv6-start-ip ::
set ipv6-end-ip ::
set ipv6-prefix 128
set ipv6-split-include ''
set ip-delay-interval 0
set unity-support enable
set domain "test.com"
set banner ''
set include-local-lan disable
set ipv4-split-exclude ''
set ipv6-split-exclude ''
set client-auto-negotiate disable
set client-keep-alive disable
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 60
next
end

Amerul
APAC TAC
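The two prerequisites that came out of this thread (hbac: 'set domain' is IKEv1-only and needs unity-support enabled; amuda's working IKEv1 config) can be checked before typing the command. The script below is an added example, not code from the thread, from Fortinet or from any of the posters: a small linter that parses `show vpn ipsec phase1-interface` style output and reports why `set domain` would be rejected or pointless on each entry. The two sample entries are constructed from the configs posted above, trimmed to the relevant keywords; the defaults assumed for absent keywords (IKEv1, mode-cfg off, unity-support on) are this example's assumptions, with unity-support's default taken from hbac's reply.

```python
"""Added example (not from the thread or Fortinet): lint a FortiGate
`config vpn ipsec phase1-interface` entry for the prerequisites of
`set domain` established in the replies above: the keyword is accepted
only on IKEv1 tunnels and needs unity-support enabled (and mode-cfg, which
is what actually pushes the suffix to dial-up clients)."""

# Constructed sample input: the two phase1 entries from the thread, trimmed
# to the keywords that matter here (entry names are this example's own).
IKEV2_DIALUP = """\
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan"
        set ike-version 2
        set mode-cfg enable
        set wizard-type custom
        set authusrgrp "vpn-users"
    next
end
"""

IKEV1_DIALUP = """\
config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode main
        set mode-cfg enable
        set wizard-type static-fortigate
        set unity-support enable
        set domain "test.com"
    next
end
"""

# Values assumed when a keyword is absent from the output (FortiOS omits
# defaults from `show`). unity-support defaulting to enable is stated by hbac
# above; the IKEv1 and mode-cfg defaults are assumptions of this example.
DEFAULTS = {"ike-version": "1", "mode-cfg": "disable", "unity-support": "enable"}


def parse_phase1(text):
    """Return {entry name: {keyword: value}} for every `edit ... next` block.

    Only the flat `set <keyword> <value...>` grammar used by phase1-interface
    is handled; quotes around names and values are stripped.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip("\"'"), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip("\"'")
        elif line.startswith("unset ") and current is not None:
            current.pop(line[6:].strip(), None)
        elif line in ("next", "end"):
            current = None
    return entries


def domain_issues(settings):
    """List the reasons `set domain` would fail or be useless on one entry."""
    cfg = {**DEFAULTS, **settings}
    issues = []
    if cfg["ike-version"] != "1":
        issues.append("ike-version %s: 'set domain' is only accepted on IKEv1 tunnels"
                      % cfg["ike-version"])
    if cfg["unity-support"] != "enable":
        issues.append("unity-support disabled: enable it before 'set domain'")
    if cfg["mode-cfg"] != "enable":
        issues.append("mode-cfg disabled: the domain would never be pushed to clients")
    return issues


def lint(text):
    """Map every phase1 entry name in `text` to its list of issues."""
    return {name: domain_issues(cfg) for name, cfg in parse_phase1(text).items()}


if __name__ == "__main__":
    for sample in (IKEV2_DIALUP, IKEV1_DIALUP):
        for name, issues in lint(sample).items():
            print(name, "->", "ok" if not issues else "; ".join(issues))
```

Paste the real `show vpn ipsec phase1-interface` output into `lint()` and every entry that would return the thread's 'command parse error' shows up with the reason; the IKEv1 entry modelled on amuda's config comes back clean, the IKEv2 entry modelled on the original post is flagged on ike-version alone.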
pelskyl
New Contributor II

Yeah, it is possible, since we have it on an old tunnel. Can it be 'set wizard-type custom' that prevents me from using that setting?
