fortios.vpn/ipsec.Phase1
Configure VPN remote gateway.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";
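// Phase 1 (IKE) settings for the IPsec remote gateway "trnamex1".
//
// The pre-shared key is read from stack configuration as a secret
// (`pulumi config set --secret psksecret <value>`) instead of being written
// into the program, so it is encrypted in the stack state and never ends up
// in source control alongside the rest of the tunnel definition.
const config = new pulumi.Config();
const psksecret = config.requireSecret("psksecret");

const trnamex1 = new fortios.vpn.ipsec.Phase1("trnamex1", {
  acctVerify: "disable",
  addGwRoute: "disable",
  addRoute: "disable",
  assignIp: "enable",
  assignIpFrom: "range",
  authmethod: "psk",
  autoNegotiate: "enable",
  certIdValidation: "enable",
  childlessIke: "disable",
  clientAutoNegotiate: "disable",
  clientKeepAlive: "disable",
  // Group 5 (1536-bit MODP) is only here for peers that cannot do group 14;
  // drop it once every peer supports 14.
  dhgrp: "14 5",
  digitalSignatureAuth: "disable",
  distance: 15,
  dnsMode: "manual",
  dpd: "on-demand",
  dpdRetrycount: 3,
  dpdRetryinterval: "20",
  eap: "disable",
  eapIdentity: "use-id-payload",
  enforceUniqueId: "disable",
  forticlientEnforcement: "disable",
  fragmentation: "enable",
  fragmentationMtu: 1200,
  groupAuthentication: "disable",
  haSyncEspSeqno: "enable",
  idleTimeout: "disable",
  idleTimeoutinterval: 15,
  // IKEv1 in main mode; "2" is preferable wherever the peer supports IKEv2.
  ikeVersion: "1",
  includeLocalLan: "disable",
  "interface": "port4",
  ipv4DnsServer1: "0.0.0.0",
  ipv4DnsServer2: "0.0.0.0",
  ipv4DnsServer3: "0.0.0.0",
  ipv4EndIp: "0.0.0.0",
  ipv4Netmask: "255.255.255.255",
  ipv4StartIp: "0.0.0.0",
  ipv4WinsServer1: "0.0.0.0",
  ipv4WinsServer2: "0.0.0.0",
  ipv6DnsServer1: "::",
  ipv6DnsServer2: "::",
  ipv6DnsServer3: "::",
  ipv6EndIp: "::",
  ipv6Prefix: 128,
  ipv6StartIp: "::",
  keepalive: 10,
  keylife: 86400,
  localGw: "0.0.0.0",
  localidType: "auto",
  meshSelectorType: "disable",
  mode: "main",
  modeCfg: "disable",
  nattraversal: "enable",
  negotiateTimeout: 30,
  peertype: "any",
  ppk: "disable",
  priority: 0,
  // The SHA-1 entries are kept for legacy peers; remove them when all peers
  // negotiate a SHA-2 proposal.
  proposal: "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
  psksecret, // Output<string> from config; accepted as Input<string>
  reauth: "disable",
  rekey: "enable",
  remoteGw: "1.1.1.1",
  rsaSignatureFormat: "pkcs1",
  savePassword: "disable",
  sendCertChain: "enable",
  signatureHashAlg: "sha2-512 sha2-384 sha2-256 sha1",
  suiteB: "disable",
  type: "static",
  unitySupport: "enable",
  wizardType: "custom",
  xauthtype: "disable",
});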
import pulumi
import pulumiverse_fortios as fortios
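# Phase 1 (IKE) settings for the IPsec remote gateway "trnamex1".
#
# The pre-shared key is read from stack configuration as a secret
# (``pulumi config set --secret psksecret <value>``) instead of being written
# into the program, so it is encrypted in the stack state and never committed
# alongside the rest of the tunnel definition.
config = pulumi.Config()
psksecret = config.require_secret("psksecret")

trnamex1 = fortios.vpn.ipsec.Phase1("trnamex1",
    acct_verify="disable",
    add_gw_route="disable",
    add_route="disable",
    assign_ip="enable",
    assign_ip_from="range",
    authmethod="psk",
    auto_negotiate="enable",
    cert_id_validation="enable",
    childless_ike="disable",
    client_auto_negotiate="disable",
    client_keep_alive="disable",
    # Group 5 (1536-bit MODP) is only here for peers that cannot do group 14;
    # drop it once every peer supports 14.
    dhgrp="14 5",
    digital_signature_auth="disable",
    distance=15,
    dns_mode="manual",
    dpd="on-demand",
    dpd_retrycount=3,
    dpd_retryinterval="20",
    eap="disable",
    eap_identity="use-id-payload",
    enforce_unique_id="disable",
    forticlient_enforcement="disable",
    fragmentation="enable",
    fragmentation_mtu=1200,
    group_authentication="disable",
    ha_sync_esp_seqno="enable",
    idle_timeout="disable",
    idle_timeoutinterval=15,
    # IKEv1 in main mode; "2" is preferable wherever the peer supports IKEv2.
    ike_version="1",
    include_local_lan="disable",
    interface="port4",
    ipv4_dns_server1="0.0.0.0",
    ipv4_dns_server2="0.0.0.0",
    ipv4_dns_server3="0.0.0.0",
    ipv4_end_ip="0.0.0.0",
    ipv4_netmask="255.255.255.255",
    ipv4_start_ip="0.0.0.0",
    ipv4_wins_server1="0.0.0.0",
    ipv4_wins_server2="0.0.0.0",
    ipv6_dns_server1="::",
    ipv6_dns_server2="::",
    ipv6_dns_server3="::",
    ipv6_end_ip="::",
    ipv6_prefix=128,
    ipv6_start_ip="::",
    keepalive=10,
    keylife=86400,
    local_gw="0.0.0.0",
    localid_type="auto",
    mesh_selector_type="disable",
    mode="main",
    mode_cfg="disable",
    nattraversal="enable",
    negotiate_timeout=30,
    peertype="any",
    ppk="disable",
    priority=0,
    # The SHA-1 entries are kept for legacy peers; remove them when all peers
    # negotiate a SHA-2 proposal.
    proposal="aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
    psksecret=psksecret,  # Output[str] from config; accepted as a str input
    reauth="disable",
    rekey="enable",
    remote_gw="1.1.1.1",
    rsa_signature_format="pkcs1",
    save_password="disable",
    send_cert_chain="enable",
    signature_hash_alg="sha2-512 sha2-384 sha2-256 sha1",
    suite_b="disable",
    type="static",
    unity_support="enable",
    wizard_type="custom",
    xauthtype="disable")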
package main
import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
	"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/vpn"
)
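// main declares the Phase 1 (IKE) settings for the IPsec remote gateway
// "trnamex1".
//
// The pre-shared key is read from stack configuration as a secret
// (`pulumi config set --secret psksecret <value>`) instead of being written
// into the program, so it is encrypted in the stack state and never committed
// alongside the rest of the tunnel definition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		psksecret := config.RequireSecret(ctx, "psksecret")

		_, err := vpn.NewPhase1(ctx, "trnamex1", &vpn.Phase1Args{
			AcctVerify:           pulumi.String("disable"),
			AddGwRoute:           pulumi.String("disable"),
			AddRoute:             pulumi.String("disable"),
			AssignIp:             pulumi.String("enable"),
			AssignIpFrom:         pulumi.String("range"),
			Authmethod:           pulumi.String("psk"),
			AutoNegotiate:        pulumi.String("enable"),
			CertIdValidation:     pulumi.String("enable"),
			ChildlessIke:         pulumi.String("disable"),
			ClientAutoNegotiate:  pulumi.String("disable"),
			ClientKeepAlive:      pulumi.String("disable"),
			// Group 5 (1536-bit MODP) is only here for peers that cannot do
			// group 14; drop it once every peer supports 14.
			Dhgrp:                pulumi.String("14 5"),
			DigitalSignatureAuth: pulumi.String("disable"),
			Distance:             pulumi.Int(15),
			DnsMode:              pulumi.String("manual"),
			Dpd:                  pulumi.String("on-demand"),
			DpdRetrycount:        pulumi.Int(3),
			DpdRetryinterval:     pulumi.String("20"),
			Eap:                  pulumi.String("disable"),
			EapIdentity:          pulumi.String("use-id-payload"),
			EnforceUniqueId:      pulumi.String("disable"),
			ForticlientEnforcement: pulumi.String("disable"),
			Fragmentation:        pulumi.String("enable"),
			FragmentationMtu:     pulumi.Int(1200),
			GroupAuthentication:  pulumi.String("disable"),
			HaSyncEspSeqno:       pulumi.String("enable"),
			IdleTimeout:          pulumi.String("disable"),
			IdleTimeoutinterval:  pulumi.Int(15),
			// IKEv1 in main mode; "2" is preferable wherever the peer
			// supports IKEv2.
			IkeVersion:           pulumi.String("1"),
			IncludeLocalLan:      pulumi.String("disable"),
			Interface:            pulumi.String("port4"),
			Ipv4DnsServer1:       pulumi.String("0.0.0.0"),
			Ipv4DnsServer2:       pulumi.String("0.0.0.0"),
			Ipv4DnsServer3:       pulumi.String("0.0.0.0"),
			Ipv4EndIp:            pulumi.String("0.0.0.0"),
			Ipv4Netmask:          pulumi.String("255.255.255.255"),
			Ipv4StartIp:          pulumi.String("0.0.0.0"),
			Ipv4WinsServer1:      pulumi.String("0.0.0.0"),
			Ipv4WinsServer2:      pulumi.String("0.0.0.0"),
			Ipv6DnsServer1:       pulumi.String("::"),
			Ipv6DnsServer2:       pulumi.String("::"),
			Ipv6DnsServer3:       pulumi.String("::"),
			Ipv6EndIp:            pulumi.String("::"),
			Ipv6Prefix:           pulumi.Int(128),
			Ipv6StartIp:          pulumi.String("::"),
			Keepalive:            pulumi.Int(10),
			Keylife:              pulumi.Int(86400),
			LocalGw:              pulumi.String("0.0.0.0"),
			LocalidType:          pulumi.String("auto"),
			MeshSelectorType:     pulumi.String("disable"),
			Mode:                 pulumi.String("main"),
			ModeCfg:              pulumi.String("disable"),
			Nattraversal:         pulumi.String("enable"),
			NegotiateTimeout:     pulumi.Int(30),
			Peertype:             pulumi.String("any"),
			Ppk:                  pulumi.String("disable"),
			Priority:             pulumi.Int(0),
			// The SHA-1 entries are kept for legacy peers; remove them when
			// all peers negotiate a SHA-2 proposal.
			Proposal:             pulumi.String("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"),
			// StringOutput satisfies StringPtrInput, so the secret can be
			// passed straight through.
			Psksecret:            psksecret,
			Reauth:               pulumi.String("disable"),
			Rekey:                pulumi.String("enable"),
			RemoteGw:             pulumi.String("1.1.1.1"),
			RsaSignatureFormat:   pulumi.String("pkcs1"),
			SavePassword:         pulumi.String("disable"),
			SendCertChain:        pulumi.String("enable"),
			SignatureHashAlg:     pulumi.String("sha2-512 sha2-384 sha2-256 sha1"),
			SuiteB:               pulumi.String("disable"),
			Type:                 pulumi.String("static"),
			UnitySupport:         pulumi.String("enable"),
			WizardType:           pulumi.String("custom"),
			Xauthtype:            pulumi.String("disable"),
		})
		// A nil err is returned unchanged, which is what pulumi.Run expects.
		return err
	})
}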
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;
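// Phase 1 (IKE) settings for the IPsec remote gateway "trnamex1".
//
// The pre-shared key is read from stack configuration as a secret
// (`pulumi config set --secret psksecret <value>`) instead of being written
// into the program, so it is encrypted in the stack state and never committed
// alongside the rest of the tunnel definition.
return await Deployment.RunAsync(() =>
{
    var config = new Config();
    var psksecret = config.RequireSecret("psksecret");

    var trnamex1 = new Fortios.Vpn.Ipsec.Phase1("trnamex1", new()
    {
        AcctVerify = "disable",
        AddGwRoute = "disable",
        AddRoute = "disable",
        AssignIp = "enable",
        AssignIpFrom = "range",
        Authmethod = "psk",
        AutoNegotiate = "enable",
        CertIdValidation = "enable",
        ChildlessIke = "disable",
        ClientAutoNegotiate = "disable",
        ClientKeepAlive = "disable",
        // Group 5 (1536-bit MODP) is only here for peers that cannot do
        // group 14; drop it once every peer supports 14.
        Dhgrp = "14 5",
        DigitalSignatureAuth = "disable",
        Distance = 15,
        DnsMode = "manual",
        Dpd = "on-demand",
        DpdRetrycount = 3,
        DpdRetryinterval = "20",
        Eap = "disable",
        EapIdentity = "use-id-payload",
        EnforceUniqueId = "disable",
        ForticlientEnforcement = "disable",
        Fragmentation = "enable",
        FragmentationMtu = 1200,
        GroupAuthentication = "disable",
        HaSyncEspSeqno = "enable",
        IdleTimeout = "disable",
        IdleTimeoutinterval = 15,
        // IKEv1 in main mode; "2" is preferable wherever the peer supports IKEv2.
        IkeVersion = "1",
        IncludeLocalLan = "disable",
        Interface = "port4",
        Ipv4DnsServer1 = "0.0.0.0",
        Ipv4DnsServer2 = "0.0.0.0",
        Ipv4DnsServer3 = "0.0.0.0",
        Ipv4EndIp = "0.0.0.0",
        Ipv4Netmask = "255.255.255.255",
        Ipv4StartIp = "0.0.0.0",
        Ipv4WinsServer1 = "0.0.0.0",
        Ipv4WinsServer2 = "0.0.0.0",
        Ipv6DnsServer1 = "::",
        Ipv6DnsServer2 = "::",
        Ipv6DnsServer3 = "::",
        Ipv6EndIp = "::",
        Ipv6Prefix = 128,
        Ipv6StartIp = "::",
        Keepalive = 10,
        Keylife = 86400,
        LocalGw = "0.0.0.0",
        LocalidType = "auto",
        MeshSelectorType = "disable",
        Mode = "main",
        ModeCfg = "disable",
        Nattraversal = "enable",
        NegotiateTimeout = 30,
        Peertype = "any",
        Ppk = "disable",
        Priority = 0,
        // The SHA-1 entries are kept for legacy peers; remove them when all
        // peers negotiate a SHA-2 proposal.
        Proposal = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
        Psksecret = psksecret, // Output<string> converts implicitly to Input<string>
        Reauth = "disable",
        Rekey = "enable",
        RemoteGw = "1.1.1.1",
        RsaSignatureFormat = "pkcs1",
        SavePassword = "disable",
        SendCertChain = "enable",
        SignatureHashAlg = "sha2-512 sha2-384 sha2-256 sha1",
        SuiteB = "disable",
        Type = "static",
        UnitySupport = "enable",
        WizardType = "custom",
        Xauthtype = "disable",
    });
});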
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.vpn.Phase1;
import com.pulumi.fortios.vpn.Phase1Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
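/**
 * Declares the Phase 1 (IKE) settings for the IPsec remote gateway
 * "trnamex1".
 *
 * The pre-shared key is read from stack configuration as a secret
 * ({@code pulumi config set --secret psksecret <value>}) instead of being
 * written into the program, so it is encrypted in the stack state and never
 * committed alongside the rest of the tunnel definition.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the stack.
     *
     * @param ctx the deployment context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        Output<String> psksecret = ctx.config().requireSecret("psksecret");

        var trnamex1 = new Phase1("trnamex1", Phase1Args.builder()
            .acctVerify("disable")
            .addGwRoute("disable")
            .addRoute("disable")
            .assignIp("enable")
            .assignIpFrom("range")
            .authmethod("psk")
            .autoNegotiate("enable")
            .certIdValidation("enable")
            .childlessIke("disable")
            .clientAutoNegotiate("disable")
            .clientKeepAlive("disable")
            // Group 5 (1536-bit MODP) is only here for peers that cannot do
            // group 14; drop it once every peer supports 14.
            .dhgrp("14 5")
            .digitalSignatureAuth("disable")
            .distance(15)
            .dnsMode("manual")
            .dpd("on-demand")
            .dpdRetrycount(3)
            .dpdRetryinterval("20")
            .eap("disable")
            .eapIdentity("use-id-payload")
            .enforceUniqueId("disable")
            .forticlientEnforcement("disable")
            .fragmentation("enable")
            .fragmentationMtu(1200)
            .groupAuthentication("disable")
            .haSyncEspSeqno("enable")
            .idleTimeout("disable")
            .idleTimeoutinterval(15)
            // IKEv1 in main mode; "2" is preferable wherever the peer
            // supports IKEv2.
            .ikeVersion("1")
            .includeLocalLan("disable")
            .interface_("port4")
            .ipv4DnsServer1("0.0.0.0")
            .ipv4DnsServer2("0.0.0.0")
            .ipv4DnsServer3("0.0.0.0")
            .ipv4EndIp("0.0.0.0")
            .ipv4Netmask("255.255.255.255")
            .ipv4StartIp("0.0.0.0")
            .ipv4WinsServer1("0.0.0.0")
            .ipv4WinsServer2("0.0.0.0")
            .ipv6DnsServer1("::")
            .ipv6DnsServer2("::")
            .ipv6DnsServer3("::")
            .ipv6EndIp("::")
            .ipv6Prefix(128)
            .ipv6StartIp("::")
            .keepalive(10)
            .keylife(86400)
            .localGw("0.0.0.0")
            .localidType("auto")
            .meshSelectorType("disable")
            .mode("main")
            .modeCfg("disable")
            .nattraversal("enable")
            .negotiateTimeout(30)
            .peertype("any")
            .ppk("disable")
            .priority(0)
            // The SHA-1 entries are kept for legacy peers; remove them when
            // all peers negotiate a SHA-2 proposal.
            .proposal("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1")
            .psksecret(psksecret)
            .reauth("disable")
            .rekey("enable")
            .remoteGw("1.1.1.1")
            .rsaSignatureFormat("pkcs1")
            .savePassword("disable")
            .sendCertChain("enable")
            .signatureHashAlg("sha2-512 sha2-384 sha2-256 sha1")
            .suiteB("disable")
            .type("static")
            .unitySupport("enable")
            .wizardType("custom")
            .xauthtype("disable")
            .build());
    }
}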
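# Phase 1 (IKE) settings for the IPsec remote gateway "trnamex1".
#
# The pre-shared key is supplied as a secret stack config value
# (`pulumi config set --secret psksecret <value>`) rather than written into
# the program, so it is encrypted in the stack state and never committed
# alongside the rest of the tunnel definition.
config:
  psksecret:
    type: string
resources:
  trnamex1:
    type: fortios:vpn/ipsec:Phase1
    properties:
      acctVerify: disable
      addGwRoute: disable
      addRoute: disable
      assignIp: enable
      assignIpFrom: range
      authmethod: psk
      autoNegotiate: enable
      certIdValidation: enable
      childlessIke: disable
      clientAutoNegotiate: disable
      clientKeepAlive: disable
      # Group 5 (1536-bit MODP) is only here for peers that cannot do
      # group 14; drop it once every peer supports 14.
      dhgrp: 14 5
      digitalSignatureAuth: disable
      distance: 15
      dnsMode: manual
      dpd: on-demand
      dpdRetrycount: 3
      dpdRetryinterval: '20'
      eap: disable
      eapIdentity: use-id-payload
      enforceUniqueId: disable
      forticlientEnforcement: disable
      fragmentation: enable
      fragmentationMtu: 1200
      groupAuthentication: disable
      haSyncEspSeqno: enable
      idleTimeout: disable
      idleTimeoutinterval: 15
      # IKEv1 in main mode; '2' is preferable wherever the peer supports IKEv2.
      ikeVersion: '1'
      includeLocalLan: disable
      interface: port4
      ipv4DnsServer1: 0.0.0.0
      ipv4DnsServer2: 0.0.0.0
      ipv4DnsServer3: 0.0.0.0
      ipv4EndIp: 0.0.0.0
      ipv4Netmask: 255.255.255.255
      ipv4StartIp: 0.0.0.0
      ipv4WinsServer1: 0.0.0.0
      ipv4WinsServer2: 0.0.0.0
      ipv6DnsServer1: '::'
      ipv6DnsServer2: '::'
      ipv6DnsServer3: '::'
      ipv6EndIp: '::'
      ipv6Prefix: 128
      ipv6StartIp: '::'
      keepalive: 10
      keylife: 86400
      localGw: 0.0.0.0
      localidType: auto
      meshSelectorType: disable
      mode: main
      modeCfg: disable
      nattraversal: enable
      negotiateTimeout: 30
      peertype: any
      ppk: disable
      priority: 0
      # The SHA-1 entries are kept for legacy peers; remove them when all
      # peers negotiate a SHA-2 proposal.
      proposal: aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      psksecret: ${psksecret}
      reauth: disable
      rekey: enable
      remoteGw: 1.1.1.1
      rsaSignatureFormat: pkcs1
      savePassword: disable
      sendCertChain: enable
      signatureHashAlg: sha2-512 sha2-384 sha2-256 sha1
      suiteB: disable
      type: static
      unitySupport: enable
      wizardType: custom
      xauthtype: disable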
Create Phase1 Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Phase1(name: string, args: Phase1Args, opts?: CustomResourceOptions);
@overload
def Phase1(resource_name: str,
args: Phase1Args,
opts: Optional[ResourceOptions] = None)
@overload
def Phase1(resource_name: str,
opts: Optional[ResourceOptions] = None,
interface: Optional[str] = None,
proposal: Optional[str] = None,
psksecret: Optional[str] = None,
acct_verify: Optional[str] = None,
add_gw_route: Optional[str] = None,
add_route: Optional[str] = None,
assign_ip: Optional[str] = None,
assign_ip_from: Optional[str] = None,
authmethod: Optional[str] = None,
authmethod_remote: Optional[str] = None,
authpasswd: Optional[str] = None,
authusr: Optional[str] = None,
authusrgrp: Optional[str] = None,
auto_negotiate: Optional[str] = None,
azure_ad_autoconnect: Optional[str] = None,
backup_gateways: Optional[Sequence[Phase1BackupGatewayArgs]] = None,
banner: Optional[str] = None,
cert_id_validation: Optional[str] = None,
cert_peer_username_strip: Optional[str] = None,
cert_peer_username_validation: Optional[str] = None,
cert_trust_store: Optional[str] = None,
certificates: Optional[Sequence[Phase1CertificateArgs]] = None,
childless_ike: Optional[str] = None,
client_auto_negotiate: Optional[str] = None,
client_keep_alive: Optional[str] = None,
client_resume: Optional[str] = None,
client_resume_interval: Optional[int] = None,
comments: Optional[str] = None,
dev_id: Optional[str] = None,
dev_id_notification: Optional[str] = None,
dhcp6_ra_linkaddr: Optional[str] = None,
dhcp_ra_giaddr: Optional[str] = None,
dhgrp: Optional[str] = None,
digital_signature_auth: Optional[str] = None,
distance: Optional[int] = None,
dns_mode: Optional[str] = None,
domain: Optional[str] = None,
dpd: Optional[str] = None,
dpd_retrycount: Optional[int] = None,
dpd_retryinterval: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
eap: Optional[str] = None,
eap_cert_auth: Optional[str] = None,
eap_exclude_peergrp: Optional[str] = None,
eap_identity: Optional[str] = None,
ems_sn_check: Optional[str] = None,
enforce_unique_id: Optional[str] = None,
esn: Optional[str] = None,
exchange_fgt_device_id: Optional[str] = None,
fallback_tcp_threshold: Optional[int] = None,
fec_base: Optional[int] = None,
fec_codec: Optional[int] = None,
fec_codec_string: Optional[str] = None,
fec_egress: Optional[str] = None,
fec_health_check: Optional[str] = None,
fec_ingress: Optional[str] = None,
fec_mapping_profile: Optional[str] = None,
fec_receive_timeout: Optional[int] = None,
fec_redundant: Optional[int] = None,
fec_send_timeout: Optional[int] = None,
fgsp_sync: Optional[str] = None,
forticlient_enforcement: Optional[str] = None,
fortinet_esp: Optional[str] = None,
fragmentation: Optional[str] = None,
fragmentation_mtu: Optional[int] = None,
get_all_tables: Optional[str] = None,
group_authentication: Optional[str] = None,
group_authentication_secret: Optional[str] = None,
ha_sync_esp_seqno: Optional[str] = None,
idle_timeout: Optional[str] = None,
idle_timeoutinterval: Optional[int] = None,
ike_version: Optional[str] = None,
inbound_dscp_copy: Optional[str] = None,
include_local_lan: Optional[str] = None,
internal_domain_lists: Optional[Sequence[Phase1InternalDomainListArgs]] = None,
ip_delay_interval: Optional[int] = None,
ipv4_dns_server1: Optional[str] = None,
ipv4_dns_server2: Optional[str] = None,
ipv4_dns_server3: Optional[str] = None,
ipv4_end_ip: Optional[str] = None,
ipv4_exclude_ranges: Optional[Sequence[Phase1Ipv4ExcludeRangeArgs]] = None,
ipv4_name: Optional[str] = None,
ipv4_netmask: Optional[str] = None,
ipv4_split_exclude: Optional[str] = None,
ipv4_split_include: Optional[str] = None,
ipv4_start_ip: Optional[str] = None,
ipv4_wins_server1: Optional[str] = None,
ipv4_wins_server2: Optional[str] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_dns_server3: Optional[str] = None,
ipv6_end_ip: Optional[str] = None,
ipv6_exclude_ranges: Optional[Sequence[Phase1Ipv6ExcludeRangeArgs]] = None,
ipv6_name: Optional[str] = None,
ipv6_prefix: Optional[int] = None,
ipv6_split_exclude: Optional[str] = None,
ipv6_split_include: Optional[str] = None,
ipv6_start_ip: Optional[str] = None,
keepalive: Optional[int] = None,
keylife: Optional[int] = None,
kms: Optional[str] = None,
link_cost: Optional[int] = None,
local_gw: Optional[str] = None,
localid: Optional[str] = None,
localid_type: Optional[str] = None,
loopback_asymroute: Optional[str] = None,
mesh_selector_type: Optional[str] = None,
mode: Optional[str] = None,
mode_cfg: Optional[str] = None,
mode_cfg_allow_client_selector: Optional[str] = None,
name: Optional[str] = None,
nattraversal: Optional[str] = None,
negotiate_timeout: Optional[int] = None,
network_id: Optional[int] = None,
network_overlay: Optional[str] = None,
npu_offload: Optional[str] = None,
peer: Optional[str] = None,
peergrp: Optional[str] = None,
peerid: Optional[str] = None,
peertype: Optional[str] = None,
ppk: Optional[str] = None,
ppk_identity: Optional[str] = None,
ppk_secret: Optional[str] = None,
priority: Optional[int] = None,
psksecret_remote: Optional[str] = None,
qkd: Optional[str] = None,
qkd_profile: Optional[str] = None,
reauth: Optional[str] = None,
rekey: Optional[str] = None,
remote_gw: Optional[str] = None,
remote_gw6_country: Optional[str] = None,
remote_gw6_end_ip: Optional[str] = None,
remote_gw6_match: Optional[str] = None,
remote_gw6_start_ip: Optional[str] = None,
remote_gw6_subnet: Optional[str] = None,
remote_gw_country: Optional[str] = None,
remote_gw_end_ip: Optional[str] = None,
remote_gw_match: Optional[str] = None,
remote_gw_start_ip: Optional[str] = None,
remote_gw_subnet: Optional[str] = None,
remotegw_ddns: Optional[str] = None,
rsa_signature_format: Optional[str] = None,
rsa_signature_hash_override: Optional[str] = None,
save_password: Optional[str] = None,
send_cert_chain: Optional[str] = None,
signature_hash_alg: Optional[str] = None,
split_include_service: Optional[str] = None,
suite_b: Optional[str] = None,
transport: Optional[str] = None,
type: Optional[str] = None,
unity_support: Optional[str] = None,
usrgrp: Optional[str] = None,
vdomparam: Optional[str] = None,
wizard_type: Optional[str] = None,
xauthtype: Optional[str] = None)
func NewPhase1(ctx *Context, name string, args Phase1Args, opts ...ResourceOption) (*Phase1, error)
public Phase1(string name, Phase1Args args, CustomResourceOptions? opts = null)
public Phase1(String name, Phase1Args args)
public Phase1(String name, Phase1Args args, CustomResourceOptions options)
type: fortios:vpn/ipsec/phase1:Phase1
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args Phase1Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args Phase1Args
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args Phase1Args
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args Phase1Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args Phase1Args
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Phase1 Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Phase1 resource accepts the following input properties:
- Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Proposal string
- Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
- Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- AcctVerify string
- Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
- AddGwRoute string
- Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
- AddRoute string
- Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
- AssignIp string
- Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
- AssignIpFrom string
- Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
- Authmethod string
- Authentication method. Valid values: psk, signature.
- AuthmethodRemote string
- Authentication method (remote side). Valid values: psk, signature.
- Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- AutoNegotiate string
- Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
- AzureAdAutoconnect string
- Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
- BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1BackupGateway>
- Instruct unity clients about the backup gateway address(es). The structure of the backup_gateway block is documented below.
- Banner string
- Message that unity client should display after connecting.
- CertIdValidation string
- Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
- CertPeerUsernameStrip string
- Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
- CertPeerUsernameValidation string
- Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
- CertTrustStore string
- CA certificate trust store. Valid values: local, ems.
- Certificates
List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1Certificate>
- Names of up to 4 signed personal certificates. The structure of the certificate block is documented below.
- ChildlessIke string
- Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
- ClientAutoNegotiate string
- Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
- ClientKeepAlive string
- Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
- ClientResume string
- Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
- ClientResumeInterval int
- Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
- DigitalSignatureAuth string
- Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
- Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Fallback
Tcp intThreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- IkeVersion string
- IKE protocol version. Valid values: 1, 2.
- Inbound
Dscp stringCopy - Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allow local LAN access on unity clients. Valid values:
disable
,enable
. - Internal
Domain List<Pulumiverse.Lists Fortios. Vpn. Ipsec. Inputs. Phase1Internal Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1Ipv4Exclude Range> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1Ipv6Exclude Range> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - Local VPN gateway.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- ID protection mode used to establish the IKEv1 Phase 1 channel. main protects peer identities; aggressive sends them unencrypted and, with PSK authentication, exposes the authentication hash to offline guessing, so prefer main unless a dialup peer requires aggressive. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable offloading IPsec processing to the NPU. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Peer acceptance policy. any accepts every peer that authenticates successfully; the other values additionally require the connecting peer to match the configured peer, peergrp, peerid or usrgrp, so prefer them over any wherever the peer population is known. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - Remote VPN gateway.
- Remote
Gw6Country string - IPv6 addresses associated to a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated to a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving the XAuth username and password on VPN clients. Enabling leaves user credentials cached on the endpoint, so keep it disabled unless a specific client workflow requires it. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms, space-separated. Offer only the sha2-* entries unless a legacy peer requires sha1. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Proposal string
- Phase 1 proposal(s), space-separated encryption-hash pairs. The des-*, 3des-* and *-md5 entries are legacy algorithms retained for old peers and should not be offered on new tunnels; prefer an AES-GCM or AES-CBC entry with a sha256 or stronger hash. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). This is a credential: use a long, randomly generated value, pass it in as a Pulumi secret rather than a literal in the program, and be aware it is persisted in the stack state.
- Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters). This is a credential: supply it from a Pulumi secret rather than a literal, as it is persisted in the stack state.
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways []Phase1BackupGateway Args - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of the peer ID against the identity in the peer's certificate as specified in RFC 4945. Keep enabled for certificate-authenticated tunnels; disabling removes the binding between the IKE identity the peer claims and the certificate it presents. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
[]Phase1Certificate
Args - Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- Diffie-Hellman group(s), space-separated. Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are considered too weak for new deployments; prefer 14 or a larger MODP group, or one of the elliptic-curve groups (19 and above). Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Fallback
Tcp intThreshold - Timeout in seconds before falling IKE/IPsec traffic back to TCP transport.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragmenting IKE messages on retransmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. Treat it as a credential and supply it from a Pulumi secret rather than a literal.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing Unity clients to reach their local LAN while the tunnel is up. Valid values:
disable
,enable
. - Internal
Domain []Phase1InternalLists Domain List Args - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges []Phase1Ipv4ExcludeRange Args - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges []Phase1Ipv6ExcludeRange Args - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - Local VPN gateway.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- ID protection mode used to establish the IKEv1 Phase 1 channel. main protects peer identities; aggressive sends them unencrypted and, with PSK authentication, exposes the authentication hash to offline guessing, so prefer main unless a dialup peer requires aggressive. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable offloading IPsec processing to the NPU. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Peer acceptance policy. any accepts every peer that authenticates successfully; the other values additionally require the connecting peer to match the configured peer, peergrp, peerid or usrgrp, so prefer them over any wherever the peer population is known. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - Remote VPN gateway.
- Remote
Gw6Country string - IPv6 addresses associated to a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated to a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving the XAuth username and password on VPN clients. Enabling leaves user credentials cached on the endpoint, so keep it disabled unless a specific client workflow requires it. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms, space-separated. Offer only the sha2-* entries unless a legacy peer requires sha1. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface_ String
- Local physical, aggregate, or VLAN outgoing interface.
- proposal String
- Phase 1 proposal(s), space-separated encryption-hash pairs. The des-*, 3des-* and *-md5 entries are legacy algorithms retained for old peers and should not be offered on new tunnels; prefer an AES-GCM or AES-CBC entry with a sha256 or stronger hash. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). This is a credential: use a long, randomly generated value, pass it in as a Pulumi secret rather than a literal in the program, and be aware it is persisted in the stack state.
- acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw StringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - add
Route String - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip StringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters). This is a credential: supply it from a Pulumi secret rather than a literal, as it is persisted in the stack state.
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad StringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Phase1BackupGateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - String
- Message that unity client should display after connecting.
- cert
Id StringValidation - Enable/disable cross validation of the peer ID against the identity in the peer's certificate as specified in RFC 4945. Keep enabled for certificate-authenticated tunnels; disabling removes the binding between the IKE identity the peer claims and the certificate it presents. Valid values:
enable
,disable
. - cert
Peer StringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer StringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust StringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates List<Phase1Certificate>
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto StringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep StringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume IntegerInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id StringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra StringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- Diffie-Hellman group(s), space-separated. Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are considered too weak for new deployments; prefer 14 or a larger MODP group, or one of the elliptic-curve groups (19 and above). Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature StringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Integer
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Integer - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert StringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude StringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn StringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforce
Unique StringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt StringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback
Tcp IntegerThreshold - Timeout in seconds before falling IKE/IPsec traffic back to TCP transport.
- fec
Base Integer - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Integer - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec
Codec StringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive IntegerTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Integer - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send IntegerTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragmenting IKE messages on retransmission. Valid values:
enable
,disable
. - fragmentation
Mtu Integer - IKE fragmentation MTU (500 - 16000).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication StringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. Treat it as a credential and supply it from a Pulumi secret rather than a literal.
- ha
Sync StringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Integer - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp StringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local StringLan - Enable/disable allowing Unity clients to reach their local LAN while the tunnel is up. Valid values:
disable
,enable
. - internal
Domain List<Phase1InternalLists Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay IntegerInterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Phase1Ipv4ExcludeRange> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Phase1Ipv6ExcludeRange> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Integer
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Integer
- NAT-T keep alive interval.
- keylife Integer
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Integer - VPN tunnel underlay link cost.
- local
Gw String - Local VPN gateway.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector StringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg StringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Integer - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id Integer - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable NPU offloading. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Integer
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - Remote VPN gateway.
- remote
Gw6Country String - IPv6 addresses associated with a specific country.
- remote
Gw6End StringIp - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start StringIp - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remote
Gw StringCountry - IPv4 addresses associated with a specific country.
- remote
Gw StringEnd Ip - Last IPv4 address in the range.
- remote
Gw StringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw StringStart Ip - First IPv4 address in the range.
- remote
Gw StringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature StringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature StringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password String - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert StringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash StringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include StringService - Split-include services.
- suite
B String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. To inherit the provider's vdom configuration, do not set this parameter.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface string
- Local physical, aggregate, or VLAN outgoing interface.
- proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw stringRoute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add
Route string - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod string
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd string
- XAuth password (max 35 characters).
- authusr string
- XAuth user name.
- authusrgrp string
- Authentication user group.
- auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways Phase1BackupGateway[] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates Phase1Certificate[]
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume numberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments string
- Comment.
- dev
Id string - Device ID carried by the device ID notification.
- dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance number
- Distance for routes added by IKE (1 - 255).
- dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - domain string
- Instruct unity clients about the default DNS domain.
- dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount number - Number of DPD retry attempts.
- dpd
Retryinterval string - DPD retry interval.
- dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback
Tcp numberThreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec
Base number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec number - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:
rs
,xor
. - fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health stringCheck - SD-WAN health check.
- fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive numberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send numberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu number - IKE fragmentation MTU (500 - 16000).
- get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version string - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - internal
Domain Phase1InternalLists Domain List[] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay numberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 string - IPv4 DNS server 1.
- ipv4Dns
Server2 string - IPv4 DNS server 2.
- ipv4Dns
Server3 string - IPv4 DNS server 3.
- ipv4End
Ip string - End of IPv4 range.
- ipv4Exclude
Ranges Phase1Ipv4ExcludeRange[] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name string
- IPv4 address name.
- ipv4Netmask string
- IPv4 Netmask.
- ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include string - IPv4 split-include subnets.
- ipv4Start
Ip string - Start of IPv4 range.
- ipv4Wins
Server1 string - WINS server 1.
- ipv4Wins
Server2 string - WINS server 2.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Dns
Server3 string - IPv6 DNS server 3.
- ipv6End
Ip string - End of IPv6 range.
- ipv6Exclude
Ranges Phase1Ipv6ExcludeRange[] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name string
- IPv6 address name.
- ipv6Prefix number
- IPv6 prefix.
- ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include string - IPv6 split-include subnets.
- ipv6Start
Ip string - Start of IPv6 range.
- keepalive number
- NAT-T keep alive interval.
- keylife number
- Time to wait in seconds before phase 1 encryption key expires.
- kms string
- Key Management Services server.
- link
Cost number - VPN tunnel underlay link cost.
- local
Gw string - Local VPN gateway.
- localid string
- Local ID.
- localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode string
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name string
- IPsec remote gateway name.
- nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout number - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id number - VPN gateway network ID.
- network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload string - Enable/disable NPU offloading. Valid values:
enable
,disable
. - peer string
- Accept this peer certificate.
- peergrp string
- Accept this peer certificate group.
- peerid string
- Accept this peer identity.
- peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw string - Remote VPN gateway.
- remote
Gw6Country string - IPv6 addresses associated with a specific country.
- remote
Gw6End stringIp - Last IPv6 address in the range.
- remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start stringIp - First IPv6 address in the range.
- remote
Gw6Subnet string - IPv6 address and prefix.
- remote
Gw stringCountry - IPv4 addresses associated with a specific country.
- remote
Gw stringEnd Ip - Last IPv4 address in the range.
- remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw stringStart Ip - First IPv4 address in the range.
- remote
Gw stringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include stringService - Split-include services.
- suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp string
- User group name for dialup peers.
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. To inherit the provider's vdom configuration, do not set this parameter.
- wizard
Type string - GUI VPN Wizard Type.
- xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface str
- Local physical, aggregate, or VLAN outgoing interface.
- proposal str
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret str
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- acct_
verify str - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add_
gw_ strroute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add_
route str - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - assign_
ip str - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign_
ip_ strfrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod str
- Authentication method. Valid values:
psk
,signature
. - authmethod_
remote str - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd str
- XAuth password (max 35 characters).
- authusr str
- XAuth user name.
- authusrgrp str
- Authentication user group.
- auto_
negotiate str - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure_
ad_ strautoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup_
gateways Sequence[Phase1BackupGateway Args] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - str
- Message that unity client should display after connecting.
- cert_
id_ strvalidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert_
peer_ strusername_ strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert_
peer_ strusername_ validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert_
trust_ strstore - CA certificate trust store. Valid values:
local
,ems
. - certificates
Sequence[Phase1Certificate
Args] - Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless_
ike str - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client_
auto_ strnegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client_
keep_ stralive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client_
resume str - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client_
resume_ intinterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments str
- Comment.
- dev_
id str - Device ID carried by the device ID notification.
- dev_
id_ strnotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6_
ra_ strlinkaddr - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp_
ra_ strgiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp str
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital_
signature_ strauth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance int
- Distance for routes added by IKE (1 - 255).
- dns_
mode str - DNS server mode. Valid values:
manual
,auto
. - domain str
- Instruct unity clients about the default DNS domain.
- dpd str
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd_
retrycount int - Number of DPD retry attempts.
- dpd_
retryinterval str - DPD retry interval.
- dynamic_
sort_ strsubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap str
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap_
cert_ strauth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap_
exclude_ strpeergrp - Peer group excluded from EAP authentication.
- eap_
identity str - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems_
sn_ strcheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforce_
unique_ strid - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn str
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange_
fgt_ strdevice_ id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback_
tcp_ intthreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec_
base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec_
codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec_
codec_ strstring - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:
rs
,xor
. - fec_
egress str - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec_
health_ strcheck - SD-WAN health check.
- fec_
ingress str - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec_
mapping_ strprofile - Forward Error Correction (FEC) mapping profile.
- fec_
receive_ inttimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec_
redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec_
send_ inttimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp_
sync str - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient_
enforcement str - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet_
esp str - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation str
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation_
mtu int - IKE fragmentation MTU (500 - 16000).
- get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group_
authentication str - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group_
authentication_ strsecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha_
sync_ stresp_ seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle_
timeout str - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle_
timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike_
version str - IKE protocol version. Valid values:
1
,2
. - inbound_
dscp_ strcopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include_
local_ strlan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - internal_
domain_ Sequence[Phase1Internallists Domain List Args] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip_
delay_ intinterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4_
dns_ strserver1 - IPv4 DNS server 1.
- ipv4_
dns_ strserver2 - IPv4 DNS server 2.
- ipv4_
dns_ strserver3 - IPv4 DNS server 3.
- ipv4_
end_ strip - End of IPv4 range.
- ipv4_
exclude_ Sequence[Phase1Ipv4Excluderanges Range Args] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4_
name str - IPv4 address name.
- ipv4_
netmask str - IPv4 Netmask.
- ipv4_
split_ strexclude - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4_
split_ strinclude - IPv4 split-include subnets.
- ipv4_
start_ strip - Start of IPv4 range.
- ipv4_
wins_ strserver1 - WINS server 1.
- ipv4_
wins_ strserver2 - WINS server 2.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
dns_ strserver3 - IPv6 DNS server 3.
- ipv6_
end_ strip - End of IPv6 range.
- ipv6_
exclude_ Sequence[Phase1Ipv6Excluderanges Range Args] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6_
name str - IPv6 address name.
- ipv6_
prefix int - IPv6 prefix.
- ipv6_
split_ strexclude - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6_
split_ strinclude - IPv6 split-include subnets.
- ipv6_
start_ strip - Start of IPv6 range.
- keepalive int
- NAT-T keep alive interval.
- keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- kms str
- Key Management Services server.
- link_
cost int - VPN tunnel underlay link cost.
- local_
gw str - Local VPN gateway.
- localid str
- Local ID.
- localid_
type str - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback_
asymroute str - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh_
selector_ strtype - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode str
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode_
cfg str - Enable/disable configuration method. Valid values:
disable
,enable
. - mode_cfg_allow_client_selector str - Enable/disable allowing a mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name str
- IPsec remote gateway name.
- nattraversal str
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate_
timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- network_
id int - VPN gateway network ID.
- network_
overlay str - Enable/disable network overlays. Valid values:
disable
,enable
. - npu_
offload str - Enable/disable offloading NPU. Valid values:
enable
,disable
. - peer str
- Accept this peer certificate.
- peergrp str
- Accept this peer certificate group.
- peerid str
- Accept this peer identity.
- peertype str
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk str
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk_
identity str - IKEv2 Postquantum Preshared Key Identity.
- ppk_
secret str - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret_remote str - Pre-shared secret for remote-side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd str
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd_
profile str - Quantum Key Distribution (QKD) server profile.
- reauth str
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey str
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote_
gw str - Remote VPN gateway.
- remote_gw6_country str - IPv6 addresses associated with a specific country.
- remote_
gw6_ strend_ ip - Last IPv6 address in the range.
- remote_
gw6_ strmatch - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote_
gw6_ strstart_ ip - First IPv6 address in the range.
- remote_
gw6_ strsubnet - IPv6 address and prefix.
- remote_gw_country str - IPv4 addresses associated with a specific country.
- remote_
gw_ strend_ ip - Last IPv4 address in the range.
- remote_
gw_ strmatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote_
gw_ strstart_ ip - First IPv4 address in the range.
- remote_
gw_ strsubnet - IPv4 address and subnet mask.
- remotegw_
ddns str - Domain name of remote gateway. For example, name.ddns.com.
- rsa_signature_format str - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa_signature_hash_override str - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save_password str - Enable/disable saving the XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send_cert_chain str - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - signature_hash_alg str - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split_
include_ strservice - Split-include services.
- suite_b str - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport str
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type str
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity_support str - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp str
- User group name for dialup peers.
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- wizard_
type str - GUI VPN Wizard Type.
- xauthtype str
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface String
- Local physical, aggregate, or VLAN outgoing interface.
- proposal String
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- acctVerify String - Enable/disable verification of RADIUS accounting records. Valid values:
enable
,disable
. - addGwRoute String - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - addRoute String - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - assignIp String - Enable/disable assignment of an IP address to the IPsec interface via configuration method. Valid values:
disable
,enable
. - assignIpFrom String - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethodRemote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters).
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azureAdAutoconnect String - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backupGateways List<Property Map> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - banner String - Message that the unity client should display after connecting.
. - certIdValidation String - Enable/disable cross-validation of the peer ID against the identity in the peer's certificate, as specified in RFC 4945. Valid values:
enable
,disable
. - certPeerUsernameStrip String - Enable/disable domain stripping on the certificate identity. Valid values:
disable
,enable
. - certPeerUsernameValidation String - Enable/disable cross-validation of the peer username against the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - certTrustStore String - CA certificate trust store. Valid values:
local
,ems
. - certificates List<Property Map>
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childlessIke String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto StringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep StringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume NumberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id StringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra StringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digitalSignatureAuth String - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Number
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Number - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert StringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude StringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - emsSnCheck String - Enable/disable verification of the EMS serial number. Valid values:
enable
,disable
. - enforceUniqueId String - Enable/disable the peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt StringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback
Tcp NumberThreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- fec
Base Number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Number - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec
Codec StringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive NumberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send NumberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinetEsp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Number - IKE fragmentation MTU (500 - 16000).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
. - groupAuthentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - groupAuthenticationSecret String - Password for IKEv2 ID group authentication (ASCII string or hexadecimal encoded with a leading 0x).
- ha
Sync StringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp StringCopy - Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values:
enable
,disable
. - include
Local StringLan - Enable/disable allow local LAN access on unity clients. Valid values:
disable
,enable
. - internal
Domain List<Property Map>Lists - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay NumberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Property Map> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Property Map> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Number
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Number
- NAT-T keep alive interval.
- keylife Number
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Number - VPN tunnel underlay link cost.
- local
Gw String - Local VPN gateway.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector StringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg StringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Number - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id Number - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable offloading NPU. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
- ppkIdentity String - IKEv2 Postquantum Preshared Key Identity.
- ppkSecret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecretRemote String - Pre-shared secret for remote-side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - Remote VPN gateway.
- remoteGw6Country String - IPv6 addresses associated with a specific country.
- remote
Gw6End StringIp - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start StringIp - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remoteGwCountry String - IPv4 addresses associated with a specific country.
- remote
Gw StringEnd Ip - Last IPv4 address in the range.
- remote
Gw StringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw StringStart Ip - First IPv4 address in the range.
- remote
Gw StringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsaSignatureFormat String - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsaSignatureHashOverride String - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - savePassword String - Enable/disable saving the XAuth username and password on VPN clients. Valid values:
disable
,enable
. - sendCertChain String - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - signatureHashAlg String - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include StringService - Split-include services.
- suiteB String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
Outputs
All input properties are implicitly available as output properties. Additionally, the Phase1 resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Phase1 Resource
Get an existing Phase1 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: Phase1State, opts?: CustomResourceOptions): Phase1
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
acct_verify: Optional[str] = None,
add_gw_route: Optional[str] = None,
add_route: Optional[str] = None,
assign_ip: Optional[str] = None,
assign_ip_from: Optional[str] = None,
authmethod: Optional[str] = None,
authmethod_remote: Optional[str] = None,
authpasswd: Optional[str] = None,
authusr: Optional[str] = None,
authusrgrp: Optional[str] = None,
auto_negotiate: Optional[str] = None,
azure_ad_autoconnect: Optional[str] = None,
backup_gateways: Optional[Sequence[Phase1BackupGatewayArgs]] = None,
banner: Optional[str] = None,
cert_id_validation: Optional[str] = None,
cert_peer_username_strip: Optional[str] = None,
cert_peer_username_validation: Optional[str] = None,
cert_trust_store: Optional[str] = None,
certificates: Optional[Sequence[Phase1CertificateArgs]] = None,
childless_ike: Optional[str] = None,
client_auto_negotiate: Optional[str] = None,
client_keep_alive: Optional[str] = None,
client_resume: Optional[str] = None,
client_resume_interval: Optional[int] = None,
comments: Optional[str] = None,
dev_id: Optional[str] = None,
dev_id_notification: Optional[str] = None,
dhcp6_ra_linkaddr: Optional[str] = None,
dhcp_ra_giaddr: Optional[str] = None,
dhgrp: Optional[str] = None,
digital_signature_auth: Optional[str] = None,
distance: Optional[int] = None,
dns_mode: Optional[str] = None,
domain: Optional[str] = None,
dpd: Optional[str] = None,
dpd_retrycount: Optional[int] = None,
dpd_retryinterval: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
eap: Optional[str] = None,
eap_cert_auth: Optional[str] = None,
eap_exclude_peergrp: Optional[str] = None,
eap_identity: Optional[str] = None,
ems_sn_check: Optional[str] = None,
enforce_unique_id: Optional[str] = None,
esn: Optional[str] = None,
exchange_fgt_device_id: Optional[str] = None,
fallback_tcp_threshold: Optional[int] = None,
fec_base: Optional[int] = None,
fec_codec: Optional[int] = None,
fec_codec_string: Optional[str] = None,
fec_egress: Optional[str] = None,
fec_health_check: Optional[str] = None,
fec_ingress: Optional[str] = None,
fec_mapping_profile: Optional[str] = None,
fec_receive_timeout: Optional[int] = None,
fec_redundant: Optional[int] = None,
fec_send_timeout: Optional[int] = None,
fgsp_sync: Optional[str] = None,
forticlient_enforcement: Optional[str] = None,
fortinet_esp: Optional[str] = None,
fragmentation: Optional[str] = None,
fragmentation_mtu: Optional[int] = None,
get_all_tables: Optional[str] = None,
group_authentication: Optional[str] = None,
group_authentication_secret: Optional[str] = None,
ha_sync_esp_seqno: Optional[str] = None,
idle_timeout: Optional[str] = None,
idle_timeoutinterval: Optional[int] = None,
ike_version: Optional[str] = None,
inbound_dscp_copy: Optional[str] = None,
include_local_lan: Optional[str] = None,
interface: Optional[str] = None,
internal_domain_lists: Optional[Sequence[Phase1InternalDomainListArgs]] = None,
ip_delay_interval: Optional[int] = None,
ipv4_dns_server1: Optional[str] = None,
ipv4_dns_server2: Optional[str] = None,
ipv4_dns_server3: Optional[str] = None,
ipv4_end_ip: Optional[str] = None,
ipv4_exclude_ranges: Optional[Sequence[Phase1Ipv4ExcludeRangeArgs]] = None,
ipv4_name: Optional[str] = None,
ipv4_netmask: Optional[str] = None,
ipv4_split_exclude: Optional[str] = None,
ipv4_split_include: Optional[str] = None,
ipv4_start_ip: Optional[str] = None,
ipv4_wins_server1: Optional[str] = None,
ipv4_wins_server2: Optional[str] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_dns_server3: Optional[str] = None,
ipv6_end_ip: Optional[str] = None,
ipv6_exclude_ranges: Optional[Sequence[Phase1Ipv6ExcludeRangeArgs]] = None,
ipv6_name: Optional[str] = None,
ipv6_prefix: Optional[int] = None,
ipv6_split_exclude: Optional[str] = None,
ipv6_split_include: Optional[str] = None,
ipv6_start_ip: Optional[str] = None,
keepalive: Optional[int] = None,
keylife: Optional[int] = None,
kms: Optional[str] = None,
link_cost: Optional[int] = None,
local_gw: Optional[str] = None,
localid: Optional[str] = None,
localid_type: Optional[str] = None,
loopback_asymroute: Optional[str] = None,
mesh_selector_type: Optional[str] = None,
mode: Optional[str] = None,
mode_cfg: Optional[str] = None,
mode_cfg_allow_client_selector: Optional[str] = None,
name: Optional[str] = None,
nattraversal: Optional[str] = None,
negotiate_timeout: Optional[int] = None,
network_id: Optional[int] = None,
network_overlay: Optional[str] = None,
npu_offload: Optional[str] = None,
peer: Optional[str] = None,
peergrp: Optional[str] = None,
peerid: Optional[str] = None,
peertype: Optional[str] = None,
ppk: Optional[str] = None,
ppk_identity: Optional[str] = None,
ppk_secret: Optional[str] = None,
priority: Optional[int] = None,
proposal: Optional[str] = None,
psksecret: Optional[str] = None,
psksecret_remote: Optional[str] = None,
qkd: Optional[str] = None,
qkd_profile: Optional[str] = None,
reauth: Optional[str] = None,
rekey: Optional[str] = None,
remote_gw: Optional[str] = None,
remote_gw6_country: Optional[str] = None,
remote_gw6_end_ip: Optional[str] = None,
remote_gw6_match: Optional[str] = None,
remote_gw6_start_ip: Optional[str] = None,
remote_gw6_subnet: Optional[str] = None,
remote_gw_country: Optional[str] = None,
remote_gw_end_ip: Optional[str] = None,
remote_gw_match: Optional[str] = None,
remote_gw_start_ip: Optional[str] = None,
remote_gw_subnet: Optional[str] = None,
remotegw_ddns: Optional[str] = None,
rsa_signature_format: Optional[str] = None,
rsa_signature_hash_override: Optional[str] = None,
save_password: Optional[str] = None,
send_cert_chain: Optional[str] = None,
signature_hash_alg: Optional[str] = None,
split_include_service: Optional[str] = None,
suite_b: Optional[str] = None,
transport: Optional[str] = None,
type: Optional[str] = None,
unity_support: Optional[str] = None,
usrgrp: Optional[str] = None,
vdomparam: Optional[str] = None,
wizard_type: Optional[str] = None,
xauthtype: Optional[str] = None) -> Phase1
func GetPhase1(ctx *Context, name string, id IDInput, state *Phase1State, opts ...ResourceOption) (*Phase1, error)
public static Phase1 Get(string name, Input<string> id, Phase1State? state, CustomResourceOptions? opts = null)
public static Phase1 get(String name, Output<String> id, Phase1State state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable controlling the addition of a route to the peer destination selector. Valid values:
disable
,enable
. - Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1BackupGateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1Certificate> - Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Fallback
Tcp intThreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the API data type changed between FortiOS versions, for other versions of FortiOS check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Because the API data type changed between FortiOS versions, for other versions of FortiOS check the variable
fec-codec
. Valid values:
rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Internal
Domain Lists List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1InternalDomainList> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1Ipv4ExcludeRange> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1Ipv6ExcludeRange> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - Local VPN gateway.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable NPU offloading. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - Remote VPN gateway.
- Remote
Gw6Country string - IPv6 addresses associated with a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated with a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable controlling the addition of a route to the peer destination selector. Valid values:
disable
,enable
. - Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways []Phase1BackupGatewayArgs - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
[]Phase1CertificateArgs - Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Fallback
Tcp intThreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the API data type changed between FortiOS versions, for other versions of FortiOS check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Because the API data type changed between FortiOS versions, for other versions of FortiOS check the variable
fec-codec
. Valid values:
rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Internal
Domain Lists []Phase1InternalDomainListArgs - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges []Phase1Ipv4ExcludeRangeArgs - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges []Phase1Ipv6ExcludeRangeArgs - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - Local VPN gateway.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable NPU offloading. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - Remote VPN gateway.
- Remote
Gw6Country string - IPv6 addresses associated with a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated with a specific country.
- Remote
Gw End Ip string - Last IPv4 address in the range.
- Remote
Gw Match string - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw Start Ip string - First IPv4 address in the range.
- Remote
Gw Subnet string - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature Format string - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature Hash Override string - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - Send
Cert Chain string - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - Signature
Hash Alg string - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include Service string - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw Route String - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add
Route String - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip From String - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters).
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad Autoconnect String - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Phase1BackupGateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - banner String
- Message that unity client should display after connecting.
- cert
Id Validation String - Enable/disable cross-validation of the peer ID against the identity in the peer's certificate, as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer Username Strip String - Enable/disable domain stripping on the certificate identity. Valid values:
disable
,enable
. - cert
Peer Username Validation String - Enable/disable cross-validation of the peer username against the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust Store String - CA certificate trust store. Valid values:
local
,ems
. - certificates List<Phase1Certificate>
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto Negotiate String - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep Alive String - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume Interval Integer - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id Notification String - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra Giaddr String - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature Auth String - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Integer
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Integer - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamic
Sort Subtable String - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert Auth String - Enable/disable peer certificate authentication in addition to EAP if the peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude Peergrp String - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn Check String - Enable/disable verification of the EMS serial number. Valid values:
enable
,disable
. - enforce
Unique Id String - Enable/disable the peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt Device Id String - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback
Tcp Threshold Integer - Timeout in seconds before falling IKE/IPsec traffic back to TCP.
- fec
Base Integer - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Integer - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of the API, for other versions of FortiOS please check the variable
fec-codec_string
. - fec
Codec String String - Forward Error Correction encoding/decoding algorithm. Due to the data type change of the API, for other versions of FortiOS please check the variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health Check String - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping Profile String - Forward Error Correction (FEC) mapping profile.
- fec
Receive Timeout Integer - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Integer - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send Timeout Integer - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Integer - IKE fragmentation MTU (500 - 16000).
- get
All Tables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication Secret String - Password for IKEv2 ID group authentication (ASCII string or hexadecimal indicated by a leading 0x).
- ha
Sync Esp Seqno String - Enable/disable sequence number jump-ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Integer - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp Copy String - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local Lan String - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - interface_ String
- Local physical, aggregate, or VLAN outgoing interface.
- internal
Domain Lists List<Phase1InternalDomainList> - One or more internal domain names in quotes, separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay Interval Integer - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Phase1Ipv4ExcludeRange> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Phase1Ipv6ExcludeRange> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Integer
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Integer
- NAT-T keep alive interval.
- keylife Integer
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Integer - VPN tunnel underlay link cost.
- local
Gw String - Local VPN gateway.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector Type String - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg Allow Client Selector String - Enable/disable mode-cfg clients using custom phase2 selectors. Valid values:
disable
,enable
. - name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Integer - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id Integer - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable NPU offloading. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Integer
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal String
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - Remote VPN gateway.
- remote
Gw6Country String - IPv6 addresses associated to a specific country.
- remote
Gw6End StringIp - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start StringIp - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remote
Gw StringCountry - IPv4 addresses associated to a specific country.
- remote
Gw StringEnd Ip - Last IPv4 address in the range.
- remote
Gw StringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw StringStart Ip - First IPv4 address in the range.
- remote
Gw StringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature Format String - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature Hash Override String - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password String - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert Chain String - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - signature
Hash Alg String - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include Service String - Split-include services.
- suite
B String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw Route string - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add
Route string - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod string
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd string
- XAuth password (max 35 characters).
- authusr string
- XAuth user name.
- authusrgrp string
- Authentication user group.
- auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways Phase1BackupGateway[] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - banner string
- Message that unity client should display after connecting.
- cert
Id Validation string - Enable/disable cross-validation of the peer ID against the identity in the peer's certificate, as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer Username Strip string - Enable/disable domain stripping on the certificate identity. Valid values:
disable
,enable
. - cert
Peer Username Validation string - Enable/disable cross-validation of the peer username against the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust Store string - CA certificate trust store. Valid values:
local
,ems
. - certificates Phase1Certificate[]
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume numberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments string
- Comment.
- dev
Id string - Device ID carried by the device ID notification.
- dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance number
- Distance for routes added by IKE (1 - 255).
- dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - domain string
- Instruct unity clients about the default DNS domain.
- dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount number - Number of DPD retry attempts.
- dpd
Retryinterval string - DPD retry interval.
- dynamic
Sort Subtable string - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback
Tcp Threshold number - Timeout in seconds before falling IKE/IPsec traffic back to TCP.
- fec
Base number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec number - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of the API, for other versions of FortiOS please check the variable
fec-codec_string
. - fec
Codec String string - Forward Error Correction encoding/decoding algorithm. Due to the data type change of the API, for other versions of FortiOS please check the variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health stringCheck - SD-WAN health check.
- fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive numberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send numberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu number - IKE fragmentation MTU (500 - 16000).
- get
All Tables string - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication Secret string - Password for IKEv2 ID group authentication (ASCII string or hexadecimal indicated by a leading 0x).
- ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version string - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp Copy string - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local Lan string - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - interface string
- Local physical, aggregate, or VLAN outgoing interface.
- internal
Domain Lists Phase1InternalDomainList[] - One or more internal domain names in quotes, separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay numberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 string - IPv4 DNS server 1.
- ipv4Dns
Server2 string - IPv4 DNS server 2.
- ipv4Dns
Server3 string - IPv4 DNS server 3.
- ipv4End
Ip string - End of IPv4 range.
- ipv4Exclude
Ranges Phase1Ipv4ExcludeRange[] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name string
- IPv4 address name.
- ipv4Netmask string
- IPv4 Netmask.
- ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include string - IPv4 split-include subnets.
- ipv4Start
Ip string - Start of IPv4 range.
- ipv4Wins
Server1 string - WINS server 1.
- ipv4Wins
Server2 string - WINS server 2.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Dns
Server3 string - IPv6 DNS server 3.
- ipv6End
Ip string - End of IPv6 range.
- ipv6Exclude
Ranges Phase1Ipv6ExcludeRange[] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name string
- IPv6 address name.
- ipv6Prefix number
- IPv6 prefix.
- ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include string - IPv6 split-include subnets.
- ipv6Start
Ip string - Start of IPv6 range.
- keepalive number
- NAT-T keep alive interval.
- keylife number
- Time to wait in seconds before phase 1 encryption key expires.
- kms string
- Key Management Services server.
- link
Cost number - VPN tunnel underlay link cost.
- local
Gw string - Local VPN gateway.
- localid string
- Local ID.
- localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode string
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name string
- IPsec remote gateway name.
- nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout number - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id number - VPN gateway network ID.
- network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload string - Enable/disable NPU offloading. Valid values:
enable
,disable
. - peer string
- Accept this peer certificate.
- peergrp string
- Accept this peer certificate group.
- peerid string
- Accept this peer identity.
- peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw string - Remote VPN gateway.
- remote
Gw6Country string - IPv6 addresses associated to a specific country.
- remoteGw6EndIp string - Last IPv6 address in the range.
- remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remoteGw6StartIp string - First IPv6 address in the range.
- remote
Gw6Subnet string - IPv6 address and prefix.
- remoteGwCountry string - IPv4 addresses associated to a specific country.
- remoteGwEndIp string - Last IPv4 address in the range.
- remoteGwMatch string - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remoteGwStartIp string - First IPv4 address in the range.
- remoteGwSubnet string - IPv4 address and subnet mask.
- remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- rsaSignatureFormat string - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsaSignatureHashOverride string - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - sendCertChain string - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signatureHashAlg string - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - splitIncludeService string - Split-include services.
- suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp string
- User group name for dialup peers.
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- wizard
Type string - GUI VPN Wizard Type.
- xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct_
verify str - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add_gw_route str - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - add_
route str - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - assign_
ip str - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign_ip_from str - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod str
- Authentication method. Valid values:
psk
,signature
. - authmethod_
remote str - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd str
- XAuth password (max 35 characters).
- authusr str
- XAuth user name.
- authusrgrp str
- Authentication user group.
- auto_
negotiate str - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure_ad_autoconnect str - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup_gateways Sequence[Phase1BackupGatewayArgs] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - str
- Message that unity client should display after connecting.
. - cert_id_validation str - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert_peer_username_strip str - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert_peer_username_validation str - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert_trust_store str - CA certificate trust store. Valid values:
local
,ems
. - certificates Sequence[Phase1CertificateArgs] - Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless_
ike str - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client_auto_negotiate str - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client_keep_alive str - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client_
resume str - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client_resume_interval int - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments str
- Comment.
- dev_
id str - Device ID carried by the device ID notification.
- dev_id_notification str - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6_ra_linkaddr str - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp_ra_giaddr str - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp str
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital_signature_auth str - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance int
- Distance for routes added by IKE (1 - 255).
- dns_
mode str - DNS server mode. Valid values:
manual
,auto
. - domain str
- Instruct unity clients about the default DNS domain.
- dpd str
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd_
retrycount int - Number of DPD retry attempts.
- dpd_
retryinterval str - DPD retry interval.
- dynamic_sort_subtable str - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap str
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap_cert_auth str - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap_exclude_peergrp str - Peer group excluded from EAP authentication.
- eap_
identity str - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems_sn_check str - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforce_unique_id str - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn str
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange_fgt_device_id str - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallback_tcp_threshold int - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- fec_
base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec_
codec int - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec_codec_string str - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:
rs
,xor
. - fec_
egress str - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec_health_check str - SD-WAN health check.
- fec_
ingress str - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec_mapping_profile str - Forward Error Correction (FEC) mapping profile.
- fec_receive_timeout int - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec_
redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec_send_timeout int - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp_
sync str - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient_
enforcement str - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet_esp str - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation str
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - fragmentation_
mtu int - IKE fragmentation MTU (500 - 16000).
- get_all_tables str - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group_
authentication str - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group_authentication_secret str - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha_sync_esp_seqno str - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle_
timeout str - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle_
timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike_
version str - IKE protocol version. Valid values:
1
,2
. - inbound_dscp_copy str - Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values:
enable
,disable
. - include_local_lan str - Enable/disable allow local LAN access on unity clients. Valid values:
disable
,enable
. - interface str
- Local physical, aggregate, or VLAN outgoing interface.
- internal_domain_lists Sequence[Phase1InternalDomainListArgs] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip_delay_interval int - IP address reuse delay interval in seconds (0 - 28800).
- ipv4_
dns_ strserver1 - IPv4 DNS server 1.
- ipv4_
dns_ strserver2 - IPv4 DNS server 2.
- ipv4_
dns_ strserver3 - IPv4 DNS server 3.
- ipv4_
end_ strip - End of IPv4 range.
- ipv4_exclude_ranges Sequence[Phase1Ipv4ExcludeRangeArgs] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4_
name str - IPv4 address name.
- ipv4_
netmask str - IPv4 Netmask.
- ipv4_
split_ strexclude - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4_
split_ strinclude - IPv4 split-include subnets.
- ipv4_
start_ strip - Start of IPv4 range.
- ipv4_
wins_ strserver1 - WINS server 1.
- ipv4_
wins_ strserver2 - WINS server 2.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
dns_ strserver3 - IPv6 DNS server 3.
- ipv6_
end_ strip - End of IPv6 range.
- ipv6_exclude_ranges Sequence[Phase1Ipv6ExcludeRangeArgs] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6_
name str - IPv6 address name.
- ipv6_
prefix int - IPv6 prefix.
- ipv6_
split_ strexclude - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6_
split_ strinclude - IPv6 split-include subnets.
- ipv6_
start_ strip - Start of IPv6 range.
- keepalive int
- NAT-T keep alive interval.
- keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- kms str
- Key Management Services server.
- link_
cost int - VPN tunnel underlay link cost.
- local_
gw str - Local VPN gateway.
- localid str
- Local ID.
- localid_
type str - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback_
asymroute str - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh_selector_type str - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode str
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode_
cfg str - Enable/disable configuration method. Valid values:
disable
,enable
. - mode_cfg_allow_client_selector str - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name str
- IPsec remote gateway name.
- nattraversal str
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate_
timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- network_
id int - VPN gateway network ID.
- network_
overlay str - Enable/disable network overlays. Valid values:
disable
,enable
. - npu_
offload str - Enable/disable offloading NPU. Valid values:
enable
,disable
. - peer str
- Accept this peer certificate.
- peergrp str
- Accept this peer certificate group.
- peerid str
- Accept this peer identity.
- peertype str
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk str
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk_
identity str - IKEv2 Postquantum Preshared Key Identity.
- ppk_
secret str - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal str
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret str
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret_
remote str - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd str
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd_
profile str - Quantum Key Distribution (QKD) server profile.
- reauth str
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey str
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote_
gw str - Remote VPN gateway.
- remote_gw6_country str - IPv6 addresses associated to a specific country.
- remote_gw6_end_ip str - Last IPv6 address in the range.
- remote_gw6_match str - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote_gw6_start_ip str - First IPv6 address in the range.
- remote_gw6_subnet str - IPv6 address and prefix.
- remote_gw_country str - IPv4 addresses associated to a specific country.
- remote_gw_end_ip str - Last IPv4 address in the range.
- remote_gw_match str - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote_gw_start_ip str - First IPv4 address in the range.
- remote_gw_subnet str - IPv4 address and subnet mask.
- remotegw_
ddns str - Domain name of remote gateway. For example, name.ddns.com.
- rsa_signature_format str - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa_signature_hash_override str - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save_
password str - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send_cert_chain str - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature_hash_alg str - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split_include_service str - Split-include services.
- suite_
b str - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport str
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type str
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity_
support str - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp str
- User group name for dialup peers.
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- wizard_
type str - GUI VPN Wizard Type.
- xauthtype str
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - addGwRoute String - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - add
Route String - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assignIpFrom String - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters).
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azureAdAutoconnect String - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Property Map> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - String
- Message that unity client should display after connecting.
- certIdValidation String - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - certPeerUsernameStrip String - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - certPeerUsernameValidation String - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - certTrustStore String - CA certificate trust store. Valid values:
local
,ems
. - certificates List<Property Map>
- Names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - clientAutoNegotiate String - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - clientKeepAlive String - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - clientResumeInterval Number - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- dev
Id String - Device ID carried by the device ID notification.
- devIdNotification String - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcpRaGiaddr String - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digitalSignatureAuth String - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Number
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Number - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamicSortSubtable String - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eapCertAuth String - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eapExcludePeergrp String - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - emsSnCheck String - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - enforceUniqueId String - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchangeFgtDeviceId String - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - fallbackTcpThreshold Number - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- fec
Base Number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Number - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fecCodecString String - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:
rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive NumberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send NumberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinetEsp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Number - IKE fragmentation MTU (500 - 16000).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - groupAuthenticationSecret String - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- haSyncEspSeqno String - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp StringCopy - Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values:
enable
,disable
. - include
Local StringLan - Enable/disable allow local LAN access on unity clients. Valid values:
disable
,enable
. - interface String
- Local physical, aggregate, or VLAN outgoing interface.
- internalDomainLists List<Property Map> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay NumberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Property Map> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Property Map> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Number
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Number
- NAT-T keep alive interval.
- keylife Number
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Number - VPN tunnel underlay link cost.
- local
Gw String - Local VPN gateway.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - meshSelectorType String - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - modeCfgAllowClientSelector String - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Number - IKE SA negotiation timeout in seconds (1 - 300).
- network
Id Number - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable offloading NPU. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal String
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkdProfile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remoteGw String - Remote VPN gateway.
- remoteGw6Country String - IPv6 addresses associated with a specific country.
- remoteGw6EndIp String - Last IPv6 address in the range.
- remoteGw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remoteGw6StartIp String - First IPv6 address in the range.
- remoteGw6Subnet String - IPv6 address and prefix.
- remoteGwCountry String - IPv4 addresses associated with a specific country.
- remoteGwEndIp String - Last IPv4 address in the range.
- remoteGwMatch String - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remoteGwStartIp String - First IPv4 address in the range.
- remoteGwSubnet String - IPv4 address and subnet mask.
- remotegwDdns String - Domain name of the remote gateway. For example, name.ddns.com.
- rsaSignatureFormat String - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsaSignatureHashOverride String - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - savePassword String - Enable/disable saving the XAuth username and password on VPN clients. Valid values:
disable
,enable
. - sendCertChain String - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - signatureHashAlg String - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - splitIncludeService String - Split-include services.
- suiteB String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unitySupport String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- wizardType String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
Supporting Types
Phase1BackupGateway, Phase1BackupGatewayArgs
- Address string
- Address of backup gateway.
- Address string
- Address of backup gateway.
- address String
- Address of backup gateway.
- address string
- Address of backup gateway.
- address str
- Address of backup gateway.
- address String
- Address of backup gateway.
Phase1Certificate, Phase1CertificateArgs
- Name string
- Certificate name.
- Name string
- Certificate name.
- name String
- Certificate name.
- name string
- Certificate name.
- name str
- Certificate name.
- name String
- Certificate name.
Phase1InternalDomainList, Phase1InternalDomainListArgs
- DomainName string - Domain name.
The
ipv4_exclude_range
block supports:
- DomainName string - Domain name.
The
ipv4_exclude_range
block supports:
- domainName String - Domain name.
The
ipv4_exclude_range
block supports:
- domainName string - Domain name.
The
ipv4_exclude_range
block supports:
- domain_name str - Domain name.
The
ipv4_exclude_range
block supports:
- domainName String - Domain name.
The
ipv4_exclude_range
block supports:
Phase1Ipv4ExcludeRange, Phase1Ipv4ExcludeRangeArgs
Phase1Ipv6ExcludeRange, Phase1Ipv6ExcludeRangeArgs
Import
VpnIpsec Phase1 can be imported using any of these accepted formats:
$ pulumi import fortios:vpn/ipsec/phase1:Phase1 labelname {{name}}
If you do not want to import the arguments of the block:
$ export "FORTIOS_IMPORT_TABLE"="false"
$ pulumi import fortios:vpn/ipsec/phase1:Phase1 labelname {{name}}
$ unset "FORTIOS_IMPORT_TABLE"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
fortios
Terraform Provider.