fortios.vpn/ipsec.Phase1interface
Configure VPN remote gateway.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";
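// Example: a static IKEv1 (main mode) Phase 1 interface on port3, authenticated
// with a pre-shared key. The PSK is a credential: read it from Pulumi's
// encrypted stack config (`pulumi config set --secret psksecret <value>`)
// instead of writing it into source; requireSecret also keeps the value
// encrypted in the stack state.
const config = new pulumi.Config();
const psksecret = config.requireSecret("psksecret");

const trname2 = new fortios.vpn.ipsec.Phase1interface("trname2", {
  acctVerify: "disable",
  addGwRoute: "disable",
  addRoute: "enable",
  assignIp: "enable",
  assignIpFrom: "range",
  authmethod: "psk",
  autoDiscoveryForwarder: "disable",
  autoDiscoveryPsk: "disable",
  autoDiscoveryReceiver: "disable",
  autoDiscoverySender: "disable",
  autoNegotiate: "enable",
  certIdValidation: "enable",
  childlessIke: "disable",
  clientAutoNegotiate: "disable",
  clientKeepAlive: "disable",
  defaultGw: "0.0.0.0",
  defaultGwPriority: 0,
  // Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14 or
  // higher alone when the peer supports it.
  dhgrp: "14 5",
  digitalSignatureAuth: "disable",
  distance: 15,
  dnsMode: "manual",
  dpd: "on-demand",
  dpdRetrycount: 3,
  dpdRetryinterval: "20",
  eap: "disable",
  eapIdentity: "use-id-payload",
  encapLocalGw4: "0.0.0.0",
  encapLocalGw6: "::",
  encapRemoteGw4: "0.0.0.0",
  encapRemoteGw6: "::",
  encapsulation: "none",
  encapsulationAddress: "ike",
  enforceUniqueId: "disable",
  exchangeInterfaceIp: "disable",
  exchangeIpAddr4: "0.0.0.0",
  exchangeIpAddr6: "::",
  forticlientEnforcement: "disable",
  fragmentation: "enable",
  fragmentationMtu: 1200,
  groupAuthentication: "disable",
  haSyncEspSeqno: "enable",
  idleTimeout: "disable",
  idleTimeoutinterval: 15,
  // IKEv1 is deprecated (RFC 9395); use "2" unless the peer only speaks IKEv1.
  ikeVersion: "1",
  includeLocalLan: "disable",
  "interface": "port3",
  ipVersion: "4",
  ipv4DnsServer1: "0.0.0.0",
  ipv4DnsServer2: "0.0.0.0",
  ipv4DnsServer3: "0.0.0.0",
  ipv4EndIp: "0.0.0.0",
  ipv4Netmask: "255.255.255.255",
  ipv4StartIp: "0.0.0.0",
  ipv4WinsServer1: "0.0.0.0",
  ipv4WinsServer2: "0.0.0.0",
  ipv6DnsServer1: "::",
  ipv6DnsServer2: "::",
  ipv6DnsServer3: "::",
  ipv6EndIp: "::",
  ipv6Prefix: 128,
  ipv6StartIp: "::",
  keepalive: 10,
  keylife: 86400,
  localGw: "0.0.0.0",
  localGw6: "::",
  localidType: "auto",
  meshSelectorType: "disable",
  mode: "main",
  modeCfg: "disable",
  monitorHoldDownDelay: 0,
  monitorHoldDownTime: "00:00",
  monitorHoldDownType: "immediate",
  monitorHoldDownWeekday: "sunday",
  nattraversal: "enable",
  negotiateTimeout: 30,
  netDevice: "disable",
  passiveMode: "disable",
  peertype: "any",
  ppk: "disable",
  priority: 0,
  // The *-sha1 entries are legacy fallbacks; drop them once the peer
  // negotiates SHA-2.
  proposal: "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
  psksecret,
  reauth: "disable",
  rekey: "enable",
  // Example peer address; replace with the remote gateway's address.
  remoteGw: "102.2.2.12",
  remoteGw6: "::",
  rsaSignatureFormat: "pkcs1",
  savePassword: "disable",
  sendCertChain: "enable",
  // sha1 is a legacy fallback, listed last so SHA-2 is preferred.
  signatureHashAlg: "sha2-512 sha2-384 sha2-256 sha1",
  suiteB: "disable",
  tunnelSearch: "selectors",
  type: "static",
  unitySupport: "enable",
  wizardType: "custom",
  xauthtype: "disable",
});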
import pulumi
import pulumiverse_fortios as fortios
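# Example: a static IKEv1 (main mode) Phase 1 interface on port3, authenticated
# with a pre-shared key. The PSK is a credential: read it from Pulumi's
# encrypted stack config (`pulumi config set --secret psksecret <value>`)
# instead of writing it into source; require_secret also keeps the value
# encrypted in the stack state.
config = pulumi.Config()
psksecret = config.require_secret("psksecret")

trname2 = fortios.vpn.ipsec.Phase1interface("trname2",
    acct_verify="disable",
    add_gw_route="disable",
    add_route="enable",
    assign_ip="enable",
    assign_ip_from="range",
    authmethod="psk",
    auto_discovery_forwarder="disable",
    auto_discovery_psk="disable",
    auto_discovery_receiver="disable",
    auto_discovery_sender="disable",
    auto_negotiate="enable",
    cert_id_validation="enable",
    childless_ike="disable",
    client_auto_negotiate="disable",
    client_keep_alive="disable",
    default_gw="0.0.0.0",
    default_gw_priority=0,
    # Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14 or
    # higher alone when the peer supports it.
    dhgrp="14 5",
    digital_signature_auth="disable",
    distance=15,
    dns_mode="manual",
    dpd="on-demand",
    dpd_retrycount=3,
    dpd_retryinterval="20",
    eap="disable",
    eap_identity="use-id-payload",
    encap_local_gw4="0.0.0.0",
    encap_local_gw6="::",
    encap_remote_gw4="0.0.0.0",
    encap_remote_gw6="::",
    encapsulation="none",
    encapsulation_address="ike",
    enforce_unique_id="disable",
    exchange_interface_ip="disable",
    exchange_ip_addr4="0.0.0.0",
    exchange_ip_addr6="::",
    forticlient_enforcement="disable",
    fragmentation="enable",
    fragmentation_mtu=1200,
    group_authentication="disable",
    ha_sync_esp_seqno="enable",
    idle_timeout="disable",
    idle_timeoutinterval=15,
    # IKEv1 is deprecated (RFC 9395); use "2" unless the peer only speaks IKEv1.
    ike_version="1",
    include_local_lan="disable",
    interface="port3",
    ip_version="4",
    ipv4_dns_server1="0.0.0.0",
    ipv4_dns_server2="0.0.0.0",
    ipv4_dns_server3="0.0.0.0",
    ipv4_end_ip="0.0.0.0",
    ipv4_netmask="255.255.255.255",
    ipv4_start_ip="0.0.0.0",
    ipv4_wins_server1="0.0.0.0",
    ipv4_wins_server2="0.0.0.0",
    ipv6_dns_server1="::",
    ipv6_dns_server2="::",
    ipv6_dns_server3="::",
    ipv6_end_ip="::",
    ipv6_prefix=128,
    ipv6_start_ip="::",
    keepalive=10,
    keylife=86400,
    local_gw="0.0.0.0",
    local_gw6="::",
    localid_type="auto",
    mesh_selector_type="disable",
    mode="main",
    mode_cfg="disable",
    monitor_hold_down_delay=0,
    monitor_hold_down_time="00:00",
    monitor_hold_down_type="immediate",
    monitor_hold_down_weekday="sunday",
    nattraversal="enable",
    negotiate_timeout=30,
    net_device="disable",
    passive_mode="disable",
    peertype="any",
    ppk="disable",
    priority=0,
    # The *-sha1 entries are legacy fallbacks; drop them once the peer
    # negotiates SHA-2.
    proposal="aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
    psksecret=psksecret,
    reauth="disable",
    rekey="enable",
    # Example peer address; replace with the remote gateway's address.
    remote_gw="102.2.2.12",
    remote_gw6="::",
    rsa_signature_format="pkcs1",
    save_password="disable",
    send_cert_chain="enable",
    # sha1 is a legacy fallback, listed last so SHA-2 is preferred.
    signature_hash_alg="sha2-512 sha2-384 sha2-256 sha1",
    suite_b="disable",
    tunnel_search="selectors",
    type="static",
    unity_support="enable",
    wizard_type="custom",
    xauthtype="disable")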
package main
import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
	"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/vpn"
)
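// main declares a static IKEv1 (main mode) Phase 1 interface on port3,
// authenticated with a pre-shared key. The PSK is a credential: it is read
// from Pulumi's encrypted stack config (`pulumi config set --secret psksecret
// <value>`) instead of being written into source; RequireSecret also keeps
// the value encrypted in the stack state.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		psksecret := cfg.RequireSecret("psksecret")

		_, err := vpn.NewPhase1interface(ctx, "trname2", &vpn.Phase1interfaceArgs{
			AcctVerify:             pulumi.String("disable"),
			AddGwRoute:             pulumi.String("disable"),
			AddRoute:               pulumi.String("enable"),
			AssignIp:               pulumi.String("enable"),
			AssignIpFrom:           pulumi.String("range"),
			Authmethod:             pulumi.String("psk"),
			AutoDiscoveryForwarder: pulumi.String("disable"),
			AutoDiscoveryPsk:       pulumi.String("disable"),
			AutoDiscoveryReceiver:  pulumi.String("disable"),
			AutoDiscoverySender:    pulumi.String("disable"),
			AutoNegotiate:          pulumi.String("enable"),
			CertIdValidation:       pulumi.String("enable"),
			ChildlessIke:           pulumi.String("disable"),
			ClientAutoNegotiate:    pulumi.String("disable"),
			ClientKeepAlive:        pulumi.String("disable"),
			DefaultGw:              pulumi.String("0.0.0.0"),
			DefaultGwPriority:      pulumi.Int(0),
			// Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14
			// or higher alone when the peer supports it.
			Dhgrp:                pulumi.String("14 5"),
			DigitalSignatureAuth: pulumi.String("disable"),
			Distance:             pulumi.Int(15),
			DnsMode:              pulumi.String("manual"),
			Dpd:                  pulumi.String("on-demand"),
			DpdRetrycount:        pulumi.Int(3),
			DpdRetryinterval:     pulumi.String("20"),
			Eap:                  pulumi.String("disable"),
			EapIdentity:          pulumi.String("use-id-payload"),
			EncapLocalGw4:        pulumi.String("0.0.0.0"),
			EncapLocalGw6:        pulumi.String("::"),
			EncapRemoteGw4:       pulumi.String("0.0.0.0"),
			EncapRemoteGw6:       pulumi.String("::"),
			Encapsulation:        pulumi.String("none"),
			EncapsulationAddress: pulumi.String("ike"),
			EnforceUniqueId:      pulumi.String("disable"),
			ExchangeInterfaceIp:  pulumi.String("disable"),
			ExchangeIpAddr4:      pulumi.String("0.0.0.0"),
			ExchangeIpAddr6:      pulumi.String("::"),
			ForticlientEnforcement: pulumi.String("disable"),
			Fragmentation:          pulumi.String("enable"),
			FragmentationMtu:       pulumi.Int(1200),
			GroupAuthentication:    pulumi.String("disable"),
			HaSyncEspSeqno:         pulumi.String("enable"),
			IdleTimeout:            pulumi.String("disable"),
			IdleTimeoutinterval:    pulumi.Int(15),
			// IKEv1 is deprecated (RFC 9395); use "2" unless the peer only speaks IKEv1.
			IkeVersion:      pulumi.String("1"),
			IncludeLocalLan: pulumi.String("disable"),
			Interface:       pulumi.String("port3"),
			IpVersion:       pulumi.String("4"),
			Ipv4DnsServer1:  pulumi.String("0.0.0.0"),
			Ipv4DnsServer2:  pulumi.String("0.0.0.0"),
			Ipv4DnsServer3:  pulumi.String("0.0.0.0"),
			Ipv4EndIp:       pulumi.String("0.0.0.0"),
			Ipv4Netmask:     pulumi.String("255.255.255.255"),
			Ipv4StartIp:     pulumi.String("0.0.0.0"),
			Ipv4WinsServer1: pulumi.String("0.0.0.0"),
			Ipv4WinsServer2: pulumi.String("0.0.0.0"),
			Ipv6DnsServer1:  pulumi.String("::"),
			Ipv6DnsServer2:  pulumi.String("::"),
			Ipv6DnsServer3:  pulumi.String("::"),
			Ipv6EndIp:       pulumi.String("::"),
			Ipv6Prefix:      pulumi.Int(128),
			Ipv6StartIp:     pulumi.String("::"),
			Keepalive:       pulumi.Int(10),
			Keylife:         pulumi.Int(86400),
			LocalGw:         pulumi.String("0.0.0.0"),
			LocalGw6:        pulumi.String("::"),
			LocalidType:     pulumi.String("auto"),
			MeshSelectorType: pulumi.String("disable"),
			Mode:             pulumi.String("main"),
			ModeCfg:          pulumi.String("disable"),
			MonitorHoldDownDelay:   pulumi.Int(0),
			MonitorHoldDownTime:    pulumi.String("00:00"),
			MonitorHoldDownType:    pulumi.String("immediate"),
			MonitorHoldDownWeekday: pulumi.String("sunday"),
			Nattraversal:           pulumi.String("enable"),
			NegotiateTimeout:       pulumi.Int(30),
			NetDevice:              pulumi.String("disable"),
			PassiveMode:            pulumi.String("disable"),
			Peertype:               pulumi.String("any"),
			Ppk:                    pulumi.String("disable"),
			Priority:               pulumi.Int(0),
			// The *-sha1 entries are legacy fallbacks; drop them once the peer
			// negotiates SHA-2.
			Proposal:  pulumi.String("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"),
			Psksecret: psksecret,
			Reauth:    pulumi.String("disable"),
			Rekey:     pulumi.String("enable"),
			// Example peer address; replace with the remote gateway's address.
			RemoteGw:           pulumi.String("102.2.2.12"),
			RemoteGw6:          pulumi.String("::"),
			RsaSignatureFormat: pulumi.String("pkcs1"),
			SavePassword:       pulumi.String("disable"),
			SendCertChain:      pulumi.String("enable"),
			// sha1 is a legacy fallback, listed last so SHA-2 is preferred.
			SignatureHashAlg: pulumi.String("sha2-512 sha2-384 sha2-256 sha1"),
			SuiteB:           pulumi.String("disable"),
			TunnelSearch:     pulumi.String("selectors"),
			Type:             pulumi.String("static"),
			UnitySupport:     pulumi.String("enable"),
			WizardType:       pulumi.String("custom"),
			Xauthtype:        pulumi.String("disable"),
		})
		// A nil err falls through unchanged, so no separate success branch is needed.
		return err
	})
}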
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;
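return await Deployment.RunAsync(() =>
{
    // Example: a static IKEv1 (main mode) Phase 1 interface on port3,
    // authenticated with a pre-shared key. The PSK is a credential: read it
    // from Pulumi's encrypted stack config (`pulumi config set --secret
    // psksecret <value>`) instead of writing it into source; RequireSecret
    // also keeps the value encrypted in the stack state.
    var config = new Config();
    var psksecret = config.RequireSecret("psksecret");

    var trname2 = new Fortios.Vpn.Ipsec.Phase1interface("trname2", new()
    {
        AcctVerify = "disable",
        AddGwRoute = "disable",
        AddRoute = "enable",
        AssignIp = "enable",
        AssignIpFrom = "range",
        Authmethod = "psk",
        AutoDiscoveryForwarder = "disable",
        AutoDiscoveryPsk = "disable",
        AutoDiscoveryReceiver = "disable",
        AutoDiscoverySender = "disable",
        AutoNegotiate = "enable",
        CertIdValidation = "enable",
        ChildlessIke = "disable",
        ClientAutoNegotiate = "disable",
        ClientKeepAlive = "disable",
        DefaultGw = "0.0.0.0",
        DefaultGwPriority = 0,
        // Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14
        // or higher alone when the peer supports it.
        Dhgrp = "14 5",
        DigitalSignatureAuth = "disable",
        Distance = 15,
        DnsMode = "manual",
        Dpd = "on-demand",
        DpdRetrycount = 3,
        DpdRetryinterval = "20",
        Eap = "disable",
        EapIdentity = "use-id-payload",
        EncapLocalGw4 = "0.0.0.0",
        EncapLocalGw6 = "::",
        EncapRemoteGw4 = "0.0.0.0",
        EncapRemoteGw6 = "::",
        Encapsulation = "none",
        EncapsulationAddress = "ike",
        EnforceUniqueId = "disable",
        ExchangeInterfaceIp = "disable",
        ExchangeIpAddr4 = "0.0.0.0",
        ExchangeIpAddr6 = "::",
        ForticlientEnforcement = "disable",
        Fragmentation = "enable",
        FragmentationMtu = 1200,
        GroupAuthentication = "disable",
        HaSyncEspSeqno = "enable",
        IdleTimeout = "disable",
        IdleTimeoutinterval = 15,
        // IKEv1 is deprecated (RFC 9395); use "2" unless the peer only speaks IKEv1.
        IkeVersion = "1",
        IncludeLocalLan = "disable",
        Interface = "port3",
        IpVersion = "4",
        Ipv4DnsServer1 = "0.0.0.0",
        Ipv4DnsServer2 = "0.0.0.0",
        Ipv4DnsServer3 = "0.0.0.0",
        Ipv4EndIp = "0.0.0.0",
        Ipv4Netmask = "255.255.255.255",
        Ipv4StartIp = "0.0.0.0",
        Ipv4WinsServer1 = "0.0.0.0",
        Ipv4WinsServer2 = "0.0.0.0",
        Ipv6DnsServer1 = "::",
        Ipv6DnsServer2 = "::",
        Ipv6DnsServer3 = "::",
        Ipv6EndIp = "::",
        Ipv6Prefix = 128,
        Ipv6StartIp = "::",
        Keepalive = 10,
        Keylife = 86400,
        LocalGw = "0.0.0.0",
        LocalGw6 = "::",
        LocalidType = "auto",
        MeshSelectorType = "disable",
        Mode = "main",
        ModeCfg = "disable",
        MonitorHoldDownDelay = 0,
        MonitorHoldDownTime = "00:00",
        MonitorHoldDownType = "immediate",
        MonitorHoldDownWeekday = "sunday",
        Nattraversal = "enable",
        NegotiateTimeout = 30,
        NetDevice = "disable",
        PassiveMode = "disable",
        Peertype = "any",
        Ppk = "disable",
        Priority = 0,
        // The *-sha1 entries are legacy fallbacks; drop them once the peer
        // negotiates SHA-2.
        Proposal = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
        Psksecret = psksecret,
        Reauth = "disable",
        Rekey = "enable",
        // Example peer address; replace with the remote gateway's address.
        RemoteGw = "102.2.2.12",
        RemoteGw6 = "::",
        RsaSignatureFormat = "pkcs1",
        SavePassword = "disable",
        SendCertChain = "enable",
        // sha1 is a legacy fallback, listed last so SHA-2 is preferred.
        SignatureHashAlg = "sha2-512 sha2-384 sha2-256 sha1",
        SuiteB = "disable",
        TunnelSearch = "selectors",
        Type = "static",
        UnitySupport = "enable",
        WizardType = "custom",
        Xauthtype = "disable",
    });
});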
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.vpn.Phase1interface;
import com.pulumi.fortios.vpn.Phase1interfaceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
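public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a static IKEv1 (main mode) Phase 1 interface on port3,
     * authenticated with a pre-shared key.
     *
     * The PSK is a credential: it is read from Pulumi's encrypted stack config
     * ({@code pulumi config set --secret psksecret <value>}) instead of being
     * written into source; requireSecret also keeps the value encrypted in
     * the stack state.
     *
     * @param ctx the Pulumi deployment context supplying the stack config
     */
    public static void stack(Context ctx) {
        var psksecret = ctx.config().requireSecret("psksecret");

        var trname2 = new Phase1interface("trname2", Phase1interfaceArgs.builder()
            .acctVerify("disable")
            .addGwRoute("disable")
            .addRoute("enable")
            .assignIp("enable")
            .assignIpFrom("range")
            .authmethod("psk")
            .autoDiscoveryForwarder("disable")
            .autoDiscoveryPsk("disable")
            .autoDiscoveryReceiver("disable")
            .autoDiscoverySender("disable")
            .autoNegotiate("enable")
            .certIdValidation("enable")
            .childlessIke("disable")
            .clientAutoNegotiate("disable")
            .clientKeepAlive("disable")
            .defaultGw("0.0.0.0")
            .defaultGwPriority(0)
            // Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14
            // or higher alone when the peer supports it.
            .dhgrp("14 5")
            .digitalSignatureAuth("disable")
            .distance(15)
            .dnsMode("manual")
            .dpd("on-demand")
            .dpdRetrycount(3)
            .dpdRetryinterval("20")
            .eap("disable")
            .eapIdentity("use-id-payload")
            .encapLocalGw4("0.0.0.0")
            .encapLocalGw6("::")
            .encapRemoteGw4("0.0.0.0")
            .encapRemoteGw6("::")
            .encapsulation("none")
            .encapsulationAddress("ike")
            .enforceUniqueId("disable")
            .exchangeInterfaceIp("disable")
            .exchangeIpAddr4("0.0.0.0")
            .exchangeIpAddr6("::")
            .forticlientEnforcement("disable")
            .fragmentation("enable")
            .fragmentationMtu(1200)
            .groupAuthentication("disable")
            .haSyncEspSeqno("enable")
            .idleTimeout("disable")
            .idleTimeoutinterval(15)
            // IKEv1 is deprecated (RFC 9395); use "2" unless the peer only speaks IKEv1.
            .ikeVersion("1")
            .includeLocalLan("disable")
            .interface_("port3")
            .ipVersion("4")
            .ipv4DnsServer1("0.0.0.0")
            .ipv4DnsServer2("0.0.0.0")
            .ipv4DnsServer3("0.0.0.0")
            .ipv4EndIp("0.0.0.0")
            .ipv4Netmask("255.255.255.255")
            .ipv4StartIp("0.0.0.0")
            .ipv4WinsServer1("0.0.0.0")
            .ipv4WinsServer2("0.0.0.0")
            .ipv6DnsServer1("::")
            .ipv6DnsServer2("::")
            .ipv6DnsServer3("::")
            .ipv6EndIp("::")
            .ipv6Prefix(128)
            .ipv6StartIp("::")
            .keepalive(10)
            .keylife(86400)
            .localGw("0.0.0.0")
            .localGw6("::")
            .localidType("auto")
            .meshSelectorType("disable")
            .mode("main")
            .modeCfg("disable")
            .monitorHoldDownDelay(0)
            .monitorHoldDownTime("00:00")
            .monitorHoldDownType("immediate")
            .monitorHoldDownWeekday("sunday")
            .nattraversal("enable")
            .negotiateTimeout(30)
            .netDevice("disable")
            .passiveMode("disable")
            .peertype("any")
            .ppk("disable")
            .priority(0)
            // The *-sha1 entries are legacy fallbacks; drop them once the peer
            // negotiates SHA-2.
            .proposal("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1")
            .psksecret(psksecret)
            .reauth("disable")
            .rekey("enable")
            // Example peer address; replace with the remote gateway's address.
            .remoteGw("102.2.2.12")
            .remoteGw6("::")
            .rsaSignatureFormat("pkcs1")
            .savePassword("disable")
            .sendCertChain("enable")
            // sha1 is a legacy fallback, listed last so SHA-2 is preferred.
            .signatureHashAlg("sha2-512 sha2-384 sha2-256 sha1")
            .suiteB("disable")
            .tunnelSearch("selectors")
            .type("static")
            .unitySupport("enable")
            .wizardType("custom")
            .xauthtype("disable")
            .build());
    }
}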
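# Example: a static IKEv1 (main mode) Phase 1 interface on port3, authenticated
# with a pre-shared key. The PSK is a credential: declare it as a secret config
# value (`pulumi config set --secret psksecret <value>`) instead of writing it
# into the program, so it stays encrypted in config and stack state.
config:
  psksecret:
    type: string
    secret: true
resources:
  trname2:
    type: fortios:vpn/ipsec:Phase1interface
    properties:
      acctVerify: disable
      addGwRoute: disable
      addRoute: enable
      assignIp: enable
      assignIpFrom: range
      authmethod: psk
      autoDiscoveryForwarder: disable
      autoDiscoveryPsk: disable
      autoDiscoveryReceiver: disable
      autoDiscoverySender: disable
      autoNegotiate: enable
      certIdValidation: enable
      childlessIke: disable
      clientAutoNegotiate: disable
      clientKeepAlive: disable
      defaultGw: 0.0.0.0
      defaultGwPriority: 0
      # Group 5 (1536-bit MODP) is a weaker legacy fallback; prefer group 14
      # or higher alone when the peer supports it.
      dhgrp: 14 5
      digitalSignatureAuth: disable
      distance: 15
      dnsMode: manual
      dpd: on-demand
      dpdRetrycount: 3
      dpdRetryinterval: '20'
      eap: disable
      eapIdentity: use-id-payload
      encapLocalGw4: 0.0.0.0
      encapLocalGw6: '::'
      encapRemoteGw4: 0.0.0.0
      encapRemoteGw6: '::'
      encapsulation: none
      encapsulationAddress: ike
      enforceUniqueId: disable
      exchangeInterfaceIp: disable
      exchangeIpAddr4: 0.0.0.0
      exchangeIpAddr6: '::'
      forticlientEnforcement: disable
      fragmentation: enable
      fragmentationMtu: 1200
      groupAuthentication: disable
      haSyncEspSeqno: enable
      idleTimeout: disable
      idleTimeoutinterval: 15
      # IKEv1 is deprecated (RFC 9395); use '2' unless the peer only speaks IKEv1.
      ikeVersion: '1'
      includeLocalLan: disable
      interface: port3
      ipVersion: '4'
      ipv4DnsServer1: 0.0.0.0
      ipv4DnsServer2: 0.0.0.0
      ipv4DnsServer3: 0.0.0.0
      ipv4EndIp: 0.0.0.0
      ipv4Netmask: 255.255.255.255
      ipv4StartIp: 0.0.0.0
      ipv4WinsServer1: 0.0.0.0
      ipv4WinsServer2: 0.0.0.0
      ipv6DnsServer1: '::'
      ipv6DnsServer2: '::'
      ipv6DnsServer3: '::'
      ipv6EndIp: '::'
      ipv6Prefix: 128
      ipv6StartIp: '::'
      keepalive: 10
      keylife: 86400
      localGw: 0.0.0.0
      localGw6: '::'
      localidType: auto
      meshSelectorType: disable
      mode: main
      modeCfg: disable
      monitorHoldDownDelay: 0
      # Quoted so it is passed as the string "00:00", matching the other SDK examples.
      monitorHoldDownTime: '00:00'
      monitorHoldDownType: immediate
      monitorHoldDownWeekday: sunday
      nattraversal: enable
      negotiateTimeout: 30
      netDevice: disable
      passiveMode: disable
      peertype: any
      ppk: disable
      priority: 0
      # The *-sha1 entries are legacy fallbacks; drop them once the peer
      # negotiates SHA-2.
      proposal: aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      psksecret: ${psksecret}
      reauth: disable
      rekey: enable
      # Example peer address; replace with the remote gateway's address.
      remoteGw: 102.2.2.12
      remoteGw6: '::'
      rsaSignatureFormat: pkcs1
      savePassword: disable
      sendCertChain: enable
      # sha1 is a legacy fallback, listed last so SHA-2 is preferred.
      signatureHashAlg: sha2-512 sha2-384 sha2-256 sha1
      suiteB: disable
      tunnelSearch: selectors
      type: static
      unitySupport: enable
      wizardType: custom
      xauthtype: disable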
Create Phase1interface Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Phase1interface(name: string, args: Phase1interfaceArgs, opts?: CustomResourceOptions);
@overload
def Phase1interface(resource_name: str,
args: Phase1interfaceArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Phase1interface(resource_name: str,
opts: Optional[ResourceOptions] = None,
interface: Optional[str] = None,
proposal: Optional[str] = None,
acct_verify: Optional[str] = None,
add_gw_route: Optional[str] = None,
add_route: Optional[str] = None,
aggregate_member: Optional[str] = None,
aggregate_weight: Optional[int] = None,
assign_ip: Optional[str] = None,
assign_ip_from: Optional[str] = None,
authmethod: Optional[str] = None,
authmethod_remote: Optional[str] = None,
authpasswd: Optional[str] = None,
authusr: Optional[str] = None,
authusrgrp: Optional[str] = None,
auto_discovery_crossover: Optional[str] = None,
auto_discovery_forwarder: Optional[str] = None,
auto_discovery_offer_interval: Optional[int] = None,
auto_discovery_psk: Optional[str] = None,
auto_discovery_receiver: Optional[str] = None,
auto_discovery_sender: Optional[str] = None,
auto_discovery_shortcuts: Optional[str] = None,
auto_negotiate: Optional[str] = None,
azure_ad_autoconnect: Optional[str] = None,
backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
banner: Optional[str] = None,
cert_id_validation: Optional[str] = None,
cert_peer_username_strip: Optional[str] = None,
cert_peer_username_validation: Optional[str] = None,
cert_trust_store: Optional[str] = None,
certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
childless_ike: Optional[str] = None,
client_auto_negotiate: Optional[str] = None,
client_keep_alive: Optional[str] = None,
client_resume: Optional[str] = None,
client_resume_interval: Optional[int] = None,
comments: Optional[str] = None,
default_gw: Optional[str] = None,
default_gw_priority: Optional[int] = None,
dev_id: Optional[str] = None,
dev_id_notification: Optional[str] = None,
dhcp6_ra_linkaddr: Optional[str] = None,
dhcp_ra_giaddr: Optional[str] = None,
dhgrp: Optional[str] = None,
digital_signature_auth: Optional[str] = None,
distance: Optional[int] = None,
dns_mode: Optional[str] = None,
domain: Optional[str] = None,
dpd: Optional[str] = None,
dpd_retrycount: Optional[int] = None,
dpd_retryinterval: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
eap: Optional[str] = None,
eap_cert_auth: Optional[str] = None,
eap_exclude_peergrp: Optional[str] = None,
eap_identity: Optional[str] = None,
ems_sn_check: Optional[str] = None,
encap_local_gw4: Optional[str] = None,
encap_local_gw6: Optional[str] = None,
encap_remote_gw4: Optional[str] = None,
encap_remote_gw6: Optional[str] = None,
encapsulation: Optional[str] = None,
encapsulation_address: Optional[str] = None,
enforce_unique_id: Optional[str] = None,
esn: Optional[str] = None,
exchange_fgt_device_id: Optional[str] = None,
exchange_interface_ip: Optional[str] = None,
exchange_ip_addr4: Optional[str] = None,
exchange_ip_addr6: Optional[str] = None,
fallback_tcp_threshold: Optional[int] = None,
fec_base: Optional[int] = None,
fec_codec: Optional[int] = None,
fec_codec_string: Optional[str] = None,
fec_egress: Optional[str] = None,
fec_health_check: Optional[str] = None,
fec_ingress: Optional[str] = None,
fec_mapping_profile: Optional[str] = None,
fec_receive_timeout: Optional[int] = None,
fec_redundant: Optional[int] = None,
fec_send_timeout: Optional[int] = None,
fgsp_sync: Optional[str] = None,
forticlient_enforcement: Optional[str] = None,
fortinet_esp: Optional[str] = None,
fragmentation: Optional[str] = None,
fragmentation_mtu: Optional[int] = None,
get_all_tables: Optional[str] = None,
group_authentication: Optional[str] = None,
group_authentication_secret: Optional[str] = None,
ha_sync_esp_seqno: Optional[str] = None,
idle_timeout: Optional[str] = None,
idle_timeoutinterval: Optional[int] = None,
ike_version: Optional[str] = None,
inbound_dscp_copy: Optional[str] = None,
include_local_lan: Optional[str] = None,
internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
ip_delay_interval: Optional[int] = None,
ip_fragmentation: Optional[str] = None,
ip_version: Optional[str] = None,
ipv4_dns_server1: Optional[str] = None,
ipv4_dns_server2: Optional[str] = None,
ipv4_dns_server3: Optional[str] = None,
ipv4_end_ip: Optional[str] = None,
ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
ipv4_name: Optional[str] = None,
ipv4_netmask: Optional[str] = None,
ipv4_split_exclude: Optional[str] = None,
ipv4_split_include: Optional[str] = None,
ipv4_start_ip: Optional[str] = None,
ipv4_wins_server1: Optional[str] = None,
ipv4_wins_server2: Optional[str] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_dns_server3: Optional[str] = None,
ipv6_end_ip: Optional[str] = None,
ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
ipv6_name: Optional[str] = None,
ipv6_prefix: Optional[int] = None,
ipv6_split_exclude: Optional[str] = None,
ipv6_split_include: Optional[str] = None,
ipv6_start_ip: Optional[str] = None,
keepalive: Optional[int] = None,
keylife: Optional[int] = None,
kms: Optional[str] = None,
link_cost: Optional[int] = None,
local_gw: Optional[str] = None,
local_gw6: Optional[str] = None,
localid: Optional[str] = None,
localid_type: Optional[str] = None,
loopback_asymroute: Optional[str] = None,
mesh_selector_type: Optional[str] = None,
mode: Optional[str] = None,
mode_cfg: Optional[str] = None,
mode_cfg_allow_client_selector: Optional[str] = None,
monitor: Optional[str] = None,
monitor_hold_down_delay: Optional[int] = None,
monitor_hold_down_time: Optional[str] = None,
monitor_hold_down_type: Optional[str] = None,
monitor_hold_down_weekday: Optional[str] = None,
monitor_min: Optional[int] = None,
name: Optional[str] = None,
nattraversal: Optional[str] = None,
negotiate_timeout: Optional[int] = None,
net_device: Optional[str] = None,
network_id: Optional[int] = None,
network_overlay: Optional[str] = None,
npu_offload: Optional[str] = None,
packet_redistribution: Optional[str] = None,
passive_mode: Optional[str] = None,
peer: Optional[str] = None,
peergrp: Optional[str] = None,
peerid: Optional[str] = None,
peertype: Optional[str] = None,
ppk: Optional[str] = None,
ppk_identity: Optional[str] = None,
ppk_secret: Optional[str] = None,
priority: Optional[int] = None,
psksecret: Optional[str] = None,
psksecret_remote: Optional[str] = None,
qkd: Optional[str] = None,
qkd_profile: Optional[str] = None,
reauth: Optional[str] = None,
rekey: Optional[str] = None,
remote_gw: Optional[str] = None,
remote_gw6: Optional[str] = None,
remote_gw6_country: Optional[str] = None,
remote_gw6_end_ip: Optional[str] = None,
remote_gw6_match: Optional[str] = None,
remote_gw6_start_ip: Optional[str] = None,
remote_gw6_subnet: Optional[str] = None,
remote_gw_country: Optional[str] = None,
remote_gw_end_ip: Optional[str] = None,
remote_gw_match: Optional[str] = None,
remote_gw_start_ip: Optional[str] = None,
remote_gw_subnet: Optional[str] = None,
remotegw_ddns: Optional[str] = None,
rsa_signature_format: Optional[str] = None,
rsa_signature_hash_override: Optional[str] = None,
save_password: Optional[str] = None,
send_cert_chain: Optional[str] = None,
signature_hash_alg: Optional[str] = None,
split_include_service: Optional[str] = None,
suite_b: Optional[str] = None,
transport: Optional[str] = None,
tunnel_search: Optional[str] = None,
type: Optional[str] = None,
unity_support: Optional[str] = None,
usrgrp: Optional[str] = None,
vdomparam: Optional[str] = None,
vni: Optional[int] = None,
wizard_type: Optional[str] = None,
xauthtype: Optional[str] = None)
func NewPhase1interface(ctx *Context, name string, args Phase1interfaceArgs, opts ...ResourceOption) (*Phase1interface, error)
public Phase1interface(string name, Phase1interfaceArgs args, CustomResourceOptions? opts = null)
public Phase1interface(String name, Phase1interfaceArgs args)
public Phase1interface(String name, Phase1interfaceArgs args, CustomResourceOptions options)
type: fortios:vpn/ipsec/phase1interface:Phase1interface
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args Phase1interfaceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args Phase1interfaceArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args Phase1interfaceArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args Phase1interfaceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args Phase1interfaceArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Phase1interface Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Phase1interface resource accepts the following input properties:
- Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Proposal string
- Phase1 proposal. Valid values: `des-md5`, `des-sha1`, `des-sha256`, `des-sha384`, `des-sha512`, `3des-md5`, `3des-sha1`, `3des-sha256`, `3des-sha384`, `3des-sha512`, `aes128-md5`, `aes128-sha1`, `aes128-sha256`, `aes128-sha384`, `aes128-sha512`, `aes128gcm-prfsha1`, `aes128gcm-prfsha256`, `aes128gcm-prfsha384`, `aes128gcm-prfsha512`, `aes192-md5`, `aes192-sha1`, `aes192-sha256`, `aes192-sha384`, `aes192-sha512`, `aes256-md5`, `aes256-sha1`, `aes256-sha256`, `aes256-sha384`, `aes256-sha512`, `aes256gcm-prfsha1`, `aes256gcm-prfsha256`, `aes256gcm-prfsha384`, `aes256gcm-prfsha512`, `chacha20poly1305-prfsha1`, `chacha20poly1305-prfsha256`, `chacha20poly1305-prfsha384`, `chacha20poly1305-prfsha512`, `aria128-md5`, `aria128-sha1`, `aria128-sha256`, `aria128-sha384`, `aria128-sha512`, `aria192-md5`, `aria192-sha1`, `aria192-sha256`, `aria192-sha384`, `aria192-sha512`, `aria256-md5`, `aria256-sha1`, `aria256-sha256`, `aria256-sha384`, `aria256-sha512`, `seed-md5`, `seed-sha1`, `seed-sha256`, `seed-sha384`, `seed-sha512`.
- AcctVerify string
- Enable/disable verification of the RADIUS accounting record. Valid values: `enable`, `disable`.
- AddGwRoute string
- Enable/disable automatically adding a route to the remote gateway. Valid values: `enable`, `disable`.
- AddRoute string
- Enable/disable controlling the addition of a route to the peer destination selector. Valid values: `disable`, `enable`.
- AggregateMember string
- Enable/disable use as an aggregate member. Valid values: `enable`, `disable`.
- AggregateWeight int
- Link weight for aggregate.
- AssignIp string
- Enable/disable assignment of an IP to the IPsec interface via the configuration method. Valid values: `disable`, `enable`.
- AssignIpFrom string
- Method by which the IP address will be assigned. Valid values: `range`, `usrgrp`, `dhcp`, `name`.
- Authmethod string
- Authentication method. Valid values: `psk`, `signature`.
- AuthmethodRemote string
- Authentication method (remote side). Valid values: `psk`, `signature`.
- Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- AutoDiscoveryCrossover string
- Allow/block set-up of short-cut tunnels between different network IDs. Valid values: `allow`, `block`.
- AutoDiscoveryForwarder string
- Enable/disable forwarding auto-discovery short-cut messages. Valid values: `enable`, `disable`.
- AutoDiscoveryOfferInterval int
- Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- AutoDiscoveryPsk string
- Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: `enable`, `disable`.
- AutoDiscoveryReceiver string
- Enable/disable accepting auto-discovery short-cut messages. Valid values: `enable`, `disable`.
- AutoDiscoverySender string
- Enable/disable sending auto-discovery short-cut messages. Valid values: `enable`, `disable`.
- AutoDiscoveryShortcuts string
- Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: `independent`, `dependent`.
- AutoNegotiate string
- Enable/disable automatic initiation of IKE SA negotiation. Valid values: `enable`, `disable`.
- AzureAdAutoconnect string
- Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: `enable`, `disable`.
- BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceBackupGateway>
- Instruct unity clients about the backup gateway address(es). The structure of the `backup_gateway` block is documented below.
- Banner string
- Message that the unity client should display after connecting.
- CertIdValidation string
- Enable/disable cross validation of the peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: `enable`, `disable`.
- CertPeerUsernameStrip string
- Enable/disable domain stripping on the certificate identity. Valid values: `disable`, `enable`.
- CertPeerUsernameValidation string
- Enable/disable cross validation of the peer username and the identity in the peer's certificate. Valid values: `none`, `othername`, `rfc822name`, `cn`.
- CertTrustStore string
- CA certificate trust store. Valid values: `local`, `ems`.
- Certificates List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceCertificate>
- The names of up to 4 signed personal certificates. The structure of the `certificate` block is documented below.
- ChildlessIke string
- Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: `enable`, `disable`.
- ClientAutoNegotiate string
- Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: `disable`, `enable`.
- ClientKeepAlive string
- Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: `disable`, `enable`.
- ClientResume string
- Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: `enable`, `disable`.
- ClientResumeInterval int
- Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- DefaultGw string
- IPv4 address of the default route gateway to use for traffic exiting the interface.
- DefaultGwPriority int
- Priority for the default gateway route. A higher priority number signifies a less preferred route.
- DevId string
- Device ID carried by the device ID notification.
- DevIdNotification string
- Enable/disable device ID notification. Valid values: `disable`, `enable`.
- Dhcp6RaLinkaddr string
- Relay agent IPv6 link address to use in DHCP6 requests.
- DhcpRaGiaddr string
- Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- Diffie-Hellman group for the IKE key exchange. Groups 1, 2 and 5 (768/1024/1536-bit MODP) are considered too weak for new tunnels; prefer 14 or higher, or an ECP group (19-21). Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- Encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- Encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- Encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - Exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- Exchange
Ip stringAddr6 - IPv6 address to exchange with peers.
- Fallback
Tcp intThreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP transport.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). The API data type changed between FortiOS versions; for other versions, check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. The API data type changed between FortiOS versions; for other versions, check the variable
fec-codec
. Valid values: rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise the two resources conflict and overwrite each other. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - Internal
Domain List<Pulumiverse.Lists Fortios. Vpn. Ipsec. Inputs. Phase1interface Internal Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ip
Fragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - Ip
Version string - IP version to use for VPN interface. Valid values:
4
,6
. - Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1interface Ipv4Exclude Range> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1interface Ipv6Exclude Range> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - IPv4 address of the local gateway's external interface.
- Local
Gw6 string - IPv6 address of the local gateway's external interface.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- The ID protection mode (IKEv1) used to establish a secure channel. Aggressive mode sends the peer identity and the PSK-derived hash before the exchange is encrypted, which exposes PSK-authenticated tunnels to offline dictionary attacks; use main unless a dialup peer requires aggressive. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable IKE configuration method (mode-cfg), used to assign addresses and settings to clients. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Monitor string
- IPsec interface as backup for primary interface.
- Monitor
Hold intDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- Monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- Monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - Monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Monitor
Min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable offloading NPU. Valid values:
enable
,disable
. - Packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - Passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Which peers to accept. With any, no peer-identity restriction is applied beyond the authentication credential itself; use the other values together with Peerid, Peer, Peergrp or Usrgrp to pin the expected peer. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). Sensitive value: use a long random secret and keep it out of plain-text configuration, state and version control.
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - IPv4 address of the remote gateway's external interface.
- Remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- Remote
Gw6Country string - IPv6 addresses associated to a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated to a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Enabling this stores the credential on the endpoint; leave disabled unless required. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms. sha1 is deprecated for signatures; prefer the sha2-* values. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vni int
- VNI of VXLAN tunnel.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Proposal string
- Phase1 proposal (encryption-integrity pair). The des-*, 3des-* and *-md5 variants are legacy algorithms retained for interoperability and should not be used for new tunnels; prefer the AES-GCM or AES with SHA-2 proposals. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable automatic addition of a route to the peer's destination selector. Valid values:
disable
,enable
. - Aggregate
Member string - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - Aggregate
Weight int - Link weight for aggregate.
- Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Discovery stringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - Auto
Discovery stringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery intOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- Auto
Discovery stringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - Auto
Discovery stringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways []Phase1interfaceBackup Gateway Args - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
[]Phase1interface
Certificate Args - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Default
Gw string - IPv4 address of default route gateway to use for traffic exiting the interface.
- Default
Gw intPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- Diffie-Hellman group for the IKE key exchange. Groups 1, 2 and 5 (768/1024/1536-bit MODP) are considered too weak for new tunnels; prefer 14 or higher, or an ECP group (19-21). Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- Encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- Encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- Encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - Exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- Exchange
Ip stringAddr6 - IPv6 address to exchange with peers.
- Fallback
Tcp intThreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP transport.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). The API data type changed between FortiOS versions; for other versions, check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. The API data type changed between FortiOS versions; for other versions, check the variable
fec-codec
. Valid values: rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise the two resources conflict and overwrite each other. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - Internal
Domain []Phase1interfaceLists Internal Domain List Args - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ip
Fragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - Ip
Version string - IP version to use for VPN interface. Valid values:
4
,6
. - Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges []Phase1interfaceIpv4Exclude Range Args - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges []Phase1interfaceIpv6Exclude Range Args - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - IPv4 address of the local gateway's external interface.
- Local
Gw6 string - IPv6 address of the local gateway's external interface.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- The ID protection mode (IKEv1) used to establish a secure channel. Aggressive mode sends the peer identity and the PSK-derived hash before the exchange is encrypted, which exposes PSK-authenticated tunnels to offline dictionary attacks; use main unless a dialup peer requires aggressive. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable IKE configuration method (mode-cfg), used to assign addresses and settings to clients. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Monitor string
- IPsec interface as backup for primary interface.
- Monitor
Hold intDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- Monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- Monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - Monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Monitor
Min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable offloading NPU. Valid values:
enable
,disable
. - Packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - Passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Which peers to accept. With any, no peer-identity restriction is applied beyond the authentication credential itself; use the other values together with Peerid, Peer, Peergrp or Usrgrp to pin the expected peer. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). Sensitive value: use a long random secret and keep it out of plain-text configuration, state and version control.
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - IPv4 address of the remote gateway's external interface.
- Remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- Remote
Gw6Country string - IPv6 addresses associated with a specific country.
- Remote
Gw6End Ip string - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start Ip string - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw Country string - IPv4 addresses associated with a specific country.
- Remote
Gw End Ip string - Last IPv4 address in the range.
- Remote
Gw Match string - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw Start Ip string - First IPv4 address in the range.
- Remote
Gw Subnet string - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature Format string - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature Hash Override string - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - Send
Cert Chain string - Enable/disable sending the certificate chain. Valid values:
enable
,disable
. - Signature
Hash Alg string - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include Service string - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vni int
- VNI of VXLAN tunnel.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface_ String
- Local physical, aggregate, or VLAN outgoing interface.
- proposal String
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw Route String - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add
Route String - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - aggregate
Member String - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate
Weight Integer - Link weight for aggregate.
- assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip From String - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters).
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Discovery StringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto
Discovery StringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery IntegerOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto
Discovery StringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto
Discovery StringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad StringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Phase1interfaceBackup Gateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - String
- Message that unity client should display after connecting.
- cert
Id StringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer StringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer StringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust StringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates
List<Phase1interfaceCertificate> - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto StringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep StringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel up during this period and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume IntegerInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- default
Gw String - IPv4 address of default route gateway to use for traffic exiting the interface.
- default
Gw IntegerPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id StringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra StringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature StringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Integer
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Integer - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamic
Sort Subtable String - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert StringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude StringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn StringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap
Local StringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap
Local StringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap
Remote StringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap
Remote StringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation String
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation
Address String - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce
Unique StringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt StringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange
Interface StringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange
Ip StringAddr4 - IPv4 address to exchange with peers.
- exchange
Ip Addr6 String - IPv6 address to exchange with peers.
- fallback
Tcp Threshold Integer - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec
Base Integer - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Integer - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the API data type changed, for other versions of FortiOS check the variable
fec-codec_string
. - fec
Codec String String - Forward Error Correction encoding/decoding algorithm. Because the API data type changed, for other versions of FortiOS check the variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive IntegerTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Integer - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send IntegerTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Integer - IKE fragmentation MTU (500 - 16000).
- get
All Tables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication StringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha
Sync StringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Integer - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp Copy String - Enable/disable copying the DSCP value in the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local Lan String - Enable/disable allowing local LAN access on Unity clients. Valid values:
disable
,enable
. - internal
Domain List<Phase1interfaceLists Internal Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay IntegerInterval - IP address reuse delay interval in seconds (0 - 28800).
- ip
Fragmentation String - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip
Version String - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Phase1interfaceIpv4Exclude Range> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Phase1interfaceIpv6Exclude Range> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Integer
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Integer
- NAT-T keep alive interval.
- keylife Integer
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Integer - VPN tunnel underlay link cost.
- local
Gw String - IPv4 address of the local gateway's external interface.
- local
Gw6 String - IPv6 address of the local gateway's external interface.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector StringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg StringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor String
- IPsec interface as backup for primary interface.
- monitor
Hold IntegerDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor
Hold StringDown Time - Time of day at which to fail back to primary after it re-establishes.
- monitor
Hold StringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor
Hold StringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor
Min Integer - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Integer - IKE SA negotiation timeout in seconds (1 - 300).
- net
Device String - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network
Id Integer - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet
Redistribution String - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive
Mode String - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Integer
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - IPv4 address of the remote gateway's external interface.
- remote
Gw6 String - IPv6 address of the remote gateway's external interface.
- remote
Gw6Country String - IPv6 addresses associated with a specific country.
- remote
Gw6End Ip String - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start Ip String - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remote
Gw Country String - IPv4 addresses associated with a specific country.
- remote
Gw End Ip String - Last IPv4 address in the range.
- remote
Gw Match String - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw Start Ip String - First IPv4 address in the range.
- remote
Gw Subnet String - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature StringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature StringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password String - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert StringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash StringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include StringService - Split-include services.
- suite
B String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel
Search String - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vni Integer
- VNI of VXLAN tunnel.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface string
- Local physical, aggregate, or VLAN outgoing interface.
- proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw Route string - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add
Route string - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - aggregate
Member string - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate
Weight number - Link weight for aggregate.
- assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod string
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd string
- XAuth password (max 35 characters).
- authusr string
- XAuth user name.
- authusrgrp string
- Authentication user group.
- auto
Discovery stringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto
Discovery stringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery numberOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto
Discovery stringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto
Discovery stringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery stringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery stringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways Phase1interfaceBackup Gateway[] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates
Phase1interfaceCertificate[] - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel up during this period and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume numberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments string
- Comment.
- default
Gw string - IPv4 address of default route gateway to use for traffic exiting the interface.
- default
Gw numberPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev
Id string - Device ID carried by the device ID notification.
- dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance number
- Distance for routes added by IKE (1 - 255).
- dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - domain string
- Instruct unity clients about the default DNS domain.
- dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount number - Number of DPD retry attempts.
- dpd
Retryinterval string - DPD retry interval.
- dynamic
Sort Subtable string - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- exchange
Ip Addr6 string - IPv6 address to exchange with peers.
- fallback
Tcp Threshold number - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec
Base number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec number - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the API data type changed, for other versions of FortiOS check the variable
fec-codec_string
. - fec
Codec String string - Forward Error Correction encoding/decoding algorithm. Because the API data type changed, for other versions of FortiOS check the variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health stringCheck - SD-WAN health check.
- fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive numberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send numberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu number - IKE fragmentation MTU (500 - 16000).
- get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version string - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp stringCopy - Enable/disable copying the DSCP in the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - internal
Domain Phase1interfaceLists Internal Domain List[] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay numberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ip
Fragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip
Version string - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4Dns
Server1 string - IPv4 DNS server 1.
- ipv4Dns
Server2 string - IPv4 DNS server 2.
- ipv4Dns
Server3 string - IPv4 DNS server 3.
- ipv4End
Ip string - End of IPv4 range.
- ipv4Exclude
Ranges Phase1interfaceIpv4Exclude Range[] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name string
- IPv4 address name.
- ipv4Netmask string
- IPv4 Netmask.
- ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include string - IPv4 split-include subnets.
- ipv4Start
Ip string - Start of IPv4 range.
- ipv4Wins
Server1 string - WINS server 1.
- ipv4Wins
Server2 string - WINS server 2.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Dns
Server3 string - IPv6 DNS server 3.
- ipv6End
Ip string - End of IPv6 range.
- ipv6Exclude
Ranges Phase1interfaceIpv6Exclude Range[] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name string
- IPv6 address name.
- ipv6Prefix number
- IPv6 prefix.
- ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include string - IPv6 split-include subnets.
- ipv6Start
Ip string - Start of IPv6 range.
- keepalive number
- NAT-T keep alive interval.
- keylife number
- Time to wait in seconds before phase 1 encryption key expires.
- kms string
- Key Management Services server.
- link
Cost number - VPN tunnel underlay link cost.
- local
Gw string - IPv4 address of the local gateway's external interface.
- local
Gw6 string - IPv6 address of the local gateway's external interface.
- localid string
- Local ID.
- localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode string
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor string
- IPsec interface as backup for primary interface.
- monitor
Hold numberDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor
Min number - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name string
- IPsec remote gateway name.
- nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout number - IKE SA negotiation timeout in seconds (1 - 300).
- net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network
Id number - VPN gateway network ID.
- network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload string - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer string
- Accept this peer certificate.
- peergrp string
- Accept this peer certificate group.
- peerid string
- Accept this peer identity.
- peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw string - IPv4 address of the remote gateway's external interface.
- remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- remote
Gw6Country string - IPv6 addresses associated to a specific country.
- remote
Gw6End stringIp - Last IPv6 address in the range.
- remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start stringIp - First IPv6 address in the range.
- remote
Gw6Subnet string - IPv6 address and prefix.
- remote
Gw stringCountry - IPv4 addresses associated to a specific country.
- remote
Gw stringEnd Ip - Last IPv4 address in the range.
- remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw stringStart Ip - First IPv4 address in the range.
- remote
Gw stringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include stringService - Split-include services.
- suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp string
- User group name for dialup peers.
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vni number
- VNI of VXLAN tunnel.
- wizard
Type string - GUI VPN Wizard Type.
- xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- interface str
- Local physical, aggregate, or VLAN outgoing interface.
- proposal str
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - acct_
verify str - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add_
gw_ strroute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add_
route str - Enable/disable controlling the addition of a route to the peer destination selector. Valid values:
disable
,enable
. - aggregate_
member str - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate_
weight int - Link weight for aggregate.
- assign_
ip str - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign_
ip_ strfrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod str
- Authentication method. Valid values:
psk
,signature
. - authmethod_
remote str - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd str
- XAuth password (max 35 characters).
- authusr str
- XAuth user name.
- authusrgrp str
- Authentication user group.
- auto_
discovery_ strcrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto_
discovery_ strforwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ intoffer_ interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto_
discovery_ strpsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto_
discovery_ strreceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ strsender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ strshortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto_
negotiate str - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure_
ad_ strautoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup_
gateways Sequence[Phase1interfaceBackup Gateway Args] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - str
- Message that unity client should display after connecting.
- cert_
id_ strvalidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert_
peer_ strusername_ strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert_
peer_ strusername_ validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert_
trust_ strstore - CA certificate trust store. Valid values:
local
,ems
. - certificates
Sequence[Phase1interface
Certificate Args] - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless_
ike str - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client_
auto_ strnegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client_
keep_ stralive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client_
resume str - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client_
resume_ intinterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments str
- Comment.
- default_
gw str - IPv4 address of default route gateway to use for traffic exiting the interface.
- default_
gw_ intpriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev_
id str - Device ID carried by the device ID notification.
- dev_
id_ strnotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6_
ra_ strlinkaddr - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp_
ra_ strgiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp str
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital_
signature_ strauth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance int
- Distance for routes added by IKE (1 - 255).
- dns_
mode str - DNS server mode. Valid values:
manual
,auto
. - domain str
- Instruct unity clients about the default DNS domain.
- dpd str
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd_
retrycount int - Number of DPD retry attempts.
- dpd_
retryinterval str - DPD retry interval.
- dynamic_
sort_ strsubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap str
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap_
cert_ strauth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap_
exclude_ strpeergrp - Peer group excluded from EAP authentication.
- eap_
identity str - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems_
sn_ strcheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap_
local_ strgw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap_
local_ strgw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap_
remote_ strgw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap_
remote_ strgw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation str
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation_
address str - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce_
unique_ strid - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn str
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange_
fgt_ strdevice_ id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange_
interface_ strip - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange_
ip_ straddr4 - IPv4 address to exchange with peers.
- exchange_
ip_ straddr6 - IPv6 address to exchange with peers.
- fallback_
tcp_ intthreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- fec_
base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec_
codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change in the API, for other versions of FortiOS please check the variable
fec-codec_string
. - fec_
codec_ strstring - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - fec_
egress str - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec_
health_ strcheck - SD-WAN health check.
- fec_
ingress str - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec_
mapping_ strprofile - Forward Error Correction (FEC) mapping profile.
- fec_
receive_ inttimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec_
redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec_
send_ inttimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp_
sync str - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient_
enforcement str - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet_
esp str - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation str
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation_
mtu int - IKE fragmentation MTU (500 - 16000).
- get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group_
authentication str - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group_
authentication_ strsecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha_
sync_ stresp_ seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle_
timeout str - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle_
timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike_
version str - IKE protocol version. Valid values:
1
,2
. - inbound_
dscp_ strcopy - Enable/disable copying the DSCP in the ESP header to the inner IP header. Valid values:
enable
,disable
. - include_
local_ strlan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - internal_
domain_ Sequence[Phase1interfacelists Internal Domain List Args] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip_
delay_ intinterval - IP address reuse delay interval in seconds (0 - 28800).
- ip_
fragmentation str - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip_
version str - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4_
dns_ strserver1 - IPv4 DNS server 1.
- ipv4_
dns_ strserver2 - IPv4 DNS server 2.
- ipv4_
dns_ strserver3 - IPv4 DNS server 3.
- ipv4_
end_ strip - End of IPv4 range.
- ipv4_
exclude_ Sequence[Phase1interfaceranges Ipv4Exclude Range Args] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4_
name str - IPv4 address name.
- ipv4_
netmask str - IPv4 Netmask.
- ipv4_
split_ strexclude - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4_
split_ strinclude - IPv4 split-include subnets.
- ipv4_
start_ strip - Start of IPv4 range.
- ipv4_
wins_ strserver1 - WINS server 1.
- ipv4_
wins_ strserver2 - WINS server 2.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
dns_ strserver3 - IPv6 DNS server 3.
- ipv6_
end_ strip - End of IPv6 range.
- ipv6_
exclude_ Sequence[Phase1interfaceranges Ipv6Exclude Range Args] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6_
name str - IPv6 address name.
- ipv6_
prefix int - IPv6 prefix.
- ipv6_
split_ strexclude - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6_
split_ strinclude - IPv6 split-include subnets.
- ipv6_
start_ strip - Start of IPv6 range.
- keepalive int
- NAT-T keep alive interval.
- keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- kms str
- Key Management Services server.
- link_
cost int - VPN tunnel underlay link cost.
- local_
gw str - IPv4 address of the local gateway's external interface.
- local_
gw6 str - IPv6 address of the local gateway's external interface.
- localid str
- Local ID.
- localid_
type str - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback_
asymroute str - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh_
selector_ strtype - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode str
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode_
cfg str - Enable/disable configuration method. Valid values:
disable
,enable
. - mode_
cfg_ strallow_ client_ selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor str
- IPsec interface as backup for primary interface.
- monitor_
hold_ intdown_ delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor_
hold_ strdown_ time - Time of day at which to fail back to primary after it re-establishes.
- monitor_
hold_ strdown_ type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor_
hold_ strdown_ weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor_
min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name str
- IPsec remote gateway name.
- nattraversal str
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate_
timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- net_
device str - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network_
id int - VPN gateway network ID.
- network_
overlay str - Enable/disable network overlays. Valid values:
disable
,enable
. - npu_
offload str - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet_
redistribution str - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive_
mode str - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer str
- Accept this peer certificate.
- peergrp str
- Accept this peer certificate group.
- peerid str
- Accept this peer identity.
- peertype str
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk str
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk_
identity str - IKEv2 Postquantum Preshared Key Identity.
- ppk_
secret str - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret str
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret_
remote str - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd str
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd_
profile str - Quantum Key Distribution (QKD) server profile.
- reauth str
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey str
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote_
gw str - IPv4 address of the remote gateway's external interface.
- remote_
gw6 str - IPv6 address of the remote gateway's external interface.
- remote_
gw6_ strcountry - IPv6 addresses associated to a specific country.
- remote_
gw6_ strend_ ip - Last IPv6 address in the range.
- remote_
gw6_ strmatch - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote_
gw6_ strstart_ ip - First IPv6 address in the range.
- remote_
gw6_ strsubnet - IPv6 address and prefix.
- remote_
gw_ strcountry - IPv4 addresses associated to a specific country.
- remote_
gw_ strend_ ip - Last IPv4 address in the range.
- remote_
gw_ strmatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote_
gw_ strstart_ ip - First IPv4 address in the range.
- remote_
gw_ strsubnet - IPv4 address and subnet mask.
- remotegw_
ddns str - Domain name of remote gateway. For example, name.ddns.com.
- rsa_signature_format str - Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
- rsa_signature_hash_override str - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
- save_password str - Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
- send_cert_chain str - Enable/disable sending certificate chain. Valid values: enable, disable.
- signature_hash_alg str - Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
- split_include_service str - Split-include services.
- suite_b str - Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
- transport str - Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
- tunnel_search str - Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
- type str - Remote gateway type. Valid values: static, dynamic, ddns.
- unity_support str - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
- usrgrp str - User group name for dialup peers.
- vdomparam str - Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, do not set this parameter.
- vni int - VNI of VXLAN tunnel.
- wizard_type str - GUI VPN Wizard Type.
- xauthtype str - XAuth type. Valid values: disable, client, pap, chap, auto.
- interface String - Local physical, aggregate, or VLAN outgoing interface.
- proposal String - Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
- acctVerify String - Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
- addGwRoute String - Enable/disable automatically adding a route to the remote gateway. Valid values: enable, disable.
- addRoute String - Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
- aggregateMember String - Enable/disable use as an aggregate member. Valid values: enable, disable.
- aggregateWeight Number - Link weight for aggregate.
- assignIp String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
- assignIpFrom String - Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
- authmethod String - Authentication method. Valid values: psk, signature.
- authmethodRemote String - Authentication method (remote side). Valid values: psk, signature.
- authpasswd String - XAuth password (max 35 characters).
- authusr String - XAuth user name.
- authusrgrp String - Authentication user group.
- autoDiscoveryCrossover String - Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
- autoDiscoveryForwarder String - Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
- autoDiscoveryOfferInterval Number - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- autoDiscoveryPsk String - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
- autoDiscoveryReceiver String - Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
- autoDiscoverySender String - Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
- autoDiscoveryShortcuts String - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
- autoNegotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
- azureAdAutoconnect String - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
- backupGateways List<Property Map> - Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
- banner String - Message that unity client should display after connecting.
- certIdValidation String - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
- certPeerUsernameStrip String - Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
- certPeerUsernameValidation String - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
- certTrustStore String - CA certificate trust store. Valid values: local, ems.
- certificates List<Property Map> - The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
- childlessIke String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
- clientAutoNegotiate String - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
- clientKeepAlive String - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
- clientResume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
- clientResumeInterval Number - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String - Comment.
- defaultGw String - IPv4 address of default route gateway to use for traffic exiting the interface.
- defaultGwPriority Number - Priority for default gateway route. A higher priority number signifies a less preferred route.
- devId String - Device ID carried by the device ID notification.
- devIdNotification String - Enable/disable device ID notification. Valid values: disable, enable.
- dhcp6RaLinkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcpRaGiaddr String - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String - DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
- digitalSignatureAuth String - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
- distance Number - Distance for routes added by IKE (1 - 255).
- dnsMode String - DNS server mode. Valid values: manual, auto.
- domain String - Instruct unity clients about the default DNS domain.
- dpd String - Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
- dpdRetrycount Number - Number of DPD retry attempts.
- dpdRetryinterval String - DPD retry interval.
- dynamicSortSubtable String - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String - Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
- eapCertAuth String - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
- eapExcludePeergrp String - Peer group excluded from EAP authentication.
- eapIdentity String - IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
- emsSnCheck String - Enable/disable verification of EMS serial number. Valid values: enable, disable.
- encapLocalGw4 String - Local IPv4 address of GRE/VXLAN tunnel.
- encapLocalGw6 String - Local IPv6 address of GRE/VXLAN tunnel.
- encapRemoteGw4 String - Remote IPv4 address of GRE/VXLAN tunnel.
- encapRemoteGw6 String - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation String - Enable/disable GRE/VXLAN encapsulation.
- encapsulationAddress String - Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
- enforceUniqueId String - Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
- esn String - Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
- exchangeFgtDeviceId String - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
- exchangeInterfaceIp String - Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
- exchangeIpAddr4 String - IPv4 address to exchange with peers.
- exchangeIpAddr6 String - IPv6 address to exchange with peers.
- fallbackTcpThreshold Number - Timeout in seconds before falling back IKE/IPsec traffic to TCP.
- fecBase Number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fecCodec Number - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the API data type changed, on other FortiOS versions check the variable fec-codec_string instead.
- fecCodecString String - Forward Error Correction encoding/decoding algorithm. Because the API data type changed, on other FortiOS versions check the variable fec-codec instead. Valid values: rs, xor.
- fecEgress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
- fecHealthCheck String - SD-WAN health check.
- fecIngress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
- fecMappingProfile String - Forward Error Correction (FEC) mapping profile.
- fecReceiveTimeout Number - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fecRedundant Number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fecSendTimeout Number - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgspSync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
- forticlientEnforcement String - Enable/disable FortiClient enforcement. Valid values: enable, disable.
- fortinetEsp String - Enable/disable Fortinet ESP encapsulation. Valid values: enable, disable.
- fragmentation String - Enable/disable fragmenting IKE messages on re-transmission. Valid values: enable, disable.
- fragmentationMtu Number - IKE fragmentation MTU (500 - 16000).
- getAllTables String - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- groupAuthentication String - Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
- groupAuthenticationSecret String - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- haSyncEspSeqno String - Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
- idleTimeout String - Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
- idleTimeoutinterval Number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ikeVersion String - IKE protocol version. Valid values: 1, 2.
- inboundDscpCopy String - Enable/disable copying the DSCP in the ESP header to the inner IP header. Valid values: enable, disable.
- includeLocalLan String - Enable/disable allowing local LAN access on unity clients. Valid values: disable, enable.
- internalDomainLists List<Property Map> - One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
- ipDelayInterval Number - IP address reuse delay interval in seconds (0 - 28800).
- ipFragmentation String - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
- ipVersion String - IP version to use for VPN interface. Valid values: 4, 6.
- ipv4DnsServer1 String - IPv4 DNS server 1.
- ipv4DnsServer2 String - IPv4 DNS server 2.
- ipv4DnsServer3 String - IPv4 DNS server 3.
- ipv4EndIp String - End of IPv4 range.
- ipv4ExcludeRanges List<Property Map> - Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
- ipv4Name String - IPv4 address name.
- ipv4Netmask String - IPv4 Netmask.
- ipv4SplitExclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4SplitInclude String - IPv4 split-include subnets.
- ipv4StartIp String - Start of IPv4 range.
- ipv4WinsServer1 String - WINS server 1.
- ipv4WinsServer2 String - WINS server 2.
- ipv6DnsServer1 String - IPv6 DNS server 1.
- ipv6DnsServer2 String - IPv6 DNS server 2.
- ipv6DnsServer3 String - IPv6 DNS server 3.
- ipv6EndIp String - End of IPv6 range.
- ipv6ExcludeRanges List<Property Map> - Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
- ipv6Name String - IPv6 address name.
- ipv6Prefix Number - IPv6 prefix.
- ipv6SplitExclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6SplitInclude String - IPv6 split-include subnets.
- ipv6StartIp String - Start of IPv6 range.
- keepalive Number - NAT-T keep alive interval.
- keylife Number - Time to wait in seconds before phase 1 encryption key expires.
- kms String - Key Management Services server.
- linkCost Number - VPN tunnel underlay link cost.
- localGw String - IPv4 address of the local gateway's external interface.
- localGw6 String - IPv6 address of the local gateway's external interface.
- localid String - Local ID.
- localidType String - Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
- loopbackAsymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
- meshSelectorType String - Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
- mode String - The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
- modeCfg String - Enable/disable configuration method. Valid values: disable, enable.
- modeCfgAllowClientSelector String - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
- monitor String - IPsec interface as backup for primary interface.
- monitorHoldDownDelay Number - Time to wait in seconds before recovery once primary re-establishes.
- monitorHoldDownTime String - Time of day at which to fail back to primary after it re-establishes.
- monitorHoldDownType String - Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
- monitorHoldDownWeekday String - Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
- monitorMin Number - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name String - IPsec remote gateway name.
- nattraversal String - Enable/disable NAT traversal. Valid values: enable, disable, forced.
- negotiateTimeout Number - IKE SA negotiation timeout in seconds (1 - 300).
- netDevice String - Enable/disable kernel device creation. Valid values: enable, disable.
- networkId Number - VPN gateway network ID.
- networkOverlay String - Enable/disable network overlays. Valid values: disable, enable.
- npuOffload String - Enable/disable offloading NPU. Valid values: enable, disable.
- packetRedistribution String - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
- passiveMode String - Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
- peer String - Accept this peer certificate.
- peergrp String - Accept this peer certificate group.
- peerid String - Accept this peer identity.
- peertype String - Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
- ppk String - Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
- ppkIdentity String - IKEv2 Postquantum Preshared Key Identity.
- ppkSecret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Number - Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- psksecret String - Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecretRemote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String - Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
- qkdProfile String - Quantum Key Distribution (QKD) server profile.
- reauth String - Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
- rekey String - Enable/disable phase1 rekey. Valid values: enable, disable.
- remoteGw String - IPv4 address of the remote gateway's external interface.
- remoteGw6 String - IPv6 address of the remote gateway's external interface.
- remoteGw6Country String - IPv6 addresses associated to a specific country.
- remoteGw6EndIp String - Last IPv6 address in the range.
- remoteGw6Match String - Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
- remoteGw6StartIp String - First IPv6 address in the range.
- remoteGw6Subnet String - IPv6 address and prefix.
- remoteGwCountry String - IPv4 addresses associated to a specific country.
- remoteGwEndIp String - Last IPv4 address in the range.
- remoteGwMatch String - Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
- remoteGwStartIp String - First IPv4 address in the range.
- remoteGwSubnet String - IPv4 address and subnet mask.
- remotegwDdns String - Domain name of remote gateway. For example, name.ddns.com.
- rsaSignatureFormat String - Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
- rsaSignatureHashOverride String - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
- savePassword String - Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
- sendCertChain String - Enable/disable sending certificate chain. Valid values: enable, disable.
- signatureHashAlg String - Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
- splitIncludeService String - Split-include services.
- suiteB String - Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
- transport String - Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
- tunnelSearch String - Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
- type String - Remote gateway type. Valid values: static, dynamic, ddns.
- unitySupport String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
- usrgrp String - User group name for dialup peers.
- vdomparam String - Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, do not set this parameter.
- vni Number - VNI of VXLAN tunnel.
- wizardType String - GUI VPN Wizard Type.
- xauthtype String - XAuth type. Valid values: disable, client, pap, chap, auto.
Outputs
All input properties are implicitly available as output properties. Additionally, the Phase1interface resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Phase1interface Resource
Get an existing Phase1interface resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: Phase1interfaceState, opts?: CustomResourceOptions): Phase1interface
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
acct_verify: Optional[str] = None,
add_gw_route: Optional[str] = None,
add_route: Optional[str] = None,
aggregate_member: Optional[str] = None,
aggregate_weight: Optional[int] = None,
assign_ip: Optional[str] = None,
assign_ip_from: Optional[str] = None,
authmethod: Optional[str] = None,
authmethod_remote: Optional[str] = None,
authpasswd: Optional[str] = None,
authusr: Optional[str] = None,
authusrgrp: Optional[str] = None,
auto_discovery_crossover: Optional[str] = None,
auto_discovery_forwarder: Optional[str] = None,
auto_discovery_offer_interval: Optional[int] = None,
auto_discovery_psk: Optional[str] = None,
auto_discovery_receiver: Optional[str] = None,
auto_discovery_sender: Optional[str] = None,
auto_discovery_shortcuts: Optional[str] = None,
auto_negotiate: Optional[str] = None,
azure_ad_autoconnect: Optional[str] = None,
backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
banner: Optional[str] = None,
cert_id_validation: Optional[str] = None,
cert_peer_username_strip: Optional[str] = None,
cert_peer_username_validation: Optional[str] = None,
cert_trust_store: Optional[str] = None,
certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
childless_ike: Optional[str] = None,
client_auto_negotiate: Optional[str] = None,
client_keep_alive: Optional[str] = None,
client_resume: Optional[str] = None,
client_resume_interval: Optional[int] = None,
comments: Optional[str] = None,
default_gw: Optional[str] = None,
default_gw_priority: Optional[int] = None,
dev_id: Optional[str] = None,
dev_id_notification: Optional[str] = None,
dhcp6_ra_linkaddr: Optional[str] = None,
dhcp_ra_giaddr: Optional[str] = None,
dhgrp: Optional[str] = None,
digital_signature_auth: Optional[str] = None,
distance: Optional[int] = None,
dns_mode: Optional[str] = None,
domain: Optional[str] = None,
dpd: Optional[str] = None,
dpd_retrycount: Optional[int] = None,
dpd_retryinterval: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
eap: Optional[str] = None,
eap_cert_auth: Optional[str] = None,
eap_exclude_peergrp: Optional[str] = None,
eap_identity: Optional[str] = None,
ems_sn_check: Optional[str] = None,
encap_local_gw4: Optional[str] = None,
encap_local_gw6: Optional[str] = None,
encap_remote_gw4: Optional[str] = None,
encap_remote_gw6: Optional[str] = None,
encapsulation: Optional[str] = None,
encapsulation_address: Optional[str] = None,
enforce_unique_id: Optional[str] = None,
esn: Optional[str] = None,
exchange_fgt_device_id: Optional[str] = None,
exchange_interface_ip: Optional[str] = None,
exchange_ip_addr4: Optional[str] = None,
exchange_ip_addr6: Optional[str] = None,
fallback_tcp_threshold: Optional[int] = None,
fec_base: Optional[int] = None,
fec_codec: Optional[int] = None,
fec_codec_string: Optional[str] = None,
fec_egress: Optional[str] = None,
fec_health_check: Optional[str] = None,
fec_ingress: Optional[str] = None,
fec_mapping_profile: Optional[str] = None,
fec_receive_timeout: Optional[int] = None,
fec_redundant: Optional[int] = None,
fec_send_timeout: Optional[int] = None,
fgsp_sync: Optional[str] = None,
forticlient_enforcement: Optional[str] = None,
fortinet_esp: Optional[str] = None,
fragmentation: Optional[str] = None,
fragmentation_mtu: Optional[int] = None,
get_all_tables: Optional[str] = None,
group_authentication: Optional[str] = None,
group_authentication_secret: Optional[str] = None,
ha_sync_esp_seqno: Optional[str] = None,
idle_timeout: Optional[str] = None,
idle_timeoutinterval: Optional[int] = None,
ike_version: Optional[str] = None,
inbound_dscp_copy: Optional[str] = None,
include_local_lan: Optional[str] = None,
interface: Optional[str] = None,
internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
ip_delay_interval: Optional[int] = None,
ip_fragmentation: Optional[str] = None,
ip_version: Optional[str] = None,
ipv4_dns_server1: Optional[str] = None,
ipv4_dns_server2: Optional[str] = None,
ipv4_dns_server3: Optional[str] = None,
ipv4_end_ip: Optional[str] = None,
ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
ipv4_name: Optional[str] = None,
ipv4_netmask: Optional[str] = None,
ipv4_split_exclude: Optional[str] = None,
ipv4_split_include: Optional[str] = None,
ipv4_start_ip: Optional[str] = None,
ipv4_wins_server1: Optional[str] = None,
ipv4_wins_server2: Optional[str] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_dns_server3: Optional[str] = None,
ipv6_end_ip: Optional[str] = None,
ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
ipv6_name: Optional[str] = None,
ipv6_prefix: Optional[int] = None,
ipv6_split_exclude: Optional[str] = None,
ipv6_split_include: Optional[str] = None,
ipv6_start_ip: Optional[str] = None,
keepalive: Optional[int] = None,
keylife: Optional[int] = None,
kms: Optional[str] = None,
link_cost: Optional[int] = None,
local_gw: Optional[str] = None,
local_gw6: Optional[str] = None,
localid: Optional[str] = None,
localid_type: Optional[str] = None,
loopback_asymroute: Optional[str] = None,
mesh_selector_type: Optional[str] = None,
mode: Optional[str] = None,
mode_cfg: Optional[str] = None,
mode_cfg_allow_client_selector: Optional[str] = None,
monitor: Optional[str] = None,
monitor_hold_down_delay: Optional[int] = None,
monitor_hold_down_time: Optional[str] = None,
monitor_hold_down_type: Optional[str] = None,
monitor_hold_down_weekday: Optional[str] = None,
monitor_min: Optional[int] = None,
name: Optional[str] = None,
nattraversal: Optional[str] = None,
negotiate_timeout: Optional[int] = None,
net_device: Optional[str] = None,
network_id: Optional[int] = None,
network_overlay: Optional[str] = None,
npu_offload: Optional[str] = None,
packet_redistribution: Optional[str] = None,
passive_mode: Optional[str] = None,
peer: Optional[str] = None,
peergrp: Optional[str] = None,
peerid: Optional[str] = None,
peertype: Optional[str] = None,
ppk: Optional[str] = None,
ppk_identity: Optional[str] = None,
ppk_secret: Optional[str] = None,
priority: Optional[int] = None,
proposal: Optional[str] = None,
psksecret: Optional[str] = None,
psksecret_remote: Optional[str] = None,
qkd: Optional[str] = None,
qkd_profile: Optional[str] = None,
reauth: Optional[str] = None,
rekey: Optional[str] = None,
remote_gw: Optional[str] = None,
remote_gw6: Optional[str] = None,
remote_gw6_country: Optional[str] = None,
remote_gw6_end_ip: Optional[str] = None,
remote_gw6_match: Optional[str] = None,
remote_gw6_start_ip: Optional[str] = None,
remote_gw6_subnet: Optional[str] = None,
remote_gw_country: Optional[str] = None,
remote_gw_end_ip: Optional[str] = None,
remote_gw_match: Optional[str] = None,
remote_gw_start_ip: Optional[str] = None,
remote_gw_subnet: Optional[str] = None,
remotegw_ddns: Optional[str] = None,
rsa_signature_format: Optional[str] = None,
rsa_signature_hash_override: Optional[str] = None,
save_password: Optional[str] = None,
send_cert_chain: Optional[str] = None,
signature_hash_alg: Optional[str] = None,
split_include_service: Optional[str] = None,
suite_b: Optional[str] = None,
transport: Optional[str] = None,
tunnel_search: Optional[str] = None,
type: Optional[str] = None,
unity_support: Optional[str] = None,
usrgrp: Optional[str] = None,
vdomparam: Optional[str] = None,
vni: Optional[int] = None,
wizard_type: Optional[str] = None,
xauthtype: Optional[str] = None) -> Phase1interface
func GetPhase1interface(ctx *Context, name string, id IDInput, state *Phase1interfaceState, opts ...ResourceOption) (*Phase1interface, error)
public static Phase1interface Get(string name, Input<string> id, Phase1interfaceState? state, CustomResourceOptions? opts = null)
public static Phase1interface get(String name, Output<String> id, Phase1interfaceState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - Aggregate
Member string - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - Aggregate
Weight int - Link weight for aggregate.
- Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Discovery stringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - Auto
Discovery stringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery intOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- Auto
Discovery stringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - Auto
Discovery stringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1interface Backup Gateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
List<Pulumiverse.
Fortios. Vpn. Ipsec. Inputs. Phase1interface Certificate> - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Default
Gw string - IPv4 address of default route gateway to use for traffic exiting the interface.
- Default
Gw intPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- Encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- Encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- Encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - Exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- Exchange
Ip stringAddr6 - IPv6 address to exchange with peers.
- Fallback
Tcp intThreshold - Timeout in seconds before falling IKE/IPsec traffic back to TCP.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of the API, for other versions of FortiOS, please check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
. - Interface string
- Local physical, aggregate, or VLAN outgoing interface.
- Internal
Domain List<Pulumiverse.Lists Fortios. Vpn. Ipsec. Inputs. Phase1interface Internal Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - Ip
Delay intInterval - IP address reuse delay interval in seconds (0 - 28800).
- Ip
Fragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - Ip
Version string - IP version to use for VPN interface. Valid values:
4
,6
. - Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1interface Ipv4Exclude Range> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges List<Pulumiverse.Fortios. Vpn. Ipsec. Inputs. Phase1interface Ipv6Exclude Range> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - IPv4 address of the local gateway's external interface.
- Local
Gw6 string - IPv6 address of the local gateway's external interface.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Monitor string
- IPsec interface as backup for primary interface.
- Monitor
Hold intDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- Monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- Monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - Monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Monitor
Min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - Npu
Offload string - Enable/disable offloading NPU. Valid values:
enable
,disable
. - Packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - Passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - IPv4 address of the remote gateway's external interface.
- Remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- Remote
Gw6Country string - IPv6 addresses associated with a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
- Remote
Gw stringCountry - IPv4 addresses associated with a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vni int
- VNI of VXLAN tunnel.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- Acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - Add
Gw stringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - Add
Route string - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - Aggregate
Member string - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - Aggregate
Weight int - Link weight for aggregate.
- Assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - Assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - Authmethod string
- Authentication method. Valid values:
psk
,signature
. - Authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - Authpasswd string
- XAuth password (max 35 characters).
- Authusr string
- XAuth user name.
- Authusrgrp string
- Authentication user group.
- Auto
Discovery stringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - Auto
Discovery stringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery intOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- Auto
Discovery stringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - Auto
Discovery stringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - Auto
Discovery stringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - Auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - Azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - Backup
Gateways []Phase1interfaceBackup Gateway Args - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - string
- Message that unity client should display after connecting.
- Cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - Cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - Cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - Cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - Certificates
[]Phase1interface
Certificate Args - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - Childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - Client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - Client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - Client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - Client
Resume intInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- Comments string
- Comment.
- Default
Gw string - IPv4 address of default route gateway to use for traffic exiting the interface.
- Default
Gw intPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- Dev
Id string - Device ID carried by the device ID notification.
- Dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - Dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- Dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- Dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - Digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - Distance int
- Distance for routes added by IKE (1 - 255).
- Dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - Domain string
- Instruct unity clients about the default DNS domain.
- Dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - Dpd
Retrycount int - Number of DPD retry attempts.
- Dpd
Retryinterval string - DPD retry interval.
- Dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - Eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - Eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- Eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - Ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - Encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- Encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- Encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- Encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- Encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - Enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - Esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - Exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - Exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - Exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- Exchange
Ip stringAddr6 - IPv6 address to exchange with peers.
- Fallback
Tcp intThreshold - Timeout in seconds before falling IKE/IPsec traffic back to TCP.
- Fec
Base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- Fec
Codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of the API, for other versions of FortiOS, please check the variable
fec-codec_string
. - Fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values: rs
,xor
. - Fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - Fec
Health stringCheck - SD-WAN health check.
- Fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - Fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- Fec
Receive intTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- Fec
Redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- Fec
Send intTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- Fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - Forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - Fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - Fragmentation string
- Enable/disable fragmenting IKE messages on re-transmission. Valid values:
enable
,disable
. - Fragmentation
Mtu int - IKE fragmentation MTU (500 - 16000).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - Group
Authentication stringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- Ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - Idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - Idle
Timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- Ike
Version string - IKE protocol version. Valid values:
1
,2
. - Inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - Include
Local stringLan - Enable/disable allowing local LAN access on unity clients. Valid values:
disable
,enable
.
- Interface string - Local physical, aggregate, or VLAN outgoing interface.
- InternalDomainLists []Phase1interfaceInternalDomainListArgs - One or more internal domain names in quotes, separated by spaces. The structure of the internal_domain_list block is documented below.
- IpDelayInterval int - IP address reuse delay interval in seconds (0 - 28800).
- IpFragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
.
- IpVersion string - IP version to use for the VPN interface. Valid values:
4
,6
. - Ipv4Dns
Server1 string - IPv4 DNS server 1.
- Ipv4Dns
Server2 string - IPv4 DNS server 2.
- Ipv4Dns
Server3 string - IPv4 DNS server 3.
- Ipv4End
Ip string - End of IPv4 range.
- Ipv4Exclude
Ranges []Phase1interfaceIpv4Exclude Range Args - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - Ipv4Name string
- IPv4 address name.
- Ipv4Netmask string
- IPv4 Netmask.
- Ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- Ipv4Split
Include string - IPv4 split-include subnets.
- Ipv4Start
Ip string - Start of IPv4 range.
- Ipv4Wins
Server1 string - WINS server 1.
- Ipv4Wins
Server2 string - WINS server 2.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Dns
Server3 string - IPv6 DNS server 3.
- Ipv6End
Ip string - End of IPv6 range.
- Ipv6Exclude
Ranges []Phase1interfaceIpv6Exclude Range Args - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - Ipv6Name string
- IPv6 address name.
- Ipv6Prefix int
- IPv6 prefix.
- Ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- Ipv6Split
Include string - IPv6 split-include subnets.
- Ipv6Start
Ip string - Start of IPv6 range.
- Keepalive int
- NAT-T keep alive interval.
- Keylife int
- Time to wait in seconds before phase 1 encryption key expires.
- Kms string
- Key Management Services server.
- Link
Cost int - VPN tunnel underlay link cost.
- Local
Gw string - IPv4 address of the local gateway's external interface.
- Local
Gw6 string - IPv6 address of the local gateway's external interface.
- Localid string
- Local ID.
- Localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - Loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - Mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - Mode string
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - Mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - Mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - Monitor string
- IPsec interface as backup for primary interface.
- Monitor
Hold intDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- Monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- Monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - Monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Monitor
Min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- Name string
- IPsec remote gateway name.
- Nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - Negotiate
Timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- Net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - Network
Id int - VPN gateway network ID.
- Network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
.
- NpuOffload string - Enable/disable NPU offloading. Valid values:
enable
,disable
. - Packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - Passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - Peer string
- Accept this peer certificate.
- Peergrp string
- Accept this peer certificate group.
- Peerid string
- Accept this peer identity.
- Peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - Ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - Ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- Ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- Priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- Proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - Psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- Qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - Qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- Reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - Rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - Remote
Gw string - IPv4 address of the remote gateway's external interface.
- Remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- RemoteGw6Country string - IPv6 addresses associated with a specific country.
- Remote
Gw6End stringIp - Last IPv6 address in the range.
- Remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - Remote
Gw6Start stringIp - First IPv6 address in the range.
- Remote
Gw6Subnet string - IPv6 address and prefix.
.
- RemoteGwCountry string - IPv4 addresses associated with a specific country.
- Remote
Gw stringEnd Ip - Last IPv4 address in the range.
- Remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - Remote
Gw stringStart Ip - First IPv4 address in the range.
- Remote
Gw stringSubnet - IPv4 address and subnet mask.
- Remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- Rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - Rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - Save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - Send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - Signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - Split
Include stringService - Split-include services.
- Suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - Transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - Tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - Type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - Unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - Usrgrp string
- User group name for dialup peers.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vni int
- VNI of VXLAN tunnel.
- Wizard
Type string - GUI VPN Wizard Type.
- Xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw StringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
.
- addRoute String - Enable/disable adding a route to the peer destination selector. Valid values:
disable
,enable
. - aggregate
Member String - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate
Weight Integer - Link weight for aggregate.
- assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip StringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters).
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Discovery StringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto
Discovery StringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery IntegerOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto
Discovery StringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto
Discovery StringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad StringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Phase1interfaceBackup Gateway> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below.
- banner String - Message that the Unity client should display after connecting.
- cert
Id StringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer StringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer StringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust StringStore - CA certificate trust store. Valid values:
local
,ems
.
- certificates List&lt;Phase1interfaceCertificate&gt; - The names of up to 4 signed personal certificates. The structure of the certificate block is documented below.
- childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto StringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep StringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume IntegerInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- default
Gw String - IPv4 address of default route gateway to use for traffic exiting the interface.
- default
Gw IntegerPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id StringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra StringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature StringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Integer
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Integer - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
.
- dynamicSortSubtable String - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert StringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude StringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn StringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap
Local StringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap
Local StringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap
Remote StringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap
Remote StringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation String
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation
Address String - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce
Unique StringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt StringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange
Interface StringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange
Ip StringAddr4 - IPv4 address to exchange with peers.
- exchangeIpAddr6 String - IPv6 address to exchange with peers.
- fallbackTcpThreshold Integer - Timeout in seconds before falling IKE/IPsec traffic back to TCP.
- fec
Base Integer - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fecCodec Integer - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the data type of the API changed, for other versions of FortiOS check the variable fec-codec_string instead.
- fecCodecString String - Forward Error Correction encoding/decoding algorithm. Because the data type of the API changed, for other versions of FortiOS check the variable fec-codec instead. Valid values: rs, xor.
- fecEgress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive IntegerTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Integer - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send IntegerTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
.
- fortinetEsp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Integer - IKE fragmentation MTU (500 - 16000).
- getAllTables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication StringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
- ha
Sync StringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Integer - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Valid values:
1
,2
.
- inboundDscpCopy String - Enable/disable copying the DSCP value in the ESP header to the inner IP header. Valid values:
enable
,disable
.
- includeLocalLan String - Enable/disable allowing local LAN access on Unity clients. Valid values:
disable
,enable
. - interface_ String
- Local physical, aggregate, or VLAN outgoing interface.
- internal
Domain List<Phase1interfaceLists Internal Domain List> - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay IntegerInterval - IP address reuse delay interval in seconds (0 - 28800).
- ip
Fragmentation String - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip
Version String - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Phase1interfaceIpv4Exclude Range> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Phase1interfaceIpv6Exclude Range> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Integer
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Integer
- NAT-T keep alive interval.
- keylife Integer
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Integer - VPN tunnel underlay link cost.
- local
Gw String - IPv4 address of the local gateway's external interface.
- local
Gw6 String - IPv6 address of the local gateway's external interface.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector StringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg StringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor String
- IPsec interface as backup for primary interface.
- monitor
Hold IntegerDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor
Hold StringDown Time - Time of day at which to fail back to primary after it re-establishes.
- monitor
Hold StringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor
Hold StringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor
Min Integer - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Integer - IKE SA negotiation timeout in seconds (1 - 300).
- net
Device String - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network
Id Integer - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet
Redistribution String - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive
Mode String - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority Integer
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal String
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - IPv4 address of the remote gateway's external interface.
- remote
Gw6 String - IPv6 address of the remote gateway's external interface.
- remote
Gw6Country String - IPv6 addresses associated to a specific country.
- remote
Gw6End StringIp - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start StringIp - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remote
Gw StringCountry - IPv4 addresses associated to a specific country.
- remote
Gw StringEnd Ip - Last IPv4 address in the range.
- remote
Gw StringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw StringStart Ip - First IPv4 address in the range.
- remote
Gw StringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature StringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature StringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password String - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert StringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash StringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include StringService - Split-include services.
- suite
B String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel
Search String - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vni Integer
- VNI of VXLAN tunnel.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify string - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw stringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - add
Route string - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - aggregate
Member string - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate
Weight number - Link weight for aggregate.
- assign
Ip string - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip stringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod string
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote string - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd string
- XAuth password (max 35 characters).
- authusr string
- XAuth user name.
- authusrgrp string
- Authentication user group.
- auto
Discovery stringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto
Discovery stringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery numberOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto
Discovery stringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto
Discovery stringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery stringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery stringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto
Negotiate string - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad stringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways Phase1interfaceBackup Gateway[] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below.
- banner string - Message that the Unity client should display after connecting.
- cert
Id stringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert
Peer stringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer stringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust stringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates
Phase1interface
Certificate[] - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike string - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto stringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep stringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume string - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel up during this period, and allows users to resume using the IPsec tunnel immediately when the device wakes up. Valid values:
enable
,disable
. - client
Resume numberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments string
- Comment.
- default
Gw string - IPv4 address of default route gateway to use for traffic exiting the interface.
- default
Gw numberPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev
Id string - Device ID carried by the device ID notification.
- dev
Id stringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr string - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra stringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp string
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature stringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance number
- Distance for routes added by IKE (1 - 255).
- dns
Mode string - DNS server mode. Valid values:
manual
,auto
. - domain string
- Instruct unity clients about the default DNS domain.
- dpd string
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount number - Number of DPD retry attempts.
- dpd
Retryinterval string - DPD retry interval.
- dynamic
Sort stringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap string
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert stringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude stringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity string - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn stringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap
Local stringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap
Local stringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap
Remote stringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap
Remote stringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation string
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation
Address string - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce
Unique stringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn string
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt stringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange
Interface stringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange
Ip stringAddr4 - IPv4 address to exchange with peers.
- exchange
Ip stringAddr6 - IPv6 address to exchange with peers.
- fallback
Tcp numberThreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec
Base number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec number - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the data type of this API field changed, for other versions of FortiOS please check the variable
fec-codec_string
. - fec
Codec stringString - Forward Error Correction encoding/decoding algorithm. Because the data type of this API field changed, for other versions of FortiOS please check the variable
fec-codec
. Valid values: rs
,xor
. - fec
Egress string - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health stringCheck - SD-WAN health check.
- fec
Ingress string - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping stringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive numberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send numberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync string - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement string - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp string - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation string
- Enable/disable fragmentation of IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu number - IKE fragmentation MTU (500 - 16000).
- get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication string - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication stringSecret - Password for IKEv2 ID group authentication (ASCII string or hexadecimal encoded with a leading 0x).
- ha
Sync stringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout string - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version string - IKE protocol version. Valid values:
1
,2
. - inbound
Dscp stringCopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include
Local stringLan - Enable/disable allowing local LAN access for unity clients. Valid values:
disable
,enable
. - interface string
- Local physical, aggregate, or VLAN outgoing interface.
- internal
Domain Phase1interfaceLists Internal Domain List[] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay numberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ip
Fragmentation string - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip
Version string - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4Dns
Server1 string - IPv4 DNS server 1.
- ipv4Dns
Server2 string - IPv4 DNS server 2.
- ipv4Dns
Server3 string - IPv4 DNS server 3.
- ipv4End
Ip string - End of IPv4 range.
- ipv4Exclude
Ranges Phase1interfaceIpv4Exclude Range[] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name string
- IPv4 address name.
- ipv4Netmask string
- IPv4 Netmask.
- ipv4Split
Exclude string - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include string - IPv4 split-include subnets.
- ipv4Start
Ip string - Start of IPv4 range.
- ipv4Wins
Server1 string - WINS server 1.
- ipv4Wins
Server2 string - WINS server 2.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Dns
Server3 string - IPv6 DNS server 3.
- ipv6End
Ip string - End of IPv6 range.
- ipv6Exclude
Ranges Phase1interfaceIpv6Exclude Range[] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name string
- IPv6 address name.
- ipv6Prefix number
- IPv6 prefix.
- ipv6Split
Exclude string - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include string - IPv6 split-include subnets.
- ipv6Start
Ip string - Start of IPv6 range.
- keepalive number
- NAT-T keep alive interval.
- keylife number
- Time in seconds before the phase 1 encryption key expires.
- kms string
- Key Management Services server.
- link
Cost number - VPN tunnel underlay link cost.
- local
Gw string - IPv4 address of the local gateway's external interface.
- local
Gw6 string - IPv6 address of the local gateway's external interface.
- localid string
- Local ID.
- localid
Type string - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute string - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector stringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode string
- The ID protection mode used to establish a secure channel. Valid values:
aggressive
,main
. - mode
Cfg string - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg stringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor string
- IPsec interface as backup for primary interface.
- monitor
Hold numberDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor
Hold stringDown Time - Time of day at which to fail back to primary after it re-establishes.
- monitor
Hold stringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor
Hold stringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor
Min number - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name string
- IPsec remote gateway name.
- nattraversal string
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout number - IKE SA negotiation timeout in seconds (1 - 300).
- net
Device string - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network
Id number - VPN gateway network ID.
- network
Overlay string - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload string - Enable/disable offloading to the NPU. Valid values:
enable
,disable
. - packet
Redistribution string - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive
Mode string - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer string
- Accept this peer certificate.
- peergrp string
- Accept this peer certificate group.
- peerid string
- Accept this peer identity.
- peertype string
- Accept this peer type. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk string
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity string - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret string - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
- priority number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal string
- Phase1 proposal. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret string
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- psksecret
Remote string - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
- qkd string
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile string - Quantum Key Distribution (QKD) server profile.
- reauth string
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey string
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw string - IPv4 address of the remote gateway's external interface.
- remote
Gw6 string - IPv6 address of the remote gateway's external interface.
- remote
Gw6Country string - IPv6 addresses associated with a specific country.
- remote
Gw6End stringIp - Last IPv6 address in the range.
- remote
Gw6Match string - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start stringIp - First IPv6 address in the range.
- remote
Gw6Subnet string - IPv6 address and prefix.
- remote
Gw stringCountry - IPv4 addresses associated with a specific country.
- remote
Gw stringEnd Ip - Last IPv4 address in the range.
- remote
Gw stringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw stringStart Ip - First IPv4 address in the range.
- remote
Gw stringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns string - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature stringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature stringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password string - Enable/disable saving XAuth username and password on VPN clients. Valid values:
disable
,enable
. - send
Cert stringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash stringAlg - Digital Signature Authentication hash algorithms. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include stringService - Split-include services.
- suite
B string - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport string
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel
Search string - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type string
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support string - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp string
- User group name for dialup peers.
- vdomparam string
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- vni number
- VNI of VXLAN tunnel.
- wizard
Type string - GUI VPN Wizard Type.
- xauthtype string
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct_
verify str - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add_
gw_ strroute - Enable/disable automatically adding a route to the remote gateway. Valid values:
enable
,disable
. - add_
route str - Enable/disable addition of a route to the peer destination selector. Valid values:
disable
,enable
. - aggregate_
member str - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate_
weight int - Link weight for aggregate.
- assign_
ip str - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign_
ip_ strfrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod str
- Authentication method. Valid values:
psk
,signature
. - authmethod_
remote str - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd str
- XAuth password (max 35 characters).
- authusr str
- XAuth user name.
- authusrgrp str
- Authentication user group.
- auto_
discovery_ strcrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto_
discovery_ strforwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ intoffer_ interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto_
discovery_ strpsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto_
discovery_ strreceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ strsender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto_
discovery_ strshortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto_
negotiate str - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure_
ad_ strautoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup_
gateways Sequence[Phase1interfaceBackup Gateway Args] - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - str
- Message that unity client should display after connecting.
- cert_
id_ strvalidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values:
enable
,disable
. - cert_
peer_ strusername_ strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert_
peer_ strusername_ validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert_
trust_ strstore - CA certificate trust store. Valid values:
local
,ems
. - certificates
Sequence[Phase1interface
Certificate Args] - The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless_
ike str - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client_
auto_ strnegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client_
keep_ stralive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client_
resume str - Enable/disable resumption of offline FortiClient sessions. When a FortiClient-enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel up during this period, and allows users to resume using the IPsec tunnel immediately when the device wakes up. Valid values:
enable
,disable
. - client_
resume_ intinterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments str
- Comment.
- default_
gw str - IPv4 address of default route gateway to use for traffic exiting the interface.
- default_
gw_ intpriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev_
id str - Device ID carried by the device ID notification.
- dev_
id_ strnotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6_
ra_ strlinkaddr - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp_
ra_ strgiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp str
- DH group. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital_
signature_ strauth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance int
- Distance for routes added by IKE (1 - 255).
- dns_
mode str - DNS server mode. Valid values:
manual
,auto
. - domain str
- Instruct unity clients about the default DNS domain.
- dpd str
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd_
retrycount int - Number of DPD retry attempts.
- dpd_
retryinterval str - DPD retry interval.
- dynamic_
sort_ strsubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap str
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap_
cert_ strauth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap_
exclude_ strpeergrp - Peer group excluded from EAP authentication.
- eap_
identity str - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems_
sn_ strcheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap_
local_ strgw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap_
local_ strgw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap_
remote_ strgw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap_
remote_ strgw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation str
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation_
address str - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce_
unique_ strid - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn str
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange_
fgt_ strdevice_ id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange_
interface_ strip - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange_
ip_ straddr4 - IPv4 address to exchange with peers.
- exchange_
ip_ straddr6 - IPv6 address to exchange with peers.
- fallback_
tcp_ intthreshold - Timeout in seconds before IKE/IPsec traffic falls back to TCP.
- fec_
base int - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec_
codec int - IPsec FEC encoding/decoding algorithm (0: reed-solomon, 1: xor). Because the data type of this API field changed, for other versions of FortiOS please check the variable
fec-codec_string
. - fec_
codec_ strstring - Forward Error Correction encoding/decoding algorithm. Because the data type of this API field changed, for other versions of FortiOS please check the variable
fec-codec
. Valid values: rs
,xor
. - fec_
egress str - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec_
health_ strcheck - SD-WAN health check.
- fec_
ingress str - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec_
mapping_ strprofile - Forward Error Correction (FEC) mapping profile.
- fec_
receive_ inttimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec_
redundant int - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100 when fec-codec is reed-solomon, or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec_
send_ inttimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp_
sync str - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient_
enforcement str - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet_
esp str - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation str
- Enable/disable fragmentation of IKE messages on re-transmission. Valid values:
enable
,disable
. - fragmentation_
mtu int - IKE fragmentation MTU (500 - 16000).
- get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group_
authentication str - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group_
authentication_ strsecret - Password for IKEv2 ID group authentication (ASCII string or hexadecimal encoded with a leading 0x).
- ha_
sync_ stresp_ seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle_
timeout str - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle_
timeoutinterval int - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike_
version str - IKE protocol version. Valid values:
1
,2
. - inbound_
dscp_ strcopy - Enable/disable copying the DSCP value from the ESP header to the inner IP header. Valid values:
enable
,disable
. - include_
local_ strlan - Enable/disable allowing local LAN access for unity clients. Valid values:
disable
,enable
. - interface str
- Local physical, aggregate, or VLAN outgoing interface.
- internal_
domain_ Sequence[Phase1interfacelists Internal Domain List Args] - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip_
delay_ intinterval - IP address reuse delay interval in seconds (0 - 28800).
- ip_
fragmentation str - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip_
version str - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4_
dns_ strserver1 - IPv4 DNS server 1.
- ipv4_
dns_ strserver2 - IPv4 DNS server 2.
- ipv4_
dns_ strserver3 - IPv4 DNS server 3.
- ipv4_
end_ strip - End of IPv4 range.
- ipv4_
exclude_ Sequence[Phase1interfaceranges Ipv4Exclude Range Args] - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4_
name str - IPv4 address name.
- ipv4_
netmask str - IPv4 Netmask.
- ipv4_
split_ strexclude - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4_
split_ strinclude - IPv4 split-include subnets.
- ipv4_
start_ strip - Start of IPv4 range.
- ipv4_
wins_ strserver1 - WINS server 1.
- ipv4_
wins_ strserver2 - WINS server 2.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
dns_ strserver3 - IPv6 DNS server 3.
- ipv6_
end_ strip - End of IPv6 range.
- ipv6_
exclude_ Sequence[Phase1interfaceranges Ipv6Exclude Range Args] - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6_
name str - IPv6 address name.
- ipv6_
prefix int - IPv6 prefix.
- ipv6_
split_ strexclude - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6_
split_ strinclude - IPv6 split-include subnets.
- ipv6_
start_ strip - Start of IPv6 range.
- keepalive int
- NAT-T keep alive interval.
- keylife int
- Time in seconds before the phase 1 encryption key expires.
- kms str
- Key Management Services server.
- link_
cost int - VPN tunnel underlay link cost.
- local_
gw str - IPv4 address of the local gateway's external interface.
- local_
gw6 str - IPv6 address of the local gateway's external interface.
- localid str
- Local ID.
- localid_
type str - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback_
asymroute str - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh_
selector_ strtype - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode str
- The ID protection mode used to establish a secure channel (applies to IKEv1 only). `aggressive` mode sends the peer identity unprotected and, when combined with `authmethod: psk`, exposes a PSK-derived hash that can be attacked offline by dictionary; use `main` unless a dialup peer specifically requires aggressive mode. Valid values:
aggressive
,main
. - mode_
cfg str - Enable/disable configuration method. Valid values:
disable
,enable
. - mode_
cfg_ strallow_ client_ selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor str
- IPsec interface as backup for primary interface.
- monitor_
hold_ intdown_ delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor_
hold_ strdown_ time - Time of day at which to fail back to primary after it re-establishes.
- monitor_
hold_ strdown_ type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor_
hold_ strdown_ weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor_
min int - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name str
- IPsec remote gateway name.
- nattraversal str
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate_
timeout int - IKE SA negotiation timeout in seconds (1 - 300).
- net_
device str - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network_
id int - VPN gateway network ID.
- network_
overlay str - Enable/disable network overlays. Valid values:
disable
,enable
. - npu_
offload str - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet_
redistribution str - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive_
mode str - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer str
- Accept this peer certificate.
- peergrp str
- Accept this peer certificate group.
- peerid str
- Accept this peer identity.
- peertype str
- Accept this peer type. `any` admits every peer that completes authentication (with PSK, anyone holding the secret); for static tunnels prefer `one`, `peer` or `peergrp` so the expected identity or certificate is pinned. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk str
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk_
identity str - IKEv2 Postquantum Preshared Key Identity.
- ppk_
secret str - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). This value is stored in Pulumi state; pass it as a secret (`pulumi.secret(...)` or a `--secret` config value) rather than a plain literal so it is encrypted at rest.
- priority int
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal str
- Phase1 proposal. Values built on `des`, `3des`, `md5` or `sha1` are retained only for interoperability with legacy peers and should not be chosen for new tunnels; prefer an AES-GCM proposal with a SHA-2 PRF (e.g. `aes256gcm-prfsha256`) or AES with SHA-2 integrity. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret str
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). This value is stored in Pulumi state; pass it as a secret (`pulumi.secret(...)` or a `--secret` config value) rather than a plain literal so it is encrypted at rest, and use a long random value rather than a passphrase.
- psksecret_
remote str - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). Like `psksecret`, this is persisted in Pulumi state and should be supplied as a secret value.
- qkd str
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd_
profile str - Quantum Key Distribution (QKD) server profile.
- reauth str
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey str
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote_
gw str - IPv4 address of the remote gateway's external interface.
- remote_
gw6 str - IPv6 address of the remote gateway's external interface.
- remote_
gw6_ strcountry - IPv6 addresses associated to a specific country.
- remote_
gw6_ strend_ ip - Last IPv6 address in the range.
- remote_
gw6_ strmatch - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote_
gw6_ strstart_ ip - First IPv6 address in the range.
- remote_
gw6_ strsubnet - IPv6 address and prefix.
- remote_
gw_ strcountry - IPv4 addresses associated to a specific country.
- remote_
gw_ strend_ ip - Last IPv4 address in the range.
- remote_
gw_ strmatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote_
gw_ strstart_ ip - First IPv4 address in the range.
- remote_
gw_ strsubnet - IPv4 address and subnet mask.
- remotegw_
ddns str - Domain name of remote gateway. For example, name.ddns.com.
- rsa_
signature_ strformat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa_
signature_ strhash_ override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save_
password str - Enable/disable saving XAuth username and password on VPN clients. Enabling this stores credentials on the endpoint; keep it `disable` unless storing credentials on the client is acceptable under your policy. Valid values:
disable
,enable
. - send_
cert_ strchain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature_
hash_ stralg - Digital Signature Authentication hash algorithms. `sha1` is deprecated for signatures and should only be kept for legacy peers; prefer `sha2-256` or stronger. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split_
include_ strservice - Split-include services.
- suite_
b str - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport str
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel_
search str - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type str
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity_
support str - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp str
- User group name for dialup peers.
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vni int
- VNI of VXLAN tunnel.
- wizard_
type str - GUI VPN Wizard Type.
- xauthtype str
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
- acct
Verify String - Enable/disable verification of RADIUS accounting record. Valid values:
enable
,disable
. - add
Gw StringRoute - Enable/disable automatically add a route to the remote gateway. Valid values:
enable
,disable
. - add
Route String - Enable/disable control addition of a route to peer destination selector. Valid values:
disable
,enable
. - aggregate
Member String - Enable/disable use as an aggregate member. Valid values:
enable
,disable
. - aggregate
Weight Number - Link weight for aggregate.
- assign
Ip String - Enable/disable assignment of IP to IPsec interface via configuration method. Valid values:
disable
,enable
. - assign
Ip StringFrom - Method by which the IP address will be assigned. Valid values:
range
,usrgrp
,dhcp
,name
. - authmethod String
- Authentication method. Valid values:
psk
,signature
. - authmethod
Remote String - Authentication method (remote side). Valid values:
psk
,signature
. - authpasswd String
- XAuth password (max 35 characters). This value is stored in Pulumi state; supply it as a secret (`pulumi.secret(...)` or a `--secret` config value) rather than a plain literal.
- authusr String
- XAuth user name.
- authusrgrp String
- Authentication user group.
- auto
Discovery StringCrossover - Allow/block set-up of short-cut tunnels between different network IDs. Valid values:
allow
,block
. - auto
Discovery StringForwarder - Enable/disable forwarding auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery NumberOffer Interval - Interval between shortcut offer messages in seconds (1 - 300, default = 5).
- auto
Discovery StringPsk - Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values:
enable
,disable
. - auto
Discovery StringReceiver - Enable/disable accepting auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringSender - Enable/disable sending auto-discovery short-cut messages. Valid values:
enable
,disable
. - auto
Discovery StringShortcuts - Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values:
independent
,dependent
. - auto
Negotiate String - Enable/disable automatic initiation of IKE SA negotiation. Valid values:
enable
,disable
. - azure
Ad StringAutoconnect - Enable/disable Azure AD Auto-Connect for FortiClient. Valid values:
enable
,disable
. - backup
Gateways List<Property Map> - Instruct unity clients about the backup gateway address(es). The structure of
backup_gateway
block is documented below. - String
- Message that unity client should display after connecting.
- cert
Id StringValidation - Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Leave this enabled: disabling it lets a peer claim any ID as long as it presents a certificate from a trusted CA. Valid values:
enable
,disable
. - cert
Peer StringUsername Strip - Enable/disable domain stripping on certificate identity. Valid values:
disable
,enable
. - cert
Peer StringUsername Validation - Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values:
none
,othername
,rfc822name
,cn
. - cert
Trust StringStore - CA certificate trust store. Valid values:
local
,ems
. - certificates List<Property Map>
- The names of up to 4 signed personal certificates. The structure of
certificate
block is documented below. - childless
Ike String - Enable/disable childless IKEv2 initiation (RFC 6023). Valid values:
enable
,disable
. - client
Auto StringNegotiate - Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values:
disable
,enable
. - client
Keep StringAlive - Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values:
disable
,enable
. - client
Resume String - Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values:
enable
,disable
. - client
Resume NumberInterval - Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
- comments String
- Comment.
- default
Gw String - IPv4 address of default route gateway to use for traffic exiting the interface.
- default
Gw NumberPriority - Priority for default gateway route. A higher priority number signifies a less preferred route.
- dev
Id String - Device ID carried by the device ID notification.
- dev
Id StringNotification - Enable/disable device ID notification. Valid values:
disable
,enable
. - dhcp6Ra
Linkaddr String - Relay agent IPv6 link address to use in DHCP6 requests.
- dhcp
Ra StringGiaddr - Relay agent gateway IP address to use in the giaddr field of DHCP requests.
- dhgrp String
- DH group. Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are no longer considered adequate; use group 14 or higher. Every listed group is offered to the peer, so do not append a weak group "for compatibility" unless you accept that the peer may negotiate it. Valid values:
1
,2
,5
,14
,15
,16
,17
,18
,19
,20
,21
,27
,28
,29
,30
,31
,32
. - digital
Signature StringAuth - Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values:
enable
,disable
. - distance Number
- Distance for routes added by IKE (1 - 255).
- dns
Mode String - DNS server mode. Valid values:
manual
,auto
. - domain String
- Instruct unity clients about the default DNS domain.
- dpd String
- Dead Peer Detection mode. Valid values:
disable
,on-idle
,on-demand
. - dpd
Retrycount Number - Number of DPD retry attempts.
- dpd
Retryinterval String - DPD retry interval.
- dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- eap String
- Enable/disable IKEv2 EAP authentication. Valid values:
enable
,disable
. - eap
Cert StringAuth - Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values:
enable
,disable
. - eap
Exclude StringPeergrp - Peer group excluded from EAP authentication.
- eap
Identity String - IKEv2 EAP peer identity type. Valid values:
use-id-payload
,send-request
. - ems
Sn StringCheck - Enable/disable verification of EMS serial number. Valid values:
enable
,disable
. - encap
Local StringGw4 - Local IPv4 address of GRE/VXLAN tunnel.
- encap
Local StringGw6 - Local IPv6 address of GRE/VXLAN tunnel.
- encap
Remote StringGw4 - Remote IPv4 address of GRE/VXLAN tunnel.
- encap
Remote StringGw6 - Remote IPv6 address of GRE/VXLAN tunnel.
- encapsulation String
- Enable/disable GRE/VXLAN encapsulation.
- encapsulation
Address String - Source for GRE/VXLAN tunnel address. Valid values:
ike
,ipv4
,ipv6
. - enforce
Unique StringId - Enable/disable peer ID uniqueness check. Valid values:
disable
,keep-new
,keep-old
. - esn String
- Extended sequence number (ESN) negotiation. Valid values:
require
,allow
,disable
. - exchange
Fgt StringDevice Id - Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values:
enable
,disable
. - exchange
Interface StringIp - Enable/disable exchange of IPsec interface IP address. Valid values:
enable
,disable
. - exchange
Ip StringAddr4 - IPv4 address to exchange with peers.
- exchange
Ip StringAddr6 - IPv6 address to exchange with peers.
- fallback
Tcp NumberThreshold - Timeout in seconds before falling back IKE/IPsec traffic to tcp.
- fec
Base Number - Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
- fec
Codec Number - ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec_string
. - fec
Codec StringString - Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable
fec-codec
. Valid values:rs
,xor
. - fec
Egress String - Enable/disable Forward Error Correction for egress IPsec traffic. Valid values:
enable
,disable
. - fec
Health StringCheck - SD-WAN health check.
- fec
Ingress String - Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values:
enable
,disable
. - fec
Mapping StringProfile - Forward Error Correction (FEC) mapping profile.
- fec
Receive NumberTimeout - Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
- fec
Redundant Number - Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
- fec
Send NumberTimeout - Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
- fgsp
Sync String - Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values:
enable
,disable
. - forticlient
Enforcement String - Enable/disable FortiClient enforcement. Valid values:
enable
,disable
. - fortinet
Esp String - Enable/disable Fortinet ESP encapsulation. Valid values:
enable
,disable
. - fragmentation String
- Enable/disable fragment IKE message on re-transmission. Valid values:
enable
,disable
. - fragmentation
Mtu Number - IKE fragmentation MTU (500 - 16000).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- group
Authentication String - Enable/disable IKEv2 IDi group authentication. Valid values:
enable
,disable
. - group
Authentication StringSecret - Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x. This value is stored in Pulumi state; supply it as a secret value rather than a plain literal.
- ha
Sync StringEsp Seqno - Enable/disable sequence number jump ahead for IPsec HA. Valid values:
enable
,disable
. - idle
Timeout String - Enable/disable IPsec tunnel idle timeout. Valid values:
enable
,disable
. - idle
Timeoutinterval Number - IPsec tunnel idle timeout in minutes (5 - 43200).
- ike
Version String - IKE protocol version. Prefer `2` where the peer supports it; several options on this page (EAP, PPK, childless IKE, digital signature authentication) apply to IKEv2 only, and IKEv1 aggressive mode with PSK is weak. Valid values:
1
,2
. - inbound
Dscp StringCopy - Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values:
enable
,disable
. - include
Local StringLan - Enable/disable allow local LAN access on unity clients. Valid values:
disable
,enable
. - interface String
- Local physical, aggregate, or VLAN outgoing interface.
- internal
Domain List<Property Map>Lists - One or more internal domain names in quotes separated by spaces. The structure of
internal_domain_list
block is documented below. - ip
Delay NumberInterval - IP address reuse delay interval in seconds (0 - 28800).
- ip
Fragmentation String - Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values:
pre-encapsulation
,post-encapsulation
. - ip
Version String - IP version to use for VPN interface. Valid values:
4
,6
. - ipv4Dns
Server1 String - IPv4 DNS server 1.
- ipv4Dns
Server2 String - IPv4 DNS server 2.
- ipv4Dns
Server3 String - IPv4 DNS server 3.
- ipv4End
Ip String - End of IPv4 range.
- ipv4Exclude
Ranges List<Property Map> - Configuration Method IPv4 exclude ranges. The structure of
ipv4_exclude_range
block is documented below. - ipv4Name String
- IPv4 address name.
- ipv4Netmask String
- IPv4 Netmask.
- ipv4Split
Exclude String - IPv4 subnets that should not be sent over the IPsec tunnel.
- ipv4Split
Include String - IPv4 split-include subnets.
- ipv4Start
Ip String - Start of IPv4 range.
- ipv4Wins
Server1 String - WINS server 1.
- ipv4Wins
Server2 String - WINS server 2.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Dns
Server3 String - IPv6 DNS server 3.
- ipv6End
Ip String - End of IPv6 range.
- ipv6Exclude
Ranges List<Property Map> - Configuration method IPv6 exclude ranges. The structure of
ipv6_exclude_range
block is documented below. - ipv6Name String
- IPv6 address name.
- ipv6Prefix Number
- IPv6 prefix.
- ipv6Split
Exclude String - IPv6 subnets that should not be sent over the IPsec tunnel.
- ipv6Split
Include String - IPv6 split-include subnets.
- ipv6Start
Ip String - Start of IPv6 range.
- keepalive Number
- NAT-T keep alive interval.
- keylife Number
- Time to wait in seconds before phase 1 encryption key expires.
- kms String
- Key Management Services server.
- link
Cost Number - VPN tunnel underlay link cost.
- local
Gw String - IPv4 address of the local gateway's external interface.
- local
Gw6 String - IPv6 address of the local gateway's external interface.
- localid String
- Local ID.
- localid
Type String - Local ID type. Valid values:
auto
,fqdn
,user-fqdn
,keyid
,address
,asn1dn
. - loopback
Asymroute String - Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values:
enable
,disable
. - mesh
Selector StringType - Add selectors containing subsets of the configuration depending on traffic. Valid values:
disable
,subnet
,host
. - mode String
- The ID protection mode used to establish a secure channel (applies to IKEv1 only). `aggressive` mode sends the peer identity unprotected and, when combined with `authmethod: psk`, exposes a PSK-derived hash that can be attacked offline by dictionary; use `main` unless a dialup peer specifically requires aggressive mode. Valid values:
aggressive
,main
. - mode
Cfg String - Enable/disable configuration method. Valid values:
disable
,enable
. - mode
Cfg StringAllow Client Selector - Enable/disable mode-cfg client to use custom phase2 selectors. Valid values:
disable
,enable
. - monitor String
- IPsec interface as backup for primary interface.
- monitor
Hold NumberDown Delay - Time to wait in seconds before recovery once primary re-establishes.
- monitor
Hold StringDown Time - Time of day at which to fail back to primary after it re-establishes.
- monitor
Hold StringDown Type - Recovery time method when primary interface re-establishes. Valid values:
immediate
,delay
,time
. - monitor
Hold StringDown Weekday - Day of the week to recover once primary re-establishes. Valid values:
everyday
,sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - monitor
Min Number - Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
- name String
- IPsec remote gateway name.
- nattraversal String
- Enable/disable NAT traversal. Valid values:
enable
,disable
,forced
. - negotiate
Timeout Number - IKE SA negotiation timeout in seconds (1 - 300).
- net
Device String - Enable/disable kernel device creation. Valid values:
enable
,disable
. - network
Id Number - VPN gateway network ID.
- network
Overlay String - Enable/disable network overlays. Valid values:
disable
,enable
. - npu
Offload String - Enable/disable offloading NPU. Valid values:
enable
,disable
. - packet
Redistribution String - Enable/disable packet distribution (RPS) on the IPsec interface. Valid values:
enable
,disable
. - passive
Mode String - Enable/disable IPsec passive mode for static tunnels. Valid values:
enable
,disable
. - peer String
- Accept this peer certificate.
- peergrp String
- Accept this peer certificate group.
- peerid String
- Accept this peer identity.
- peertype String
- Accept this peer type. `any` admits every peer that completes authentication (with PSK, anyone holding the secret); for static tunnels prefer `one`, `peer` or `peergrp` so the expected identity or certificate is pinned. Valid values:
any
,one
,dialup
,peer
,peergrp
. - ppk String
- Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values:
disable
,allow
,require
. - ppk
Identity String - IKEv2 Postquantum Preshared Key Identity.
- ppk
Secret String - IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x). This value is stored in Pulumi state; pass it as a secret (`pulumi.secret(...)` or a `--secret` config value) rather than a plain literal so it is encrypted at rest.
- priority Number
- Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
- proposal String
- Phase1 proposal. Values built on `des`, `3des`, `md5` or `sha1` are retained only for interoperability with legacy peers and should not be chosen for new tunnels; prefer an AES-GCM proposal with a SHA-2 PRF (e.g. `aes256gcm-prfsha256`) or AES with SHA-2 integrity. Valid values:
des-md5
,des-sha1
,des-sha256
,des-sha384
,des-sha512
,3des-md5
,3des-sha1
,3des-sha256
,3des-sha384
,3des-sha512
,aes128-md5
,aes128-sha1
,aes128-sha256
,aes128-sha384
,aes128-sha512
,aes128gcm-prfsha1
,aes128gcm-prfsha256
,aes128gcm-prfsha384
,aes128gcm-prfsha512
,aes192-md5
,aes192-sha1
,aes192-sha256
,aes192-sha384
,aes192-sha512
,aes256-md5
,aes256-sha1
,aes256-sha256
,aes256-sha384
,aes256-sha512
,aes256gcm-prfsha1
,aes256gcm-prfsha256
,aes256gcm-prfsha384
,aes256gcm-prfsha512
,chacha20poly1305-prfsha1
,chacha20poly1305-prfsha256
,chacha20poly1305-prfsha384
,chacha20poly1305-prfsha512
,aria128-md5
,aria128-sha1
,aria128-sha256
,aria128-sha384
,aria128-sha512
,aria192-md5
,aria192-sha1
,aria192-sha256
,aria192-sha384
,aria192-sha512
,aria256-md5
,aria256-sha1
,aria256-sha256
,aria256-sha384
,aria256-sha512
,seed-md5
,seed-sha1
,seed-sha256
,seed-sha384
,seed-sha512
. - psksecret String
- Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). This value is stored in Pulumi state; pass it as a secret (`pulumi.secret(...)` or a `--secret` config value) rather than a plain literal so it is encrypted at rest, and use a long random value rather than a passphrase.
- psksecret
Remote String - Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). Like `psksecret`, this is persisted in Pulumi state and should be supplied as a secret value.
- qkd String
- Enable/disable use of Quantum Key Distribution (QKD) server. Valid values:
disable
,allow
,require
. - qkd
Profile String - Quantum Key Distribution (QKD) server profile.
- reauth String
- Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values:
disable
,enable
. - rekey String
- Enable/disable phase1 rekey. Valid values:
enable
,disable
. - remote
Gw String - IPv4 address of the remote gateway's external interface.
- remote
Gw6 String - IPv6 address of the remote gateway's external interface.
- remote
Gw6Country String - IPv6 addresses associated to a specific country.
- remote
Gw6End StringIp - Last IPv6 address in the range.
- remote
Gw6Match String - Set type of IPv6 remote gateway address matching. Valid values:
any
,ipprefix
,iprange
,geography
. - remote
Gw6Start StringIp - First IPv6 address in the range.
- remote
Gw6Subnet String - IPv6 address and prefix.
- remote
Gw StringCountry - IPv4 addresses associated to a specific country.
- remote
Gw StringEnd Ip - Last IPv4 address in the range.
- remote
Gw StringMatch - Set type of IPv4 remote gateway address matching. Valid values:
any
,ipmask
,iprange
,geography
. - remote
Gw StringStart Ip - First IPv4 address in the range.
- remote
Gw StringSubnet - IPv4 address and subnet mask.
- remotegw
Ddns String - Domain name of remote gateway. For example, name.ddns.com.
- rsa
Signature StringFormat - Digital Signature Authentication RSA signature format. Valid values:
pkcs1
,pss
. - rsa
Signature StringHash Override - Enable/disable IKEv2 RSA signature hash algorithm override. Valid values:
enable
,disable
. - save
Password String - Enable/disable saving XAuth username and password on VPN clients. Enabling this stores credentials on the endpoint; keep it `disable` unless storing credentials on the client is acceptable under your policy. Valid values:
disable
,enable
. - send
Cert StringChain - Enable/disable sending certificate chain. Valid values:
enable
,disable
. - signature
Hash StringAlg - Digital Signature Authentication hash algorithms. `sha1` is deprecated for signatures and should only be kept for legacy peers; prefer `sha2-256` or stronger. Valid values:
sha1
,sha2-256
,sha2-384
,sha2-512
. - split
Include StringService - Split-include services.
- suite
B String - Use Suite-B. Valid values:
disable
,suite-b-gcm-128
,suite-b-gcm-256
. - transport String
- Set IKE transport protocol. Valid values:
udp
,udp-fallback-tcp
,tcp
. - tunnel
Search String - Tunnel search method for when the interface is shared. Valid values:
selectors
,nexthop
. - type String
- Remote gateway type. Valid values:
static
,dynamic
,ddns
. - unity
Support String - Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values:
disable
,enable
. - usrgrp String
- User group name for dialup peers.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vni Number
- VNI of VXLAN tunnel.
- wizard
Type String - GUI VPN Wizard Type.
- xauthtype String
- XAuth type. Valid values:
disable
,client
,pap
,chap
,auto
.
Supporting Types
Phase1interfaceBackupGateway, Phase1interfaceBackupGatewayArgs
- Address string
- Address of backup gateway.
- Address string
- Address of backup gateway.
- address String
- Address of backup gateway.
- address string
- Address of backup gateway.
- address str
- Address of backup gateway.
- address String
- Address of backup gateway.
Phase1interfaceCertificate, Phase1interfaceCertificateArgs
- Name string
- Certificate name.
- Name string
- Certificate name.
- name String
- Certificate name.
- name string
- Certificate name.
- name str
- Certificate name.
- name String
- Certificate name.
Phase1interfaceInternalDomainList, Phase1interfaceInternalDomainListArgs
- Domain
Name string Domain name.
The
ipv4_exclude_range
block supports:
- Domain
Name string Domain name.
The
ipv4_exclude_range
block supports:
- domain
Name String Domain name.
The
ipv4_exclude_range
block supports:
- domain
Name string Domain name.
The
ipv4_exclude_range
block supports:
- domain_
name str Domain name.
The
ipv4_exclude_range
block supports:
- domain
Name String Domain name.
The
ipv4_exclude_range
block supports:
Phase1interfaceIpv4ExcludeRange, Phase1interfaceIpv4ExcludeRangeArgs
Phase1interfaceIpv6ExcludeRange, Phase1interfaceIpv6ExcludeRangeArgs
Import
VpnIpsec Phase1Interface can be imported using any of these accepted formats:
$ pulumi import fortios:vpn/ipsec/phase1interface:Phase1interface labelname {{name}}
If you do not want to import arguments of block:
$ export FORTIOS_IMPORT_TABLE="false"
$ pulumi import fortios:vpn/ipsec/phase1interface:Phase1interface labelname {{name}}
$ unset FORTIOS_IMPORT_TABLE
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
fortios
Terraform Provider.