====== Fortinet ======
Firmware upgrade from the CLI
execute restore image tftp nas-2.i.cfns.net
Useful commands
^ Command ^ Notes ^
| | |
===== VTI Tunnel =====
Configuration for a dynamic client behind a NAT
//**NOTE:** The tunnel will not come up unless there is a firewall policy that allows traffic from the tunnel interface to some destination//
==== Server Side ====
config vpn ipsec phase1-interface
edit "VTI-1"
set type ddns
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid ""
set dhgrp 21
set nattraversal disable
set remotegw-ddns ""
set psksecret
set comments "Server Side VTI"
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set auto-negotiate enable
set comments "Server Side"
next
end
config system interface
edit "VTI-1"
set vdom "root"
set ip 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip 255.255.255.255
set interface "wan1"
next
end
==== Client Side ====
config vpn ipsec phase1-interface
edit "VTI-1"
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid ""
set dpd on-idle
set dhgrp 21
set nattraversal disable
set remote-gw 66.37.4.14
set psksecret
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set comments "Client Side"
next
end
config system interface
edit "VTI-1"
set vdom "root"
set ip 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip 255.255.255.255
set interface "wan1"
next
end
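The server and client blocks above have to agree on the IKE version, the phase1 proposal and DH group, and the phase2 proposal and PFS setting, or the tunnel silently fails to negotiate. The following Python is an added example (not part of this wiki page and not a Fortinet tool): it parses the flat FortiOS `config / edit / set / next / end` format used above into dictionaries, reports any of those parameters that differ between the two peers, and warns when NAT traversal is disabled on both ends of a tunnel whose client sits behind a NAT. The embedded config strings are trimmed copies of the page's own phase1/phase2 blocks, kept as a constructed sample; the function names and the `VTI-1` default are the example's own choices.

```python
"""Consistency check for the two ends of a FortiOS VTI tunnel (added example,
not from the wiki page). Parses the flat 'config / edit / set / next / end'
CLI format and compares the IKE/IPsec parameters both peers must agree on.
The config strings are trimmed copies of the page's own phase1/phase2 blocks,
embedded as a constructed sample; scrubbed values (psksecret, localid) are
kept as given on the page."""
import shlex

SERVER_CONFIG = """
config vpn ipsec phase1-interface
edit "VTI-1"
set ike-version 2
set proposal aes256-sha256
set localid ""
set dhgrp 21
set nattraversal disable
set psksecret
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
next
end
"""

CLIENT_CONFIG = """
config vpn ipsec phase1-interface
edit "VTI-1"
set ike-version 2
set proposal aes256-sha256
set localid ""
set dhgrp 21
set nattraversal disable
set remote-gw 66.37.4.14
set psksecret
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
next
end
"""

# Keys that must be identical on both peers or IKE negotiation fails.
PHASE1_MUST_MATCH = ("ike-version", "proposal", "dhgrp")
PHASE2_MUST_MATCH = ("proposal", "pfs")


def parse_fortios(text):
    """Return {table: {entry: {key: value}}}; shlex keeps quoted values, so
    'set localid ""' and a bare 'set psksecret' both map to ''."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def tunnel_mismatches(server_text, client_text, name="VTI-1"):
    """List the phase1/phase2 settings that differ between the two peers."""
    server, client = parse_fortios(server_text), parse_fortios(client_text)
    problems = []
    for table, keys in (("vpn ipsec phase1-interface", PHASE1_MUST_MATCH),
                        ("vpn ipsec phase2-interface", PHASE2_MUST_MATCH)):
        s_vals = server.get(table, {}).get(name, {})
        c_vals = client.get(table, {}).get(name, {})
        for key in keys:
            if s_vals.get(key) != c_vals.get(key):
                problems.append(f"{table} {key}: server={s_vals.get(key)!r} "
                                f"client={c_vals.get(key)!r}")
    return problems


def nat_warnings(server_text, client_text, name="VTI-1"):
    """Warn when NAT traversal is off on both ends: ESP then crosses the NAT
    as bare IP protocol 50, which many NAT devices drop, so phase1 can
    complete while no tunnel traffic ever passes."""
    table = "vpn ipsec phase1-interface"
    values = [parse_fortios(t).get(table, {}).get(name, {}).get("nattraversal")
              for t in (server_text, client_text)]
    if values == ["disable", "disable"]:
        return [f"{name}: nattraversal disabled on both peers"]
    return []


if __name__ == "__main__":
    for line in (tunnel_mismatches(SERVER_CONFIG, CLIENT_CONFIG)
                 + nat_warnings(SERVER_CONFIG, CLIENT_CONFIG)):
        print(line)
```

Run against the page's own two blocks, the mismatch list is empty and the only output is the NAT traversal warning; changing the DH group on one side (for example `set dhgrp 14` on the client) produces a single phase1 `dhgrp` mismatch. The parser is deliberately flat, since neither block nests a `config` inside an `edit`.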
==== Diagnostics ====
Bypass NPU:
config system np6xlite
edit "np6xlite_0"
set fastpath disable
next
end
diagnose npu fastpath-sniffer enable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable