Firmware upgrade from CLI
execute restore image tftp <filename> 10.29.0.7
Useful commands
| Command | Notes |
|---|---|
Configuration for a dynamic client behind a NAT
NOTE: The tunnel will not come up unless there is a firewall policy that allows traffic on the tunnel interface to some destination.
Server side:
config vpn ipsec phase1-interface
    edit "VTI-1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<ip address>"
        set dhgrp 21
        set nattraversal disable
        set remotegw-ddns "<fqdn>"
        set psksecret <password>
        set comments "Server Side VTI"
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set auto-negotiate enable
        set comments "Server Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
Client side:
config vpn ipsec phase1-interface
    edit "VTI-1"
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<fqdn>"
        set dpd on-idle
        set dhgrp 21
        set nattraversal disable
        set remote-gw 66.37.4.14
        set psksecret <password>
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set comments "Client Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
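The NOTE above says the tunnel needs a policy on the tunnel interface. The following pair of policies for VTI-1 is an added example, not part of the original notes; the LAN interface name "internal", the address object names and the subnets are assumptions to replace with your own values.

```fortios
# Added example, not from the original notes.
# Assumed names: LAN interface "internal", address objects "local-lan" and
# "remote-lan". The subnets are constructed documentation ranges.
config firewall address
    edit "local-lan"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID
    edit 0
        set name "lan-to-VTI-1"
        set srcintf "internal"
        set dstintf "VTI-1"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VTI-1-to-lan"
        set srcintf "VTI-1"
        set dstintf "internal"
        set srcaddr "remote-lan"
        set dstaddr "local-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Scoping the policies to address objects rather than "all" keeps the tunnel from becoming an any-to-any path between the two sites.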
config system np6xlite
    edit "np6xlite_0"
        set fastpath disable
    next
end
Bypass NPU:
diagnose npu <xxx> fastpath-sniffer enable <port(s)_number>
IKE debug:
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable