Fortinet
Firmware upgrade from CLI
```
execute restore image tftp <filename> nas-2.i.cfns.net
```
Useful commands
Command | Notes |
---|---|
VTI Tunnel
Configuration for a dynamic client behind a NAT
NOTE: The tunnel will not come up unless a firewall policy exists that allows traffic from the tunnel interface to some destination.
Server Side
```
config vpn ipsec phase1-interface
    edit "VTI-1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<ip address>"
        set dhgrp 21
        set nattraversal disable
        set remotegw-ddns "<fqdn>"
        set psksecret <password>
        set comments "Server Side VTI"
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set auto-negotiate enable
        set comments "Server Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
```
Client Side
```
config vpn ipsec phase1-interface
    edit "VTI-1"
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<fqdn>"
        set dpd on-idle
        set dhgrp 21
        set nattraversal disable
        set remote-gw 66.37.4.14
        set psksecret <password>
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set comments "Client Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
```
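The two ends above have to agree on IKE version, proposal, DH group and NAT-T, and, per the note above, each side needs a policy on the tunnel interface. The following is an added example (not Fortinet code and not part of this page's configs) that parses FortiOS `config`/`edit`/`set`/`next`/`end` text and reports where a server and client copy disagree or lack such a policy. The sample configs, interface names, FQDN and policy are constructed; the firewall policy block shows the shape the note calls for.

```python
"""Parse FortiOS CLI config text and cross-check both ends of a VTI tunnel.
Added example: constructed sample data, not a real device's configuration."""
import shlex
from collections import defaultdict


def parse_fortios(text):
    """Return {table: {entry: {key: value}}}. A 'config' block nested inside an
    'edit' is keyed as '<table>/<entry>/<subtable>' so nothing is silently lost."""
    tables = defaultdict(dict)
    stack = []  # each element: [table_path, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "VTI-1"
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            prefix = ""
            if stack and stack[-1][1] is not None:
                prefix = f"{stack[-1][0]}/{stack[-1][1]}/"
            stack.append([prefix + " ".join(args), None])
        elif verb == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif verb == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
    return dict(tables)


# Settings that must agree on both ends or IKE negotiation fails.
PHASE1_MATCH = ("ike-version", "proposal", "dhgrp", "nattraversal")
PHASE2_MATCH = ("proposal", "pfs")


def check_tunnel(server_cfg, client_cfg, name):
    """Return a list of findings for tunnel 'name'; an empty list means consistent."""
    findings = []
    for table, keys in (("vpn ipsec phase1-interface", PHASE1_MATCH),
                        ("vpn ipsec phase2-interface", PHASE2_MATCH)):
        s = server_cfg.get(table, {}).get(name, {})
        c = client_cfg.get(table, {}).get(name, {})
        for k in keys:
            if s.get(k) != c.get(k):
                findings.append(f"{table}: {k} server={s.get(k)!r} client={c.get(k)!r}")
    # No firewall policy touching the tunnel interface means the tunnel never comes up.
    for side, cfg in (("server", server_cfg), ("client", client_cfg)):
        policies = cfg.get("firewall policy", {}).values()
        if not any(name in p.get("srcintf", "").split() + p.get("dstintf", "").split()
                   for p in policies):
            findings.append(f"{side}: no firewall policy references {name}")
    return findings


# Constructed server-side VPN config; only the keys the checker compares are kept.
SERVER_VPN = """
config vpn ipsec phase1-interface
    edit "VTI-1"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 21
        set nattraversal disable
        set psksecret PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
    next
end
"""
# Client copy with a deliberately mismatched (and weaker) phase1 proposal.
CLIENT_VPN_BAD = SERVER_VPN.replace("set proposal aes256-sha256", "set proposal aes128-sha1", 1)

# Constructed policy permitting traffic from the tunnel interface to "internal".
POLICY = """
config firewall policy
    edit 1
        set name "from-vti-1"
        set srcintf "VTI-1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def demo():
    """Check a mismatched client without a policy, then a corrected one."""
    server = parse_fortios(SERVER_VPN + POLICY)
    bad = check_tunnel(server, parse_fortios(CLIENT_VPN_BAD), "VTI-1")
    good = check_tunnel(server, parse_fortios(SERVER_VPN + POLICY), "VTI-1")
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("\n".join(bad) or "no findings")
    print("fixed client:", good or "no findings")
```

Feed it the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show firewall policy` from each box; keys that are only set on one side (such as the server's `type ddns` or the client's `dpd`) are ignored unless they are listed in the match tuples.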
Diagnostics
```
config system np6xlite
    edit "np6xlite_0"
        set fastpath disable
    next
end
```
Bypass NPU:
```
diagnose npu <xxx> fastpath-sniffer enable <port(s)_number>
```
IKE debugging:
```
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable
```