Table of Contents
Fortinet
Firmware upgrade from cli
execute restore image tftp <filename> nas-2.i.cfns.net
Useful commands
| Command | Notes |
|---|---|
VTI Tunnel
Configuration for a dynamic client behind a NAT
NOTE: The tunnel will not come up unless there is a Policy that allows traffic on the tunnel interface to somewhere
Server Side
config vpn ipsec phase1-interface
edit "VTI-1"
set type ddns
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid "<ip address>"
set dhgrp 21
set nattraversal disable
set remotegw-ddns "<fqdn>"
set psksecret <password>
set comments "Server Side VTI"
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set auto-negotiate enable
set comments "Server Side"
next
end
config system interface VTI-1
edit "VTI-1"
set vdom "root"
set ip <local ip> 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip <remote ip> 255.255.255.255
set interface "wan1"
next
end
Client Side
config vpn ipsec phase1-interface
edit "VTI-1"
set interface "wan1"
set ike-version 2
set keylife 43200
set peertype any
set net-device disable
set proposal aes256-sha256
set localid "<fqdn>"
set dpd on-idle
set dhgrp 21
set nattraversal disable
set remote-gw 66.37.4.14
set psksecret <password>
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "VTI-1"
set phase1name "VTI-1"
set proposal aes256-sha256
set pfs disable
set comments "Client Side"
next
end
config system interface
edit "VTI-1"
set vdom "root"
set ip <local ip> 255.255.255.255
set allowaccess ping ssh
set type tunnel
set remote-ip <remote ip> 255.255.255.255
set interface "wan1"
next
end
Diagnostics
Bypass NPU: diagnose npu <xxx> fastpath-sniffer enable <port(s)_number> diagnose vpn ike log-filter clear diagnose vpn ike log-filter dst-addr4 .... diagnose vpn ike log-filter src-addr4 .... diagnose debug application ike -1 diagnose debug enable
