CLI configuration, ipsec phase1, Command syntax pattern – Fortinet 100A User Manual

Page 269

VPN

FortiGate-100A Administration Guide
01-28007-0068-20041203

CLI configuration

This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide.

ipsec phase1

In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options. The config vpn ipsec phase1 CLI command supports additional options for specifying a long and short idle time, a retry count, and a retry interval.

Command syntax pattern

config vpn ipsec phase1
    edit <name_str>
        set <keyword> <variable>
end

config vpn ipsec phase1
    edit <name_str>
        unset <keyword>
end

ipsec phase1 command keywords and variables

Keywords and variables: dpd-idlecleanup <seconds_integer>
  Description: The DPD long idle setting when dpd is set to enable. Set the time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer. The dpd-idlecleanup range is 100 to 28 800 and must be greater than the dpd-idleworry setting.
  Default: 300 seconds
  Availability: All models. dpd must be set to enable.

Keywords and variables: dpd-idleworry <seconds_integer>
  Description: The DPD short idle setting when dpd is set to enable. Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. The dpd-idleworry range is 1 to 300. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, use the dpd-retrycount and dpd-retryinterval keywords.
  Default: 10 seconds
  Availability: All models. dpd must be set to enable.
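The two idle timers are easy to mis-set (the guide requires dpd-idlecleanup to be larger than dpd-idleworry and each to stay inside its range, and an out-of-range value is simply rejected by the unit). The following Python helper is an added example, not part of the guide or of FortiOS: it checks the range constraints stated in the table, renders the CLI block from the command syntax pattern above, and models the difference between the short and long idle thresholds as the table describes them. The function names, the gateway name branch_office and the treatment of the exact expiry instant (probe sent once idle time reaches the threshold) are assumptions of this example.

```python
"""Validate and render FortiGate 'config vpn ipsec phase1' DPD idle timers.

Added example; the ranges are the ones the guide states:
dpd-idleworry 1..300 s, dpd-idlecleanup 100..28 800 s, and
dpd-idlecleanup must be greater than dpd-idleworry.
"""
from __future__ import annotations

IDLEWORRY_RANGE = (1, 300)        # seconds, short idle (from the guide)
IDLECLEANUP_RANGE = (100, 28_800)  # seconds, long idle (from the guide)


def validate_dpd_timers(idleworry: int, idlecleanup: int) -> list[str]:
    """Return the list of constraint violations; empty means the pair is valid."""
    problems: list[str] = []
    lo, hi = IDLEWORRY_RANGE
    if not lo <= idleworry <= hi:
        problems.append(f"dpd-idleworry {idleworry} is outside {lo}-{hi}")
    lo, hi = IDLECLEANUP_RANGE
    if not lo <= idlecleanup <= hi:
        problems.append(f"dpd-idlecleanup {idlecleanup} is outside {lo}-{hi}")
    if idlecleanup <= idleworry:
        problems.append("dpd-idlecleanup must be greater than dpd-idleworry")
    return problems


def render_phase1_dpd(name: str, idleworry: int, idlecleanup: int) -> str:
    """Render the CLI block following the guide's command syntax pattern.

    Refuses (ValueError) to emit a configuration the unit would reject.
    """
    problems = validate_dpd_timers(idleworry, idlecleanup)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        "config vpn ipsec phase1",
        f"    edit {name}",
        "        set dpd enable",               # required for both timers
        f"        set dpd-idleworry {idleworry}",
        f"        set dpd-idlecleanup {idlecleanup}",
        "end",
    ])


def dpd_action(idle_seconds: int, outbound_traffic: bool,
               idleworry: int, idlecleanup: int) -> str:
    """Model the guide's description of the short and long idle thresholds.

    idle_seconds      how long the link has carried no traffic
    outbound_traffic  whether the local peer is about to send traffic now
    Returns 'proactive-probe', 'probe-with-traffic' or 'none'.
    Boundary handling (>=) is an assumption of this example.
    """
    if idle_seconds >= idlecleanup:
        # Long idle expired: probe even though there is no traffic to send.
        return "proactive-probe"
    if idle_seconds >= idleworry and outbound_traffic:
        # Short idle expired: a probe accompanies the next outbound traffic.
        return "probe-with-traffic"
    return "none"


if __name__ == "__main__":
    # Constructed values: the guide's defaults for a gateway named branch_office.
    print(render_phase1_dpd("branch_office", idleworry=10, idlecleanup=300))
    for idle, sending in ((5, True), (20, False), (20, True), (400, False)):
        print(f"idle={idle:>3}s sending={sending!s:5} -> "
              f"{dpd_action(idle, sending, 10, 300)}")
```

With the defaults (10 s short idle, 300 s long idle) a link idle for 20 seconds is probed only when the local peer has something to send, while a link idle for 300 seconds or more is probed regardless of traffic; how quickly a silent peer is then declared dead is governed by dpd-retrycount and dpd-retryinterval, which this example does not model.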
