add vpn site

Description

Adds a new remote VPN site for Site-to-Site VPN.

Syntax

add vpn site name <name> remote-site-link-selection connection-initiated-only-from-remote-site auth-method

      preshared-secret password <password>

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

      certificate

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

add vpn site name <name> remote-site-link-selection high-availability link-selection-multiple-addrs addr <link-selection-multiple-addrs addr> auth-method

      preshared-secret password <password>

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

      certificate

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

add vpn site name <name> remote-site-link-selection host-name remote-site-host-name <remote-site-host-name> auth-method

      preshared-secret password <password>

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

      certificate

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

add vpn site name <name> remote-site-link-selection ip-address remote-site-ip-address <remote-site-ip-address> is-site-behind-static-nat false

add vpn site name <name> remote-site-link-selection ip-address remote-site-ip-address <remote-site-ip-address> is-site-behind-static-nat true static-nat-ip <static-nat-ip> auth-method

      preshared-secret password <password>

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ remote-site-ipv6-address <remote-site-ipv6-address> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

      certificate

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} [ remote-site-ipv6-address <remote-site-ipv6-address> ] ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

add vpn site name <name> remote-site-link-selection load-sharing link-selection-multiple-addrs addr <link-selection-multiple-addrs addr> auth-method

      preshared-secret password <password>

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { true [ enable-permanent-vpn-tunnel {true | false} ] | false } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

      certificate

            [ aggressive-mode-enabled false ]

            [ aggressive-mode-enabled true aggressive-mode-DH-group <aggressive-mode-DH-group> ]

                  [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type {domain-name | user-name} aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

                  [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type {domain-name | user-name} aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

            [ disable-nat {true | false} ]

            [ enabled {true | false} ]

            [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

            [ enc-method <enc-method> ]

            [ enc-profile <enc-profile> ]

            [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

            [ link-selection-probing-method {ongoing | one-time} ]

            [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

            [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

            [ match-cert-ip {true | false} ]

            [ phase1-reneg-interval <phase1-reneg-interval> ]

            [ phase2-reneg-interval <phase2-reneg-interval> ]

            [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

            [ use-trusted-ca {internal_ca | anyCa} ]

Parameters

Parameter

Description

aggressive-mode-DH-group

Configures the Diffie-Hellman group, which determines the strength of the key, when aggressive mode is enabled.

aggressive-mode-enable-gateway-id

Indicates if gateway ID matching will be used.

This adds a layer of security to aggressive mode.

aggressive-mode-enable-peer-id

Indicates if peer ID matching will be used.

This adds a layer of security to the aggressive mode.

aggressive-mode-enabled

Specifies whether IKE aggressive mode is used instead of main mode.

Using aggressive mode is discouraged if the remote site supports IPSec main mode.

aggressive-mode-gateway-id

Configures the gateway ID that is used for matching when aggressive-mode-enable-gateway-id is set to true.

aggressive-mode-gateway-id-type

Configures the type of gateway ID (domain-name or user-name) that is used for matching when aggressive-mode-enable-gateway-id is set to true.

aggressive-mode-peer-id

Configures the peer ID that is used for matching when aggressive-mode-enable-peer-id is set to true.

aggressive-mode-peer-id-type

Configures the type of peer ID (domain-name or user-name) that is used for matching when aggressive-mode-enable-peer-id is set to true.

auth-method

Configures the type of authentication (preshared-secret or certificate) used when connecting to the remote site.

Press the TAB key to see the available options.

disable-nat

Disables NAT for traffic to/from the remote site.

Useful when one of the internal networks contains a server.

enable-perfect-forward-secrecy

Ensures that a session key will not be compromised if one of the (long-term) private keys is compromised in the future.

enable-permanent-vpn-tunnel

Keeps the VPN tunnel constantly active, which makes it easier to recognize malfunctions and connectivity problems.

enabled

Configures whether or not the remote site is enabled

enc-method

Configures the encryption method:

  • ike-v1

  • ike-v2

  • prefer-ike-v2

enc-profile

Specifies the encryption profile (one of predefined profiles or custom)

is-check-point-site

Specifies if the remote site is a Check Point Security Gateway.

is-site-behind-static-nat

Specifies if the remote site is behind static NAT

link-selection-multiple-addrs addr

Configures one of the IP addresses of the remote site (used with the high-availability and load-sharing link selection methods).

link-selection-probing-method

Configures the type of probing used for link selection when multiple IP addresses are configured for the remote site

match-cert-dn

Specifies if certificate matching should match the DN string in the certificate to the configured DN string

match-cert-dn-string

Configures the DN string to match against the DN in the remote site's certificate.

match-cert-e-mail

Specifies if certificate matching should match the E-mail string in the certificate to the configured E-mail string

match-cert-e-mail-string

Configures the E-mail string for certificate matching

match-cert-ip

Specifies if certificate matching should match the IP address in the certificate to the site's IP address.

name

Configures the Site name.

A string that begins with a letter and contains up to 32 characters without spaces, from this set:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

  • '.' (period)

  • '-' (minus)

  • '_' (underscore)

password

Configures the preshared secret (minimum 6 characters) used when auth-method is preshared-secret. The 6-character minimum is the enforced floor, not a recommendation; a long, random secret is advisable.

phase1-reneg-interval

Configures the period (from 5 to 70000 minutes) between each IKE SA renegotiation

phase2-dh

Determines the strength of the key used for the IPsec (Phase 2) key exchange process.

The higher the group number, the stronger and more secure the key is.

phase2-reneg-interval

Configures the period (from 120 to 86400 seconds) between each IPSec SA renegotiation.

remote-site-enc-dom-type

Configures the method of defining the remote site's encryption domain

Options:

  • enc-dom-hidden-behind-remote-site

  • manually-defined-enc-dom

  • route-all-traffic-to-site

  • route-based-vpn

remote-site-host-name

Configures the host name of the remote site

remote-site-ip-address

Configures the IPv4 address of the remote site

remote-site-ipv6-address

Configures the IPv6 address of the remote site

remote-site-link-selection

Configures the method of determining the destination IP address(es) of the remote site.

Press the TAB key to see the available options.

static-nat-ip

Configures the external IP address through static NAT used by the remote site

use-trusted-ca

Specifies if a specific trusted CA is used for matching the remote site's certificate or all configured trusted CAs

Example

add vpn site name site17 remote-site-link-selection host-name remote-site-host-name myHost.com auth-method preshared-secret password vpnPassword enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-forward-secrecy true phase2-dh Group1 is-check-point-site true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group Group1 aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca TEXT match-cert-ip true match-cert-dn true match-cert-dn-string mycert match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method ongoing enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-forward-secrecy true phase2-dh Group1 is-check-point-site true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group Group1 aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca internal-ca match-cert-ip true match-cert-dn true match-cert-dn-string mycert match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method ongoing auth-method preshared-secret password vpnPassword enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-forward-secrecy true phase2-dh Group1 is-check-point-site true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group Group1 aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca TEXT 
match-cert-ip true match-cert-dn true match-cert-dn-string TEXT match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method ongoing enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile custom phase1-reneg-interval 15 phase2-reneg-interval 15 enable-perfect-forward-secrecy true phase2-dh Group1 is-check-point-site true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group Group1 aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca TEXT match-cert-ip true match-cert-dn true match-cert-dn-string mycert match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method ongoing