set vpn site

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

Configures an existing Site-to-Site VPN object.

Enter this command and press the TAB key to see the available options:

set vpn site <VPN-site-name>

Syntax

set vpn site <VPN-site-name>

      [ aggressive-mode-enable-gateway-id { false | true aggressive-mode-gateway-id-type <aggressive-mode-gateway-id-type> aggressive-mode-gateway-id <aggressive-mode-gateway-id> } ]

      [ aggressive-mode-enable-peer-id { false | true aggressive-mode-peer-id-type <aggressive-mode-peer-id-type> aggressive-mode-peer-id <aggressive-mode-peer-id> } ]

      [ aggressive-mode-enabled { false | true aggressive-mode-DH-group <aggressive-mode-DH-group> } ]

      [ auth-method { certificate | preshared-secret password <password> } ]

      [ disable-nat {true | false} ]

      [ enabled {true | false} ]

      [ enable-perfect-forward-secrecy { false | true [ phase2-dh <phase2-dh> ] } ]

      [ enc-method <enc-method> ]

      [ enc-profile <enc-profile> ]

      [ ike-v2-use-identifiers { false | true ike-v2-peer-id <ike-v2-peer-id> gateway-id-source { override-global-identifier ike-v2-gateway-id-override <ike-v2-gateway-id-override> | use-global-identifier } } ]

      [ is-check-point-site { false | true [ enable-permanent-vpn-tunnel {true | false} ] } ]

      [ is-site-behind-static-nat {true | false} ]

      [ link-selection-primary-addr <link-selection-primary-addr> ]

      [ link-selection-probing-method <link-selection-probing-method> ]

      [ match-cert-dn { false | true match-cert-dn-string <match-cert-dn-string> } ]

      [ match-cert-e-mail { false | true match-cert-e-mail-string <match-cert-e-mail-string> } ]

      [ match-cert-ip {true | false} ]

      [ name <name> ]

      [ phase1-reneg-interval 5-70000 ]

      [ phase2-reneg-interval 120-86400 ]

      [ remote-site-enc-dom-type <remote-site-enc-dom-type> ]

      [ remote-site-host-name <remote-site-host-name> ]

      [ remote-site-ip-address <remote-site-ipv4-address> ]

      [ remote-site-ipv6-address <remote-site-ipv6-address> ]

      [ remote-site-link-selection <remote-site-link-selection> ]

      [ static-nat-ip <static-nat-ip> ]

      [ use-trusted-ca <use-trusted-ca> ]

Parameters

Parameter

Description

aggressive-mode-DH-group

Determines the strength of the key when aggressive mode is enabled

The higher the group number, the stronger and more secure the key is

Press the TAB key to see the available options:

  • Group1 - Group 1 (768 bit)

  • Group2 - Group 2 (1024 bit)

  • Group5 - Group 5 (1536 bit)

  • Group14 - Group 14 (2048 bit)

  • Group19 - Group 19 (256-bit ECP)

  • Group20 - Group 20 (384-bit ECP)

aggressive-mode-enable-gateway-id

Indicates whether gateway ID matching is used (true) or not (false)

This adds a layer of security to aggressive mode

This parameter is mutually exclusive with the parameter "aggressive-mode-enable-peer-id"

aggressive-mode-enable-peer-id

Indicates whether peer ID matching is used (true) or not (false)

This adds a layer of security to aggressive mode

This parameter is mutually exclusive with the parameter "aggressive-mode-enable-gateway-id"

aggressive-mode-enabled

Indicates whether aggressive mode is used (true) or not (false). Aggressive mode is a less secure negotiation protocol than Main mode

It is not recommended if the remote VPN site supports IPsec Main mode

aggressive-mode-gateway-id

The gateway ID used for matching when aggressive-mode-enable-gateway-id is true

aggressive-mode-gateway-id-type

Indicates the type of gateway ID used for matching when aggressive-mode-enable-gateway-id is true:

  • domain-name

  • user-name

aggressive-mode-peer-id

The peer ID used for matching when aggressive-mode-enable-peer-id is true

aggressive-mode-peer-id-type

Indicates the type of peer ID used for matching when aggressive-mode-enable-peer-id is true:

  • domain-name

  • user-name

auth-method

Indicates the type of authentication used when connecting to the remote VPN site

Press TAB to see available options

disable-nat

Disables (true) or enables (false) the NAT for traffic to or from the remote VPN site

Useful when one of the internal networks contains a server

enable-perfect-forward-secrecy

Enables (true) or disables (false) the Perfect Forward Secrecy

When enabled, a session key is not compromised even if one of the long-term private keys is compromised in the future

enable-permanent-vpn-tunnel

Controls whether the VPN tunnels are kept permanently active (true) or not (false)

If a VPN Tunnel is active, it is easier to recognize malfunctions and connectivity problems

enabled

Indicates whether the remote VPN site is enabled (true) or not (false)

enc-method

Indicates which encryption method is used:

  • ike-v1

  • ike-v2

  • prefer-ike-v2

enc-profile

Encryption profile (one of the predefined profiles, or a custom profile)

gateway-id-source

Indicates whether the gateway ID in the IKEv2 encryption protocol is the global Gateway ID or an overridden one

Press TAB to see available options

ike-v2-gateway-id-override

The gateway ID when overriding the global gateway ID in the IKEv2 encryption protocol

ike-v2-peer-id

The peer ID used in the IKEv2 encryption protocol

ike-v2-use-identifiers

Indicates whether the IKEv2 encryption protocol should use peer ID and gateway ID identifiers

is-check-point-site

Controls whether the remote VPN site is connected through a Check Point Security Gateway (true) or not (false)

is-site-behind-static-nat

When the connection type is IP address, indicates whether the remote VPN site is behind a static NAT (true) or not (false)

link-selection-primary-addr

Specifies the primary IP address for the link selection

link-selection-probing-method

The type of probing used for link selection when multiple IP addresses are configured for the remote VPN site

  • ongoing

  • one-time

match-cert-dn

Specifies if certificate matching should (true) or should not (false) match the DN string in the certificate to the configured DN string

match-cert-dn-string

Specifies the configured DN string for certificate matching

match-cert-e-mail

Indicates if certificate matching should (true) or should not (false) match the E-mail string in the certificate to the configured E-mail string

match-cert-e-mail-string

Specifies the configured E-mail string for certificate matching

match-cert-ip

Indicates if certificate matching should (true) or should not (false) match IP address in the certificate to the site's IP address

name

Sets a new name for the VPN site

password

Pre-shared secret (minimum 6 characters) used when auth-method is preshared-secret

phase2-dh

Determines the strength of the key used for the IPsec (Phase 2) key exchange process

The higher the group number, the stronger and more secure the key is

Press the TAB key to see the available options:

  • Group1 - Group 1 (768 bit)

  • Group2 - Group 2 (1024 bit)

  • Group5 - Group 5 (1536 bit)

  • Group14 - Group 14 (2048 bit)

  • Group19 - Group 19 (256-bit ECP)

  • Group20 - Group 20 (384-bit ECP)

phase2-reneg-interval

The period (between 120 and 86400 minutes, default 3600) between each IPsec SA renegotiation

phase1-reneg-interval

The period (between 5 and 70000 minutes, default 1440) between each IKE SA renegotiation

remote-site-enc-dom-type

The method of defining the remote VPN site's encryption domain.

Press the TAB key to see the available options:

  • enc-dom-hidden-behind-remote-site

  • manually-defined-enc-dom

  • route-all-traffic-to-site

  • route-based-vpn

remote-site-host-name

Indicates the remote VPN site's host name when remote-site-link-selection is host-name

remote-site-ip-address

Indicates the remote VPN site's single IPv4 address when remote-site-link-selection is ip-address

remote-site-ipv6-address

Indicates the remote VPN site's single IPv6 address when remote-site-link-selection is ip-address

remote-site-link-selection

Indicates the method of determining the destination IP address(es) of the remote VPN site:

  • connection-initiated-only-from-remote-site

  • high-availability

  • host-name

  • ip-address

  • load-sharing

site

Name of the existing VPN site

Press the TAB key to see the available options.

static-nat-ip

The externally routable IP address of the remote VPN site behind static NAT, used when is-site-behind-static-nat is true

use-trusted-ca

Indicates whether to use the Internal Certificate Authority or any configured Certificate Authority for matching the remote VPN site's certificate:

  • internal_ca

  • anyCa

Example Command

set vpn site site17 enabled true remote-site-enc-dom-type manually-defined-enc-dom enc-profile virtual phase1-reneg-interval 3600 phase2-reneg-interval 7200 enable-perfect-forward-secrecy true phase2-dh Group1 is-check-point-site true enable-permanent-vpn-tunnel true disable-nat true aggressive-mode-enabled true aggressive-mode-DH-group Group1 aggressive-mode-enable-peer-id true aggressive-mode-peer-id-type domain-name aggressive-mode-peer-id vpnAggressiveModePeerId ike-v2-use-identifiers true ike-v2-peer-id vpnAggressiveModePeerId gateway-id-source override-global-identifier ike-v2-gateway-id-override vpnAggressiveModePeerId enc-method ike-v1 use-trusted-ca internal_ca match-cert-ip true match-cert-dn true match-cert-dn-string mycert match-cert-e-mail true match-cert-e-mail-string MyEmail@mail.com link-selection-probing-method ongoing name site17 remote-site-link-selection ip-address remote-site-host-name myHost.com remote-site-ip-address 192.168.1.1 remote-site-ipv6-address 2001:db8:3333:4444:5555:6666:7777:8888 is-site-behind-static-nat true static-nat-ip 192.168.20.30 auth-method preshared-secret password 12345678 link-selection-primary-addr 192.168.20.30
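The following is an added example, not part of the Check Point documentation or product: a small Python linter that parses the flat "key value" syntax of a set vpn site line and checks it against the constraints and guidance stated in the parameter reference above (mutually exclusive aggressive-mode ID parameters, renegotiation interval ranges, minimum pre-shared secret length, known DH groups) and warns on the weaker choices the reference describes (aggressive mode, low DH groups, PFS disabled). The sample command lines, the "weak group" threshold and the parse/lint function names are assumptions made for this example.

```python
"""Added example (not Check Point's code): lint a 'set vpn site' line against the rules above."""
import shlex

DH_GROUPS = {"Group1", "Group2", "Group5", "Group14", "Group19", "Group20"}
WEAK_DH = {"Group1", "Group2", "Group5"}  # assumption: MODP groups under 2048 bit count as weak
RANGES = {"phase1-reneg-interval": (5, 70000), "phase2-reneg-interval": (120, 86400)}  # minutes

def parse_set_vpn_site(cmd):
    """Split 'set vpn site <name> key value ...' into (name, {key: value})."""
    tok = shlex.split(cmd)
    if tok[:3] != ["set", "vpn", "site"] or len(tok) < 4:
        raise ValueError("not a 'set vpn site' command")
    rest = tok[4:]
    if len(rest) % 2:
        raise ValueError("parameter without a value: " + rest[-1])
    return tok[3], dict(zip(rest[::2], rest[1::2]))

def lint(params):
    """Return 'error: ...' for syntax/range violations and 'warning: ...' for weak choices."""
    out = []
    if params.get("aggressive-mode-enable-gateway-id") == "true" and params.get("aggressive-mode-enable-peer-id") == "true":
        out.append("error: aggressive-mode-enable-gateway-id and aggressive-mode-enable-peer-id are mutually exclusive")
    for key, (lo, hi) in RANGES.items():
        val = params.get(key)
        if val is not None and (not val.isdigit() or not lo <= int(val) <= hi):
            out.append(f"error: {key} must be {lo}-{hi} minutes, got {val}")
    if params.get("auth-method") == "preshared-secret" and len(params.get("password", "")) < 6:
        out.append("error: password must be at least 6 characters")
    for key in ("aggressive-mode-DH-group", "phase2-dh"):
        grp = params.get(key)
        if grp is not None and grp not in DH_GROUPS:
            out.append(f"error: {key} has unknown group {grp}")
        elif grp in WEAK_DH:
            out.append(f"warning: {key} {grp} is a weak group; prefer Group14 or higher")
    if params.get("aggressive-mode-enabled") == "true":
        out.append("warning: aggressive mode is less secure than main mode")
    if params.get("enable-perfect-forward-secrecy") == "false":
        out.append("warning: perfect forward secrecy is disabled")
    return out

# Constructed sample: a subset of the page's example command beside a hardened variant.
WEAK_CMD = ("set vpn site site17 enabled true auth-method preshared-secret password 12345678 "
            "enable-perfect-forward-secrecy true phase2-dh Group1 aggressive-mode-enabled true "
            "aggressive-mode-DH-group Group1 phase1-reneg-interval 3600 phase2-reneg-interval 7200")
HARDENED_CMD = ("set vpn site site17 enabled true auth-method preshared-secret password REPLACE-WITH-STRONG-PSK "
                "enable-perfect-forward-secrecy true phase2-dh Group14 aggressive-mode-enabled false "
                "enc-method ike-v2 phase1-reneg-interval 1440 phase2-reneg-interval 3600")
```

Running lint(parse_set_vpn_site(WEAK_CMD)[1]) reports the three weak choices in the page's example (both Group1 settings and aggressive mode), while the hardened variant returns no findings.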