Fortios v0.0.6, Jul 9 24

Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

fortios.vpn/ipsec.Phase1interface

Explore with Pulumi AI

Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

Example Usage

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";

const trname2 = new fortios.vpn.ipsec.Phase1interface("trname2", {
    acctVerify: "disable",
    addGwRoute: "disable",
    addRoute: "enable",
    assignIp: "enable",
    assignIpFrom: "range",
    authmethod: "psk",
    autoDiscoveryForwarder: "disable",
    autoDiscoveryPsk: "disable",
    autoDiscoveryReceiver: "disable",
    autoDiscoverySender: "disable",
    autoNegotiate: "enable",
    certIdValidation: "enable",
    childlessIke: "disable",
    clientAutoNegotiate: "disable",
    clientKeepAlive: "disable",
    defaultGw: "0.0.0.0",
    defaultGwPriority: 0,
    dhgrp: "14 5",
    digitalSignatureAuth: "disable",
    distance: 15,
    dnsMode: "manual",
    dpd: "on-demand",
    dpdRetrycount: 3,
    dpdRetryinterval: "20",
    eap: "disable",
    eapIdentity: "use-id-payload",
    encapLocalGw4: "0.0.0.0",
    encapLocalGw6: "::",
    encapRemoteGw4: "0.0.0.0",
    encapRemoteGw6: "::",
    encapsulation: "none",
    encapsulationAddress: "ike",
    enforceUniqueId: "disable",
    exchangeInterfaceIp: "disable",
    exchangeIpAddr4: "0.0.0.0",
    exchangeIpAddr6: "::",
    forticlientEnforcement: "disable",
    fragmentation: "enable",
    fragmentationMtu: 1200,
    groupAuthentication: "disable",
    haSyncEspSeqno: "enable",
    idleTimeout: "disable",
    idleTimeoutinterval: 15,
    ikeVersion: "1",
    includeLocalLan: "disable",
    "interface": "port3",
    ipVersion: "4",
    ipv4DnsServer1: "0.0.0.0",
    ipv4DnsServer2: "0.0.0.0",
    ipv4DnsServer3: "0.0.0.0",
    ipv4EndIp: "0.0.0.0",
    ipv4Netmask: "255.255.255.255",
    ipv4StartIp: "0.0.0.0",
    ipv4WinsServer1: "0.0.0.0",
    ipv4WinsServer2: "0.0.0.0",
    ipv6DnsServer1: "::",
    ipv6DnsServer2: "::",
    ipv6DnsServer3: "::",
    ipv6EndIp: "::",
    ipv6Prefix: 128,
    ipv6StartIp: "::",
    keepalive: 10,
    keylife: 86400,
    localGw: "0.0.0.0",
    localGw6: "::",
    localidType: "auto",
    meshSelectorType: "disable",
    mode: "main",
    modeCfg: "disable",
    monitorHoldDownDelay: 0,
    monitorHoldDownTime: "00:00",
    monitorHoldDownType: "immediate",
    monitorHoldDownWeekday: "sunday",
    nattraversal: "enable",
    negotiateTimeout: 30,
    netDevice: "disable",
    passiveMode: "disable",
    peertype: "any",
    ppk: "disable",
    priority: 0,
    proposal: "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
    psksecret: "eweeeeeeeecee",
    reauth: "disable",
    rekey: "enable",
    remoteGw: "102.2.2.12",
    remoteGw6: "::",
    rsaSignatureFormat: "pkcs1",
    savePassword: "disable",
    sendCertChain: "enable",
    signatureHashAlg: "sha2-512 sha2-384 sha2-256 sha1",
    suiteB: "disable",
    tunnelSearch: "selectors",
    type: "static",
    unitySupport: "enable",
    wizardType: "custom",
    xauthtype: "disable",
});

import pulumi
import pulumiverse_fortios as fortios

trname2 = fortios.vpn.ipsec.Phase1interface("trname2",
    acct_verify="disable",
    add_gw_route="disable",
    add_route="enable",
    assign_ip="enable",
    assign_ip_from="range",
    authmethod="psk",
    auto_discovery_forwarder="disable",
    auto_discovery_psk="disable",
    auto_discovery_receiver="disable",
    auto_discovery_sender="disable",
    auto_negotiate="enable",
    cert_id_validation="enable",
    childless_ike="disable",
    client_auto_negotiate="disable",
    client_keep_alive="disable",
    default_gw="0.0.0.0",
    default_gw_priority=0,
    dhgrp="14 5",
    digital_signature_auth="disable",
    distance=15,
    dns_mode="manual",
    dpd="on-demand",
    dpd_retrycount=3,
    dpd_retryinterval="20",
    eap="disable",
    eap_identity="use-id-payload",
    encap_local_gw4="0.0.0.0",
    encap_local_gw6="::",
    encap_remote_gw4="0.0.0.0",
    encap_remote_gw6="::",
    encapsulation="none",
    encapsulation_address="ike",
    enforce_unique_id="disable",
    exchange_interface_ip="disable",
    exchange_ip_addr4="0.0.0.0",
    exchange_ip_addr6="::",
    forticlient_enforcement="disable",
    fragmentation="enable",
    fragmentation_mtu=1200,
    group_authentication="disable",
    ha_sync_esp_seqno="enable",
    idle_timeout="disable",
    idle_timeoutinterval=15,
    ike_version="1",
    include_local_lan="disable",
    interface="port3",
    ip_version="4",
    ipv4_dns_server1="0.0.0.0",
    ipv4_dns_server2="0.0.0.0",
    ipv4_dns_server3="0.0.0.0",
    ipv4_end_ip="0.0.0.0",
    ipv4_netmask="255.255.255.255",
    ipv4_start_ip="0.0.0.0",
    ipv4_wins_server1="0.0.0.0",
    ipv4_wins_server2="0.0.0.0",
    ipv6_dns_server1="::",
    ipv6_dns_server2="::",
    ipv6_dns_server3="::",
    ipv6_end_ip="::",
    ipv6_prefix=128,
    ipv6_start_ip="::",
    keepalive=10,
    keylife=86400,
    local_gw="0.0.0.0",
    local_gw6="::",
    localid_type="auto",
    mesh_selector_type="disable",
    mode="main",
    mode_cfg="disable",
    monitor_hold_down_delay=0,
    monitor_hold_down_time="00:00",
    monitor_hold_down_type="immediate",
    monitor_hold_down_weekday="sunday",
    nattraversal="enable",
    negotiate_timeout=30,
    net_device="disable",
    passive_mode="disable",
    peertype="any",
    ppk="disable",
    priority=0,
    proposal="aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
    psksecret="eweeeeeeeecee",
    reauth="disable",
    rekey="enable",
    remote_gw="102.2.2.12",
    remote_gw6="::",
    rsa_signature_format="pkcs1",
    save_password="disable",
    send_cert_chain="enable",
    signature_hash_alg="sha2-512 sha2-384 sha2-256 sha1",
    suite_b="disable",
    tunnel_search="selectors",
    type="static",
    unity_support="enable",
    wizard_type="custom",
    xauthtype="disable")

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/vpn"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpn.NewPhase1interface(ctx, "trname2", &vpn.Phase1interfaceArgs{
			AcctVerify:             pulumi.String("disable"),
			AddGwRoute:             pulumi.String("disable"),
			AddRoute:               pulumi.String("enable"),
			AssignIp:               pulumi.String("enable"),
			AssignIpFrom:           pulumi.String("range"),
			Authmethod:             pulumi.String("psk"),
			AutoDiscoveryForwarder: pulumi.String("disable"),
			AutoDiscoveryPsk:       pulumi.String("disable"),
			AutoDiscoveryReceiver:  pulumi.String("disable"),
			AutoDiscoverySender:    pulumi.String("disable"),
			AutoNegotiate:          pulumi.String("enable"),
			CertIdValidation:       pulumi.String("enable"),
			ChildlessIke:           pulumi.String("disable"),
			ClientAutoNegotiate:    pulumi.String("disable"),
			ClientKeepAlive:        pulumi.String("disable"),
			DefaultGw:              pulumi.String("0.0.0.0"),
			DefaultGwPriority:      pulumi.Int(0),
			Dhgrp:                  pulumi.String("14 5"),
			DigitalSignatureAuth:   pulumi.String("disable"),
			Distance:               pulumi.Int(15),
			DnsMode:                pulumi.String("manual"),
			Dpd:                    pulumi.String("on-demand"),
			DpdRetrycount:          pulumi.Int(3),
			DpdRetryinterval:       pulumi.String("20"),
			Eap:                    pulumi.String("disable"),
			EapIdentity:            pulumi.String("use-id-payload"),
			EncapLocalGw4:          pulumi.String("0.0.0.0"),
			EncapLocalGw6:          pulumi.String("::"),
			EncapRemoteGw4:         pulumi.String("0.0.0.0"),
			EncapRemoteGw6:         pulumi.String("::"),
			Encapsulation:          pulumi.String("none"),
			EncapsulationAddress:   pulumi.String("ike"),
			EnforceUniqueId:        pulumi.String("disable"),
			ExchangeInterfaceIp:    pulumi.String("disable"),
			ExchangeIpAddr4:        pulumi.String("0.0.0.0"),
			ExchangeIpAddr6:        pulumi.String("::"),
			ForticlientEnforcement: pulumi.String("disable"),
			Fragmentation:          pulumi.String("enable"),
			FragmentationMtu:       pulumi.Int(1200),
			GroupAuthentication:    pulumi.String("disable"),
			HaSyncEspSeqno:         pulumi.String("enable"),
			IdleTimeout:            pulumi.String("disable"),
			IdleTimeoutinterval:    pulumi.Int(15),
			IkeVersion:             pulumi.String("1"),
			IncludeLocalLan:        pulumi.String("disable"),
			Interface:              pulumi.String("port3"),
			IpVersion:              pulumi.String("4"),
			Ipv4DnsServer1:         pulumi.String("0.0.0.0"),
			Ipv4DnsServer2:         pulumi.String("0.0.0.0"),
			Ipv4DnsServer3:         pulumi.String("0.0.0.0"),
			Ipv4EndIp:              pulumi.String("0.0.0.0"),
			Ipv4Netmask:            pulumi.String("255.255.255.255"),
			Ipv4StartIp:            pulumi.String("0.0.0.0"),
			Ipv4WinsServer1:        pulumi.String("0.0.0.0"),
			Ipv4WinsServer2:        pulumi.String("0.0.0.0"),
			Ipv6DnsServer1:         pulumi.String("::"),
			Ipv6DnsServer2:         pulumi.String("::"),
			Ipv6DnsServer3:         pulumi.String("::"),
			Ipv6EndIp:              pulumi.String("::"),
			Ipv6Prefix:             pulumi.Int(128),
			Ipv6StartIp:            pulumi.String("::"),
			Keepalive:              pulumi.Int(10),
			Keylife:                pulumi.Int(86400),
			LocalGw:                pulumi.String("0.0.0.0"),
			LocalGw6:               pulumi.String("::"),
			LocalidType:            pulumi.String("auto"),
			MeshSelectorType:       pulumi.String("disable"),
			Mode:                   pulumi.String("main"),
			ModeCfg:                pulumi.String("disable"),
			MonitorHoldDownDelay:   pulumi.Int(0),
			MonitorHoldDownTime:    pulumi.String("00:00"),
			MonitorHoldDownType:    pulumi.String("immediate"),
			MonitorHoldDownWeekday: pulumi.String("sunday"),
			Nattraversal:           pulumi.String("enable"),
			NegotiateTimeout:       pulumi.Int(30),
			NetDevice:              pulumi.String("disable"),
			PassiveMode:            pulumi.String("disable"),
			Peertype:               pulumi.String("any"),
			Ppk:                    pulumi.String("disable"),
			Priority:               pulumi.Int(0),
			Proposal:               pulumi.String("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"),
			Psksecret:              pulumi.String("eweeeeeeeecee"),
			Reauth:                 pulumi.String("disable"),
			Rekey:                  pulumi.String("enable"),
			RemoteGw:               pulumi.String("102.2.2.12"),
			RemoteGw6:              pulumi.String("::"),
			RsaSignatureFormat:     pulumi.String("pkcs1"),
			SavePassword:           pulumi.String("disable"),
			SendCertChain:          pulumi.String("enable"),
			SignatureHashAlg:       pulumi.String("sha2-512 sha2-384 sha2-256 sha1"),
			SuiteB:                 pulumi.String("disable"),
			TunnelSearch:           pulumi.String("selectors"),
			Type:                   pulumi.String("static"),
			UnitySupport:           pulumi.String("enable"),
			WizardType:             pulumi.String("custom"),
			Xauthtype:              pulumi.String("disable"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;

return await Deployment.RunAsync(() => 
{
    var trname2 = new Fortios.Vpn.Ipsec.Phase1interface("trname2", new()
    {
        AcctVerify = "disable",
        AddGwRoute = "disable",
        AddRoute = "enable",
        AssignIp = "enable",
        AssignIpFrom = "range",
        Authmethod = "psk",
        AutoDiscoveryForwarder = "disable",
        AutoDiscoveryPsk = "disable",
        AutoDiscoveryReceiver = "disable",
        AutoDiscoverySender = "disable",
        AutoNegotiate = "enable",
        CertIdValidation = "enable",
        ChildlessIke = "disable",
        ClientAutoNegotiate = "disable",
        ClientKeepAlive = "disable",
        DefaultGw = "0.0.0.0",
        DefaultGwPriority = 0,
        Dhgrp = "14 5",
        DigitalSignatureAuth = "disable",
        Distance = 15,
        DnsMode = "manual",
        Dpd = "on-demand",
        DpdRetrycount = 3,
        DpdRetryinterval = "20",
        Eap = "disable",
        EapIdentity = "use-id-payload",
        EncapLocalGw4 = "0.0.0.0",
        EncapLocalGw6 = "::",
        EncapRemoteGw4 = "0.0.0.0",
        EncapRemoteGw6 = "::",
        Encapsulation = "none",
        EncapsulationAddress = "ike",
        EnforceUniqueId = "disable",
        ExchangeInterfaceIp = "disable",
        ExchangeIpAddr4 = "0.0.0.0",
        ExchangeIpAddr6 = "::",
        ForticlientEnforcement = "disable",
        Fragmentation = "enable",
        FragmentationMtu = 1200,
        GroupAuthentication = "disable",
        HaSyncEspSeqno = "enable",
        IdleTimeout = "disable",
        IdleTimeoutinterval = 15,
        IkeVersion = "1",
        IncludeLocalLan = "disable",
        Interface = "port3",
        IpVersion = "4",
        Ipv4DnsServer1 = "0.0.0.0",
        Ipv4DnsServer2 = "0.0.0.0",
        Ipv4DnsServer3 = "0.0.0.0",
        Ipv4EndIp = "0.0.0.0",
        Ipv4Netmask = "255.255.255.255",
        Ipv4StartIp = "0.0.0.0",
        Ipv4WinsServer1 = "0.0.0.0",
        Ipv4WinsServer2 = "0.0.0.0",
        Ipv6DnsServer1 = "::",
        Ipv6DnsServer2 = "::",
        Ipv6DnsServer3 = "::",
        Ipv6EndIp = "::",
        Ipv6Prefix = 128,
        Ipv6StartIp = "::",
        Keepalive = 10,
        Keylife = 86400,
        LocalGw = "0.0.0.0",
        LocalGw6 = "::",
        LocalidType = "auto",
        MeshSelectorType = "disable",
        Mode = "main",
        ModeCfg = "disable",
        MonitorHoldDownDelay = 0,
        MonitorHoldDownTime = "00:00",
        MonitorHoldDownType = "immediate",
        MonitorHoldDownWeekday = "sunday",
        Nattraversal = "enable",
        NegotiateTimeout = 30,
        NetDevice = "disable",
        PassiveMode = "disable",
        Peertype = "any",
        Ppk = "disable",
        Priority = 0,
        Proposal = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
        Psksecret = "eweeeeeeeecee",
        Reauth = "disable",
        Rekey = "enable",
        RemoteGw = "102.2.2.12",
        RemoteGw6 = "::",
        RsaSignatureFormat = "pkcs1",
        SavePassword = "disable",
        SendCertChain = "enable",
        SignatureHashAlg = "sha2-512 sha2-384 sha2-256 sha1",
        SuiteB = "disable",
        TunnelSearch = "selectors",
        Type = "static",
        UnitySupport = "enable",
        WizardType = "custom",
        Xauthtype = "disable",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.vpn.Phase1interface;
import com.pulumi.fortios.vpn.Phase1interfaceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var trname2 = new Phase1interface("trname2", Phase1interfaceArgs.builder()
            .acctVerify("disable")
            .addGwRoute("disable")
            .addRoute("enable")
            .assignIp("enable")
            .assignIpFrom("range")
            .authmethod("psk")
            .autoDiscoveryForwarder("disable")
            .autoDiscoveryPsk("disable")
            .autoDiscoveryReceiver("disable")
            .autoDiscoverySender("disable")
            .autoNegotiate("enable")
            .certIdValidation("enable")
            .childlessIke("disable")
            .clientAutoNegotiate("disable")
            .clientKeepAlive("disable")
            .defaultGw("0.0.0.0")
            .defaultGwPriority(0)
            .dhgrp("14 5")
            .digitalSignatureAuth("disable")
            .distance(15)
            .dnsMode("manual")
            .dpd("on-demand")
            .dpdRetrycount(3)
            .dpdRetryinterval("20")
            .eap("disable")
            .eapIdentity("use-id-payload")
            .encapLocalGw4("0.0.0.0")
            .encapLocalGw6("::")
            .encapRemoteGw4("0.0.0.0")
            .encapRemoteGw6("::")
            .encapsulation("none")
            .encapsulationAddress("ike")
            .enforceUniqueId("disable")
            .exchangeInterfaceIp("disable")
            .exchangeIpAddr4("0.0.0.0")
            .exchangeIpAddr6("::")
            .forticlientEnforcement("disable")
            .fragmentation("enable")
            .fragmentationMtu(1200)
            .groupAuthentication("disable")
            .haSyncEspSeqno("enable")
            .idleTimeout("disable")
            .idleTimeoutinterval(15)
            .ikeVersion("1")
            .includeLocalLan("disable")
            .interface_("port3")
            .ipVersion("4")
            .ipv4DnsServer1("0.0.0.0")
            .ipv4DnsServer2("0.0.0.0")
            .ipv4DnsServer3("0.0.0.0")
            .ipv4EndIp("0.0.0.0")
            .ipv4Netmask("255.255.255.255")
            .ipv4StartIp("0.0.0.0")
            .ipv4WinsServer1("0.0.0.0")
            .ipv4WinsServer2("0.0.0.0")
            .ipv6DnsServer1("::")
            .ipv6DnsServer2("::")
            .ipv6DnsServer3("::")
            .ipv6EndIp("::")
            .ipv6Prefix(128)
            .ipv6StartIp("::")
            .keepalive(10)
            .keylife(86400)
            .localGw("0.0.0.0")
            .localGw6("::")
            .localidType("auto")
            .meshSelectorType("disable")
            .mode("main")
            .modeCfg("disable")
            .monitorHoldDownDelay(0)
            .monitorHoldDownTime("00:00")
            .monitorHoldDownType("immediate")
            .monitorHoldDownWeekday("sunday")
            .nattraversal("enable")
            .negotiateTimeout(30)
            .netDevice("disable")
            .passiveMode("disable")
            .peertype("any")
            .ppk("disable")
            .priority(0)
            .proposal("aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1")
            .psksecret("eweeeeeeeecee")
            .reauth("disable")
            .rekey("enable")
            .remoteGw("102.2.2.12")
            .remoteGw6("::")
            .rsaSignatureFormat("pkcs1")
            .savePassword("disable")
            .sendCertChain("enable")
            .signatureHashAlg("sha2-512 sha2-384 sha2-256 sha1")
            .suiteB("disable")
            .tunnelSearch("selectors")
            .type("static")
            .unitySupport("enable")
            .wizardType("custom")
            .xauthtype("disable")
            .build());

    }
}

resources:
  trname2:
    type: fortios:vpn/ipsec:Phase1interface
    properties:
      acctVerify: disable
      addGwRoute: disable
      addRoute: enable
      assignIp: enable
      assignIpFrom: range
      authmethod: psk
      autoDiscoveryForwarder: disable
      autoDiscoveryPsk: disable
      autoDiscoveryReceiver: disable
      autoDiscoverySender: disable
      autoNegotiate: enable
      certIdValidation: enable
      childlessIke: disable
      clientAutoNegotiate: disable
      clientKeepAlive: disable
      defaultGw: 0.0.0.0
      defaultGwPriority: 0
      dhgrp: 14 5
      digitalSignatureAuth: disable
      distance: 15
      dnsMode: manual
      dpd: on-demand
      dpdRetrycount: 3
      dpdRetryinterval: '20'
      eap: disable
      eapIdentity: use-id-payload
      encapLocalGw4: 0.0.0.0
      encapLocalGw6: '::'
      encapRemoteGw4: 0.0.0.0
      encapRemoteGw6: '::'
      encapsulation: none
      encapsulationAddress: ike
      enforceUniqueId: disable
      exchangeInterfaceIp: disable
      exchangeIpAddr4: 0.0.0.0
      exchangeIpAddr6: '::'
      forticlientEnforcement: disable
      fragmentation: enable
      fragmentationMtu: 1200
      groupAuthentication: disable
      haSyncEspSeqno: enable
      idleTimeout: disable
      idleTimeoutinterval: 15
      ikeVersion: '1'
      includeLocalLan: disable
      interface: port3
      ipVersion: '4'
      ipv4DnsServer1: 0.0.0.0
      ipv4DnsServer2: 0.0.0.0
      ipv4DnsServer3: 0.0.0.0
      ipv4EndIp: 0.0.0.0
      ipv4Netmask: 255.255.255.255
      ipv4StartIp: 0.0.0.0
      ipv4WinsServer1: 0.0.0.0
      ipv4WinsServer2: 0.0.0.0
      ipv6DnsServer1: '::'
      ipv6DnsServer2: '::'
      ipv6DnsServer3: '::'
      ipv6EndIp: '::'
      ipv6Prefix: 128
      ipv6StartIp: '::'
      keepalive: 10
      keylife: 86400
      localGw: 0.0.0.0
      localGw6: '::'
      localidType: auto
      meshSelectorType: disable
      mode: main
      modeCfg: disable
      monitorHoldDownDelay: 0
      monitorHoldDownTime: 00:00
      monitorHoldDownType: immediate
      monitorHoldDownWeekday: sunday
      nattraversal: enable
      negotiateTimeout: 30
      netDevice: disable
      passiveMode: disable
      peertype: any
      ppk: disable
      priority: 0
      proposal: aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
      psksecret: eweeeeeeeecee
      reauth: disable
      rekey: enable
      remoteGw: 102.2.2.12
      remoteGw6: '::'
      rsaSignatureFormat: pkcs1
      savePassword: disable
      sendCertChain: enable
      signatureHashAlg: sha2-512 sha2-384 sha2-256 sha1
      suiteB: disable
      tunnelSearch: selectors
      type: static
      unitySupport: enable
      wizardType: custom
      xauthtype: disable

Create Phase1interface Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new Phase1interface(name: string, args: Phase1interfaceArgs, opts?: CustomResourceOptions);

@overload
def Phase1interface(resource_name: str,
                    args: Phase1interfaceArgs,
                    opts: Optional[ResourceOptions] = None)

@overload
def Phase1interface(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    interface: Optional[str] = None,
                    proposal: Optional[str] = None,
                    acct_verify: Optional[str] = None,
                    add_gw_route: Optional[str] = None,
                    add_route: Optional[str] = None,
                    aggregate_member: Optional[str] = None,
                    aggregate_weight: Optional[int] = None,
                    assign_ip: Optional[str] = None,
                    assign_ip_from: Optional[str] = None,
                    authmethod: Optional[str] = None,
                    authmethod_remote: Optional[str] = None,
                    authpasswd: Optional[str] = None,
                    authusr: Optional[str] = None,
                    authusrgrp: Optional[str] = None,
                    auto_discovery_crossover: Optional[str] = None,
                    auto_discovery_forwarder: Optional[str] = None,
                    auto_discovery_offer_interval: Optional[int] = None,
                    auto_discovery_psk: Optional[str] = None,
                    auto_discovery_receiver: Optional[str] = None,
                    auto_discovery_sender: Optional[str] = None,
                    auto_discovery_shortcuts: Optional[str] = None,
                    auto_negotiate: Optional[str] = None,
                    azure_ad_autoconnect: Optional[str] = None,
                    backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
                    banner: Optional[str] = None,
                    cert_id_validation: Optional[str] = None,
                    cert_peer_username_strip: Optional[str] = None,
                    cert_peer_username_validation: Optional[str] = None,
                    cert_trust_store: Optional[str] = None,
                    certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
                    childless_ike: Optional[str] = None,
                    client_auto_negotiate: Optional[str] = None,
                    client_keep_alive: Optional[str] = None,
                    client_resume: Optional[str] = None,
                    client_resume_interval: Optional[int] = None,
                    comments: Optional[str] = None,
                    default_gw: Optional[str] = None,
                    default_gw_priority: Optional[int] = None,
                    dev_id: Optional[str] = None,
                    dev_id_notification: Optional[str] = None,
                    dhcp6_ra_linkaddr: Optional[str] = None,
                    dhcp_ra_giaddr: Optional[str] = None,
                    dhgrp: Optional[str] = None,
                    digital_signature_auth: Optional[str] = None,
                    distance: Optional[int] = None,
                    dns_mode: Optional[str] = None,
                    domain: Optional[str] = None,
                    dpd: Optional[str] = None,
                    dpd_retrycount: Optional[int] = None,
                    dpd_retryinterval: Optional[str] = None,
                    dynamic_sort_subtable: Optional[str] = None,
                    eap: Optional[str] = None,
                    eap_cert_auth: Optional[str] = None,
                    eap_exclude_peergrp: Optional[str] = None,
                    eap_identity: Optional[str] = None,
                    ems_sn_check: Optional[str] = None,
                    encap_local_gw4: Optional[str] = None,
                    encap_local_gw6: Optional[str] = None,
                    encap_remote_gw4: Optional[str] = None,
                    encap_remote_gw6: Optional[str] = None,
                    encapsulation: Optional[str] = None,
                    encapsulation_address: Optional[str] = None,
                    enforce_unique_id: Optional[str] = None,
                    esn: Optional[str] = None,
                    exchange_fgt_device_id: Optional[str] = None,
                    exchange_interface_ip: Optional[str] = None,
                    exchange_ip_addr4: Optional[str] = None,
                    exchange_ip_addr6: Optional[str] = None,
                    fallback_tcp_threshold: Optional[int] = None,
                    fec_base: Optional[int] = None,
                    fec_codec: Optional[int] = None,
                    fec_codec_string: Optional[str] = None,
                    fec_egress: Optional[str] = None,
                    fec_health_check: Optional[str] = None,
                    fec_ingress: Optional[str] = None,
                    fec_mapping_profile: Optional[str] = None,
                    fec_receive_timeout: Optional[int] = None,
                    fec_redundant: Optional[int] = None,
                    fec_send_timeout: Optional[int] = None,
                    fgsp_sync: Optional[str] = None,
                    forticlient_enforcement: Optional[str] = None,
                    fortinet_esp: Optional[str] = None,
                    fragmentation: Optional[str] = None,
                    fragmentation_mtu: Optional[int] = None,
                    get_all_tables: Optional[str] = None,
                    group_authentication: Optional[str] = None,
                    group_authentication_secret: Optional[str] = None,
                    ha_sync_esp_seqno: Optional[str] = None,
                    idle_timeout: Optional[str] = None,
                    idle_timeoutinterval: Optional[int] = None,
                    ike_version: Optional[str] = None,
                    inbound_dscp_copy: Optional[str] = None,
                    include_local_lan: Optional[str] = None,
                    internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
                    ip_delay_interval: Optional[int] = None,
                    ip_fragmentation: Optional[str] = None,
                    ip_version: Optional[str] = None,
                    ipv4_dns_server1: Optional[str] = None,
                    ipv4_dns_server2: Optional[str] = None,
                    ipv4_dns_server3: Optional[str] = None,
                    ipv4_end_ip: Optional[str] = None,
                    ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
                    ipv4_name: Optional[str] = None,
                    ipv4_netmask: Optional[str] = None,
                    ipv4_split_exclude: Optional[str] = None,
                    ipv4_split_include: Optional[str] = None,
                    ipv4_start_ip: Optional[str] = None,
                    ipv4_wins_server1: Optional[str] = None,
                    ipv4_wins_server2: Optional[str] = None,
                    ipv6_dns_server1: Optional[str] = None,
                    ipv6_dns_server2: Optional[str] = None,
                    ipv6_dns_server3: Optional[str] = None,
                    ipv6_end_ip: Optional[str] = None,
                    ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
                    ipv6_name: Optional[str] = None,
                    ipv6_prefix: Optional[int] = None,
                    ipv6_split_exclude: Optional[str] = None,
                    ipv6_split_include: Optional[str] = None,
                    ipv6_start_ip: Optional[str] = None,
                    keepalive: Optional[int] = None,
                    keylife: Optional[int] = None,
                    kms: Optional[str] = None,
                    link_cost: Optional[int] = None,
                    local_gw: Optional[str] = None,
                    local_gw6: Optional[str] = None,
                    localid: Optional[str] = None,
                    localid_type: Optional[str] = None,
                    loopback_asymroute: Optional[str] = None,
                    mesh_selector_type: Optional[str] = None,
                    mode: Optional[str] = None,
                    mode_cfg: Optional[str] = None,
                    mode_cfg_allow_client_selector: Optional[str] = None,
                    monitor: Optional[str] = None,
                    monitor_hold_down_delay: Optional[int] = None,
                    monitor_hold_down_time: Optional[str] = None,
                    monitor_hold_down_type: Optional[str] = None,
                    monitor_hold_down_weekday: Optional[str] = None,
                    monitor_min: Optional[int] = None,
                    name: Optional[str] = None,
                    nattraversal: Optional[str] = None,
                    negotiate_timeout: Optional[int] = None,
                    net_device: Optional[str] = None,
                    network_id: Optional[int] = None,
                    network_overlay: Optional[str] = None,
                    npu_offload: Optional[str] = None,
                    packet_redistribution: Optional[str] = None,
                    passive_mode: Optional[str] = None,
                    peer: Optional[str] = None,
                    peergrp: Optional[str] = None,
                    peerid: Optional[str] = None,
                    peertype: Optional[str] = None,
                    ppk: Optional[str] = None,
                    ppk_identity: Optional[str] = None,
                    ppk_secret: Optional[str] = None,
                    priority: Optional[int] = None,
                    psksecret: Optional[str] = None,
                    psksecret_remote: Optional[str] = None,
                    qkd: Optional[str] = None,
                    qkd_profile: Optional[str] = None,
                    reauth: Optional[str] = None,
                    rekey: Optional[str] = None,
                    remote_gw: Optional[str] = None,
                    remote_gw6: Optional[str] = None,
                    remote_gw6_country: Optional[str] = None,
                    remote_gw6_end_ip: Optional[str] = None,
                    remote_gw6_match: Optional[str] = None,
                    remote_gw6_start_ip: Optional[str] = None,
                    remote_gw6_subnet: Optional[str] = None,
                    remote_gw_country: Optional[str] = None,
                    remote_gw_end_ip: Optional[str] = None,
                    remote_gw_match: Optional[str] = None,
                    remote_gw_start_ip: Optional[str] = None,
                    remote_gw_subnet: Optional[str] = None,
                    remotegw_ddns: Optional[str] = None,
                    rsa_signature_format: Optional[str] = None,
                    rsa_signature_hash_override: Optional[str] = None,
                    save_password: Optional[str] = None,
                    send_cert_chain: Optional[str] = None,
                    signature_hash_alg: Optional[str] = None,
                    split_include_service: Optional[str] = None,
                    suite_b: Optional[str] = None,
                    transport: Optional[str] = None,
                    tunnel_search: Optional[str] = None,
                    type: Optional[str] = None,
                    unity_support: Optional[str] = None,
                    usrgrp: Optional[str] = None,
                    vdomparam: Optional[str] = None,
                    vni: Optional[int] = None,
                    wizard_type: Optional[str] = None,
                    xauthtype: Optional[str] = None)

func NewPhase1interface(ctx *Context, name string, args Phase1interfaceArgs, opts ...ResourceOption) (*Phase1interface, error)

public Phase1interface(string name, Phase1interfaceArgs args, CustomResourceOptions? opts = null)

public Phase1interface(String name, Phase1interfaceArgs args)
public Phase1interface(String name, Phase1interfaceArgs args, CustomResourceOptions options)

type: fortios:vpn/ipsec/phase1interface:Phase1interface
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args Phase1interfaceArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args Phase1interfaceArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args Phase1interfaceArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args Phase1interfaceArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args Phase1interfaceArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Phase1interface Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Phase1interface resource accepts the following input properties:

Interface string: Local physical, aggregate, or VLAN outgoing interface.
Proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
AcctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
AddGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
AddRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
AggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
AggregateWeight int: Link weight for aggregate.
AssignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
AssignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
Authmethod string: Authentication method. Valid values: psk, signature.
AuthmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
Authpasswd string: XAuth password (max 35 characters).
Authusr string: XAuth user name.
Authusrgrp string: Authentication user group.
AutoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
AutoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryOfferInterval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
AutoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
AutoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
AutoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
AzureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceBackupGateway>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
Banner string: Message that unity client should display after connecting.
CertIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
CertPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
CertPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
CertTrustStore string: CA certificate trust store. Valid values: local, ems.
Certificates List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceCertificate>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
ChildlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
ClientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
ClientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
ClientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
ClientResumeInterval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
Comments string: Comment.
DefaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
DefaultGwPriority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
DevId string: Device ID carried by the device ID notification.
DevIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
Dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
DhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
Dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
DigitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
Distance int: Distance for routes added by IKE (1 - 255).
DnsMode string: DNS server mode. Valid values: manual, auto.
Domain string: Instruct unity clients about the default DNS domain.
Dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
DpdRetrycount int: Number of DPD retry attempts.
DpdRetryinterval string: DPD retry interval.
DynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
Eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
EapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
EapExcludePeergrp string: Peer group excluded from EAP authentication.
EapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
EmsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
EncapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
EncapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
EncapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
EncapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
Encapsulation string: Enable/disable GRE/VXLAN encapsulation.
EncapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
EnforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
Esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
ExchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
ExchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
ExchangeIpAddr4 string: IPv4 address to exchange with peers.
ExchangeIpAddr6 string: IPv6 address to exchange with peers
FallbackTcpThreshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
FecBase int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
FecCodec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
FecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
FecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
FecHealthCheck string: SD-WAN health check.
FecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
FecMappingProfile string: Forward Error Correction (FEC) mapping profile.
FecReceiveTimeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
FecRedundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
FecSendTimeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
FgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
ForticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
FortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
Fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
FragmentationMtu int: IKE fragmentation MTU (500 - 16000).
GetAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
GroupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
GroupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
HaSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
IdleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
IdleTimeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
IkeVersion string: IKE protocol version. Valid values: 1, 2.
InboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
IncludeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
InternalDomainLists List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceInternalDomainList>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
IpDelayInterval int: IP address reuse delay interval in seconds (0 - 28800).
IpFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
IpVersion string: IP version to use for VPN interface. Valid values: 4, 6.
Ipv4DnsServer1 string: IPv4 DNS server 1.
Ipv4DnsServer2 string: IPv4 DNS server 2.
Ipv4DnsServer3 string: IPv4 DNS server 3.
Ipv4EndIp string: End of IPv4 range.
Ipv4ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv4ExcludeRange>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
Ipv4Name string: IPv4 address name.
Ipv4Netmask string: IPv4 Netmask.
Ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
Ipv4SplitInclude string: IPv4 split-include subnets.
Ipv4StartIp string: Start of IPv4 range.
Ipv4WinsServer1 string: WINS server 1.
Ipv4WinsServer2 string: WINS server 2.
Ipv6DnsServer1 string: IPv6 DNS server 1.
Ipv6DnsServer2 string: IPv6 DNS server 2.
Ipv6DnsServer3 string: IPv6 DNS server 3.
Ipv6EndIp string: End of IPv6 range.
Ipv6ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv6ExcludeRange>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
Ipv6Name string: IPv6 address name.
Ipv6Prefix int: IPv6 prefix.
Ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
Ipv6SplitInclude string: IPv6 split-include subnets.
Ipv6StartIp string: Start of IPv6 range.
Keepalive int: NAT-T keep alive interval.
Keylife int: Time to wait in seconds before phase 1 encryption key expires.
Kms string: Key Management Services server.
LinkCost int: VPN tunnel underlay link cost.
LocalGw string: IPv4 address of the local gateway's external interface.
LocalGw6 string: IPv6 address of the local gateway's external interface.
Localid string: Local ID.
LocalidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
LoopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
MeshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
Mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
ModeCfg string: Enable/disable configuration method. Valid values: disable, enable.
ModeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
Monitor string: IPsec interface as backup for primary interface.
MonitorHoldDownDelay int: Time to wait in seconds before recovery once primary re-establishes.
MonitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
MonitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
MonitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
MonitorMin int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
Name string: IPsec remote gateway name.
Nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
NegotiateTimeout int: IKE SA negotiation timeout in seconds (1 - 300).
NetDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
NetworkId int: VPN gateway network ID.
NetworkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
NpuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
PacketRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
PassiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
Peer string: Accept this peer certificate.
Peergrp string: Accept this peer certificate group.
Peerid string: Accept this peer identity.
Peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
Ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
PpkIdentity string: IKEv2 Postquantum Preshared Key Identity.
PpkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
Priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
Psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
PsksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
Qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
QkdProfile string: Quantum Key Distribution (QKD) server profile.
Reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
Rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
RemoteGw string: IPv4 address of the remote gateway's external interface.
RemoteGw6 string: IPv6 address of the remote gateway's external interface.
RemoteGw6Country string: IPv6 addresses associated to a specific country.
RemoteGw6EndIp string: Last IPv6 address in the range.
RemoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
RemoteGw6StartIp string: First IPv6 address in the range.
RemoteGw6Subnet string: IPv6 address and prefix.
RemoteGwCountry string: IPv4 addresses associated to a specific country.
RemoteGwEndIp string: Last IPv4 address in the range.
RemoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
RemoteGwStartIp string: First IPv4 address in the range.
RemoteGwSubnet string: IPv4 address and subnet mask.
RemotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
RsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
RsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
SavePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
SendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
SignatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
SplitIncludeService string: Split-include services.
SuiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
Transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
TunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
Type string: Remote gateway type. Valid values: static, dynamic, ddns.
UnitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
Usrgrp string: User group name for dialup peers.
Vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
Vni int: VNI of VXLAN tunnel.
WizardType string: GUI VPN Wizard Type.
Xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

Interface string: Local physical, aggregate, or VLAN outgoing interface.
Proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
AcctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
AddGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
AddRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
AggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
AggregateWeight int: Link weight for aggregate.
AssignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
AssignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
Authmethod string: Authentication method. Valid values: psk, signature.
AuthmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
Authpasswd string: XAuth password (max 35 characters).
Authusr string: XAuth user name.
Authusrgrp string: Authentication user group.
AutoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
AutoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryOfferInterval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
AutoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
AutoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
AutoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
AzureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
BackupGateways []Phase1interfaceBackupGatewayArgs: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
Banner string: Message that unity client should display after connecting.
CertIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
CertPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
CertPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
CertTrustStore string: CA certificate trust store. Valid values: local, ems.
Certificates []Phase1interfaceCertificateArgs: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
ChildlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
ClientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
ClientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
ClientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
ClientResumeInterval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
Comments string: Comment.
DefaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
DefaultGwPriority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
DevId string: Device ID carried by the device ID notification.
DevIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
Dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
DhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
Dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
DigitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
Distance int: Distance for routes added by IKE (1 - 255).
DnsMode string: DNS server mode. Valid values: manual, auto.
Domain string: Instruct unity clients about the default DNS domain.
Dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
DpdRetrycount int: Number of DPD retry attempts.
DpdRetryinterval string: DPD retry interval.
DynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
Eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
EapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
EapExcludePeergrp string: Peer group excluded from EAP authentication.
EapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
EmsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
EncapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
EncapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
EncapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
EncapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
Encapsulation string: Enable/disable GRE/VXLAN encapsulation.
EncapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
EnforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
Esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
ExchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
ExchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
ExchangeIpAddr4 string: IPv4 address to exchange with peers.
ExchangeIpAddr6 string: IPv6 address to exchange with peers
FallbackTcpThreshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
FecBase int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
FecCodec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
FecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
FecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
FecHealthCheck string: SD-WAN health check.
FecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
FecMappingProfile string: Forward Error Correction (FEC) mapping profile.
FecReceiveTimeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
FecRedundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
FecSendTimeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
FgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
ForticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
FortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
Fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
FragmentationMtu int: IKE fragmentation MTU (500 - 16000).
GetAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
GroupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
GroupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
HaSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
IdleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
IdleTimeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
IkeVersion string: IKE protocol version. Valid values: 1, 2.
InboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
IncludeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
InternalDomainLists []Phase1interfaceInternalDomainListArgs: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
IpDelayInterval int: IP address reuse delay interval in seconds (0 - 28800).
IpFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
IpVersion string: IP version to use for VPN interface. Valid values: 4, 6.
Ipv4DnsServer1 string: IPv4 DNS server 1.
Ipv4DnsServer2 string: IPv4 DNS server 2.
Ipv4DnsServer3 string: IPv4 DNS server 3.
Ipv4EndIp string: End of IPv4 range.
Ipv4ExcludeRanges []Phase1interfaceIpv4ExcludeRangeArgs: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
Ipv4Name string: IPv4 address name.
Ipv4Netmask string: IPv4 Netmask.
Ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
Ipv4SplitInclude string: IPv4 split-include subnets.
Ipv4StartIp string: Start of IPv4 range.
Ipv4WinsServer1 string: WINS server 1.
Ipv4WinsServer2 string: WINS server 2.
Ipv6DnsServer1 string: IPv6 DNS server 1.
Ipv6DnsServer2 string: IPv6 DNS server 2.
Ipv6DnsServer3 string: IPv6 DNS server 3.
Ipv6EndIp string: End of IPv6 range.
Ipv6ExcludeRanges []Phase1interfaceIpv6ExcludeRangeArgs: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
Ipv6Name string: IPv6 address name.
Ipv6Prefix int: IPv6 prefix.
Ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
Ipv6SplitInclude string: IPv6 split-include subnets.
Ipv6StartIp string: Start of IPv6 range.
Keepalive int: NAT-T keep alive interval.
Keylife int: Time to wait in seconds before phase 1 encryption key expires.
Kms string: Key Management Services server.
LinkCost int: VPN tunnel underlay link cost.
LocalGw string: IPv4 address of the local gateway's external interface.
LocalGw6 string: IPv6 address of the local gateway's external interface.
Localid string: Local ID.
LocalidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
LoopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
MeshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
Mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
ModeCfg string: Enable/disable configuration method. Valid values: disable, enable.
ModeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
Monitor string: IPsec interface as backup for primary interface.
MonitorHoldDownDelay int: Time to wait in seconds before recovery once primary re-establishes.
MonitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
MonitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
MonitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
MonitorMin int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
Name string: IPsec remote gateway name.
Nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
NegotiateTimeout int: IKE SA negotiation timeout in seconds (1 - 300).
NetDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
NetworkId int: VPN gateway network ID.
NetworkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
NpuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
PacketRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
PassiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
Peer string: Accept this peer certificate.
Peergrp string: Accept this peer certificate group.
Peerid string: Accept this peer identity.
Peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
Ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
PpkIdentity string: IKEv2 Postquantum Preshared Key Identity.
PpkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
Priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
Psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
PsksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
Qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
QkdProfile string: Quantum Key Distribution (QKD) server profile.
Reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
Rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
RemoteGw string: IPv4 address of the remote gateway's external interface.
RemoteGw6 string: IPv6 address of the remote gateway's external interface.
RemoteGw6Country string: IPv6 addresses associated to a specific country.
RemoteGw6EndIp string: Last IPv6 address in the range.
RemoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
RemoteGw6StartIp string: First IPv6 address in the range.
RemoteGw6Subnet string: IPv6 address and prefix.
RemoteGwCountry string: IPv4 addresses associated to a specific country.
RemoteGwEndIp string: Last IPv4 address in the range.
RemoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
RemoteGwStartIp string: First IPv4 address in the range.
RemoteGwSubnet string: IPv4 address and subnet mask.
RemotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
RsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
RsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
SavePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
SendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
SignatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
SplitIncludeService string: Split-include services.
SuiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
Transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
TunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
Type string: Remote gateway type. Valid values: static, dynamic, ddns.
UnitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
Usrgrp string: User group name for dialup peers.
Vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
Vni int: VNI of VXLAN tunnel.
WizardType string: GUI VPN Wizard Type.
Xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

interface_ String: Local physical, aggregate, or VLAN outgoing interface.
proposal String: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
acctVerify String: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute String: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute String: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember String: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight Integer: Link weight for aggregate.
assignIp String: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom String: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod String: Authentication method. Valid values: psk, signature.
authmethodRemote String: Authentication method (remote side). Valid values: psk, signature.
authpasswd String: XAuth password (max 35 characters).
authusr String: XAuth user name.
authusrgrp String: Authentication user group.
autoDiscoveryCrossover String: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder String: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval Integer: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk String: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver String: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender String: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts String: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate String: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect String: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways List<Phase1interfaceBackupGateway>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner String: Message that unity client should display after connecting.
certIdValidation String: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip String: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation String: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore String: CA certificate trust store. Valid values: local, ems.
certificates List<Phase1interfaceCertificate>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke String: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate String: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive String: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume String: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval Integer: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments String: Comment.
defaultGw String: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority Integer: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId String: Device ID carried by the device ID notification.
devIdNotification String: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr String: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr String: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp String: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth String: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance Integer: Distance for routes added by IKE (1 - 255).
dnsMode String: DNS server mode. Valid values: manual, auto.
domain String: Instruct unity clients about the default DNS domain.
dpd String: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount Integer: Number of DPD retry attempts.
dpdRetryinterval String: DPD retry interval.
dynamicSortSubtable String: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap String: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth String: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp String: Peer group excluded from EAP authentication.
eapIdentity String: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck String: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 String: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 String: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 String: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 String: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation String: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress String: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId String: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn String: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId String: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp String: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 String: IPv4 address to exchange with peers.
exchangeIpAddr6 String: IPv6 address to exchange with peers
fallbackTcpThreshold Integer: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase Integer: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec Integer: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString String: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress String: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck String: SD-WAN health check.
fecIngress String: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile String: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout Integer: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant Integer: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout Integer: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync String: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement String: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp String: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation String: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu Integer: IKE fragmentation MTU (500 - 16000).
getAllTables String: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication String: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret String: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno String: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout String: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval Integer: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion String: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy String: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan String: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
internalDomainLists List<Phase1interfaceInternalDomainList>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval Integer: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation String: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion String: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 String: IPv4 DNS server 1.
ipv4DnsServer2 String: IPv4 DNS server 2.
ipv4DnsServer3 String: IPv4 DNS server 3.
ipv4EndIp String: End of IPv4 range.
ipv4ExcludeRanges List<Phase1interfaceIpv4ExcludeRange>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name String: IPv4 address name.
ipv4Netmask String: IPv4 Netmask.
ipv4SplitExclude String: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude String: IPv4 split-include subnets.
ipv4StartIp String: Start of IPv4 range.
ipv4WinsServer1 String: WINS server 1.
ipv4WinsServer2 String: WINS server 2.
ipv6DnsServer1 String: IPv6 DNS server 1.
ipv6DnsServer2 String: IPv6 DNS server 2.
ipv6DnsServer3 String: IPv6 DNS server 3.
ipv6EndIp String: End of IPv6 range.
ipv6ExcludeRanges List<Phase1interfaceIpv6ExcludeRange>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name String: IPv6 address name.
ipv6Prefix Integer: IPv6 prefix.
ipv6SplitExclude String: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude String: IPv6 split-include subnets.
ipv6StartIp String: Start of IPv6 range.
keepalive Integer: NAT-T keep alive interval.
keylife Integer: Time to wait in seconds before phase 1 encryption key expires.
kms String: Key Management Services server.
linkCost Integer: VPN tunnel underlay link cost.
localGw String: IPv4 address of the local gateway's external interface.
localGw6 String: IPv6 address of the local gateway's external interface.
localid String: Local ID.
localidType String: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute String: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType String: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode String: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg String: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector String: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor String: IPsec interface as backup for primary interface.
monitorHoldDownDelay Integer: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime String: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType String: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday String: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin Integer: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name String: IPsec remote gateway name.
nattraversal String: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout Integer: IKE SA negotiation timeout in seconds (1 - 300).
netDevice String: Enable/disable kernel device creation. Valid values: enable, disable.
networkId Integer: VPN gateway network ID.
networkOverlay String: Enable/disable network overlays. Valid values: disable, enable.
npuOffload String: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution String: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode String: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer String: Accept this peer certificate.
peergrp String: Accept this peer certificate group.
peerid String: Accept this peer identity.
peertype String: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk String: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity String: IKEv2 Postquantum Preshared Key Identity.
ppkSecret String: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority Integer: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
psksecret String: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote String: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd String: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile String: Quantum Key Distribution (QKD) server profile.
reauth String: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey String: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw String: IPv4 address of the remote gateway's external interface.
remoteGw6 String: IPv6 address of the remote gateway's external interface.
remoteGw6Country String: IPv6 addresses associated to a specific country.
remoteGw6EndIp String: Last IPv6 address in the range.
remoteGw6Match String: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp String: First IPv6 address in the range.
remoteGw6Subnet String: IPv6 address and prefix.
remoteGwCountry String: IPv4 addresses associated to a specific country.
remoteGwEndIp String: Last IPv4 address in the range.
remoteGwMatch String: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp String: First IPv4 address in the range.
remoteGwSubnet String: IPv4 address and subnet mask.
remotegwDdns String: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat String: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride String: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword String: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain String: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg String: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService String: Split-include services.
suiteB String: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport String: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch String: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type String: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport String: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp String: User group name for dialup peers.
vdomparam String: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni Integer: VNI of VXLAN tunnel.
wizardType String: GUI VPN Wizard Type.
xauthtype String: XAuth type. Valid values: disable, client, pap, chap, auto.

interface string: Local physical, aggregate, or VLAN outgoing interface.
proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
acctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight number: Link weight for aggregate.
assignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod string: Authentication method. Valid values: psk, signature.
authmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
authpasswd string: XAuth password (max 35 characters).
authusr string: XAuth user name.
authusrgrp string: Authentication user group.
autoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval number: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways Phase1interfaceBackupGateway[]: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner string: Message that unity client should display after connecting.
certIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore string: CA certificate trust store. Valid values: local, ems.
certificates Phase1interfaceCertificate[]: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval number: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments string: Comment.
defaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority number: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId string: Device ID carried by the device ID notification.
devIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance number: Distance for routes added by IKE (1 - 255).
dnsMode string: DNS server mode. Valid values: manual, auto.
domain string: Instruct unity clients about the default DNS domain.
dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount number: Number of DPD retry attempts.
dpdRetryinterval string: DPD retry interval.
dynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp string: Peer group excluded from EAP authentication.
eapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation string: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 string: IPv4 address to exchange with peers.
exchangeIpAddr6 string: IPv6 address to exchange with peers
fallbackTcpThreshold number: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase number: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec number: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck string: SD-WAN health check.
fecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile string: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout number: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant number: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout number: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu number: IKE fragmentation MTU (500 - 16000).
getAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval number: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion string: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
internalDomainLists Phase1interfaceInternalDomainList[]: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval number: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion string: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 string: IPv4 DNS server 1.
ipv4DnsServer2 string: IPv4 DNS server 2.
ipv4DnsServer3 string: IPv4 DNS server 3.
ipv4EndIp string: End of IPv4 range.
ipv4ExcludeRanges Phase1interfaceIpv4ExcludeRange[]: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name string: IPv4 address name.
ipv4Netmask string: IPv4 Netmask.
ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude string: IPv4 split-include subnets.
ipv4StartIp string: Start of IPv4 range.
ipv4WinsServer1 string: WINS server 1.
ipv4WinsServer2 string: WINS server 2.
ipv6DnsServer1 string: IPv6 DNS server 1.
ipv6DnsServer2 string: IPv6 DNS server 2.
ipv6DnsServer3 string: IPv6 DNS server 3.
ipv6EndIp string: End of IPv6 range.
ipv6ExcludeRanges Phase1interfaceIpv6ExcludeRange[]: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name string: IPv6 address name.
ipv6Prefix number: IPv6 prefix.
ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude string: IPv6 split-include subnets.
ipv6StartIp string: Start of IPv6 range.
keepalive number: NAT-T keep alive interval.
keylife number: Time to wait in seconds before phase 1 encryption key expires.
kms string: Key Management Services server.
linkCost number: VPN tunnel underlay link cost.
localGw string: IPv4 address of the local gateway's external interface.
localGw6 string: IPv6 address of the local gateway's external interface.
localid string: Local ID.
localidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg string: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor string: IPsec interface as backup for primary interface.
monitorHoldDownDelay number: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin number: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name string: IPsec remote gateway name.
nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout number: IKE SA negotiation timeout in seconds (1 - 300).
netDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
networkId number: VPN gateway network ID.
networkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
npuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer string: Accept this peer certificate.
peergrp string: Accept this peer certificate group.
peerid string: Accept this peer identity.
peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity string: IKEv2 Postquantum Preshared Key Identity.
ppkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority number: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile string: Quantum Key Distribution (QKD) server profile.
reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw string: IPv4 address of the remote gateway's external interface.
remoteGw6 string: IPv6 address of the remote gateway's external interface.
remoteGw6Country string: IPv6 addresses associated to a specific country.
remoteGw6EndIp string: Last IPv6 address in the range.
remoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp string: First IPv6 address in the range.
remoteGw6Subnet string: IPv6 address and prefix.
remoteGwCountry string: IPv4 addresses associated to a specific country.
remoteGwEndIp string: Last IPv4 address in the range.
remoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp string: First IPv4 address in the range.
remoteGwSubnet string: IPv4 address and subnet mask.
remotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService string: Split-include services.
suiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type string: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp string: User group name for dialup peers.
vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni number: VNI of VXLAN tunnel.
wizardType string: GUI VPN Wizard Type.
xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

interface str: Local physical, aggregate, or VLAN outgoing interface.
proposal str: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
acct_verify str: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
add_gw_route str: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
add_route str: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregate_member str: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregate_weight int: Link weight for aggregate.
assign_ip str: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assign_ip_from str: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod str: Authentication method. Valid values: psk, signature.
authmethod_remote str: Authentication method (remote side). Valid values: psk, signature.
authpasswd str: XAuth password (max 35 characters).
authusr str: XAuth user name.
authusrgrp str: Authentication user group.
auto_discovery_crossover str: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
auto_discovery_forwarder str: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_offer_interval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
auto_discovery_psk str: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
auto_discovery_receiver str: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_sender str: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_shortcuts str: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
auto_negotiate str: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azure_ad_autoconnect str: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backup_gateways Sequence[Phase1interfaceBackupGatewayArgs]: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner str: Message that unity client should display after connecting.
cert_id_validation str: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
cert_peer_username_strip str: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
cert_peer_username_validation str: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
cert_trust_store str: CA certificate trust store. Valid values: local, ems.
certificates Sequence[Phase1interfaceCertificateArgs]: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childless_ike str: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
client_auto_negotiate str: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
client_keep_alive str: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
client_resume str: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
client_resume_interval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments str: Comment.
default_gw str: IPv4 address of default route gateway to use for traffic exiting the interface.
default_gw_priority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
dev_id str: Device ID carried by the device ID notification.
dev_id_notification str: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6_ra_linkaddr str: Relay agent IPv6 link address to use in DHCP6 requests.
dhcp_ra_giaddr str: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp str: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digital_signature_auth str: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance int: Distance for routes added by IKE (1 - 255).
dns_mode str: DNS server mode. Valid values: manual, auto.
domain str: Instruct unity clients about the default DNS domain.
dpd str: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpd_retrycount int: Number of DPD retry attempts.
dpd_retryinterval str: DPD retry interval.
dynamic_sort_subtable str: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap str: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eap_cert_auth str: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eap_exclude_peergrp str: Peer group excluded from EAP authentication.
eap_identity str: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
ems_sn_check str: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encap_local_gw4 str: Local IPv4 address of GRE/VXLAN tunnel.
encap_local_gw6 str: Local IPv6 address of GRE/VXLAN tunnel.
encap_remote_gw4 str: Remote IPv4 address of GRE/VXLAN tunnel.
encap_remote_gw6 str: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation str: Enable/disable GRE/VXLAN encapsulation.
encapsulation_address str: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforce_unique_id str: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn str: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchange_fgt_device_id str: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchange_interface_ip str: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchange_ip_addr4 str: IPv4 address to exchange with peers.
exchange_ip_addr6 str: IPv6 address to exchange with peers
fallback_tcp_threshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fec_base int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fec_codec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fec_codec_string str: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fec_egress str: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fec_health_check str: SD-WAN health check.
fec_ingress str: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fec_mapping_profile str: Forward Error Correction (FEC) mapping profile.
fec_receive_timeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fec_redundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fec_send_timeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgsp_sync str: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlient_enforcement str: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinet_esp str: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation str: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentation_mtu int: IKE fragmentation MTU (500 - 16000).
get_all_tables str: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
group_authentication str: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
group_authentication_secret str: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
ha_sync_esp_seqno str: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idle_timeout str: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idle_timeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
ike_version str: IKE protocol version. Valid values: 1, 2.
inbound_dscp_copy str: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
include_local_lan str: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
internal_domain_lists Sequence[Phase1interfaceInternalDomainListArgs]: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ip_delay_interval int: IP address reuse delay interval in seconds (0 - 28800).
ip_fragmentation str: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ip_version str: IP version to use for VPN interface. Valid values: 4, 6.
ipv4_dns_server1 str: IPv4 DNS server 1.
ipv4_dns_server2 str: IPv4 DNS server 2.
ipv4_dns_server3 str: IPv4 DNS server 3.
ipv4_end_ip str: End of IPv4 range.
ipv4_exclude_ranges Sequence[Phase1interfaceIpv4ExcludeRangeArgs]: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4_name str: IPv4 address name.
ipv4_netmask str: IPv4 Netmask.
ipv4_split_exclude str: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4_split_include str: IPv4 split-include subnets.
ipv4_start_ip str: Start of IPv4 range.
ipv4_wins_server1 str: WINS server 1.
ipv4_wins_server2 str: WINS server 2.
ipv6_dns_server1 str: IPv6 DNS server 1.
ipv6_dns_server2 str: IPv6 DNS server 2.
ipv6_dns_server3 str: IPv6 DNS server 3.
ipv6_end_ip str: End of IPv6 range.
ipv6_exclude_ranges Sequence[Phase1interfaceIpv6ExcludeRangeArgs]: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6_name str: IPv6 address name.
ipv6_prefix int: IPv6 prefix.
ipv6_split_exclude str: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6_split_include str: IPv6 split-include subnets.
ipv6_start_ip str: Start of IPv6 range.
keepalive int: NAT-T keep alive interval.
keylife int: Time to wait in seconds before phase 1 encryption key expires.
kms str: Key Management Services server.
link_cost int: VPN tunnel underlay link cost.
local_gw str: IPv4 address of the local gateway's external interface.
local_gw6 str: IPv6 address of the local gateway's external interface.
localid str: Local ID.
localid_type str: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopback_asymroute str: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
mesh_selector_type str: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode str: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
mode_cfg str: Enable/disable configuration method. Valid values: disable, enable.
mode_cfg_allow_client_selector str: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor str: IPsec interface as backup for primary interface.
monitor_hold_down_delay int: Time to wait in seconds before recovery once primary re-establishes.
monitor_hold_down_time str: Time of day at which to fail back to primary after it re-establishes.
monitor_hold_down_type str: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitor_hold_down_weekday str: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitor_min int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name str: IPsec remote gateway name.
nattraversal str: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiate_timeout int: IKE SA negotiation timeout in seconds (1 - 300).
net_device str: Enable/disable kernel device creation. Valid values: enable, disable.
network_id int: VPN gateway network ID.
network_overlay str: Enable/disable network overlays. Valid values: disable, enable.
npu_offload str: Enable/disable offloading NPU. Valid values: enable, disable.
packet_redistribution str: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passive_mode str: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer str: Accept this peer certificate.
peergrp str: Accept this peer certificate group.
peerid str: Accept this peer identity.
peertype str: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk str: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppk_identity str: IKEv2 Postquantum Preshared Key Identity.
ppk_secret str: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
psksecret str: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecret_remote str: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd str: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkd_profile str: Quantum Key Distribution (QKD) server profile.
reauth str: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey str: Enable/disable phase1 rekey. Valid values: enable, disable.
remote_gw str: IPv4 address of the remote gateway's external interface.
remote_gw6 str: IPv6 address of the remote gateway's external interface.
remote_gw6_country str: IPv6 addresses associated to a specific country.
remote_gw6_end_ip str: Last IPv6 address in the range.
remote_gw6_match str: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remote_gw6_start_ip str: First IPv6 address in the range.
remote_gw6_subnet str: IPv6 address and prefix.
remote_gw_country str: IPv4 addresses associated to a specific country.
remote_gw_end_ip str: Last IPv4 address in the range.
remote_gw_match str: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remote_gw_start_ip str: First IPv4 address in the range.
remote_gw_subnet str: IPv4 address and subnet mask.
remotegw_ddns str: Domain name of remote gateway. For example, name.ddns.com.
rsa_signature_format str: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsa_signature_hash_override str: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
save_password str: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
send_cert_chain str: Enable/disable sending certificate chain. Valid values: enable, disable.
signature_hash_alg str: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
split_include_service str: Split-include services.
suite_b str: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport str: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnel_search str: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type str: Remote gateway type. Valid values: static, dynamic, ddns.
unity_support str: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp str: User group name for dialup peers.
vdomparam str: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni int: VNI of VXLAN tunnel.
wizard_type str: GUI VPN Wizard Type.
xauthtype str: XAuth type. Valid values: disable, client, pap, chap, auto.

interface String: Local physical, aggregate, or VLAN outgoing interface.
proposal String: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
acctVerify String: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute String: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute String: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember String: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight Number: Link weight for aggregate.
assignIp String: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom String: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod String: Authentication method. Valid values: psk, signature.
authmethodRemote String: Authentication method (remote side). Valid values: psk, signature.
authpasswd String: XAuth password (max 35 characters).
authusr String: XAuth user name.
authusrgrp String: Authentication user group.
autoDiscoveryCrossover String: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder String: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval Number: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk String: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver String: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender String: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts String: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate String: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect String: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways List<Property Map>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner String: Message that unity client should display after connecting.
certIdValidation String: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip String: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation String: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore String: CA certificate trust store. Valid values: local, ems.
certificates List<Property Map>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke String: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate String: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive String: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume String: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval Number: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments String: Comment.
defaultGw String: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority Number: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId String: Device ID carried by the device ID notification.
devIdNotification String: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr String: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr String: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp String: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth String: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance Number: Distance for routes added by IKE (1 - 255).
dnsMode String: DNS server mode. Valid values: manual, auto.
domain String: Instruct unity clients about the default DNS domain.
dpd String: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount Number: Number of DPD retry attempts.
dpdRetryinterval String: DPD retry interval.
dynamicSortSubtable String: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap String: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth String: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp String: Peer group excluded from EAP authentication.
eapIdentity String: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck String: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 String: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 String: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 String: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 String: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation String: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress String: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId String: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn String: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId String: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp String: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 String: IPv4 address to exchange with peers.
exchangeIpAddr6 String: IPv6 address to exchange with peers
fallbackTcpThreshold Number: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase Number: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec Number: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString String: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress String: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck String: SD-WAN health check.
fecIngress String: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile String: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout Number: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant Number: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout Number: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync String: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement String: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp String: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation String: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu Number: IKE fragmentation MTU (500 - 16000).
getAllTables String: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication String: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret String: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno String: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout String: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval Number: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion String: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy String: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan String: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
internalDomainLists List<Property Map>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval Number: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation String: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion String: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 String: IPv4 DNS server 1.
ipv4DnsServer2 String: IPv4 DNS server 2.
ipv4DnsServer3 String: IPv4 DNS server 3.
ipv4EndIp String: End of IPv4 range.
ipv4ExcludeRanges List<Property Map>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name String: IPv4 address name.
ipv4Netmask String: IPv4 Netmask.
ipv4SplitExclude String: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude String: IPv4 split-include subnets.
ipv4StartIp String: Start of IPv4 range.
ipv4WinsServer1 String: WINS server 1.
ipv4WinsServer2 String: WINS server 2.
ipv6DnsServer1 String: IPv6 DNS server 1.
ipv6DnsServer2 String: IPv6 DNS server 2.
ipv6DnsServer3 String: IPv6 DNS server 3.
ipv6EndIp String: End of IPv6 range.
ipv6ExcludeRanges List<Property Map>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name String: IPv6 address name.
ipv6Prefix Number: IPv6 prefix.
ipv6SplitExclude String: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude String: IPv6 split-include subnets.
ipv6StartIp String: Start of IPv6 range.
keepalive Number: NAT-T keep alive interval.
keylife Number: Time to wait in seconds before phase 1 encryption key expires.
kms String: Key Management Services server.
linkCost Number: VPN tunnel underlay link cost.
localGw String: IPv4 address of the local gateway's external interface.
localGw6 String: IPv6 address of the local gateway's external interface.
localid String: Local ID.
localidType String: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute String: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType String: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode String: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg String: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector String: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor String: IPsec interface as backup for primary interface.
monitorHoldDownDelay Number: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime String: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType String: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday String: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin Number: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name String: IPsec remote gateway name.
nattraversal String: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout Number: IKE SA negotiation timeout in seconds (1 - 300).
netDevice String: Enable/disable kernel device creation. Valid values: enable, disable.
networkId Number: VPN gateway network ID.
networkOverlay String: Enable/disable network overlays. Valid values: disable, enable.
npuOffload String: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution String: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode String: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer String: Accept this peer certificate.
peergrp String: Accept this peer certificate group.
peerid String: Accept this peer identity.
peertype String: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk String: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity String: IKEv2 Postquantum Preshared Key Identity.
ppkSecret String: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority Number: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
psksecret String: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote String: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd String: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile String: Quantum Key Distribution (QKD) server profile.
reauth String: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey String: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw String: IPv4 address of the remote gateway's external interface.
remoteGw6 String: IPv6 address of the remote gateway's external interface.
remoteGw6Country String: IPv6 addresses associated to a specific country.
remoteGw6EndIp String: Last IPv6 address in the range.
remoteGw6Match String: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp String: First IPv6 address in the range.
remoteGw6Subnet String: IPv6 address and prefix.
remoteGwCountry String: IPv4 addresses associated to a specific country.
remoteGwEndIp String: Last IPv4 address in the range.
remoteGwMatch String: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp String: First IPv4 address in the range.
remoteGwSubnet String: IPv4 address and subnet mask.
remotegwDdns String: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat String: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride String: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword String: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain String: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg String: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService String: Split-include services.
suiteB String: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport String: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch String: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type String: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport String: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp String: User group name for dialup peers.
vdomparam String: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni Number: VNI of VXLAN tunnel.
wizardType String: GUI VPN Wizard Type.
xauthtype String: XAuth type. Valid values: disable, client, pap, chap, auto.

Outputs

All input properties are implicitly available as output properties. Additionally, the Phase1interface resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Phase1interface Resource

Get an existing Phase1interface resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: Phase1interfaceState, opts?: CustomResourceOptions): Phase1interface

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        acct_verify: Optional[str] = None,
        add_gw_route: Optional[str] = None,
        add_route: Optional[str] = None,
        aggregate_member: Optional[str] = None,
        aggregate_weight: Optional[int] = None,
        assign_ip: Optional[str] = None,
        assign_ip_from: Optional[str] = None,
        authmethod: Optional[str] = None,
        authmethod_remote: Optional[str] = None,
        authpasswd: Optional[str] = None,
        authusr: Optional[str] = None,
        authusrgrp: Optional[str] = None,
        auto_discovery_crossover: Optional[str] = None,
        auto_discovery_forwarder: Optional[str] = None,
        auto_discovery_offer_interval: Optional[int] = None,
        auto_discovery_psk: Optional[str] = None,
        auto_discovery_receiver: Optional[str] = None,
        auto_discovery_sender: Optional[str] = None,
        auto_discovery_shortcuts: Optional[str] = None,
        auto_negotiate: Optional[str] = None,
        azure_ad_autoconnect: Optional[str] = None,
        backup_gateways: Optional[Sequence[Phase1interfaceBackupGatewayArgs]] = None,
        banner: Optional[str] = None,
        cert_id_validation: Optional[str] = None,
        cert_peer_username_strip: Optional[str] = None,
        cert_peer_username_validation: Optional[str] = None,
        cert_trust_store: Optional[str] = None,
        certificates: Optional[Sequence[Phase1interfaceCertificateArgs]] = None,
        childless_ike: Optional[str] = None,
        client_auto_negotiate: Optional[str] = None,
        client_keep_alive: Optional[str] = None,
        client_resume: Optional[str] = None,
        client_resume_interval: Optional[int] = None,
        comments: Optional[str] = None,
        default_gw: Optional[str] = None,
        default_gw_priority: Optional[int] = None,
        dev_id: Optional[str] = None,
        dev_id_notification: Optional[str] = None,
        dhcp6_ra_linkaddr: Optional[str] = None,
        dhcp_ra_giaddr: Optional[str] = None,
        dhgrp: Optional[str] = None,
        digital_signature_auth: Optional[str] = None,
        distance: Optional[int] = None,
        dns_mode: Optional[str] = None,
        domain: Optional[str] = None,
        dpd: Optional[str] = None,
        dpd_retrycount: Optional[int] = None,
        dpd_retryinterval: Optional[str] = None,
        dynamic_sort_subtable: Optional[str] = None,
        eap: Optional[str] = None,
        eap_cert_auth: Optional[str] = None,
        eap_exclude_peergrp: Optional[str] = None,
        eap_identity: Optional[str] = None,
        ems_sn_check: Optional[str] = None,
        encap_local_gw4: Optional[str] = None,
        encap_local_gw6: Optional[str] = None,
        encap_remote_gw4: Optional[str] = None,
        encap_remote_gw6: Optional[str] = None,
        encapsulation: Optional[str] = None,
        encapsulation_address: Optional[str] = None,
        enforce_unique_id: Optional[str] = None,
        esn: Optional[str] = None,
        exchange_fgt_device_id: Optional[str] = None,
        exchange_interface_ip: Optional[str] = None,
        exchange_ip_addr4: Optional[str] = None,
        exchange_ip_addr6: Optional[str] = None,
        fallback_tcp_threshold: Optional[int] = None,
        fec_base: Optional[int] = None,
        fec_codec: Optional[int] = None,
        fec_codec_string: Optional[str] = None,
        fec_egress: Optional[str] = None,
        fec_health_check: Optional[str] = None,
        fec_ingress: Optional[str] = None,
        fec_mapping_profile: Optional[str] = None,
        fec_receive_timeout: Optional[int] = None,
        fec_redundant: Optional[int] = None,
        fec_send_timeout: Optional[int] = None,
        fgsp_sync: Optional[str] = None,
        forticlient_enforcement: Optional[str] = None,
        fortinet_esp: Optional[str] = None,
        fragmentation: Optional[str] = None,
        fragmentation_mtu: Optional[int] = None,
        get_all_tables: Optional[str] = None,
        group_authentication: Optional[str] = None,
        group_authentication_secret: Optional[str] = None,
        ha_sync_esp_seqno: Optional[str] = None,
        idle_timeout: Optional[str] = None,
        idle_timeoutinterval: Optional[int] = None,
        ike_version: Optional[str] = None,
        inbound_dscp_copy: Optional[str] = None,
        include_local_lan: Optional[str] = None,
        interface: Optional[str] = None,
        internal_domain_lists: Optional[Sequence[Phase1interfaceInternalDomainListArgs]] = None,
        ip_delay_interval: Optional[int] = None,
        ip_fragmentation: Optional[str] = None,
        ip_version: Optional[str] = None,
        ipv4_dns_server1: Optional[str] = None,
        ipv4_dns_server2: Optional[str] = None,
        ipv4_dns_server3: Optional[str] = None,
        ipv4_end_ip: Optional[str] = None,
        ipv4_exclude_ranges: Optional[Sequence[Phase1interfaceIpv4ExcludeRangeArgs]] = None,
        ipv4_name: Optional[str] = None,
        ipv4_netmask: Optional[str] = None,
        ipv4_split_exclude: Optional[str] = None,
        ipv4_split_include: Optional[str] = None,
        ipv4_start_ip: Optional[str] = None,
        ipv4_wins_server1: Optional[str] = None,
        ipv4_wins_server2: Optional[str] = None,
        ipv6_dns_server1: Optional[str] = None,
        ipv6_dns_server2: Optional[str] = None,
        ipv6_dns_server3: Optional[str] = None,
        ipv6_end_ip: Optional[str] = None,
        ipv6_exclude_ranges: Optional[Sequence[Phase1interfaceIpv6ExcludeRangeArgs]] = None,
        ipv6_name: Optional[str] = None,
        ipv6_prefix: Optional[int] = None,
        ipv6_split_exclude: Optional[str] = None,
        ipv6_split_include: Optional[str] = None,
        ipv6_start_ip: Optional[str] = None,
        keepalive: Optional[int] = None,
        keylife: Optional[int] = None,
        kms: Optional[str] = None,
        link_cost: Optional[int] = None,
        local_gw: Optional[str] = None,
        local_gw6: Optional[str] = None,
        localid: Optional[str] = None,
        localid_type: Optional[str] = None,
        loopback_asymroute: Optional[str] = None,
        mesh_selector_type: Optional[str] = None,
        mode: Optional[str] = None,
        mode_cfg: Optional[str] = None,
        mode_cfg_allow_client_selector: Optional[str] = None,
        monitor: Optional[str] = None,
        monitor_hold_down_delay: Optional[int] = None,
        monitor_hold_down_time: Optional[str] = None,
        monitor_hold_down_type: Optional[str] = None,
        monitor_hold_down_weekday: Optional[str] = None,
        monitor_min: Optional[int] = None,
        name: Optional[str] = None,
        nattraversal: Optional[str] = None,
        negotiate_timeout: Optional[int] = None,
        net_device: Optional[str] = None,
        network_id: Optional[int] = None,
        network_overlay: Optional[str] = None,
        npu_offload: Optional[str] = None,
        packet_redistribution: Optional[str] = None,
        passive_mode: Optional[str] = None,
        peer: Optional[str] = None,
        peergrp: Optional[str] = None,
        peerid: Optional[str] = None,
        peertype: Optional[str] = None,
        ppk: Optional[str] = None,
        ppk_identity: Optional[str] = None,
        ppk_secret: Optional[str] = None,
        priority: Optional[int] = None,
        proposal: Optional[str] = None,
        psksecret: Optional[str] = None,
        psksecret_remote: Optional[str] = None,
        qkd: Optional[str] = None,
        qkd_profile: Optional[str] = None,
        reauth: Optional[str] = None,
        rekey: Optional[str] = None,
        remote_gw: Optional[str] = None,
        remote_gw6: Optional[str] = None,
        remote_gw6_country: Optional[str] = None,
        remote_gw6_end_ip: Optional[str] = None,
        remote_gw6_match: Optional[str] = None,
        remote_gw6_start_ip: Optional[str] = None,
        remote_gw6_subnet: Optional[str] = None,
        remote_gw_country: Optional[str] = None,
        remote_gw_end_ip: Optional[str] = None,
        remote_gw_match: Optional[str] = None,
        remote_gw_start_ip: Optional[str] = None,
        remote_gw_subnet: Optional[str] = None,
        remotegw_ddns: Optional[str] = None,
        rsa_signature_format: Optional[str] = None,
        rsa_signature_hash_override: Optional[str] = None,
        save_password: Optional[str] = None,
        send_cert_chain: Optional[str] = None,
        signature_hash_alg: Optional[str] = None,
        split_include_service: Optional[str] = None,
        suite_b: Optional[str] = None,
        transport: Optional[str] = None,
        tunnel_search: Optional[str] = None,
        type: Optional[str] = None,
        unity_support: Optional[str] = None,
        usrgrp: Optional[str] = None,
        vdomparam: Optional[str] = None,
        vni: Optional[int] = None,
        wizard_type: Optional[str] = None,
        xauthtype: Optional[str] = None) -> Phase1interface

func GetPhase1interface(ctx *Context, name string, id IDInput, state *Phase1interfaceState, opts ...ResourceOption) (*Phase1interface, error)

public static Phase1interface Get(string name, Input<string> id, Phase1interfaceState? state, CustomResourceOptions? opts = null)

public static Phase1interface get(String name, Output<String> id, Phase1interfaceState state, CustomResourceOptions options)

resources:  _:    type: fortios:vpn/ipsec/phase1interface:Phase1interface    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AcctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
AddGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
AddRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
AggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
AggregateWeight int: Link weight for aggregate.
AssignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
AssignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
Authmethod string: Authentication method. Valid values: psk, signature.
AuthmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
Authpasswd string: XAuth password (max 35 characters).
Authusr string: XAuth user name.
Authusrgrp string: Authentication user group.
AutoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
AutoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryOfferInterval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
AutoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
AutoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
AutoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
AzureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
BackupGateways List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceBackupGateway>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
Banner string: Message that unity client should display after connecting.
CertIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
CertPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
CertPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
CertTrustStore string: CA certificate trust store. Valid values: local, ems.
Certificates List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceCertificate>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
ChildlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
ClientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
ClientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
ClientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
ClientResumeInterval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
Comments string: Comment.
DefaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
DefaultGwPriority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
DevId string: Device ID carried by the device ID notification.
DevIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
Dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
DhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
Dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
DigitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
Distance int: Distance for routes added by IKE (1 - 255).
DnsMode string: DNS server mode. Valid values: manual, auto.
Domain string: Instruct unity clients about the default DNS domain.
Dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
DpdRetrycount int: Number of DPD retry attempts.
DpdRetryinterval string: DPD retry interval.
DynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
Eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
EapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
EapExcludePeergrp string: Peer group excluded from EAP authentication.
EapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
EmsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
EncapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
EncapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
EncapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
EncapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
Encapsulation string: Enable/disable GRE/VXLAN encapsulation.
EncapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
EnforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
Esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
ExchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
ExchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
ExchangeIpAddr4 string: IPv4 address to exchange with peers.
ExchangeIpAddr6 string: IPv6 address to exchange with peers
FallbackTcpThreshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
FecBase int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
FecCodec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
FecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
FecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
FecHealthCheck string: SD-WAN health check.
FecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
FecMappingProfile string: Forward Error Correction (FEC) mapping profile.
FecReceiveTimeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
FecRedundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
FecSendTimeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
FgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
ForticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
FortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
Fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
FragmentationMtu int: IKE fragmentation MTU (500 - 16000).
GetAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
GroupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
GroupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
HaSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
IdleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
IdleTimeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
IkeVersion string: IKE protocol version. Valid values: 1, 2.
InboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
IncludeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
Interface string: Local physical, aggregate, or VLAN outgoing interface.
InternalDomainLists List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceInternalDomainList>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
IpDelayInterval int: IP address reuse delay interval in seconds (0 - 28800).
IpFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
IpVersion string: IP version to use for VPN interface. Valid values: 4, 6.
Ipv4DnsServer1 string: IPv4 DNS server 1.
Ipv4DnsServer2 string: IPv4 DNS server 2.
Ipv4DnsServer3 string: IPv4 DNS server 3.
Ipv4EndIp string: End of IPv4 range.
Ipv4ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv4ExcludeRange>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
Ipv4Name string: IPv4 address name.
Ipv4Netmask string: IPv4 Netmask.
Ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
Ipv4SplitInclude string: IPv4 split-include subnets.
Ipv4StartIp string: Start of IPv4 range.
Ipv4WinsServer1 string: WINS server 1.
Ipv4WinsServer2 string: WINS server 2.
Ipv6DnsServer1 string: IPv6 DNS server 1.
Ipv6DnsServer2 string: IPv6 DNS server 2.
Ipv6DnsServer3 string: IPv6 DNS server 3.
Ipv6EndIp string: End of IPv6 range.
Ipv6ExcludeRanges List<Pulumiverse.Fortios.Vpn.Ipsec.Inputs.Phase1interfaceIpv6ExcludeRange>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
Ipv6Name string: IPv6 address name.
Ipv6Prefix int: IPv6 prefix.
Ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
Ipv6SplitInclude string: IPv6 split-include subnets.
Ipv6StartIp string: Start of IPv6 range.
Keepalive int: NAT-T keep alive interval.
Keylife int: Time to wait in seconds before phase 1 encryption key expires.
Kms string: Key Management Services server.
LinkCost int: VPN tunnel underlay link cost.
LocalGw string: IPv4 address of the local gateway's external interface.
LocalGw6 string: IPv6 address of the local gateway's external interface.
Localid string: Local ID.
LocalidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
LoopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
MeshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
Mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
ModeCfg string: Enable/disable configuration method. Valid values: disable, enable.
ModeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
Monitor string: IPsec interface as backup for primary interface.
MonitorHoldDownDelay int: Time to wait in seconds before recovery once primary re-establishes.
MonitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
MonitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
MonitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
MonitorMin int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
Name string: IPsec remote gateway name.
Nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
NegotiateTimeout int: IKE SA negotiation timeout in seconds (1 - 300).
NetDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
NetworkId int: VPN gateway network ID.
NetworkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
NpuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
PacketRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
PassiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
Peer string: Accept this peer certificate.
Peergrp string: Accept this peer certificate group.
Peerid string: Accept this peer identity.
Peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
Ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
PpkIdentity string: IKEv2 Postquantum Preshared Key Identity.
PpkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
Priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
Proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
Psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
PsksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
Qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
QkdProfile string: Quantum Key Distribution (QKD) server profile.
Reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
Rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
RemoteGw string: IPv4 address of the remote gateway's external interface.
RemoteGw6 string: IPv6 address of the remote gateway's external interface.
RemoteGw6Country string: IPv6 addresses associated to a specific country.
RemoteGw6EndIp string: Last IPv6 address in the range.
RemoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
RemoteGw6StartIp string: First IPv6 address in the range.
RemoteGw6Subnet string: IPv6 address and prefix.
RemoteGwCountry string: IPv4 addresses associated to a specific country.
RemoteGwEndIp string: Last IPv4 address in the range.
RemoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
RemoteGwStartIp string: First IPv4 address in the range.
RemoteGwSubnet string: IPv4 address and subnet mask.
RemotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
RsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
RsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
SavePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
SendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
SignatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
SplitIncludeService string: Split-include services.
SuiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
Transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
TunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
Type string: Remote gateway type. Valid values: static, dynamic, ddns.
UnitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
Usrgrp string: User group name for dialup peers.
Vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
Vni int: VNI of VXLAN tunnel.
WizardType string: GUI VPN Wizard Type.
Xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

AcctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
AddGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
AddRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
AggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
AggregateWeight int: Link weight for aggregate.
AssignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
AssignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
Authmethod string: Authentication method. Valid values: psk, signature.
AuthmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
Authpasswd string: XAuth password (max 35 characters).
Authusr string: XAuth user name.
Authusrgrp string: Authentication user group.
AutoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
AutoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryOfferInterval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
AutoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
AutoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
AutoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
AutoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
AzureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
BackupGateways []Phase1interfaceBackupGatewayArgs: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
Banner string: Message that unity client should display after connecting.
CertIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
CertPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
CertPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
CertTrustStore string: CA certificate trust store. Valid values: local, ems.
Certificates []Phase1interfaceCertificateArgs: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
ChildlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
ClientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
ClientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
ClientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
ClientResumeInterval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
Comments string: Comment.
DefaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
DefaultGwPriority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
DevId string: Device ID carried by the device ID notification.
DevIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
Dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
DhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
Dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
DigitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
Distance int: Distance for routes added by IKE (1 - 255).
DnsMode string: DNS server mode. Valid values: manual, auto.
Domain string: Instruct unity clients about the default DNS domain.
Dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
DpdRetrycount int: Number of DPD retry attempts.
DpdRetryinterval string: DPD retry interval.
DynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
Eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
EapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
EapExcludePeergrp string: Peer group excluded from EAP authentication.
EapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
EmsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
EncapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
EncapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
EncapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
EncapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
Encapsulation string: Enable/disable GRE/VXLAN encapsulation.
EncapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
EnforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
Esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
ExchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
ExchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
ExchangeIpAddr4 string: IPv4 address to exchange with peers.
ExchangeIpAddr6 string: IPv6 address to exchange with peers
FallbackTcpThreshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
FecBase int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
FecCodec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
FecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
FecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
FecHealthCheck string: SD-WAN health check.
FecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
FecMappingProfile string: Forward Error Correction (FEC) mapping profile.
FecReceiveTimeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
FecRedundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
FecSendTimeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
FgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
ForticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
FortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
Fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
FragmentationMtu int: IKE fragmentation MTU (500 - 16000).
GetAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
GroupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
GroupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
HaSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
IdleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
IdleTimeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
IkeVersion string: IKE protocol version. Valid values: 1, 2.
InboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
IncludeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
Interface string: Local physical, aggregate, or VLAN outgoing interface.
InternalDomainLists []Phase1interfaceInternalDomainListArgs: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
IpDelayInterval int: IP address reuse delay interval in seconds (0 - 28800).
IpFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
IpVersion string: IP version to use for VPN interface. Valid values: 4, 6.
Ipv4DnsServer1 string: IPv4 DNS server 1.
Ipv4DnsServer2 string: IPv4 DNS server 2.
Ipv4DnsServer3 string: IPv4 DNS server 3.
Ipv4EndIp string: End of IPv4 range.
Ipv4ExcludeRanges []Phase1interfaceIpv4ExcludeRangeArgs: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
Ipv4Name string: IPv4 address name.
Ipv4Netmask string: IPv4 Netmask.
Ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
Ipv4SplitInclude string: IPv4 split-include subnets.
Ipv4StartIp string: Start of IPv4 range.
Ipv4WinsServer1 string: WINS server 1.
Ipv4WinsServer2 string: WINS server 2.
Ipv6DnsServer1 string: IPv6 DNS server 1.
Ipv6DnsServer2 string: IPv6 DNS server 2.
Ipv6DnsServer3 string: IPv6 DNS server 3.
Ipv6EndIp string: End of IPv6 range.
Ipv6ExcludeRanges []Phase1interfaceIpv6ExcludeRangeArgs: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
Ipv6Name string: IPv6 address name.
Ipv6Prefix int: IPv6 prefix.
Ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
Ipv6SplitInclude string: IPv6 split-include subnets.
Ipv6StartIp string: Start of IPv6 range.
Keepalive int: NAT-T keep alive interval.
Keylife int: Time to wait in seconds before phase 1 encryption key expires.
Kms string: Key Management Services server.
LinkCost int: VPN tunnel underlay link cost.
LocalGw string: IPv4 address of the local gateway's external interface.
LocalGw6 string: IPv6 address of the local gateway's external interface.
Localid string: Local ID.
LocalidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
LoopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
MeshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
Mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
ModeCfg string: Enable/disable configuration method. Valid values: disable, enable.
ModeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
Monitor string: IPsec interface as backup for primary interface.
MonitorHoldDownDelay int: Time to wait in seconds before recovery once primary re-establishes.
MonitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
MonitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
MonitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
MonitorMin int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
Name string: IPsec remote gateway name.
Nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
NegotiateTimeout int: IKE SA negotiation timeout in seconds (1 - 300).
NetDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
NetworkId int: VPN gateway network ID.
NetworkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
NpuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
PacketRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
PassiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
Peer string: Accept this peer certificate.
Peergrp string: Accept this peer certificate group.
Peerid string: Accept this peer identity.
Peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
Ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
PpkIdentity string: IKEv2 Postquantum Preshared Key Identity.
PpkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
Priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
Proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
Psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
PsksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
Qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
QkdProfile string: Quantum Key Distribution (QKD) server profile.
Reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
Rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
RemoteGw string: IPv4 address of the remote gateway's external interface.
RemoteGw6 string: IPv6 address of the remote gateway's external interface.
RemoteGw6Country string: IPv6 addresses associated to a specific country.
RemoteGw6EndIp string: Last IPv6 address in the range.
RemoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
RemoteGw6StartIp string: First IPv6 address in the range.
RemoteGw6Subnet string: IPv6 address and prefix.
RemoteGwCountry string: IPv4 addresses associated to a specific country.
RemoteGwEndIp string: Last IPv4 address in the range.
RemoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
RemoteGwStartIp string: First IPv4 address in the range.
RemoteGwSubnet string: IPv4 address and subnet mask.
RemotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
RsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
RsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
SavePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
SendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
SignatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
SplitIncludeService string: Split-include services.
SuiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
Transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
TunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
Type string: Remote gateway type. Valid values: static, dynamic, ddns.
UnitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
Usrgrp string: User group name for dialup peers.
Vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
Vni int: VNI of VXLAN tunnel.
WizardType string: GUI VPN Wizard Type.
Xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

acctVerify String: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute String: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute String: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember String: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight Integer: Link weight for aggregate.
assignIp String: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom String: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod String: Authentication method. Valid values: psk, signature.
authmethodRemote String: Authentication method (remote side). Valid values: psk, signature.
authpasswd String: XAuth password (max 35 characters).
authusr String: XAuth user name.
authusrgrp String: Authentication user group.
autoDiscoveryCrossover String: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder String: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval Integer: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk String: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver String: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender String: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts String: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate String: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect String: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways List<Phase1interfaceBackupGateway>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner String: Message that unity client should display after connecting.
certIdValidation String: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip String: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation String: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore String: CA certificate trust store. Valid values: local, ems.
certificates List<Phase1interfaceCertificate>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke String: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate String: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive String: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume String: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval Integer: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments String: Comment.
defaultGw String: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority Integer: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId String: Device ID carried by the device ID notification.
devIdNotification String: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr String: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr String: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp String: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth String: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance Integer: Distance for routes added by IKE (1 - 255).
dnsMode String: DNS server mode. Valid values: manual, auto.
domain String: Instruct unity clients about the default DNS domain.
dpd String: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount Integer: Number of DPD retry attempts.
dpdRetryinterval String: DPD retry interval.
dynamicSortSubtable String: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap String: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth String: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp String: Peer group excluded from EAP authentication.
eapIdentity String: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck String: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 String: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 String: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 String: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 String: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation String: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress String: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId String: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn String: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId String: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp String: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 String: IPv4 address to exchange with peers.
exchangeIpAddr6 String: IPv6 address to exchange with peers
fallbackTcpThreshold Integer: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase Integer: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec Integer: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString String: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress String: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck String: SD-WAN health check.
fecIngress String: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile String: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout Integer: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant Integer: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout Integer: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync String: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement String: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp String: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation String: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu Integer: IKE fragmentation MTU (500 - 16000).
getAllTables String: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication String: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret String: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno String: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout String: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval Integer: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion String: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy String: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan String: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
interface_ String: Local physical, aggregate, or VLAN outgoing interface.
internalDomainLists List<Phase1interfaceInternalDomainList>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval Integer: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation String: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion String: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 String: IPv4 DNS server 1.
ipv4DnsServer2 String: IPv4 DNS server 2.
ipv4DnsServer3 String: IPv4 DNS server 3.
ipv4EndIp String: End of IPv4 range.
ipv4ExcludeRanges List<Phase1interfaceIpv4ExcludeRange>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name String: IPv4 address name.
ipv4Netmask String: IPv4 Netmask.
ipv4SplitExclude String: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude String: IPv4 split-include subnets.
ipv4StartIp String: Start of IPv4 range.
ipv4WinsServer1 String: WINS server 1.
ipv4WinsServer2 String: WINS server 2.
ipv6DnsServer1 String: IPv6 DNS server 1.
ipv6DnsServer2 String: IPv6 DNS server 2.
ipv6DnsServer3 String: IPv6 DNS server 3.
ipv6EndIp String: End of IPv6 range.
ipv6ExcludeRanges List<Phase1interfaceIpv6ExcludeRange>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name String: IPv6 address name.
ipv6Prefix Integer: IPv6 prefix.
ipv6SplitExclude String: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude String: IPv6 split-include subnets.
ipv6StartIp String: Start of IPv6 range.
keepalive Integer: NAT-T keep alive interval.
keylife Integer: Time to wait in seconds before phase 1 encryption key expires.
kms String: Key Management Services server.
linkCost Integer: VPN tunnel underlay link cost.
localGw String: IPv4 address of the local gateway's external interface.
localGw6 String: IPv6 address of the local gateway's external interface.
localid String: Local ID.
localidType String: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute String: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType String: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode String: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg String: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector String: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor String: IPsec interface as backup for primary interface.
monitorHoldDownDelay Integer: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime String: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType String: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday String: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin Integer: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name String: IPsec remote gateway name.
nattraversal String: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout Integer: IKE SA negotiation timeout in seconds (1 - 300).
netDevice String: Enable/disable kernel device creation. Valid values: enable, disable.
networkId Integer: VPN gateway network ID.
networkOverlay String: Enable/disable network overlays. Valid values: disable, enable.
npuOffload String: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution String: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode String: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer String: Accept this peer certificate.
peergrp String: Accept this peer certificate group.
peerid String: Accept this peer identity.
peertype String: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk String: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity String: IKEv2 Postquantum Preshared Key Identity.
ppkSecret String: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority Integer: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
proposal String: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
psksecret String: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote String: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd String: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile String: Quantum Key Distribution (QKD) server profile.
reauth String: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey String: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw String: IPv4 address of the remote gateway's external interface.
remoteGw6 String: IPv6 address of the remote gateway's external interface.
remoteGw6Country String: IPv6 addresses associated to a specific country.
remoteGw6EndIp String: Last IPv6 address in the range.
remoteGw6Match String: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp String: First IPv6 address in the range.
remoteGw6Subnet String: IPv6 address and prefix.
remoteGwCountry String: IPv4 addresses associated to a specific country.
remoteGwEndIp String: Last IPv4 address in the range.
remoteGwMatch String: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp String: First IPv4 address in the range.
remoteGwSubnet String: IPv4 address and subnet mask.
remotegwDdns String: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat String: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride String: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword String: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain String: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg String: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService String: Split-include services.
suiteB String: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport String: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch String: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type String: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport String: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp String: User group name for dialup peers.
vdomparam String: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni Integer: VNI of VXLAN tunnel.
wizardType String: GUI VPN Wizard Type.
xauthtype String: XAuth type. Valid values: disable, client, pap, chap, auto.

acctVerify string: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute string: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute string: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember string: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight number: Link weight for aggregate.
assignIp string: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom string: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod string: Authentication method. Valid values: psk, signature.
authmethodRemote string: Authentication method (remote side). Valid values: psk, signature.
authpasswd string: XAuth password (max 35 characters).
authusr string: XAuth user name.
authusrgrp string: Authentication user group.
autoDiscoveryCrossover string: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder string: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval number: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk string: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver string: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender string: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts string: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate string: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect string: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways Phase1interfaceBackupGateway[]: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner string: Message that unity client should display after connecting.
certIdValidation string: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip string: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation string: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore string: CA certificate trust store. Valid values: local, ems.
certificates Phase1interfaceCertificate[]: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke string: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate string: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive string: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume string: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval number: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments string: Comment.
defaultGw string: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority number: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId string: Device ID carried by the device ID notification.
devIdNotification string: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr string: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr string: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp string: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth string: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance number: Distance for routes added by IKE (1 - 255).
dnsMode string: DNS server mode. Valid values: manual, auto.
domain string: Instruct unity clients about the default DNS domain.
dpd string: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount number: Number of DPD retry attempts.
dpdRetryinterval string: DPD retry interval.
dynamicSortSubtable string: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap string: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth string: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp string: Peer group excluded from EAP authentication.
eapIdentity string: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck string: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 string: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 string: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 string: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 string: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation string: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress string: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId string: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn string: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId string: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp string: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 string: IPv4 address to exchange with peers.
exchangeIpAddr6 string: IPv6 address to exchange with peers
fallbackTcpThreshold number: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase number: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec number: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString string: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress string: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck string: SD-WAN health check.
fecIngress string: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile string: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout number: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant number: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout number: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync string: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement string: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp string: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation string: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu number: IKE fragmentation MTU (500 - 16000).
getAllTables string: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication string: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret string: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno string: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout string: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval number: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion string: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy string: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan string: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
interface string: Local physical, aggregate, or VLAN outgoing interface.
internalDomainLists Phase1interfaceInternalDomainList[]: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval number: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation string: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion string: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 string: IPv4 DNS server 1.
ipv4DnsServer2 string: IPv4 DNS server 2.
ipv4DnsServer3 string: IPv4 DNS server 3.
ipv4EndIp string: End of IPv4 range.
ipv4ExcludeRanges Phase1interfaceIpv4ExcludeRange[]: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name string: IPv4 address name.
ipv4Netmask string: IPv4 Netmask.
ipv4SplitExclude string: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude string: IPv4 split-include subnets.
ipv4StartIp string: Start of IPv4 range.
ipv4WinsServer1 string: WINS server 1.
ipv4WinsServer2 string: WINS server 2.
ipv6DnsServer1 string: IPv6 DNS server 1.
ipv6DnsServer2 string: IPv6 DNS server 2.
ipv6DnsServer3 string: IPv6 DNS server 3.
ipv6EndIp string: End of IPv6 range.
ipv6ExcludeRanges Phase1interfaceIpv6ExcludeRange[]: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name string: IPv6 address name.
ipv6Prefix number: IPv6 prefix.
ipv6SplitExclude string: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude string: IPv6 split-include subnets.
ipv6StartIp string: Start of IPv6 range.
keepalive number: NAT-T keep alive interval.
keylife number: Time to wait in seconds before phase 1 encryption key expires.
kms string: Key Management Services server.
linkCost number: VPN tunnel underlay link cost.
localGw string: IPv4 address of the local gateway's external interface.
localGw6 string: IPv6 address of the local gateway's external interface.
localid string: Local ID.
localidType string: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute string: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType string: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode string: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg string: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector string: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor string: IPsec interface as backup for primary interface.
monitorHoldDownDelay number: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime string: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType string: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday string: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin number: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name string: IPsec remote gateway name.
nattraversal string: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout number: IKE SA negotiation timeout in seconds (1 - 300).
netDevice string: Enable/disable kernel device creation. Valid values: enable, disable.
networkId number: VPN gateway network ID.
networkOverlay string: Enable/disable network overlays. Valid values: disable, enable.
npuOffload string: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution string: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode string: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer string: Accept this peer certificate.
peergrp string: Accept this peer certificate group.
peerid string: Accept this peer identity.
peertype string: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk string: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity string: IKEv2 Postquantum Preshared Key Identity.
ppkSecret string: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority number: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
proposal string: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
psksecret string: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote string: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd string: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile string: Quantum Key Distribution (QKD) server profile.
reauth string: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey string: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw string: IPv4 address of the remote gateway's external interface.
remoteGw6 string: IPv6 address of the remote gateway's external interface.
remoteGw6Country string: IPv6 addresses associated to a specific country.
remoteGw6EndIp string: Last IPv6 address in the range.
remoteGw6Match string: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp string: First IPv6 address in the range.
remoteGw6Subnet string: IPv6 address and prefix.
remoteGwCountry string: IPv4 addresses associated to a specific country.
remoteGwEndIp string: Last IPv4 address in the range.
remoteGwMatch string: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp string: First IPv4 address in the range.
remoteGwSubnet string: IPv4 address and subnet mask.
remotegwDdns string: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat string: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride string: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword string: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain string: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg string: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService string: Split-include services.
suiteB string: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport string: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch string: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type string: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport string: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp string: User group name for dialup peers.
vdomparam string: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni number: VNI of VXLAN tunnel.
wizardType string: GUI VPN Wizard Type.
xauthtype string: XAuth type. Valid values: disable, client, pap, chap, auto.

acct_verify str: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
add_gw_route str: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
add_route str: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregate_member str: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregate_weight int: Link weight for aggregate.
assign_ip str: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assign_ip_from str: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod str: Authentication method. Valid values: psk, signature.
authmethod_remote str: Authentication method (remote side). Valid values: psk, signature.
authpasswd str: XAuth password (max 35 characters).
authusr str: XAuth user name.
authusrgrp str: Authentication user group.
auto_discovery_crossover str: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
auto_discovery_forwarder str: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_offer_interval int: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
auto_discovery_psk str: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
auto_discovery_receiver str: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_sender str: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
auto_discovery_shortcuts str: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
auto_negotiate str: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azure_ad_autoconnect str: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backup_gateways Sequence[Phase1interfaceBackupGatewayArgs]: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner str: Message that unity client should display after connecting.
cert_id_validation str: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
cert_peer_username_strip str: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
cert_peer_username_validation str: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
cert_trust_store str: CA certificate trust store. Valid values: local, ems.
certificates Sequence[Phase1interfaceCertificateArgs]: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childless_ike str: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
client_auto_negotiate str: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
client_keep_alive str: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
client_resume str: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
client_resume_interval int: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments str: Comment.
default_gw str: IPv4 address of default route gateway to use for traffic exiting the interface.
default_gw_priority int: Priority for default gateway route. A higher priority number signifies a less preferred route.
dev_id str: Device ID carried by the device ID notification.
dev_id_notification str: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6_ra_linkaddr str: Relay agent IPv6 link address to use in DHCP6 requests.
dhcp_ra_giaddr str: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp str: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digital_signature_auth str: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance int: Distance for routes added by IKE (1 - 255).
dns_mode str: DNS server mode. Valid values: manual, auto.
domain str: Instruct unity clients about the default DNS domain.
dpd str: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpd_retrycount int: Number of DPD retry attempts.
dpd_retryinterval str: DPD retry interval.
dynamic_sort_subtable str: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap str: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eap_cert_auth str: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eap_exclude_peergrp str: Peer group excluded from EAP authentication.
eap_identity str: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
ems_sn_check str: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encap_local_gw4 str: Local IPv4 address of GRE/VXLAN tunnel.
encap_local_gw6 str: Local IPv6 address of GRE/VXLAN tunnel.
encap_remote_gw4 str: Remote IPv4 address of GRE/VXLAN tunnel.
encap_remote_gw6 str: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation str: Enable/disable GRE/VXLAN encapsulation.
encapsulation_address str: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforce_unique_id str: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn str: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchange_fgt_device_id str: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchange_interface_ip str: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchange_ip_addr4 str: IPv4 address to exchange with peers.
exchange_ip_addr6 str: IPv6 address to exchange with peers
fallback_tcp_threshold int: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fec_base int: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fec_codec int: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fec_codec_string str: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fec_egress str: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fec_health_check str: SD-WAN health check.
fec_ingress str: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fec_mapping_profile str: Forward Error Correction (FEC) mapping profile.
fec_receive_timeout int: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fec_redundant int: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fec_send_timeout int: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgsp_sync str: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlient_enforcement str: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinet_esp str: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation str: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentation_mtu int: IKE fragmentation MTU (500 - 16000).
get_all_tables str: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
group_authentication str: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
group_authentication_secret str: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
ha_sync_esp_seqno str: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idle_timeout str: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idle_timeoutinterval int: IPsec tunnel idle timeout in minutes (5 - 43200).
ike_version str: IKE protocol version. Valid values: 1, 2.
inbound_dscp_copy str: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
include_local_lan str: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
interface str: Local physical, aggregate, or VLAN outgoing interface.
internal_domain_lists Sequence[Phase1interfaceInternalDomainListArgs]: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ip_delay_interval int: IP address reuse delay interval in seconds (0 - 28800).
ip_fragmentation str: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ip_version str: IP version to use for VPN interface. Valid values: 4, 6.
ipv4_dns_server1 str: IPv4 DNS server 1.
ipv4_dns_server2 str: IPv4 DNS server 2.
ipv4_dns_server3 str: IPv4 DNS server 3.
ipv4_end_ip str: End of IPv4 range.
ipv4_exclude_ranges Sequence[Phase1interfaceIpv4ExcludeRangeArgs]: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4_name str: IPv4 address name.
ipv4_netmask str: IPv4 Netmask.
ipv4_split_exclude str: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4_split_include str: IPv4 split-include subnets.
ipv4_start_ip str: Start of IPv4 range.
ipv4_wins_server1 str: WINS server 1.
ipv4_wins_server2 str: WINS server 2.
ipv6_dns_server1 str: IPv6 DNS server 1.
ipv6_dns_server2 str: IPv6 DNS server 2.
ipv6_dns_server3 str: IPv6 DNS server 3.
ipv6_end_ip str: End of IPv6 range.
ipv6_exclude_ranges Sequence[Phase1interfaceIpv6ExcludeRangeArgs]: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6_name str: IPv6 address name.
ipv6_prefix int: IPv6 prefix.
ipv6_split_exclude str: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6_split_include str: IPv6 split-include subnets.
ipv6_start_ip str: Start of IPv6 range.
keepalive int: NAT-T keep alive interval.
keylife int: Time to wait in seconds before phase 1 encryption key expires.
kms str: Key Management Services server.
link_cost int: VPN tunnel underlay link cost.
local_gw str: IPv4 address of the local gateway's external interface.
local_gw6 str: IPv6 address of the local gateway's external interface.
localid str: Local ID.
localid_type str: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopback_asymroute str: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
mesh_selector_type str: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode str: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
mode_cfg str: Enable/disable configuration method. Valid values: disable, enable.
mode_cfg_allow_client_selector str: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor str: IPsec interface as backup for primary interface.
monitor_hold_down_delay int: Time to wait in seconds before recovery once primary re-establishes.
monitor_hold_down_time str: Time of day at which to fail back to primary after it re-establishes.
monitor_hold_down_type str: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitor_hold_down_weekday str: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitor_min int: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name str: IPsec remote gateway name.
nattraversal str: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiate_timeout int: IKE SA negotiation timeout in seconds (1 - 300).
net_device str: Enable/disable kernel device creation. Valid values: enable, disable.
network_id int: VPN gateway network ID.
network_overlay str: Enable/disable network overlays. Valid values: disable, enable.
npu_offload str: Enable/disable offloading NPU. Valid values: enable, disable.
packet_redistribution str: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passive_mode str: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer str: Accept this peer certificate.
peergrp str: Accept this peer certificate group.
peerid str: Accept this peer identity.
peertype str: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk str: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppk_identity str: IKEv2 Postquantum Preshared Key Identity.
ppk_secret str: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority int: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
proposal str: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
psksecret str: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecret_remote str: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd str: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkd_profile str: Quantum Key Distribution (QKD) server profile.
reauth str: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey str: Enable/disable phase1 rekey. Valid values: enable, disable.
remote_gw str: IPv4 address of the remote gateway's external interface.
remote_gw6 str: IPv6 address of the remote gateway's external interface.
remote_gw6_country str: IPv6 addresses associated to a specific country.
remote_gw6_end_ip str: Last IPv6 address in the range.
remote_gw6_match str: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remote_gw6_start_ip str: First IPv6 address in the range.
remote_gw6_subnet str: IPv6 address and prefix.
remote_gw_country str: IPv4 addresses associated to a specific country.
remote_gw_end_ip str: Last IPv4 address in the range.
remote_gw_match str: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remote_gw_start_ip str: First IPv4 address in the range.
remote_gw_subnet str: IPv4 address and subnet mask.
remotegw_ddns str: Domain name of remote gateway. For example, name.ddns.com.
rsa_signature_format str: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsa_signature_hash_override str: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
save_password str: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
send_cert_chain str: Enable/disable sending certificate chain. Valid values: enable, disable.
signature_hash_alg str: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
split_include_service str: Split-include services.
suite_b str: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport str: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnel_search str: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type str: Remote gateway type. Valid values: static, dynamic, ddns.
unity_support str: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp str: User group name for dialup peers.
vdomparam str: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni int: VNI of VXLAN tunnel.
wizard_type str: GUI VPN Wizard Type.
xauthtype str: XAuth type. Valid values: disable, client, pap, chap, auto.

acctVerify String: Enable/disable verification of RADIUS accounting record. Valid values: enable, disable.
addGwRoute String: Enable/disable automatically add a route to the remote gateway. Valid values: enable, disable.
addRoute String: Enable/disable control addition of a route to peer destination selector. Valid values: disable, enable.
aggregateMember String: Enable/disable use as an aggregate member. Valid values: enable, disable.
aggregateWeight Number: Link weight for aggregate.
assignIp String: Enable/disable assignment of IP to IPsec interface via configuration method. Valid values: disable, enable.
assignIpFrom String: Method by which the IP address will be assigned. Valid values: range, usrgrp, dhcp, name.
authmethod String: Authentication method. Valid values: psk, signature.
authmethodRemote String: Authentication method (remote side). Valid values: psk, signature.
authpasswd String: XAuth password (max 35 characters).
authusr String: XAuth user name.
authusrgrp String: Authentication user group.
autoDiscoveryCrossover String: Allow/block set-up of short-cut tunnels between different network IDs. Valid values: allow, block.
autoDiscoveryForwarder String: Enable/disable forwarding auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryOfferInterval Number: Interval between shortcut offer messages in seconds (1 - 300, default = 5).
autoDiscoveryPsk String: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. Valid values: enable, disable.
autoDiscoveryReceiver String: Enable/disable accepting auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoverySender String: Enable/disable sending auto-discovery short-cut messages. Valid values: enable, disable.
autoDiscoveryShortcuts String: Control deletion of child short-cut tunnels when the parent tunnel goes down. Valid values: independent, dependent.
autoNegotiate String: Enable/disable automatic initiation of IKE SA negotiation. Valid values: enable, disable.
azureAdAutoconnect String: Enable/disable Azure AD Auto-Connect for FortiClient. Valid values: enable, disable.
backupGateways List<Property Map>: Instruct unity clients about the backup gateway address(es). The structure of backup_gateway block is documented below.
banner String: Message that unity client should display after connecting.
certIdValidation String: Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945. Valid values: enable, disable.
certPeerUsernameStrip String: Enable/disable domain stripping on certificate identity. Valid values: disable, enable.
certPeerUsernameValidation String: Enable/disable cross validation of peer username and the identity in the peer's certificate. Valid values: none, othername, rfc822name, cn.
certTrustStore String: CA certificate trust store. Valid values: local, ems.
certificates List<Property Map>: The names of up to 4 signed personal certificates. The structure of certificate block is documented below.
childlessIke String: Enable/disable childless IKEv2 initiation (RFC 6023). Valid values: enable, disable.
clientAutoNegotiate String: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. Valid values: disable, enable.
clientKeepAlive String: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. Valid values: disable, enable.
clientResume String: Enable/disable resumption of offline FortiClient sessions. When a FortiClient enabled laptop is closed or enters sleep/hibernate mode, enabling this feature allows FortiClient to keep the tunnel during this period, and allows users to immediately resume using the IPsec tunnel when the device wakes up. Valid values: enable, disable.
clientResumeInterval Number: Maximum time in seconds during which a VPN client may resume using a tunnel after a client PC has entered sleep mode or temporarily lost its network connection (120 - 172800, default = 1800).
comments String: Comment.
defaultGw String: IPv4 address of default route gateway to use for traffic exiting the interface.
defaultGwPriority Number: Priority for default gateway route. A higher priority number signifies a less preferred route.
devId String: Device ID carried by the device ID notification.
devIdNotification String: Enable/disable device ID notification. Valid values: disable, enable.
dhcp6RaLinkaddr String: Relay agent IPv6 link address to use in DHCP6 requests.
dhcpRaGiaddr String: Relay agent gateway IP address to use in the giaddr field of DHCP requests.
dhgrp String: DH group. Valid values: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32.
digitalSignatureAuth String: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). Valid values: enable, disable.
distance Number: Distance for routes added by IKE (1 - 255).
dnsMode String: DNS server mode. Valid values: manual, auto.
domain String: Instruct unity clients about the default DNS domain.
dpd String: Dead Peer Detection mode. Valid values: disable, on-idle, on-demand.
dpdRetrycount Number: Number of DPD retry attempts.
dpdRetryinterval String: DPD retry interval.
dynamicSortSubtable String: Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
eap String: Enable/disable IKEv2 EAP authentication. Valid values: enable, disable.
eapCertAuth String: Enable/disable peer certificate authentication in addition to EAP if peer is a FortiClient endpoint. Valid values: enable, disable.
eapExcludePeergrp String: Peer group excluded from EAP authentication.
eapIdentity String: IKEv2 EAP peer identity type. Valid values: use-id-payload, send-request.
emsSnCheck String: Enable/disable verification of EMS serial number. Valid values: enable, disable.
encapLocalGw4 String: Local IPv4 address of GRE/VXLAN tunnel.
encapLocalGw6 String: Local IPv6 address of GRE/VXLAN tunnel.
encapRemoteGw4 String: Remote IPv4 address of GRE/VXLAN tunnel.
encapRemoteGw6 String: Remote IPv6 address of GRE/VXLAN tunnel.
encapsulation String: Enable/disable GRE/VXLAN encapsulation.
encapsulationAddress String: Source for GRE/VXLAN tunnel address. Valid values: ike, ipv4, ipv6.
enforceUniqueId String: Enable/disable peer ID uniqueness check. Valid values: disable, keep-new, keep-old.
esn String: Extended sequence number (ESN) negotiation. Valid values: require, allow, disable.
exchangeFgtDeviceId String: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. Valid values: enable, disable.
exchangeInterfaceIp String: Enable/disable exchange of IPsec interface IP address. Valid values: enable, disable.
exchangeIpAddr4 String: IPv4 address to exchange with peers.
exchangeIpAddr6 String: IPv6 address to exchange with peers
fallbackTcpThreshold Number: Timeout in seconds before falling back IKE/IPsec traffic to tcp.
fecBase Number: Number of base Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 100. On FortiOS versions >= 7.0.2: 1 - 20.
fecCodec Number: ipsec fec encoding/decoding algorithm (0: reed-solomon, 1: xor). Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec_string.
fecCodecString String: Forward Error Correction encoding/decoding algorithm. Due to the data type change of API, for other versions of FortiOS, please check variable fec-codec. Valid values: rs, xor.
fecEgress String: Enable/disable Forward Error Correction for egress IPsec traffic. Valid values: enable, disable.
fecHealthCheck String: SD-WAN health check.
fecIngress String: Enable/disable Forward Error Correction for ingress IPsec traffic. Valid values: enable, disable.
fecMappingProfile String: Forward Error Correction (FEC) mapping profile.
fecReceiveTimeout Number: Timeout in milliseconds before dropping Forward Error Correction packets. On FortiOS versions 6.2.4-7.0.1: 1 - 10000. On FortiOS versions >= 7.0.2: 1 - 1000.
fecRedundant Number: Number of redundant Forward Error Correction packets. On FortiOS versions 6.2.4-6.2.6: 0 - 100, when fec-codec is reed-solomon or 1 when fec-codec is xor. On FortiOS versions >= 7.0.2: 1 - 5 for reed-solomon, 1 for xor.
fecSendTimeout Number: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).
fgspSync String: Enable/disable IPsec syncing of tunnels for FGSP IPsec. Valid values: enable, disable.
forticlientEnforcement String: Enable/disable FortiClient enforcement. Valid values: enable, disable.
fortinetEsp String: Enable/disable Fortinet ESP encapsulaton. Valid values: enable, disable.
fragmentation String: Enable/disable fragment IKE message on re-transmission. Valid values: enable, disable.
fragmentationMtu Number: IKE fragmentation MTU (500 - 16000).
getAllTables String: Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
groupAuthentication String: Enable/disable IKEv2 IDi group authentication. Valid values: enable, disable.
groupAuthenticationSecret String: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.
haSyncEspSeqno String: Enable/disable sequence number jump ahead for IPsec HA. Valid values: enable, disable.
idleTimeout String: Enable/disable IPsec tunnel idle timeout. Valid values: enable, disable.
idleTimeoutinterval Number: IPsec tunnel idle timeout in minutes (5 - 43200).
ikeVersion String: IKE protocol version. Valid values: 1, 2.
inboundDscpCopy String: Enable/disable copy the dscp in the ESP header to the inner IP Header. Valid values: enable, disable.
includeLocalLan String: Enable/disable allow local LAN access on unity clients. Valid values: disable, enable.
interface String: Local physical, aggregate, or VLAN outgoing interface.
internalDomainLists List<Property Map>: One or more internal domain names in quotes separated by spaces. The structure of internal_domain_list block is documented below.
ipDelayInterval Number: IP address reuse delay interval in seconds (0 - 28800).
ipFragmentation String: Determine whether IP packets are fragmented before or after IPsec encapsulation. Valid values: pre-encapsulation, post-encapsulation.
ipVersion String: IP version to use for VPN interface. Valid values: 4, 6.
ipv4DnsServer1 String: IPv4 DNS server 1.
ipv4DnsServer2 String: IPv4 DNS server 2.
ipv4DnsServer3 String: IPv4 DNS server 3.
ipv4EndIp String: End of IPv4 range.
ipv4ExcludeRanges List<Property Map>: Configuration Method IPv4 exclude ranges. The structure of ipv4_exclude_range block is documented below.
ipv4Name String: IPv4 address name.
ipv4Netmask String: IPv4 Netmask.
ipv4SplitExclude String: IPv4 subnets that should not be sent over the IPsec tunnel.
ipv4SplitInclude String: IPv4 split-include subnets.
ipv4StartIp String: Start of IPv4 range.
ipv4WinsServer1 String: WINS server 1.
ipv4WinsServer2 String: WINS server 2.
ipv6DnsServer1 String: IPv6 DNS server 1.
ipv6DnsServer2 String: IPv6 DNS server 2.
ipv6DnsServer3 String: IPv6 DNS server 3.
ipv6EndIp String: End of IPv6 range.
ipv6ExcludeRanges List<Property Map>: Configuration method IPv6 exclude ranges. The structure of ipv6_exclude_range block is documented below.
ipv6Name String: IPv6 address name.
ipv6Prefix Number: IPv6 prefix.
ipv6SplitExclude String: IPv6 subnets that should not be sent over the IPsec tunnel.
ipv6SplitInclude String: IPv6 split-include subnets.
ipv6StartIp String: Start of IPv6 range.
keepalive Number: NAT-T keep alive interval.
keylife Number: Time to wait in seconds before phase 1 encryption key expires.
kms String: Key Management Services server.
linkCost Number: VPN tunnel underlay link cost.
localGw String: IPv4 address of the local gateway's external interface.
localGw6 String: IPv6 address of the local gateway's external interface.
localid String: Local ID.
localidType String: Local ID type. Valid values: auto, fqdn, user-fqdn, keyid, address, asn1dn.
loopbackAsymroute String: Enable/disable asymmetric routing for IKE traffic on loopback interface. Valid values: enable, disable.
meshSelectorType String: Add selectors containing subsets of the configuration depending on traffic. Valid values: disable, subnet, host.
mode String: The ID protection mode used to establish a secure channel. Valid values: aggressive, main.
modeCfg String: Enable/disable configuration method. Valid values: disable, enable.
modeCfgAllowClientSelector String: Enable/disable mode-cfg client to use custom phase2 selectors. Valid values: disable, enable.
monitor String: IPsec interface as backup for primary interface.
monitorHoldDownDelay Number: Time to wait in seconds before recovery once primary re-establishes.
monitorHoldDownTime String: Time of day at which to fail back to primary after it re-establishes.
monitorHoldDownType String: Recovery time method when primary interface re-establishes. Valid values: immediate, delay, time.
monitorHoldDownWeekday String: Day of the week to recover once primary re-establishes. Valid values: everyday, sunday, monday, tuesday, wednesday, thursday, friday, saturday.
monitorMin Number: Minimum number of links to become degraded before activating this interface. Zero (0) means all links must be down before activating this interface.
name String: IPsec remote gateway name.
nattraversal String: Enable/disable NAT traversal. Valid values: enable, disable, forced.
negotiateTimeout Number: IKE SA negotiation timeout in seconds (1 - 300).
netDevice String: Enable/disable kernel device creation. Valid values: enable, disable.
networkId Number: VPN gateway network ID.
networkOverlay String: Enable/disable network overlays. Valid values: disable, enable.
npuOffload String: Enable/disable offloading NPU. Valid values: enable, disable.
packetRedistribution String: Enable/disable packet distribution (RPS) on the IPsec interface. Valid values: enable, disable.
passiveMode String: Enable/disable IPsec passive mode for static tunnels. Valid values: enable, disable.
peer String: Accept this peer certificate.
peergrp String: Accept this peer certificate group.
peerid String: Accept this peer identity.
peertype String: Accept this peer type. Valid values: any, one, dialup, peer, peergrp.
ppk String: Enable/disable IKEv2 Postquantum Preshared Key (PPK). Valid values: disable, allow, require.
ppkIdentity String: IKEv2 Postquantum Preshared Key Identity.
ppkSecret String: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).
priority Number: Priority for routes added by IKE. On FortiOS versions 6.2.0-7.0.3: 0 - 4294967295. On FortiOS versions >= 7.0.4: 1 - 65535.
proposal String: Phase1 proposal. Valid values: des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes128gcm-prfsha1, aes128gcm-prfsha256, aes128gcm-prfsha384, aes128gcm-prfsha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aes256gcm-prfsha1, aes256gcm-prfsha256, aes256gcm-prfsha384, aes256gcm-prfsha512, chacha20poly1305-prfsha1, chacha20poly1305-prfsha256, chacha20poly1305-prfsha384, chacha20poly1305-prfsha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512.
psksecret String: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
psksecretRemote String: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).
qkd String: Enable/disable use of Quantum Key Distribution (QKD) server. Valid values: disable, allow, require.
qkdProfile String: Quantum Key Distribution (QKD) server profile.
reauth String: Enable/disable re-authentication upon IKE SA lifetime expiration. Valid values: disable, enable.
rekey String: Enable/disable phase1 rekey. Valid values: enable, disable.
remoteGw String: IPv4 address of the remote gateway's external interface.
remoteGw6 String: IPv6 address of the remote gateway's external interface.
remoteGw6Country String: IPv6 addresses associated to a specific country.
remoteGw6EndIp String: Last IPv6 address in the range.
remoteGw6Match String: Set type of IPv6 remote gateway address matching. Valid values: any, ipprefix, iprange, geography.
remoteGw6StartIp String: First IPv6 address in the range.
remoteGw6Subnet String: IPv6 address and prefix.
remoteGwCountry String: IPv4 addresses associated to a specific country.
remoteGwEndIp String: Last IPv4 address in the range.
remoteGwMatch String: Set type of IPv4 remote gateway address matching. Valid values: any, ipmask, iprange, geography.
remoteGwStartIp String: First IPv4 address in the range.
remoteGwSubnet String: IPv4 address and subnet mask.
remotegwDdns String: Domain name of remote gateway. For example, name.ddns.com.
rsaSignatureFormat String: Digital Signature Authentication RSA signature format. Valid values: pkcs1, pss.
rsaSignatureHashOverride String: Enable/disable IKEv2 RSA signature hash algorithm override. Valid values: enable, disable.
savePassword String: Enable/disable saving XAuth username and password on VPN clients. Valid values: disable, enable.
sendCertChain String: Enable/disable sending certificate chain. Valid values: enable, disable.
signatureHashAlg String: Digital Signature Authentication hash algorithms. Valid values: sha1, sha2-256, sha2-384, sha2-512.
splitIncludeService String: Split-include services.
suiteB String: Use Suite-B. Valid values: disable, suite-b-gcm-128, suite-b-gcm-256.
transport String: Set IKE transport protocol. Valid values: udp, udp-fallback-tcp, tcp.
tunnelSearch String: Tunnel search method for when the interface is shared. Valid values: selectors, nexthop.
type String: Remote gateway type. Valid values: static, dynamic, ddns.
unitySupport String: Enable/disable support for Cisco UNITY Configuration Method extensions. Valid values: disable, enable.
usrgrp String: User group name for dialup peers.
vdomparam String: Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
vni Number: VNI of VXLAN tunnel.
wizardType String: GUI VPN Wizard Type.
xauthtype String: XAuth type. Valid values: disable, client, pap, chap, auto.

Supporting Types

Phase1interfaceBackupGateway
, Phase1interfaceBackupGatewayArgs

Address string: Address of backup gateway.

Address string: Address of backup gateway.

address String: Address of backup gateway.

address string: Address of backup gateway.

address str: Address of backup gateway.

address String: Address of backup gateway.

Phase1interfaceCertificate
, Phase1interfaceCertificateArgs

Name string: Certificate name.

Name string: Certificate name.

name String: Certificate name.

name string: Certificate name.

name str: Certificate name.

name String: Certificate name.