Command Reference Guide

Chapter 3. Command Reference
X Family CLI Reference V 2.5.1
auto-connect-phase2 < enable | disable >
enables phase 2 auto-connect. Use auto-connect if you want to initiate the VPN on
startup with IKE phase 2 proposals automatically established.
ca-cert < any | certificate-name >
specifies the name of the CA certificate, if you are using certificates for
authentication.
dpd < enable | disable >
enables dead peer detection.
local-id-type < ip | email | domain | dn >
configures the identifier that the device will use for validation purposes. Use this if
you are using pre-shared key with aggressive mode. This identifier must match the
remote Peer ID Type.
local-x509-cert certificate-name
specifies the name of the local certificate if you are using certificates for
authentication.
nat-t < enable | disable >
enables NAT-Traversal. Use NAT-Traversal if there is a NAT device between the
two VPN devices.
peer-id-type < ip | email | domain | dn >
selects the identifier for the device to use for validation purposes, either IP address,
email address or domain name. This must match the local ID type.
pfs < enable | disable >
enables or disables Perfect Forward Secrecy.
phase1-dh-group < 1 | 2 | 5 >
selects the Diffie-Hellman group number for IKE phase 1.
phase1-encryption < des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 >
configures encryption for IKE phase 1. Some options are only valid on the High
Encryption agent, which can be downloaded from the TMC.
phase1-integrity < md5 | sha1 >
configures integrity for IKE phase 1.
Note: To enable phase 2 auto-connect, phase 1 auto-connect (auto-connect
enable) must also be enabled.
Note: The local IDs for the email address and domain name types are configured
in the IKE Proposal. The local ID for the IP address type is the WAN IP address.
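
The following is an added example, not part of the original reference or the vendor's tooling: a small Python check that validates proposal settings against the option lists above and flags the weaker choices. The review policy in WEAK and the one-setting-per-line input format are assumptions of this example, and the sample settings are constructed.

```python
# Allowed values, copied from the command syntax on this page.
ALLOWED = {
    "auto-connect-phase2": {"enable", "disable"},
    "pfs": {"enable", "disable"},
    "phase1-dh-group": {"1", "2", "5"},
    "phase1-encryption": {"des-cbc", "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"},
    "phase1-integrity": {"md5", "sha1"},
}
# Review policy: an assumption of this example, not vendor guidance.
WEAK = {
    ("phase1-encryption", "des-cbc"): "single DES has a 56-bit key",
    ("phase1-encryption", "3des-cbc"): "3DES has a 64-bit block and is deprecated",
    ("phase1-integrity", "md5"): "MD5 is deprecated; sha1 is the stronger listed option",
    ("phase1-dh-group", "1"): "768-bit MODP group",
    ("phase1-dh-group", "2"): "1024-bit MODP group",
    ("pfs", "disable"): "without PFS, phase 2 keys depend on phase 1 keying material",
}

def audit(text):
    """Return findings for one proposal's settings, one 'keyword value' per line."""
    settings, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], " ".join(parts[1:])
        if key in ALLOWED and value not in ALLOWED[key]:
            findings.append(f"line {n}: invalid value {value!r} for {key}")
            continue
        settings[key] = value
        if (key, value) in WEAK:
            findings.append(f"line {n}: {key} {value}: {WEAK[(key, value)]}")
    # Dependency from the Note above: phase 2 auto-connect needs phase 1 auto-connect.
    if settings.get("auto-connect-phase2") == "enable" and settings.get("auto-connect") != "enable":
        findings.append("auto-connect-phase2 enable requires auto-connect enable")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_WEAK = ("phase1-encryption des-cbc\nphase1-integrity md5\n"
               "phase1-dh-group 1\npfs disable\nauto-connect-phase2 enable\n")
SAMPLE_HARDENED = ("auto-connect enable\nauto-connect-phase2 enable\n"
                   "phase1-encryption aes-cbc-256\nphase1-integrity sha1\n"
                   "phase1-dh-group 5\npfs enable\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print(finding)
```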