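config vpn ipsec phase1-interface
    # IKE (Phase 1) definition for the site-to-site tunnel to HQ.
    # Authentication is by pre-shared key; the peer is a fixed public address.
    edit "To-HQ"
        set interface "wan1"               # Local WAN interface the tunnel terminates on
        set ike-version 2                  # IKEv2 (1 or 2)
        set type static                    # Remote-gateway type: static/dynamic (the "type" option, not "peertype")
        set remote-gw 203.1.1.1            # Remote VPN gateway IP
        set local-gw 222.1.1.2             # Optional: local public IP
        set psksecret ENC <encrypted-key>  # Pre-shared key (PSK); use a long random value unique to this tunnel
        set proposal aes256-sha256         # Encryption & integrity proposal
        set dhgrp 14                       # Diffie-Hellman group (modp2048)
        set keylife 28800                  # IKE SA lifetime in seconds (8h)
        set dpd on-idle                    # Dead Peer Detection mode
        set dpd-retrycount 3               # DPD retry count (set once; the duplicate lines were removed)
        set dpd-retryinterval 5            # DPD retry interval (sec)
        set localid "Branch1"              # Local ID presented during IKE auth
        set peertype one                   # Accept only the single peer ID below
        set peerid "HQ"                    # Remote peer ID that must be presented
        set nattraversal enable            # Enable NAT-T (UDP 4500)
        set keepalive 10                   # NAT-T keepalive interval (sec); this option takes an integer, not enable/disable
        set autonegotiate enable           # Auto start tunnel
                                           # NOTE(review): auto-negotiate is a phase2-interface option; confirm this keyword is accepted in phase1 on the target FortiOS release
        set add-route enable               # Auto add route when tunnel is up
        set cert-enable disable            # Certificate auth disabled (PSK only)
                                           # NOTE(review): confirm "cert-enable" exists on the target release; authmethod is the usual PSK/signature selector
        set comments "VPN tunnel to HQ"
    next
end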
config vpn ipsec phase2-interface
    # IPsec (Phase 2) child SA for the Branch1 <-> HQ tunnel.
    edit "To-HQ"
        # Binding and traffic selectors
        set phase1name "To-HQ"                          # Bind to Phase1
        set src-subnet 192.168.10.0 255.255.255.0       # Local protected subnet
        set dst-subnet 10.10.10.0 255.255.255.0         # Remote protected subnet (must mirror the peer's selectors)

        # Data-channel cryptography
        set proposal aes256-sha256                      # Encryption/auth for data channel
        set pfs enable                                  # Perfect Forward Secrecy: fresh DH exchange per rekey
        set dhgrp 14                                    # PFS DH group (modp2048)
        set replay enable                               # Anti-replay check on inbound ESP

        # Lifetime and behaviour
        set keylifeseconds 3600                         # Child SA lifetime (1h)
        set auto-negotiate enable                       # Bring the SA up without waiting for traffic
        set comments "Branch1 to HQ IPSec SA"
    next
end