VPN IPSEC Auto Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 289
Mode
Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. Peer Options settings may require a particular mode. See Peer Options, below.
Authentication Method
Select Pre-shared Key or RSA Signature.
Pre-shared Key
If Pre-shared Key is selected, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Certificate Name
If RSA Signature is selected, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see the FortiGate Certificate Management User Guide.
Peer Options
One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Accept any peer ID
Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). Mode can be set to Aggressive or Main.
Accept this peer ID
Authenticate remote peers based on a particular identifier. Enter the identifier in the field. The remote peer must be configured with the same identifier. This option is available only if the remote peer has a dynamic IP address.
If the remote peer is a FortiGate unit, the identifier must be specified in the Local ID field of the phase 1 configuration. For FortiClient dialup clients, select Config in the Policy section of the Advanced Settings for the connection and specify the identifier in the Local ID field.
Accept peer ID in dialup group
Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes. See “User group” on page 327. Select the group from the list adjacent to the Accept peer ID in dialup group option.
To configure FortiGate dialup clients, refer to the FortiGate IPSec VPN User Guide. To configure FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.
Mode must be set to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.
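The Mode, Pre-shared Key and Peer Options rules above can be checked before a configuration is committed. The following Python linter is an added example, not part of the guide or of any Fortinet tool; the Phase1 field names and the "any", "this_id" and "dialup_group" values are this example's own shorthand for the GUI settings, and the sample configurations are constructed.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MIN_PSK_LEN = 6            # guide: key must contain at least 6 printable characters
RECOMMENDED_PSK_LEN = 16   # guide: at least 16 randomly chosen alphanumeric characters

@dataclass
class Phase1:              # hypothetical model of one phase 1 configuration
    name: str
    interface_ip: str
    dialup: bool               # remote peer/client has a dynamic IP address
    mode: str                  # "main" or "aggressive"
    peer_option: str           # "any", "this_id" or "dialup_group"
    unique_ids: bool = False   # dialup-group clients use unique identifiers
    psk: Optional[str] = None  # None when RSA Signature is the authentication method

def check_psk(psk: str) -> list[str]:
    """Return the guide's pre-shared key rules that the key fails."""
    findings = []
    if len(psk) < MIN_PSK_LEN or not psk.isprintable():
        findings.append("key must be at least 6 printable characters")
    if len(psk) < RECOMMENDED_PSK_LEN or not psk.isalnum():
        findings.append("key below the recommended 16 random alphanumeric characters")
    return findings

def generate_psk(length: int = RECOMMENDED_PSK_LEN) -> str:
    """Generate a key meeting the recommendation, using a CSPRNG."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def lint(configs: list[Phase1]) -> dict[str, list[str]]:
    """Map each phase 1 name to the mode and key rules it violates."""
    dialup_per_ip = Counter(c.interface_ip for c in configs if c.dialup)
    report = {}
    for c in configs:
        f = []
        several = dialup_per_ip[c.interface_ip] > 1   # more than one dialup phase 1 on this IP
        if c.peer_option == "this_id" and not c.dialup:
            f.append("'Accept this peer ID' is only available for a dynamic-IP peer")
        if c.peer_option == "dialup_group" and c.unique_ids and c.mode != "aggressive":
            f.append("unique identifiers with unique keys require Aggressive mode")
        elif (c.dialup or c.peer_option != "any") and several and c.mode != "aggressive":
            f.append("more than one dialup phase 1 on this interface IP requires Aggressive mode")
        if c.psk is not None:
            f.extend(check_psk(c.psk))
        if f:
            report[c.name] = f
    return report
```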