FortiGate Version 3.0 MR4 Administration Guide
290 01-30004-0203-20070102
Auto Key VPN IPSEC
Defining phase 1 advanced settings
The advanced P1 Proposal parameters select the encryption and authentication
algorithms that the FortiGate unit uses to generate keys for the IKE exchange.
Additional advanced phase 1 settings can be selected to ensure the smooth
operation of phase 1 negotiations.
To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC >
Auto Key (IKE), select Create Phase 1, and then select Advanced.
Figure 177:Phase 1 advanced settings
Accept this
peer certificate
only
Authenticate remote peers or dialup clients using a security
certificate. Select the certificate from the list adjacent to the option.
You must add peer certificates to the FortiGate configuration through
the User > PKI page before you can select them here. For more
information, see PKI Certificates.
If the remote VPN peer or client has a dynamic IP address, set Mode
to Aggressive.
This option is available when Authentication Method is set to RSA
Signature.
Accept this
peer certificate
group only
Use a certificate group to authenticate dialup clients that have
dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the “user” chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added through the User > PKI page or the config
user peer CLI command.
If the remote VPN peer or client has a dynamic IP address, set Mode
to Aggressive.
This option is available when Authentication Method is set to RSA
Signature and Remote Gateway is set to Dialup User.
Advanced Define advanced phase 1 parameters. See “Defining phase 1
advanced settings” on page 290.
Add
To Next Page
Loading...
Need help?
General