VPN IPSEC Auto Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 291
Enable IPSec Interface Mode
Create a virtual interface for the local end of the VPN tunnel. This option is not available in Transparent mode.

Local Gateway IP
If you selected Enable IPSec Interface Mode, you need to specify an IP address for the local end of the VPN tunnel. Select one of the following:
Main Interface IP - the FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see "Interface" on page 69).
Specify - specify an IP address. The IP address is assigned to the physical, aggregate, or VLAN interface selected in the phase 1 Local Interface field (see "Local Interface" on page 288).
You cannot configure Interface mode in a Transparent mode VDOM.

P1 Proposal
Select the encryption and authentication algorithms used to generate keys for protecting the phase 1 negotiation. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
You can select any of the following symmetric-key algorithms:
DES - Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES - Triple DES, in which the plaintext is encrypted three times with three DES keys.
AES128 - a 128-bit block algorithm that uses a 128-bit key.
AES192 - a 128-bit block algorithm that uses a 192-bit key.
AES256 - a 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
MD5 - Message Digest 5, the 128-bit hash algorithm designed by Ron Rivest (RFC 1321).
SHA1 - Secure Hash Algorithm 1, which produces a 160-bit message digest.
DES (56-bit key) and MD5 are offered for interoperability with older peers; where the remote peer supports it, prefer AES with SHA1.
To specify a third combination, use the Add button beside the fields for the second combination.

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5 (768-bit, 1024-bit and 1536-bit moduli respectively; group 5 is the strongest of the three). When using aggressive mode, DH groups cannot be negotiated, because the initiator sends its Diffie-Hellman public value in its first message, so the group is fixed before the responder replies.
If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.
When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.
If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or client must be identical to one of the selections on the FortiGate unit.

Keylife
Type the length of time (in seconds) until the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.
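The following is an added example, not part of the FortiGate guide, that turns the constraints in the P1 Proposal, DH Group and Keylife rows above into a pre-deployment check and a small simulation of whether two peers would agree in phase 1. The `set proposal` / `set dhgrp` / `set mode` / `set keylife` syntax it parses is modelled on FortiGate CLI phase 1 output and is an assumption; the sample configurations are constructed, and the "weak" warnings for DES and DH group 1 are the editor's addition rather than a rule stated on the page.

```python
import re

# Phase 1 options the page lists, with symmetric key sizes in bits.
ENCRYPTION_KEY_BITS = {"des": 56, "3des": 168, "aes128": 128, "aes192": 192, "aes256": 256}
HASHES = ("md5", "sha1")
DH_GROUPS = (1, 2, 5)
KEYLIFE_MIN, KEYLIFE_MAX = 120, 172800  # seconds
MAX_PROPOSALS = 3
# Editor's additions, not from the page: flag DES (56-bit key) and DH group 1 (768-bit MODP).
WEAK_ENCRYPTION = {"des"}
WEAK_DH_GROUPS = {1}


def parse_phase1(text):
    """Parse 'set <option> <value...>' lines into {option: [values]}.

    The layout imitates FortiGate CLI phase 1 output (an assumption); the GUI
    fields above correspond to the options proposal, dhgrp, mode and keylife.
    """
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
    return cfg


def check_phase1(cfg, remote_has_static_ip=True):
    """Return the rule violations for one phase 1 config (empty list = acceptable)."""
    problems = []
    proposals = cfg.get("proposal", [])
    if not 1 <= len(proposals) <= MAX_PROPOSALS:
        problems.append(f"select 1 to {MAX_PROPOSALS} proposals, got {len(proposals)}")
    for prop in proposals:
        enc, _, auth = prop.partition("-")
        if enc not in ENCRYPTION_KEY_BITS or auth not in HASHES:
            problems.append(f"unknown proposal {prop!r}")
        elif enc in WEAK_ENCRYPTION:
            problems.append(f"weak encryption in {prop!r}: {ENCRYPTION_KEY_BITS[enc]}-bit key")
    groups = []
    for g in cfg.get("dhgrp", []):
        if g.isdigit() and int(g) in DH_GROUPS:
            groups.append(int(g))
        else:
            problems.append(f"unknown DH group {g!r}")
    if not groups:
        problems.append("select at least one DH group")
    problems += [f"weak DH group {g}" for g in groups if g in WEAK_DH_GROUPS]
    # Aggressive mode cannot negotiate the group: with a static peer both sides pin one group.
    mode = cfg.get("mode", ["main"])[0]
    if mode == "aggressive" and remote_has_static_ip and len(groups) != 1:
        problems.append("aggressive mode with a static peer: select exactly one DH group")
    keylife = int(cfg.get("keylife", ["28800"])[0])  # 28800 s assumed as the default
    if not KEYLIFE_MIN <= keylife <= KEYLIFE_MAX:
        problems.append(f"keylife {keylife} s outside {KEYLIFE_MIN}-{KEYLIFE_MAX}")
    return problems


def negotiate(local, remote, remote_has_static_ip=True):
    """Simulate the phase 1 match the page describes; return (proposal, dh_group) or None.

    Proposals need any overlap (the first local proposal the peer also offers is
    taken here). For the DH group, main mode needs any overlap; in aggressive
    mode the group is fixed by the initiator, so a dialup peer's single group
    must be among the local selections and two static peers must match exactly.
    """
    common = [p for p in local.get("proposal", []) if p in remote.get("proposal", [])]
    if not common:
        return None
    local_dh = [int(g) for g in local.get("dhgrp", [])]
    remote_dh = [int(g) for g in remote.get("dhgrp", [])]
    if local.get("mode", ["main"])[0] == "aggressive":
        if remote_has_static_ip:
            return (common[0], local_dh[0]) if len(local_dh) == 1 and local_dh == remote_dh else None
        return (common[0], remote_dh[0]) if len(remote_dh) == 1 and remote_dh[0] in local_dh else None
    shared = [g for g in local_dh if g in remote_dh]
    return (common[0], shared[0]) if shared else None


# Constructed sample configurations (not taken from a real unit).
GOOD_PHASE1 = """
set mode main
set proposal aes256-sha1 aes128-sha1
set dhgrp 5 2
set keylife 28800
"""
BAD_PHASE1 = """
set mode aggressive
set proposal des-md5 aes256-sha1
set dhgrp 1 2
set keylife 60
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PHASE1), ("bad", BAD_PHASE1)):
        print(name, check_phase1(parse_phase1(text)) or "ok")
    print(negotiate(parse_phase1(GOOD_PHASE1), parse_phase1("set proposal aes128-sha1\nset dhgrp 2")))
```

Run against `BAD_PHASE1`, the check reports four findings: the DES proposal, DH group 1, two groups selected in aggressive mode against a static peer, and a keylife below the 120-second floor. `negotiate()` is deliberately simple (it ignores the responder's own preference order) but is enough to confirm, before touching a production unit, that the group and proposal you intend to pin on a dialup client actually appears in the FortiGate's selections.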
