260 01-28006-0010-20041105 Fortinet Inc.
Phase 2 VPN
Phase 2 advanced options
Figure 125:Phase 2 advanced settings
P2 Proposal Add or delete encryption and message digests. Select a minimum of one and
a maximum of three combinations. The remote peer must be configured to
use at least one of the proposals that you define.
You can select any of the following symmetric-key encryption algorithms:
• NULL-Do not use an encryption algorithm.
• DES-Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
• 3DES-Triple-DES, in which plain text is encrypted three times by three
keys.
• AES128-A 128-bit block algorithm that uses a 128-bit key.
• AES192-A 128-bit block algorithm that uses a 192-bit key.
• AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
• NULL-Do not use a message digest.
• MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.
• SHA1-Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the add button beside the fields for the second combination.
Enable replay
detection
Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel. Enable replay detection to check the sequence number
of every IPSec packet to see if it has been received before. If packets arrive
out of sequence, the FortiGate unit discards them.
You can configure the FortiGate unit to send an alert email when it detects a
replay packet. For more information, see “Alert E-mail options” on page 362.
Enable perfect
forward
secrecy (PFS)
Perfect forward secrecy (PFS) improves security by forcing a new
Diffie-Hellman exchange whenever keylife expires.
To Next Page
Loading...
Need help?
General