Fortinet FortiGate Series Administration Guide
Auto Key IPSec VPN
FortiGate Version 4.0 MR1 Administration Guide
618 01-410-89802-20090903
http://docs.fortinet.com/Feedback
Select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
  MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
  SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit.

Keylife
Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.

Local ID
If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.

XAuth
This option supports the authentication of dialup clients. It is available for IKE v1 only.
  Disable — Select if you do not use XAuth.
  Enable as Client — If the FortiGate unit is a dialup client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
  Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit. For more information, see “Configuring a user group” on page 669.
  You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see “Configuring a RADIUS server” on page 656 or “Configuring an LDAP server” on page 658.
  Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Nat-traversal
Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Keepalive Frequency
If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval ranging from 10 to 900 seconds.

Dead Peer Detection
Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.)
With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the FortiGate CLI Reference.
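As an added example that is not part of the manual, the following Python checker encodes the constraints this table states (digest and DH-group choices, keylife and keepalive ranges, the XAuth conditions, DH-group overlap and matching NAT-traversal settings between peers) so that two peers' planned phase 1 settings can be checked against each other before anything is configured. The Phase1 fields and their names are assumptions chosen for illustration, not FortiOS CLI keywords.

```python
from dataclasses import dataclass

KEYLIFE_RANGE = (120, 172_800)  # seconds, as stated on this page
KEEPALIVE_RANGE = (10, 900)     # seconds, only used with NAT-traversal
DH_GROUPS = {1, 2, 5, 14}
DIGESTS = {"md5", "sha1"}

@dataclass
class Phase1:
    name: str
    digests: set
    dh_groups: set
    keylife: int
    nat_traversal: bool
    keepalive: int = 10
    ike_version: int = 1
    xauth: str = "disable"          # "disable", "client" or "server"
    remote_gateway: str = "static"  # "static" or "dialup"
    user_group: str = ""            # required when xauth == "server"
    dedicated_dialup_client: bool = False
    mode: str = "main"              # "main" or "aggressive"

def check_peer(p):
    """Problems in one peer's phase-1 settings, per the rules on this page."""
    errs = []
    if not p.digests or not p.digests <= DIGESTS:
        errs.append(f"{p.name}: digest must be one or more of {sorted(DIGESTS)}")
    if not p.dh_groups or not p.dh_groups <= DH_GROUPS:
        errs.append(f"{p.name}: DH group must be one or more of {sorted(DH_GROUPS)}")
    if not KEYLIFE_RANGE[0] <= p.keylife <= KEYLIFE_RANGE[1]:
        errs.append(f"{p.name}: keylife {p.keylife}s outside {KEYLIFE_RANGE}")
    if p.nat_traversal and not KEEPALIVE_RANGE[0] <= p.keepalive <= KEEPALIVE_RANGE[1]:
        errs.append(f"{p.name}: keepalive {p.keepalive}s outside {KEEPALIVE_RANGE}")
    if p.xauth != "disable" and p.ike_version != 1:
        errs.append(f"{p.name}: XAuth is available for IKE v1 only")
    if p.xauth == "server" and (p.remote_gateway != "dialup" or not p.user_group):
        errs.append(f"{p.name}: XAuth server needs Remote Gateway = Dialup User and a user group")
    if p.dedicated_dialup_client and p.mode != "aggressive":
        errs.append(f"{p.name}: dedicated dialup client should use Aggressive mode")
    return errs

def check_pair(local, remote):
    """Per-peer problems plus the cross-peer rules: DH overlap and NAT-T parity."""
    errs = check_peer(local) + check_peer(remote)
    if not local.dh_groups & remote.dh_groups:
        errs.append("no DH group is shared between the two peers")
    if local.nat_traversal != remote.nat_traversal:
        errs.append("NAT-traversal must be both selected or both cleared")
    return errs
```

An empty list from check_pair means the two peers' phase 1 settings satisfy every rule in this table; each string in a non-empty list names the peer and the rule it breaks.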