Fortinet FortiWAN - Page 188

Fortinet FortiWAN
311 pages
IPSec set up
Remote IP
Type the IP address of the remote FortiWAN's WAN port used to establish the IPSec VPN tunnel with the local FortiWAN unit. Packets of IKE negotiations (both Phase 1 and Phase 2) and IPSec VPN communications are transferred through the WAN port on the remote side. Note that only a static IP address is supported; please make sure the WAN link type is Routing Mode, Bridge Mode: One Static IP or Bridge Mode: Multiple Static IP. The Remote IP address must equal the Local IP on the opposite unit that the local unit establishes the IPSec VPN with.
- Please make sure the entered IP address is equal to the IP address of the WAN port that you would like to employ to establish the IPSec VPN; the system does not run error checking on this. An incorrect IP address causes the negotiations to fail.
- A duplicate Remote IP (or pair of Local IP and Remote IP) of one Phase 1 configuration is not acceptable in other Phase 1 configurations. Please make sure no two Phase 1 configurations share the same Remote IP. See "Limitation in the IPSec deployment" for details.
- In Transport mode, the Local IP and Remote IP of a Phase 1 configuration must be equal to the Local IP and Remote IP of the TR tunnel that IPSec protects, so that TR packets match the ISAKMP SA and are protected by ESP encapsulation. See "Tunnel Routing".
- Additional routing policies are necessary for the system to route the packets of IKE negotiations and IPSec VPN communications to the IP address (WAN port) you define here (see "Define routing policies for an IPSec VPN").
Authentication Method
Only Pre-Shared Key is supported. Enter the pre-shared key in the field "Input key" next to the drop-down menu. The pre-shared key is used by the local and remote FortiWAN units to authenticate each other's identity during IKE Phase 1 negotiations. Make sure both the local and remote units are configured with the same key. For stronger protection against currently known attacks, a key consisting of a minimum of 16 randomly chosen alphanumeric characters is suggested.
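Because the page states that the system does not error-check the Remote IP, and the Phase 1 constraints above (static endpoint addresses, no duplicate Remote IP, transport-mode endpoints matching the protected TR tunnel, a pre-shared key of at least 16 random alphanumeric characters) all have to be satisfied by the administrator, the following is an added pre-deployment check that covers both the Remote IP bullets and the pre-shared key guidance. It is example code written for this page, not FortiWAN's own software; the Phase1 and TRTunnel classes, the field names, and the sample addresses are constructed for illustration.

```python
import ipaddress
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, minimal model of the settings described on this page
# (hypothetical names; not FortiWAN's own data structures).
@dataclass
class TRTunnel:
    name: str
    local_ip: str
    remote_ip: str

@dataclass
class Phase1:
    name: str
    local_ip: str
    remote_ip: str
    psk: str
    mode: str = "tunnel"                    # "tunnel" or "transport"
    tr_tunnel: Optional[TRTunnel] = None    # the TR tunnel protected in transport mode

ALNUM = string.ascii_letters + string.digits
MIN_PSK_LEN = 16   # page: at least 16 randomly chosen alphanumeric characters

def generate_psk(length: int = 24) -> str:
    """Random alphanumeric pre-shared key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def psk_problems(psk: str) -> List[str]:
    """Report deviations from the page's pre-shared key suggestion."""
    out: List[str] = []
    if len(psk) < MIN_PSK_LEN:
        out.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    if any(c not in ALNUM for c in psk):
        out.append("pre-shared key contains non-alphanumeric characters")
    return out

def validate_phase1(configs: List[Phase1]) -> Dict[str, List[str]]:
    """Return {config name: [problems]} for every Phase 1 config with at least one problem."""
    problems: Dict[str, List[str]] = {}
    seen_remote: Dict[str, str] = {}   # Remote IP -> name of the config that already uses it
    for cfg in configs:
        errs: List[str] = []
        # Both endpoints must be static, well-formed IP addresses.
        for label, ip in (("Local IP", cfg.local_ip), ("Remote IP", cfg.remote_ip)):
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errs.append(f"{label} {ip!r} is not a valid static IP address")
        # No two Phase 1 configurations may share a Remote IP.
        if cfg.remote_ip in seen_remote:
            errs.append(f"Remote IP duplicates Phase 1 {seen_remote[cfg.remote_ip]!r}")
        else:
            seen_remote[cfg.remote_ip] = cfg.name
        # Transport mode: endpoints must equal the protected TR tunnel's endpoints.
        if cfg.mode == "transport":
            t = cfg.tr_tunnel
            if t is None:
                errs.append("transport mode requires the protected TR tunnel to be specified")
            elif (t.local_ip, t.remote_ip) != (cfg.local_ip, cfg.remote_ip):
                errs.append(f"TR tunnel {t.name!r} endpoints differ from the Phase 1 Local IP/Remote IP")
        errs.extend(psk_problems(cfg.psk))
        if errs:
            problems[cfg.name] = errs
    return problems

if __name__ == "__main__":
    # Constructed sample: one clean config, one with a duplicate Remote IP,
    # one transport-mode config with several mistakes.
    sample = [
        Phase1("siteA", "203.0.113.10", "198.51.100.20", generate_psk()),
        Phase1("siteB", "203.0.113.11", "198.51.100.20", "x" * 16),
        Phase1("siteC", "203.0.113.12", "not-an-ip", "short", mode="transport",
               tr_tunnel=TRTunnel("tr1", "203.0.113.12", "198.51.100.30")),
    ]
    for name, errs in validate_phase1(sample).items():
        print(name, "->", "; ".join(errs))
```

Whether the key actually matches on the opposite unit cannot be checked locally; the script only catches what a single unit's configuration reveals, so the Local IP/Remote IP pairing with the peer still has to be verified against the remote unit's settings.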
Mode
Main mode: the Phase 1 parameters are exchanged in six messages, and identity authentication is more secure because it is encrypted with the negotiated secret key.
Dead Peer Detection
Check to enable monitoring of the current existence and availability of the remote unit. DPD sends a detection message to the remote unit periodically, at the specified time interval. The IPSec tunnel is considered down if the local unit sends the detection message five consecutive times without a response from the remote unit. When a disconnection is recognized, the active ISAKMP SA (and the corresponding IPSec SAs) are removed immediately whether or not the secret keys have expired (a renegotiation is not performed automatically).
Delay: Set the time interval at which DPD periodically sends the detection message.
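The DPD behaviour described above (one probe per Delay interval, tunnel declared down after five consecutive unanswered probes, immediate removal of the ISAKMP SA and its IPSec SAs with no automatic renegotiation) is easiest to reason about as a small state machine. The following is an added simulation written for this page, not FortiWAN's implementation; the IPSecTunnel class, the SA identifiers and the probe-outcome lists are constructed, and the peer's replies are supplied as a list so the example runs offline.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_MISSED = 5   # page: down after five consecutive unanswered detection messages

@dataclass
class IPSecTunnel:
    name: str
    dpd_delay: float                              # "Delay": seconds between probes
    isakmp_sa: Optional[str] = "isakmp-sa-1"      # hypothetical SA identifiers
    ipsec_sas: List[str] = field(default_factory=lambda: ["esp-sa-in", "esp-sa-out"])
    missed: int = 0                               # consecutive unanswered probes
    events: List[Tuple[float, str]] = field(default_factory=list)

    @property
    def is_up(self) -> bool:
        return self.isakmp_sa is not None

    def on_probe_result(self, answered: bool, now: float) -> None:
        """Apply the outcome of one detection message sent at time `now`."""
        if not self.is_up:
            return                                # no SA left to monitor
        if answered:
            self.missed = 0                       # any reply resets the counter
            return
        self.missed += 1
        if self.missed >= MAX_MISSED:
            # Peer declared dead: drop the ISAKMP SA and its child SAs at once,
            # regardless of key lifetime, and do not renegotiate automatically.
            self.events.append((now, f"peer dead: removed {self.isakmp_sa} and {self.ipsec_sas}"))
            self.isakmp_sa = None
            self.ipsec_sas = []

def simulate_dpd(tunnel: IPSecTunnel, peer_answers: List[bool]) -> Optional[float]:
    """Send one probe every dpd_delay seconds; return the time the tunnel went down, or None."""
    for i, answered in enumerate(peer_answers):
        now = i * tunnel.dpd_delay
        tunnel.on_probe_result(answered, now)
        if not tunnel.is_up:
            return now
    return None

if __name__ == "__main__":
    # Constructed outcome sequences: True = reply received, False = no reply.
    t = IPSecTunnel("siteA", dpd_delay=10)
    print("down at", simulate_dpd(t, [True, True, False, False, True] + [False] * 5), "s")
    for when, what in t.events:
        print(f"t={when:.0f}s {what}")
    t2 = IPSecTunnel("siteB", dpd_delay=5)
    print("down at", simulate_dpd(t2, [False] * 4 + [True] + [False] * 4))  # None: never five in a row
```

The second run shows the edge case worth remembering when tuning Delay: a single reply resets the counter, so a peer that answers one probe in every five is never declared dead, and the detection time for a truly dead peer is five times the configured Delay.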
188 FortiWAN Handbook
Fortinet Technologies Inc.
