topology
| 1- Select the encryption and authentication algorithms used to gen-
EncryptionAuthentication erate keys for protecting negotiations and add encryption and 2- authentication algorithms as required. EncryptionAuthentication You need to select a minimum of one and a maximum of three 3-Encryp- combinations. The remote peer or client must be configured to tionAuthentication use at least one of the proposals that you define. Select one of the following symmetric-key encryption algorithms: l DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key. l 3DES: Triple-DES, in which plain text is encrypted three times by three keys. l AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key. l AES192: A128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. l AES256: A128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key. Select either of the following authentication message digests to check the authenticity of messages during phase 1 negotiations: l MD5: Message Digest 5, the hash algorithm developed by RSA Data Security. l SHA1: Secure Hash Algorithm 1, which produces a 160bit message digest. l SHA256: Secure Hash Algorithm 2, which produces a 256-bit message digest. To specify a third combination, use the Add button beside the fields for the second combination. |
| DH Group Select one or more Diffie-Hellman groups from DH group 1,
2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. |
| Exchange Mode | Select either Aggressive orMain (ID Protection).
The FortiGate unit and the remote peer or dialup client exchange phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations. l In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information l In Aggressive mode, the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier local ID). Descriptions of the peer options in this guide indicate whether Main or Aggressive mode is required. |
| Key Life | Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds. |
| Enable dead peer detection | Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes. |
| IKE Phase 2 | Define the IKE Phase 2 proposal settings.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer. Auto Key configuration applies to both tunnel-mode and interface-mode VPNs. |
topology
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!