| 1-Encryption
Authentication 2-Encryption Authentication 3-Encryption Authentication |
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define. It is invalid to set both Encryption and Authentication to NULL. Select one of the following symmetric-key encryption algorithms: l NULL: Do not use an encryption algorithm. l DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key. l 3DES: Triple-DES, in which plain text is encrypted three times by three keys. l AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key. l AES192: A128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. l AES256: A128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key. Select either of the following authentication message digests to check the authenticity of messages during phase 1 negotiations: l NULL: Do not use a message digest. l MD5: Message Digest 5, the hash algorithm developed by RSA Data Security. l SHA1: Secure Hash Algorithm 1, which produces a 160bit message digest. l SHA256: Secure Hash Algorithm 2, which produces a 256-bit message digest. To specify a third combination, use the Add button beside the fields for the second combination. |
| DH Group | Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14.
At least one of the DH Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. |
| Enable replay detection | Select to enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. |
| Enable perfect forward secrecy (PFS) | Select to enable or disable perfect forward secrecy (PFS). Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires. |
| Key Life | Select the PFS key life. Select Second, Kbytes, orBoth from the drop-down list and type the value in the text field. |
| Enable autokey keep
alive |
Select to enable or disable autokey keep alive.
The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. |
| Enable auto-negotiate | Select to enable or disable auto-negotiation. |
| Advanced | |
| Enable NAT Traversal | Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. |
| NAT Traversal Keep-alive Frequency | If you enabled NAT-traversal, type a keep-alive frequency setting (10-900 seconds). |
| Authentication | The FortiGate unit implements the Encapsulated Security Payload (ESP) protocol. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, you can specify manual keys. Interface mode, supported in NAT mode only, creates a virtual interface for the local end of a VPN tunnel. |
| Pre-shared Key | If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same key at the remote peer or client. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
Alternatively, you can select to generate a random pre-shared key. |
| Certificates | If you selected Certificates, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiOS UserAuthentication guide. |
| Advanced-Options | For more information on advanced option, see the FortiOS 5.2 CLI Reference. |
| fcc-enforcement | Select to enable or disable FCC enforcement. |
| ike-version | Select the version of IKE to use. This is available only if IPsec Interface Mode is enabled. For more information about IKE v2, refer to RFC 4306.
IKE v2 is not available if Exchange Mode is Aggressive. When IKE Version is set to 2, Mode and XAUTH are not available. |
| inter-vdom | Select to enable or disable the inter-vdom setting. |
| loccalid-type | Select the local ID type from the drop-down list. Select one of:
l auto: Select type automatically l fqdn: Fully Qualified Domain name l user-fqdn: User Fully Qualified Domain Name l keyid: Key Identifier ID l address: IP Address l asn1dn: ASN.1 Distinguished Name |
| negotiate-timeout | Type the negotiation timeout value. The default is 30 seconds. |
Once you have created your VPN topology, you can select to create a new managed gateway or external gateway for the topology.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!