Auto Key IPSec VPN
FortiGate Version 4.0 MR1 Administration Guide
614 01-410-89802-20090903
http://docs.fortinet.com/
Creating a new phase 1 configuration
In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate each other and exchange keys to establish a secure communication channel between them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a pre-shared key or digital certificates will be used to authenticate the identities of the two VPN peers (or a VPN server and its client)
• whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made.
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and
select Create Phase 1. For information about how to choose the correct phase 1 settings
for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 378: New Phase 1
Name: Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on. For a tunnel mode VPN, the name should reflect where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPSec interface that it creates automatically.

Remote Gateway: Select the category of the remote connection:
Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.

IP Address: If you selected Static IP Address, type the IP address of the remote peer.

Dynamic DNS: If you selected Dynamic DNS, type the domain name of the remote peer.
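The following Python check is an added example, not FortiGate code or the FortiOS CLI: it encodes the name-length rule (15 or 35 characters, reduced for dialup gateways by one more than the number of digits in the tunnel count) and the remote-gateway consistency rules from the table above, so that a planned phase 1 definition can be validated before it is entered in the GUI. The Phase1 record, its field names and the sample values are assumptions made for illustration.

```python
"""Check planned FortiGate IPSec phase 1 settings against the rules in this section.

Added example, not FortiGate code. The Phase1 record and its field names are
assumptions for illustration; only the rules themselves come from the guide.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List

# Maximum phase 1 name length before any dialup reduction, per VPN type (from the guide).
MAX_NAME_LEN = {"interface": 15, "policy": 35}

REMOTE_GATEWAY_TYPES = ("static", "dialup", "ddns")  # Static IP Address, Dialup User, Dynamic DNS


def max_phase1_name_length(vpn_type: str, remote_gateway: str, max_dialup_tunnels: int = 0) -> int:
    """Return the longest phase 1 name the guide allows for these settings.

    For a Dialup User gateway the limit shrinks by 2 for up to 9 tunnels, 3 for
    up to 99, 4 for up to 999, and so on: one more than the digit count of the
    largest tunnel number that may be established.
    """
    limit = MAX_NAME_LEN[vpn_type]
    if remote_gateway == "dialup":
        if max_dialup_tunnels < 1:
            raise ValueError("a dialup gateway needs a positive tunnel count")
        limit -= len(str(max_dialup_tunnels)) + 1
    return limit


@dataclass
class Phase1:
    """Assumed record of the GUI fields discussed above (not a FortiGate type)."""
    name: str
    vpn_type: str             # "interface" (route-based) or "policy" (policy-based)
    remote_gateway: str       # "static", "dialup" or "ddns"
    mode: str = "main"        # "main" or "aggressive"
    auth: str = "psk"         # "psk" (pre-shared key) or "certificate"
    ip_address: str = ""      # required when remote_gateway == "static"
    domain_name: str = ""     # required when remote_gateway == "ddns"
    max_dialup_tunnels: int = 0  # only meaningful for remote_gateway == "dialup"


def validate_phase1(p: Phase1) -> List[str]:
    """Return the list of rule violations; an empty list means the settings are consistent."""
    errors: List[str] = []
    if p.vpn_type not in MAX_NAME_LEN:
        return [f"unknown VPN type {p.vpn_type!r}"]
    if p.remote_gateway not in REMOTE_GATEWAY_TYPES:
        return [f"unknown remote gateway type {p.remote_gateway!r}"]
    if p.mode not in ("main", "aggressive"):
        errors.append(f"unknown phase 1 mode {p.mode!r}")
    if p.auth not in ("psk", "certificate"):
        errors.append(f"unknown authentication method {p.auth!r}")

    # Name length, including the dialup reduction.
    try:
        limit = max_phase1_name_length(p.vpn_type, p.remote_gateway, p.max_dialup_tunnels)
    except ValueError as exc:
        errors.append(str(exc))
    else:
        if not p.name:
            errors.append("name is required")
        elif len(p.name) > limit:
            errors.append(f"name {p.name!r} is {len(p.name)} characters; limit is {limit}")

    # Each Remote Gateway category needs its own address field filled in.
    if p.remote_gateway == "static":
        try:
            ipaddress.ip_address(p.ip_address)
        except ValueError:
            errors.append(f"Static IP Address gateway needs a valid IP address, got {p.ip_address!r}")
    if p.remote_gateway == "ddns" and not p.domain_name:
        errors.append("Dynamic DNS gateway needs the remote peer's domain name")
    return errors


def phase1_advisories(p: Phase1) -> List[str]:
    """Non-fatal points the guide raises: aggressive mode does not encrypt authentication data."""
    notes: List[str] = []
    if p.mode == "aggressive":
        notes.append("aggressive mode exchanges authentication information unencrypted; prefer main mode")
    return notes


if __name__ == "__main__":
    # Constructed sample: a 15-character name fits an interface-mode static peer but not a dialup one.
    peer = Phase1("branch_office_1", "interface", "static", ip_address="203.0.113.10")
    print(validate_phase1(peer))  # no errors
    dialup = Phase1("branch_office_1", "interface", "dialup", max_dialup_tunnels=9)
    print(validate_phase1(dialup))  # name too long: limit is 15 - 2 = 13
```

The dialup reduction is computed rather than looked up, so the check also covers tunnel counts beyond the three cases the table lists, following the "and so on" in the guide.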