
Fortinet FortiGate Series Administration Guide

764 pages
Auto Key IPSec VPN
FortiGate Version 4.0 MR1 Administration Guide
616 01-410-89802-20090903
http://docs.fortinet.com/Feedback

Defining phase 1 advanced settings

You use the advanced P1 Proposal parameters to select the encryption and
authentication algorithms that the FortiGate unit uses to generate keys for the IKE
exchange. You can also select these advanced settings to ensure the smooth operation of
phase 1 negotiations.

To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE),
select Create Phase 1, and then select Advanced. For information about how to choose
the correct advanced phase 1 settings for your particular situation, see the FortiGate
IPSec VPN User Guide.

Accept peer ID in dialup group

Authenticate multiple FortiGate or FortiClient dialup clients that use
unique identifiers and unique pre-shared keys (or unique pre-shared
keys only) through the same VPN tunnel.

You must create a dialup user group for authentication purposes.
(For more information, see “User Group” on page 666.) Select the
group from the list next to the Accept peer ID in dialup group option.

For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.

You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.

Accept this peer certificate only

This option is available when Authentication Method is set to
RSA Signature.

Authenticate remote peers or dialup clients that use a security
certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before
you can select them here. For more information, see “PKI” on
page 664.

Accept this peer certificate group only

This option is available when Authentication Method is set to
RSA Signature and Remote Gateway is set to Dialup User.

Use a certificate group to authenticate dialup clients that have
dynamic IP addresses and use unique certificates.

Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the “user” chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added by using the config user peer CLI command.
You can also add peer certificates using the web-based manager.
For more information, see “PKI” on page 664.

Advanced

Define advanced phase 1 parameters. For more information, see
“Defining phase 1 advanced settings” on page 616.
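
The prerequisites stated above for the two peer certificate options can be checked against a saved configuration. The following Python check is an added example, not part of the Fortinet guide. It assumes that the CLI keywords authmethod rsa-signature, type dynamic, peertype peer and peertype peergrp correspond to the web-based manager settings described here; the sample configuration and its object names are constructed.

```python
import re

# Constructed FortiOS-style sample, not from the guide; object names are hypothetical.
SAMPLE = """
config user peer
    edit "branch1"
    next
end
config user peergrp
    edit "dialup-certs"
        set member "branch1" "branch2"
    next
end
config vpn ipsec phase1
    edit "dialup-vpn"
        set type dynamic
        set authmethod psk
        set peertype peergrp
        set peergrp "dialup-certs"
    next
end
"""

def parse(text):
    """Parse flat (non-nested) config/edit/set blocks: {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None and len(tok) > 1:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(cfg):
    """Return (phase 1 name, problem) pairs; keyword-to-GUI mapping is an assumption."""
    out, peers, groups = [], cfg.get("user peer", {}), cfg.get("user peergrp", {})
    p1s = {**cfg.get("vpn ipsec phase1", {}), **cfg.get("vpn ipsec phase1-interface", {})}
    for name, p1 in p1s.items():
        get = lambda k: (p1.get(k) or [""])[0]  # first value of a setting, "" if unset
        pt = get("peertype")
        if pt in ("peer", "peergrp") and get("authmethod") != "rsa-signature":
            out.append((name, "peer certificate option requires RSA Signature"))
        if pt == "peergrp" and get("type") != "dynamic":
            out.append((name, "peer certificate group requires Dialup User"))
        members = groups.get(get("peergrp"), {}).get("member", []) if pt == "peergrp" else []
        out += [(name, f"undefined group member {m}") for m in members if m not in peers]
    return out
```

Running audit(parse(SAMPLE)) reports two problems for the constructed entry: the peer group is selected while the authentication method is a pre-shared key, and the group lists a member that has no config user peer entry.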
