
Fortinet FortiGate Series Administration Guide

Fortinet FortiGate Series
764 pages
What’s new in FortiOS Version 4.0 MR1 IPsec protocol improvements
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 67
http://docs.fortinet.com/Feedback
All dashboard widgets are available for use in the VDOM dashboard except for License
Information, Alert Message Console, Top Viruses, and Top Attacks. The available widgets
differ from their global equivalents as follows:
IPsec protocol improvements
FortiOS 4.0 MR1 will support IKEv2. Previous versions of FortiOS supported only IKEv1.
Support for IKEv2
FortiOS 4.0 MR1 supports IKEv2 (RFC 4306) for route-based VPNs only. Most IKEv1
configurations also work using IKEv2, except that:
• Extensible Authentication Protocol (XAUTH) is not available.
• Except for dialup server configurations, “selector narrowing” is not supported.
• IKEv2 has no equivalent of aggressive mode. It cannot match the gateway by ID.
Also, FortiGate HA does not provide stateful failover for IKEv2. VPNs must reconnect.
In the web-based manager, the IKE Version selection is visible in Phase 1 advanced
settings when Enable IPsec Interface Mode is enabled.
In the CLI, you select the IKE version as follows:
    config vpn ipsec phase1-interface
        edit <gateway_name>
            set ike-version {1 | 2}
    end
The ike-version keyword is not available if mode is aggressive. When
ike-version is 2, the mode, mode-cfg, and xauthtype keywords are not available.
Support for DH-2048 (Group 14)
In Phase 1 and Phase 2 auto-key IPsec VPN configurations, Diffie-Hellman Group 14 is
available. This provides a key strength of 2048 bits. In previous releases of FortiOS,
group 14 was available only in FIPS-CC mode.
In the web-based manager, you go to VPN > IPsec > Auto Key to create Phase 1 or
Phase 2 configurations. For both Phase 1 and Phase 2, the Diffie-Hellman groups
selection is part of the Advanced settings.
In the CLI, the dhgrp keyword now accepts the value 14 when you edit a VPN
configuration in any of the following commands:
    config vpn ipsec phase1
    config vpn ipsec phase1-interface
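
The keyword rules for ike-version and the new dhgrp value described above can be checked against a configuration backup. The following Python is an added example, not part of the Fortinet guide; the sample configuration and gateway names are constructed, and treating an unset dhgrp as lacking group 14 is an assumption of the example.

```python
# Constructed sample in FortiOS CLI syntax; gateway names are made up.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set ike-version 2
        set dhgrp 14
    next
    edit "legacy-dialup"
        set ike-version 2
        set xauthtype auto
        set dhgrp 2 5
    next
end
config vpn ipsec phase1
    edit "policy-vpn"
        set mode aggressive
        set dhgrp 5 14
    next
end
"""
SECTIONS = ("config vpn ipsec phase1", "config vpn ipsec phase1-interface")
# Keywords the guide lists as unavailable when ike-version is 2.
IKEV2_UNAVAILABLE = ("mode", "mode-cfg", "xauthtype")

def parse_phase1(text):
    """Return {(section, gateway): {keyword: [values]}} for Phase 1 sections."""
    gateways, section, name = {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            section = " ".join(tok) if " ".join(tok) in SECTIONS else None
        elif tok[0] == "end":
            section = name = None
        elif section and tok[0] == "edit":
            name = tok[1].strip('"')
            gateways[(section, name)] = {}
        elif section and name and tok[0] == "set":
            gateways[(section, name)][tok[1]] = tok[2:]
    return gateways

def audit(text):
    """List (gateway, finding) pairs; an unset dhgrp counts as lacking group 14."""
    findings = []
    for (_, name), kw in parse_phase1(text).items():
        if kw.get("ike-version") == ["2"]:
            findings += [(name, f"ikev2-conflict:{k}") for k in IKEV2_UNAVAILABLE if k in kw]
        if "14" not in kw.get("dhgrp", []):
            findings.append((name, "no-dh-group-14"))
    return findings
```

Calling audit(SAMPLE) reports two findings, both for legacy-dialup: the xauthtype keyword alongside ike-version 2, and a dhgrp list without group 14.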
Table 3: Differences between global and VDOM dashboard widgets

| Widget | Differences with global widget |
| --- | --- |
| System information | Cannot enable/disable Virtual Domains. No listing of current administrators. |
| CLI Console | User is logged into the current VDOM and cannot access global configurations. |
| Unit Operation | Unit reboot and shutdown are not available. Cannot configure management service or FortiAnalyzer unit. No information about network ports. |
| Top Sessions | Shows only sessions for this VDOM. |
| Traffic History | Can select only interfaces or VLANs belonging to this VDOM. |
