266
01-28011-0254-20051115 Fortinet Inc.
VPN
Phase 2
You configure phase 2 settings to specify the parameters for creating and maintaining a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings.

DH Group
    Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. When using aggressive mode, DH groups cannot be negotiated.
    • If both VPN peers have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or client.
    • When the VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.
    • If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or client must be identical to the selections on the FortiGate unit.

Keylife
    Type the amount of time (in seconds) that will be allowed to pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.

Local ID
    If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange.
    If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.
    If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.

XAuth
    This option is provided to support the authentication of dialup clients.
    If the FortiGate unit is a dialup client and you select Enable as Client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
    If Remote Gateway is set to Dialup User and dialup clients will authenticate as members of a dialup group, the FortiGate unit can act as an XAuth server. To select Enable as Server, you must first create user groups to identify the dialup clients that need access to the network behind the FortiGate unit. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see “User” on page 249. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Nat-traversal
    Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared).

Keepalive Frequency
    If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds.

Dead Peer Detection
    Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
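The DH group, keylife, NAT traversal and keepalive rules above are easy to get wrong when the two ends of a tunnel are configured by different people. The following script is an added example, not Fortinet code: it encodes those rules as a pre-deployment check that compares a local FortiGate phase 1 configuration against what the remote peer or client is set to. The `Phase1` class, its field names and the sample configurations are all constructed for illustration and do not correspond to the FortiGate CLI.

```python
"""Pre-deployment sanity check for FortiGate phase 1 advanced settings.

Added example (not Fortinet code). Encodes the DH group, keylife, NAT
traversal and keepalive rules from the manual so a local configuration
can be compared with the remote peer's before the tunnel is brought up.
All names and values are constructed for illustration.
"""
from dataclasses import dataclass

ALLOWED_DH_GROUPS = {1, 2, 5}      # groups offered by this firmware
KEYLIFE_RANGE = (120, 172800)      # seconds
KEEPALIVE_RANGE = (0, 900)         # seconds; only used with NAT traversal


@dataclass
class Phase1:
    """Hypothetical model of one end's phase 1 settings."""
    name: str
    mode: str                      # "main" or "aggressive"
    dh_groups: set
    static_ip: bool                # False for a dialup / dynamic peer
    keylife: int = 28800
    nat_traversal: bool = False
    keepalive: int = 10


def check_dh_groups(fgt: Phase1, peer: Phase1) -> list:
    """Apply the manual's DH group rules; return a list of problems (empty = OK)."""
    problems = []
    bad = (fgt.dh_groups | peer.dh_groups) - ALLOWED_DH_GROUPS
    if bad:
        problems.append(f"unsupported DH group(s): {sorted(bad)}")
    if fgt.mode != peer.mode:
        problems.append(f"mode mismatch: FortiGate {fgt.mode}, peer {peer.mode}")
        return problems
    if fgt.mode == "aggressive":
        # Aggressive mode cannot negotiate: the remote side proposes one group.
        if len(peer.dh_groups) != 1:
            problems.append("aggressive mode: remote peer must select a single DH group")
        if fgt.static_ip and peer.static_ip:
            # Both static: a single, identical group on both ends.
            if len(fgt.dh_groups) != 1:
                problems.append("aggressive mode with static IPs: FortiGate must select a single DH group")
            if fgt.dh_groups != peer.dh_groups:
                problems.append("aggressive mode with static IPs: FortiGate and peer DH group must be identical")
        else:
            # Dynamic peer: FortiGate may list up to three; the peer's one must be among them.
            if len(fgt.dh_groups) > 3:
                problems.append("aggressive mode with dynamic peer: FortiGate may select at most three DH groups")
            if not peer.dh_groups <= fgt.dh_groups:
                problems.append("aggressive mode: peer DH group not among FortiGate selections")
    else:
        # Main mode negotiates: any group in common is enough.
        if not (fgt.dh_groups & peer.dh_groups):
            problems.append("main mode: no DH group in common")
    return problems


def check_timers(fgt: Phase1, peer: Phase1) -> list:
    """Check keylife range, matching NAT traversal setting and keepalive range."""
    problems = []
    lo, hi = KEYLIFE_RANGE
    if not lo <= fgt.keylife <= hi:
        problems.append(f"keylife {fgt.keylife}s outside {lo}-{hi}s")
    if fgt.nat_traversal != peer.nat_traversal:
        problems.append("NAT traversal must be both selected or both cleared")
    if fgt.nat_traversal:
        lo, hi = KEEPALIVE_RANGE
        if not lo <= fgt.keepalive <= hi:
            problems.append(f"keepalive {fgt.keepalive}s outside {lo}-{hi}s")
    return problems


def validate(fgt: Phase1, peer: Phase1) -> list:
    """All problems found for this FortiGate / peer pair."""
    return check_dh_groups(fgt, peer) + check_timers(fgt, peer)


# Constructed sample: FortiGate with a dialup client in aggressive mode.
FGT_DIALUP = Phase1("hq", "aggressive", {1, 2, 5}, static_ip=True,
                    nat_traversal=True, keepalive=30)
PEER_DIALUP = Phase1("laptop", "aggressive", {5}, static_ip=False,
                     nat_traversal=True)

# Constructed sample: two static gateways in main mode with no common group.
FGT_SITE = Phase1("hq", "main", {1, 2}, static_ip=True, keylife=86400)
PEER_SITE = Phase1("branch", "main", {5}, static_ip=True)

if __name__ == "__main__":
    for f, p in ((FGT_DIALUP, PEER_DIALUP), (FGT_SITE, PEER_SITE)):
        print(f"{f.name} <-> {p.name}:", validate(f, p) or "OK")
```

The dialup pair passes because the client's single group (5) is among the three the FortiGate offers and both ends have NAT traversal enabled; the site-to-site pair is flagged because main mode still needs at least one group in common. Running such a check from a change-control script catches the silent failure mode where phase 1 never completes and the only symptom is a tunnel that stays down.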