fortigate-ipsec-40-mr3
Configuring IKE Mode Config Supporting IKE Mode config clients<br />
Configuring IKE Mode Config<br />
IKE Mode Config is configured with the CLI command vpn <strong>ipsec</strong> phase1-interface.<br />
The mode-cfg variable enables IKE Mode Config. The type field<br />
determines whether you are creating an IKE Mode Config server or a client. Setting type<br />
to dynamic creates a server configuration, otherwise the configuration is a client.<br />
Configuring an IKE Mode Config client<br />
If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE<br />
Mode Config, the relevant vpn <strong>ipsec</strong> phase1-interface variables are as follows:<br />
Variable: Description<br />
ike-version 1: IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is not compatible with IKE v2.<br />
mode-cfg enable: Enable IKE Mode Config.<br />
type {ddns | static}: If you set type to dynamic, an IKE Mode Config server is created.<br />
assign-ip {enable | disable}: Enable to request an IP address from the server.<br />
interface: This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.<br />
proposal: This is a regular IPsec VPN field that determines the<br />
<br />
will accept. For more information, see “Defining IKE negotiation parameters” on page 49.<br />
mode-cfg-ip-version {4|6}: Select if the Method client receives an IPv4 or IPv6 IP address. The default is 4. The ip-version setting matches this variable’s value.<br />
ip-version: This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.<br />
Configuring an IKE Mode Config server<br />
If the FortiGate unit will accept connection requests from dialup clients that support IKE<br />
Mode Config, the following vpn <strong>ipsec</strong> phase1-interface settings are required<br />
before any other configuration is attempted:<br />
Variable: Description<br />
ike-version 1: IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is not compatible with IKE v2.<br />
mode-cfg enable: Enable IKE Mode Config.<br />
type dynamic: Any other setting creates an IKE Mode Config client.<br />
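The following Python check is an added example, not part of the Fortinet guide: it reads a FortiOS configuration backup and applies the rules from the two tables above (type dynamic means server, IKE v1 only, mode-cfg-ip-version matching ip-version). The function names and the sample configuration are assumptions made for illustration.<br />

```python
SAMPLE = """config vpn ipsec phase1-interface
    edit "dialup-server"
        set type dynamic
        set mode-cfg enable
    next
    edit "to-hq"
        set type static
        set ike-version 2
        set mode-cfg enable
        set mode-cfg-ip-version 6
    next
    edit "site2site"
        set type static
    next
end"""  # constructed sample backup excerpt, not taken from the page

def parse_phase1(text):
    """Return {entry name: {variable: value}} for vpn ipsec phase1-interface."""
    entries, name, inside, depth = {}, None, False, 0
    for line in text.splitlines():
        w = line.split(None, 2)
        if line.strip() == "config vpn ipsec phase1-interface":
            inside, depth = True, 0
        elif not inside or not w:
            continue
        elif w[0] == "config":      # nested sub-table: ignore its contents
            depth += 1
        elif w[0] == "end":         # closes a sub-table, or the section itself
            inside, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and w[0] == "edit" and len(w) > 1:
            name = line.split(None, 1)[1].strip().strip('"')
            entries[name] = {}
        elif depth == 0 and w[0] == "set" and len(w) == 3 and name:
            entries[name][w[1]] = w[2].strip().strip('"')
    return entries

def audit(entries):
    """Return {name: (role, problems)} for entries that enable mode-cfg."""
    report = {}
    for name, v in entries.items():
        if v.get("mode-cfg") != "enable":
            continue
        problems = []
        if v.get("ike-version", "1") != "1":    # page: IKE v1 is the default
            problems.append("mode-cfg requires ike-version 1")
        if v.get("mode-cfg-ip-version", "4") != v.get("ip-version", "4"):
            problems.append("mode-cfg-ip-version differs from ip-version")
        role = "server" if v.get("type") == "dynamic" else "client"
        report[name] = (role, problems)
    return report
```

Calling audit(parse_phase1(SAMPLE)) reports dialup-server as a clean server entry and to-hq as a client with two problems; site2site is skipped because it does not enable mode-cfg.<br />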
IPsec VPNs for FortiOS 4.0 MR3<br />
142 01-434-112804-20120111<br />
http://docs.fortinet.com/