fortigate-ipsec-40-mr3
L2TP and IPsec (Microsoft VPN): Configuring the FortiGate unit
Configuring phase 1 - CLI
To create a phase 1 configuration called dialup_p1 on a FortiGate unit that has port1
connected to the Internet, you would enter (the ******** in psksecret stands for your
actual preshared key):
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set interface port1
        set mode main
        set psksecret ********
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set nattraversal enable
        set dpd enable
    end
Configuring phase 2 - web-based manager
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2.
2 Enter the following information and then select OK.
    Name: Enter a name for this phase 2 configuration.
    Phase 1: Select the name of the phase 1 configuration.
    Advanced: Select Advanced to enter the following information.
    P2 Proposal: Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
    Enable replay detection: Enable
    Enable perfect forward secrecy (PFS): Disable
    Keylife: 3600 seconds
3 Make this a transport-mode VPN. You must use the CLI to do this. If your phase 2
name is dialup_p2, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set encapsulation transport-mode
    end
Configuring phase 2 - CLI
To configure a phase 2 named dialup_p2 that works with the dialup_p1 phase 1 configuration
created above, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set replay enable
        set pfs disable
        set keylifeseconds 3600
        set encapsulation transport-mode
    end
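The proposal lists above include aes256-md5 and 3des-sha1 and use DH group 2, and the phase 2 disables PFS; MD5, 3DES and 1024-bit MODP are deprecated by current standards, so a practitioner will usually want to confirm what a FortiGate's IPsec objects actually negotiate before leaving them in production. The following is an added example, not code from the FortiOS Handbook or from Fortinet: a small offline checker that parses the config vpn ipsec phase1/phase2 CLI syntax shown on this page and flags weak proposals, weak DH groups, disabled PFS, and a phase 2 that is not in transport mode (which this page requires for L2TP). The two configurations embedded in it are constructed: the first is the dialup_p1/dialup_p2 text from this page, the second is the same pair with assumed stronger values (aes256-sha256, dhgrp 14, pfs enable); whether a given FortiOS build and a given Windows client accept those exact names is not something this page documents and must be checked against the release notes.

```python
"""Audit FortiOS IPsec phase1/phase2 CLI text for weak settings.

Added example, not FortiOS code and not from the FortiOS Handbook. It parses
the 'config ... / edit ... / set ... / next / end' nesting shown on this page.
"""

# Constructed input: the dialup_p1 / dialup_p2 commands from this page.
PAGE_CONFIG = """
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set interface port1
        set mode main
        set psksecret ********
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set nattraversal enable
        set dpd enable
    end
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set replay enable
        set pfs disable
        set keylifeseconds 3600
        set encapsulation transport-mode
    end
"""

# Constructed input: the same objects with assumed stronger values. The
# algorithm names are assumptions; check them against the target release.
HARDENED_CONFIG = """
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set interface port1
        set mode main
        set psksecret ********
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd enable
    end
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set proposal aes256-sha256
        set replay enable
        set pfs enable
        set keylifeseconds 3600
        set encapsulation transport-mode
    end
"""

# Algorithm names as FortiOS spells them in "set proposal <enc>-<auth>".
WEAK_ENC = {"des", "3des", "null"}
WEAK_AUTH = {"md5", "null"}   # add "sha1" here if local policy demands SHA-2
WEAK_DHGRP = {"1", "2", "5"}  # MODP groups of 768/1024/1536 bits


def parse_fortios(text):
    """Return {(table, name): {setting: [values]}} for each 'edit' block."""
    objects = {}
    table = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit ") and table is not None:
            name = line[len("edit "):].strip('"')
            objects[(table, name)] = {}
        elif line.startswith("set ") and name is not None:
            key, *values = line[len("set "):].split()
            objects[(table, name)][key] = values
        elif line == "next":
            name = None
        elif line == "end":
            table = name = None
    return objects


def audit(text):
    """Return a list of (object, finding) pairs; an empty list means clean."""
    findings = []
    for (table, name), settings in parse_fortios(text).items():
        obj = f"{table} {name}"
        for prop in settings.get("proposal", []):
            enc, _, auth = prop.partition("-")
            if enc in WEAK_ENC or auth in WEAK_AUTH:
                findings.append((obj, f"weak proposal {prop}"))
        for grp in settings.get("dhgrp", []):
            if grp in WEAK_DHGRP:
                findings.append((obj, f"weak DH group {grp}"))
        if table.endswith("phase2"):
            # Only flag an explicit 'set pfs disable'; defaults are not assumed.
            if settings.get("pfs") == ["disable"]:
                findings.append((obj, "PFS disabled"))
            # This page requires transport mode for the L2TP-over-IPsec phase 2.
            if settings.get("encapsulation") != ["transport-mode"]:
                findings.append((obj, "encapsulation is not transport-mode"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for obj, finding in audit(cfg):
            print(f"  {obj}: {finding}")
```

Run against the page's own configuration the checker reports six findings (two weak proposals and DH group 2 on the phase 1; two weak proposals and disabled PFS on the phase 2) and nothing for the hardened pair. The parser deliberately keeps only the nesting it needs, so a pasted `show vpn ipsec phase1` / `show vpn ipsec phase2` transcript from a unit can be fed in unchanged.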
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111, page 203
http://docs.fortinet.com/