fortigate-ipsec-40-mr3
FortiOS Handbook
Auto Key phase 1 parameters
Overview
This chapter provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase access security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes.
For more information on phase 1 parameters in the web-based manager, see “Phase 1 configuration” on page 26.
The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys. Refer to “Manual-key configurations” on page 183 instead.
The following topics are included in this section:
• Overview
• Defining the tunnel ends
• Choosing main mode or aggressive mode
• Authenticating the FortiGate unit
• Authenticating remote peers and clients
• Defining IKE negotiation parameters
• Using XAuth authentication
To configure IPsec phase 1 settings, go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1. IPsec phase 1 settings define:
• the remote and local ends of the IPsec tunnel
• whether phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• whether the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
• the IKE negotiation proposals for encryption and authentication
• optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.
For all the phase 1 web-based manager fields, see “Phase 1 configuration” on page 26.
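The handbook describes these settings through the web-based manager. As an added illustration that is not part of the handbook, the following FortiOS CLI fragment shows the same phase 1 decisions made twice: once for a static site-to-site peer (main mode, preshared key, peer ID required) and once for dialup clients (aggressive mode, preshared key, XAuth server). The interface name wan1, the address 203.0.113.10, the peer IDs, the secret placeholders and the user group vpn-users are constructed for the example and must be replaced; the user group is assumed to already exist under config user group. The CLI keyword names are written from general FortiOS CLI knowledge and should be checked against the CLI reference for this release before use.

```fortios
# Site-to-site peer: main mode keeps the identity exchange encrypted; the peer
# must present both the correct preshared key and the expected peer ID.
config vpn ipsec phase1-interface
    edit "branch-office"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10                # constructed example address (RFC 5737 range)
        set mode main
        set authmethod psk
        set psksecret "REPLACE-WITH-LONG-RANDOM-SECRET"   # placeholder: use a long random secret
        set peertype one                          # accept only the one peer ID below
        set peerid "branch-office.example.com"    # constructed example ID
        set localid "hq.example.com"              # constructed example ID
        set proposal aes256-sha1 aes128-sha1      # IKE encryption/authentication proposals
        set dhgrp 14                              # prefer group 14 over the weaker groups 1, 2 and 5
        set keylife 28800
        set dpd enable
        set nattraversal enable
    next
end

# Dialup clients: the remote address is not known in advance, so the FortiGate
# acts as XAuth server and asks each user for a user name and password in
# addition to the preshared key.
config vpn ipsec phase1-interface
    edit "dialup-clients"
        set type dynamic
        set interface "wan1"
        set mode aggressive                       # aggressive mode sends the ID unencrypted; XAuth adds a second factor
        set authmethod psk
        set psksecret "REPLACE-WITH-LONG-RANDOM-SECRET"   # placeholder: use a long random secret
        set peertype any
        set xauthtype auto                        # FortiGate is the XAuth server
        set authusrgrp "vpn-users"                # constructed group name; must exist under config user group
        set proposal aes256-sha1 aes128-sha1
        set dhgrp 14
        set dpd enable
        set nattraversal enable
    next
end
```

The two entries differ exactly along the lines the list above draws: static versus dynamic remote end, main versus aggressive mode, and whether the peer proves its identity by a fixed peer ID or by an XAuth user name and password on top of the preshared key. Because aggressive mode exposes the identity payload, the dialup entry relies on XAuth rather than on the preshared key alone.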
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 39
http://docs.fortinet.com/