fortigate-ipsec-40-mr3
Defining the tunnel ends Auto Key phase 1 parameters

Defining the tunnel ends
If you want to control how the IKE negotiation process handles the tunnel when there is no traffic, as well as the length of time the unit waits for negotiations to complete, use the negotiation-timeout and auto-negotiation commands in the CLI.

To begin defining the phase 1 configuration, go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1. Enter a descriptive name for the VPN tunnel. This is particularly important if you will create several tunnels.

The phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

The remote gateway can be:
• a static IP address
• a domain name with a dynamic IP address
• a dialup client

A statically addressed remote gateway is the simplest to configure. You specify the IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer has a domain name and subscribes to a dynamic DNS service, you need to specify only the domain name. The FortiGate unit performs a DNS query to determine the appropriate IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer is a dialup client, only the dialup client can bring up the tunnel. The IP address of the client is not known until it connects to the FortiGate unit. This configuration is a typical way to provide a VPN for client PCs running VPN client software such as the FortiClient Endpoint Security application.

The local end of the VPN tunnel, the Local Interface, is the FortiGate interface that sends and receives the IPsec packets. This is usually the public interface of the FortiGate unit that is connected to the Internet. Packets from this interface pass to the private network through a security policy.

The Local Interface for a phase 1 cannot be a loopback interface. By design, the IPsec tunnel will not be established if a loopback interface is selected.

By default, the local VPN gateway is the IP address of the selected Local Interface. If you are configuring an interface mode VPN, you can optionally use a secondary IP address of the Local Interface as the local gateway.
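The three remote gateway types described above, written as route-based (interface mode) phase 1 definitions in the FortiGate CLI. This is an added example, not configuration from the original document; the tunnel names, interface name, addresses, domain name and key are constructed, and the keyword spellings negotiate-timeout (phase 1) and auto-negotiate (phase 2) are assumed to be the CLI forms of the negotiation-timeout and auto-negotiation commands the text mentions.

```fortios
# Constructed example: one phase 1 per remote gateway type.
# All names, addresses and the pre-shared key are placeholders.
config vpn ipsec phase1-interface
    # 1. Static remote gateway: either side may bring the tunnel up.
    edit "to-branch-static"
        set type static
        set interface "wan1"              # public interface, never a loopback
        set remote-gw 203.0.113.10        # documentation address (RFC 5737)
        set mode main                     # identities are sent encrypted
        set proposal aes256-sha256
        set dhgrp 14
        set negotiate-timeout 30          # seconds to wait for IKE to complete
        set psksecret PLACEHOLDER_CHANGE_ME
    next
    # 2. Dynamic DNS remote gateway: the unit resolves the name before IKE.
    edit "to-branch-ddns"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "branch.example.net"
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_CHANGE_ME
    next
    # 3. Dialup clients: only the client can initiate, its address is unknown
    #    until it connects, so no remote-gw is set.
    edit "dialup-clients"
        set type dynamic
        set interface "wan1"
        set local-gw 198.51.100.5         # optional: secondary IP of wan1
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PLACEHOLDER_CHANGE_ME
    next
end

config vpn ipsec phase2-interface
    edit "to-branch-static-p2"
        set phase1name "to-branch-static"
        set auto-negotiate enable         # keep the tunnel up without waiting for traffic
    next
end
```

Each phase 1 still needs a matching phase 2 and security policies before any traffic passes; only the static tunnel's phase 2 is shown here to illustrate auto-negotiate.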
Choosing main mode or aggressive mode

The FortiGate unit and the remote peer or dialup client exchange phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations.

In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information
IPsec VPNs for FortiOS 4.0 MR3
40 01-434-112804-20120111
http://docs.fortinet.com/