fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Auto Key phase 1 parameters Authenticating the FortiGate unit<br />
If you use pre-shared key authentication alone, all remote peers and dialup clients must<br />
be configured with the same pre-shared key. Optionally, you can configure remote peers<br />
and dialup clients with unique pre-shared keys. On the FortiGate unit, these are<br />
configured in user accounts, not in the phase_1 settings. For more information, see<br />
“Enabling VPN access with user accounts and pre-shared keys” on page 47.<br />
The pre-shared key must contain at least 6 printable characters and best practices<br />
dictate that it be known only to network administrators. For optimum protection against<br />
currently known attacks, the key must consist of a minimum of 16 randomly chosen<br />
alphanumeric characters.<br />
If you authenticate the FortiGate unit using a pre-shared key, you can require remote<br />
peers or dialup clients to authenticate using peer IDs, but not client certificates.<br />
To authenticate the FortiGate unit with a pre-shared key<br />
1 Go to VPN > IPsec > Auto Key (IKE).<br />
2 Create a new phase 1 configuration or edit an existing phase 1 configuration.<br />
3 Include appropriate entries as follows:<br />
Name<br />
Remote Gateway<br />
Local Interface<br />
Enter a name that reflects the origination of the remote<br />
connection.<br />
Select the nature of the remote connection. For more<br />
information, see “Defining the tunnel ends” on page <strong>40</strong>.<br />
Select the interface that is the local end of the IPsec<br />
tunnel. For more information, see “Defining the tunnel<br />
ends” on page <strong>40</strong>.<br />
Select Main or Aggressive mode.<br />
In Main mode, the phase 1 parameters are exchanged<br />
in multiple rounds with encrypted authentication<br />
information.<br />
In Aggressive mode, the phase 1 parameters are<br />
exchanged in single message with authentication<br />
information that is not encrypted.<br />
Mode<br />
When the remote VPN peer or client has a dynamic IP<br />
address, or the remote VPN peer or client will be<br />
authenticated using an identifier (local ID), you must select<br />
Aggressive mode if there is more than one dialup phase 1<br />
configuration for the interface IP address.<br />
For more information, see “Choosing main mode or<br />
aggressive mode” on page <strong>40</strong>.<br />
Authentication Method Select Pre-shared Key.<br />
Pre-shared Key<br />
Enter the preshared key that the FortiGate unit will use to<br />
authenticate itself to the remote peer or dialup client<br />
during phase 1 negotiations. You must define the same<br />
value at the remote peer or client. The key must contain at<br />
least 6 printable characters and best practices dictate that<br />
it only be known by network administrators. For optimum<br />
protection against currently known attacks, the key must<br />
consist of a minimum of 16 randomly chosen<br />
alphanumeric characters.<br />
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 43<br />
http://docs.fortinet.com/