fortigate-ipsec-40-mr3
Authenticating remote peers and clients Auto Key phase 1 parameters
4 From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client.
5 Under Peer Options, select one of these options:
   To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See “Before you begin” on page 44.
   To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See “Before you begin” on page 44.
6 If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use.
7 Select OK.
Enabling VPN access by peer identifier
Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you can require that remote peers or clients present a particular peer ID. This adds another piece of information that is required to gain access to the VPN. More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a pre-shared key and use the same identifier.
A peer ID, also called local ID, can be up to 63 characters long and may contain standard regular expression characters. The local ID is set in the phase 1 Aggressive Mode configuration.
You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address.
To authenticate remote peers or dialup clients using one peer ID
1 At the FortiGate VPN server, go to VPN > IPsec > Auto Key (IKE).
2 In the list, select a phase 1 configuration and edit its parameters.
3 Select Aggressive mode in any of the following cases:
   the FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel
   a FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service
   FortiGate/FortiClient dialup clients sharing the same pre-shared key and local ID connect through the same VPN tunnel
4 Select Accept this peer ID and type the identifier into the corresponding field.
5 Select OK.
To assign an identifier (local ID) to a FortiGate unit
Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client.
1 Go to VPN > IPsec > Auto Key (IKE).
2 In the list, select a phase 1 configuration and edit its parameters.
3 Select Advanced.
4 In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
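The GUI procedures above (certificate peer options, peer ID on the VPN server, local ID on the dialup client) map onto FortiOS CLI objects. The fragment below is an added example written for this page, not text from the Fortinet guide: it shows the peer certificate entry and certificate group that must exist before they can be selected in the GUI, a server-side phase 1 that accepts only members of that group, and a pre-shared-key dialup server and client pair that match on a peer ID in Aggressive mode. All object names (CA_Cert_1, branch-01-cert, dialup-cert-peers, server-cert, branch-01, to-hq), the interface name wan1, the address 203.0.113.10 and the PSK placeholder are assumed values; the keywords are the FortiOS 4.0 CLI ones, but confirm them against the CLI Reference for your build. Lines beginning with # are annotations, not CLI syntax, and must be removed before pasting.

```fortios
# (a) Peer certificate holder. The entry must exist before
#     "Accept this peer certificate only" can select it in the GUI.
#     Matching on both the issuing CA and the CN limits which
#     certificate holders the server accepts.
config user peer
    edit "branch-01-cert"
        set ca "CA_Cert_1"
        set cn "branch-01.example.com"
    next
end

# (b) Certificate group for "Accept this peer certificate group only".
config user peergrp
    edit "dialup-cert-peers"
        set member "branch-01-cert"
    next
end

# (c) VPN server phase 1 for dialup peers using certificate
#     authentication, restricted to members of the group above.
config vpn ipsec phase1-interface
    edit "dialup-cert"
        set type dynamic
        set interface "wan1"
        set mode main
        set authmethod signature
        set certificate "server-cert"
        set peertype peergrp
        set peergrp "dialup-cert-peers"
    next
end

# (d) VPN server phase 1 for dialup peers using a pre-shared key
#     plus a required peer ID. Aggressive mode is used because, as
#     the guide states, the peer ID is matched in phase 1 Aggressive
#     Mode; a peer ID is an identity, not a secret, so it supplements
#     the PSK rather than replacing it.
config vpn ipsec phase1-interface
    edit "dialup-psk"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set authmethod psk
        set peertype one
        set peerid "branch-01"
        set psksecret <PSK_PLACEHOLDER>
    next
end

# (e) Dialup client side. The local ID it presents must equal the
#     peerid configured on the server, and the PSK must match.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set mode aggressive
        set remote-gw 203.0.113.10
        set authmethod psk
        set localid "branch-01"
        set psksecret <PSK_PLACEHOLDER>
    next
end
```

Sections (a) and (b) correspond to the “Before you begin” prerequisite the guide refers to; (c) corresponds to step 5 of the certificate procedure; (d) to steps 3 and 4 of the peer ID procedure; and (e) to step 4 of the local ID procedure. When several dialup clients share one PSK and one local ID, they all match the single peerid in (d) and share that tunnel, which is the behaviour the text describes; give each site its own peer entry or peer ID when you need to tell them apart.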
IPsec VPNs for FortiOS 4.0 MR3
46 01-434-112804-20120111
http://docs.fortinet.com/