fortigate-ipsec-40-mr3
Phase 2 parameters<br />
Advanced phase 2 settings<br />
Auto-negotiate<br />
When enabled, auto-negotiate initiates the phase 2 SA negotiation automatically,<br />
repeating every five seconds until the SA is established.<br />
The auto-negotiate feature is available only through the Command Line Interface (CLI).<br />
Use the following commands to enable it (the edit command takes the name of the<br />
phase 2 configuration):<br />
config vpn ipsec phase2<br />
edit <br />
set auto-negotiate enable<br />
end<br />
If the tunnel goes down, the auto-negotiate feature will attempt to re-establish it.<br />
However, the Autokey Keep Alive feature is a better method to ensure your VPN remains<br />
up.<br />
Autokey Keep Alive<br />
The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry,<br />
a new SA is negotiated and the VPN switches to the new SA without interruption. If there<br />
is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be<br />
negotiated until there is traffic again.<br />
The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no<br />
traffic, so that the VPN tunnel stays up.<br />
DHCP-IPsec<br />
Select this option if the FortiGate unit assigns VIP addresses to FortiClient dialup clients<br />
through a DHCP server or relay. This option is available only if the Remote Gateway in the<br />
phase 1 configuration is set to Dialup User, and it works only on policy-based VPNs.<br />
With the DHCP-IPsec option, the FortiGate dialup server acts as a proxy on the local private<br />
network for FortiClient dialup clients that have VIP addresses on the subnet of the private<br />
network behind the FortiGate unit. When a host on the network behind the dialup server<br />
issues an ARP request for the VIP address of a FortiClient host, the FortiGate unit answers<br />
the ARP request on behalf of the FortiClient host and forwards the associated traffic to the<br />
FortiClient host through the tunnel.<br />
This feature prevents the VIP address assigned to the FortiClient dialup client from<br />
causing ARP broadcast problems: without it, the client's normal address and its VIP address<br />
both map to the same MAC address, which confuses some network switches.<br />
Quick mode selectors<br />
Quick Mode selectors define the traffic that the phase 2 SA protects: the source and<br />
destination addresses, the protocol, and the ports. Traffic that does not match the selectors<br />
is not carried by the tunnel, and the two ends must configure compatible selectors or the<br />
phase 2 negotiation fails. Limiting the selectors to the addresses that actually need the<br />
VPN makes the network more secure.<br />
The default settings are as broad as possible: any IP address or configured address<br />
group, using any protocol, on any port. This enables configurations in which multiple<br />
subnets at each end of the tunnel can communicate, limited only by the security policies<br />
at each end.<br />
When configuring Quick Mode selector Source Address and Destination address, valid<br />
options include IPv4 and IPv6 single addresses, IPv4 firewall address or group name,<br />
IPv4 range, IPv6 range, IPv4 subnet, or IPv6 subnet. For more information on IPv6 IPsec<br />
VPN, see “Overview of IPv6 IPsec support” on page 187.<br />
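The keepalive behaviour and the selector defaults described above can be checked from a saved configuration. The following Python script is an added example and is not part of the FortiOS Handbook or of FortiOS itself: it parses a constructed `config vpn ipsec phase2` block in the layout of `show vpn ipsec phase2` output and reports, for each phase 2 configuration, whether it has neither Auto-negotiate nor Autokey Keep Alive (so an idle tunnel stays down once the SA expires) and whether its Quick Mode selectors are the wide-open defaults (any address, any protocol, any port), in which case traffic restriction rests entirely on the security policies at each end. The tunnel names, addresses and settings in SAMPLE_CONFIG are made up, and the DEFAULTS table assumes that the keepalive-related options are off unless explicitly set.

```python
import ipaddress
import re

# Constructed sample of a FortiOS 4.0 MR3 "config vpn ipsec phase2" block in the
# layout of "show vpn ipsec phase2" output. The names and addresses are made up
# for this example and do not come from any real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit "branch_p2"
        set phase1name "branch_p1"
        set keepalive enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set dhcp-ipsec enable
    next
    edit "partner_p2"
        set phase1name "partner_p1"
        set auto-negotiate enable
        set protocol 0
        set src-port 0
        set dst-port 0
    next
end
"""

# Values assumed when a setting is absent from the configuration: the quick
# mode selectors are as broad as possible (any address, any protocol, any port)
# and the keepalive-related options are off. These defaults are an assumption
# of this example, taken from the page's description of the default selectors.
DEFAULTS = {
    "phase1name": "",
    "auto-negotiate": "disable",
    "keepalive": "disable",
    "dhcp-ipsec": "disable",
    "src-subnet": "0.0.0.0 0.0.0.0",
    "dst-subnet": "0.0.0.0 0.0.0.0",
    "protocol": "0",
    "src-port": "0",
    "dst-port": "0",
}


def parse_phase2(text):
    """Return {phase2_name: {setting: value}} for each 'edit' entry in the block."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "(.*)"$', line)
        if m:
            current = dict(DEFAULTS)
            entries[m.group(1)] = current
            continue
        m = re.match(r"^set (\S+) (.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line in ("next", "end"):
            current = None
    return entries


def subnet_of(value):
    """Convert the FortiOS 'address netmask' form to an ipaddress network."""
    addr, mask = value.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(entries):
    """Return {phase2_name: [findings]} using the page's guidance:
    - with neither auto-negotiate nor keepalive, an idle tunnel goes down when
      the SA expires and stays down until traffic appears;
    - auto-negotiate alone re-establishes the tunnel but Autokey Keep Alive is
      the preferred way to keep it up;
    - all-default selectors leave traffic restriction to the security policies.
    """
    report = {}
    for name, s in entries.items():
        findings = []
        if s["keepalive"] != "enable" and s["auto-negotiate"] != "enable":
            findings.append("no keepalive: idle tunnel stays down after SA expiry")
        elif s["keepalive"] != "enable":
            findings.append("auto-negotiate only: consider Autokey Keep Alive")
        src, dst = subnet_of(s["src-subnet"]), subnet_of(s["dst-subnet"])
        wide = (src.prefixlen == 0 and dst.prefixlen == 0
                and s["protocol"] == "0"
                and s["src-port"] == "0" and s["dst-port"] == "0")
        if wide:
            findings.append("selectors any/any/any: restriction relies on policies")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_phase2(SAMPLE_CONFIG)).items():
        print(name, findings or ["ok"])
```

Run against a real `show vpn ipsec phase2` capture, the script only inspects phase 2 settings; whether DHCP-IPsec is valid for a given entry additionally depends on the phase 1 Remote Gateway being Dialup User and on the VPN being policy-based, which this example does not check.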
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 59<br />
http://docs.fortinet.com/