FortiGate IPSec VPN User Guide - FirewallShop.com
Auto Key phase 1 parameters

This section provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase access security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes.

Note: The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys. Refer to “Manual-key configurations” on page 111 instead.

The following topics are included in this section:
• Overview
• Defining the tunnel ends
• Choosing main mode or aggressive mode
• Authenticating the FortiGate unit
• Authenticating remote peers and clients
• Defining IKE negotiation parameters
• Defining the remaining phase 1 options
• Using XAuth authentication

Overview
IPSec phase 1 settings define:
• the ends of the IPSec tunnel, remote and local
• whether the various phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• whether the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
• the IKE negotiation proposals for encryption and authentication
• optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.
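The following Python is an added example and is not part of the FortiGate guide or of FortiOS. It models the phase 1 choices the list above describes (main versus aggressive mode, preshared key versus certificate, peer ID or peer certificate checks, and XAuth) and reviews a configuration for the weaker combinations. The message layout of the two exchanges is taken from the IKEv1 specification (RFC 2409), not from the guide, and names such as `Phase1Config` and `review_phase1` are constructed for this example rather than FortiOS CLI keywords.

```python
"""Added example: model of IKEv1 phase 1 options and a configuration reviewer.
Not FortiOS code; EXCHANGES follows RFC 2409, the rest is constructed here."""
from dataclasses import dataclass

# Message layout of the two IKEv1 phase 1 exchanges (assumption: RFC 2409).
# Each entry: (message number, sender, payloads carried, sent encrypted?).
# Main mode takes six messages and protects identity and authentication
# payloads; aggressive mode collapses the exchange into three messages with
# identity and authentication payloads in the clear.
EXCHANGES = {
    "main": [
        (1, "initiator", ("SA",), False),
        (2, "responder", ("SA",), False),
        (3, "initiator", ("KE", "NONCE"), False),
        (4, "responder", ("KE", "NONCE"), False),
        (5, "initiator", ("ID", "AUTH"), True),
        (6, "responder", ("ID", "AUTH"), True),
    ],
    "aggressive": [
        (1, "initiator", ("SA", "KE", "NONCE", "ID"), False),
        (2, "responder", ("SA", "KE", "NONCE", "ID", "AUTH"), False),
        (3, "initiator", ("AUTH",), False),
    ],
}


@dataclass(frozen=True)
class Phase1Config:
    """Constructed representation of the phase 1 choices listed in the guide."""
    name: str
    mode: str               # "main" or "aggressive"
    local_auth: str         # how the FortiGate proves itself: "psk" or "certificate"
    peer_auth: str          # what the remote peer must present: "none", "peer_id", "peer_cert"
    xauth: str = "disable"  # "disable", "server" (authenticate dialup users), "client"


def cleartext_payloads(mode):
    """Return the set of payload types sent without encryption in the given mode."""
    exposed = set()
    for _num, _sender, payloads, encrypted in EXCHANGES[mode]:
        if not encrypted:
            exposed.update(payloads)
    return exposed


def review_phase1(cfg):
    """Return a list of findings for a phase 1 configuration; empty means no concern."""
    if cfg.mode not in EXCHANGES:
        raise ValueError(f"unknown phase 1 mode {cfg.mode!r}")
    findings = []
    exposed = cleartext_payloads(cfg.mode)
    if "ID" in exposed:
        findings.append("aggressive mode: peer identities are exchanged unencrypted")
    if "AUTH" in exposed and cfg.local_auth == "psk":
        # The responder's authentication hash over the preshared key is observable,
        # so only the key's strength protects it: use a long, random key.
        findings.append("aggressive mode with preshared key: authentication hash is "
                        "visible on the wire; use a long random key")
    if cfg.peer_auth == "none":
        findings.append("remote peer is not required to authenticate by peer ID or certificate")
        if cfg.xauth == "disable":
            findings.append("no XAuth either: every dialup client shares one phase 1 credential")
    if cfg.peer_auth == "peer_cert" and cfg.local_auth != "certificate":
        # The guide: peer certificate checks apply when the FortiGate itself uses a certificate.
        findings.append("peer certificate check requires the FortiGate unit to authenticate by certificate")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations for a quick demonstration.
    samples = [
        Phase1Config("branch", "main", "psk", "peer_id"),
        Phase1Config("dialup", "aggressive", "psk", "none"),
        Phase1Config("partner", "main", "certificate", "peer_cert", "server"),
    ]
    for cfg in samples:
        print(cfg.name, cfg.mode, cfg.local_auth, cfg.peer_auth, cfg.xauth)
        for finding in review_phase1(cfg) or ["no findings"]:
            print("  -", finding)
```

`review_phase1` derives its first two findings from the exchange table rather than from the mode string, so the same check applies to any exchange added to `EXCHANGES` later; the remaining checks encode the dependencies the overview states, such as peer certificate checks requiring certificate authentication on the FortiGate side.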
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 127