FortiGate IPSec VPN User Guide - FirewallShop.com
Auto Key phase 1 parameters

Defining the tunnel ends
To begin defining the phase 1 configuration, you go to VPN > IPSEC > Auto Key and select Create Phase 1. Enter a descriptive name for the VPN tunnel. This is particularly important if you will create several tunnels.
The phase 1 configuration mainly defines the ends of the IPSec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPSec packets. The local end is the FortiGate interface that sends and receives IPSec packets.
The remote gateway can be any of the following:
• a static IP address
• a domain name with a dynamic IP address
• a dialup client
A statically addressed remote gateway is the simplest to configure. You specify the IP address. Unless restricted in the firewall policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.
If the remote peer has a domain name and subscribes to a dynamic DNS service, you need to specify only the domain name. The FortiGate unit performs a DNS query to determine the appropriate IP address. Unless restricted in the firewall policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.
If the remote peer is a dialup client, only the dialup client can bring up the tunnel. The IP address of the client is not known until it connects to the FortiGate unit. This configuration is a typical way to provide a VPN for client PCs running VPN client software such as the FortiClient Host Security application.
The local end of the VPN tunnel, the Local Interface, is the FortiGate interface that sends and receives the IPSec packets. This is usually the public interface of the FortiGate unit that is connected to the Internet. Packets from this interface pass to the private network through a firewall policy. If you are configuring an interface mode VPN, in the Advanced phase 1 settings you can optionally specify a unique address for the FortiGate end of the tunnel. By default, the FortiGate unit uses the IP address of the selected Local Interface taken from the System > Network > Interface settings.
Choosing main mode or aggressive mode
The FortiGate unit and the remote peer or dialup client exchange phase 1 parameters in either Main mode or Aggressive mode.
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Main mode is more secure, but you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address and the remote VPN peer or client is authenticated using an identifier (local ID). Descriptions of the peer options in this guide indicate if either Main or Aggressive mode is required.
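The Main mode / Aggressive mode difference described above is visible on the wire: every IKEv1 message starts with a 28-byte ISAKMP header (RFC 2408) whose exchange type is 2 for Main mode and 4 for Aggressive mode, and whose E flag says whether the payloads that follow are encrypted. The Python below is an added example, not part of the guide or Fortinet's code; it parses that header, walks the cleartext payload chain, and flags messages that carry the peer identifier (ID payload) unencrypted, which is what makes Aggressive mode the weaker choice. The sample messages are constructed in the code, not taken from a capture.

```python
import struct

# ISAKMP (RFC 2408) exchange types and payload types seen in IKEv1 Auto Key phase 1
EXCHANGE_TYPES = {2: "Main mode", 4: "Aggressive mode", 5: "Informational", 32: "Quick mode"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTED = 0x01  # E bit: everything after the 28-byte header is ciphertext

def parse_isakmp(data: bytes) -> dict:
    """Parse the fixed header and, if the message is in the clear, walk its payload chain."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, next_payload, version, exch, flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length != len(data):
        raise ValueError(f"header length {length} does not match {len(data)} bytes received")
    msg = {"mode": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
           "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": []}
    if msg["encrypted"]:
        return msg  # payload chain is ciphertext; only the header is readable
    offset, ptype = 28, next_payload
    while ptype != 0:  # generic payload header: next type (1), reserved (1), length (2)
        if offset + 4 > len(data):
            raise ValueError("truncated payload chain")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        msg["payloads"].append(PAYLOAD_NAMES.get(ptype, f"type {ptype}"))
        offset, ptype = offset + plen, nxt
    return msg

def identity_in_clear(msg: dict) -> bool:
    """True when a peer identifier (ID payload) travelled without encryption."""
    return not msg["encrypted"] and "ID" in msg["payloads"]

def build_message(exch: int, flags: int, payloads: list, msg_id: int = 0) -> bytes:
    """Constructed test vector: chain 8-byte dummy payloads of the given types behind a header."""
    body = b""
    for i, _ptype in enumerate(payloads):
        nxt = payloads[i + 1] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 8) + b"\x00" * 4
    first = payloads[0] if payloads else 0  # header's Next Payload names the first payload
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, flags,
                      msg_id, 28 + len(body))
    return hdr + body

# Constructed samples: Main mode message 1 carries only the SA proposal (plus a vendor ID);
# Aggressive mode message 1 already carries SA, KE, NONCE and ID in the clear;
# Main mode message 5 carries ID and HASH but with the E flag set.
MAIN_MSG1 = build_message(2, 0x00, [1, 13])
AGGR_MSG1 = build_message(4, 0x00, [1, 4, 10, 5, 13])
MAIN_MSG5 = build_message(2, FLAG_ENCRYPTED, [5, 8])
```

Run over IKE traffic captured on UDP/500, `identity_in_clear` fires only for Aggressive mode exchanges, which is the condition to look for when auditing which dialup peers still depend on it.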
FortiGate IPSec VPN Version 3.0 User Guide
128 01-30005-0065-20070716