FortiGate IPSec VPN User Guide - FirewallShop.com
Auto Key phase 1 parameters<br />
Authenticating the <strong>FortiGate</strong> unit<br />
The <strong>FortiGate</strong> unit can authenticate itself to remote peers or dialup clients using<br />
either a pre-shared key or an RSA Signature (certificate).<br />
Authenticating the <strong>FortiGate</strong> unit with digital certificates<br />
To authenticate the <strong>FortiGate</strong> unit using digital certificates, you must have the<br />
required certificates installed on the remote peer and on the <strong>FortiGate</strong> unit. The<br />
signed server certificate on one peer is validated by the presence of the root<br />
certificate installed on the other peer. If you use certificates to authenticate the<br />
<strong>FortiGate</strong> unit, you can also require the remote peers or dialup clients to<br />
authenticate using certificates.<br />
For more information about obtaining and installing certificates, see the <strong>FortiGate</strong><br />
Certificate Management <strong>User</strong> <strong>Guide</strong>.<br />
To authenticate the <strong>FortiGate</strong> unit using digital certificates<br />
1 Go to <strong>VPN</strong> > IPSEC > Auto Key.<br />
2 Select Create Phase 1 to add a new phase 1 configuration or select the Edit<br />
button beside an existing Phase 1 configuration.<br />
3 Include appropriate entries as follows:<br />
Name: Enter a name that reflects the origination of the remote connection.<br />
Remote Gateway: Select the nature of the remote connection:<br />
• Static IP Address.<br />
• Dialup <strong>User</strong>.<br />
• Dynamic DNS.<br />
For more information, see “Defining the tunnel ends” on page 128.<br />
Local Interface: Select the interface that is the local end of the <strong>IPSec</strong> tunnel. For more information, see “Defining the tunnel ends” on page 128.<br />
Mode: Select Main or Aggressive mode.<br />
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.<br />
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.<br />
When the remote <strong>VPN</strong> peer or client has a dynamic IP address, or the remote <strong>VPN</strong> peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. For more information, see “Choosing main mode or aggressive mode” on page 128.<br />
Authentication Method: Select RSA Signature.<br />
Certificate Name: Select the name of the server certificate that the <strong>FortiGate</strong> unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see the <strong>FortiGate</strong> Certificate Management <strong>User</strong> <strong>Guide</strong>.<br />
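As an added example (not taken from the guide), the same phase 1 settings expressed as FortiOS CLI, with the remote peer pinned to a named CA and certificate subject so that only that certificate, rather than any certificate signed by the installed root, is accepted. The interface, certificate and peer names and the 203.0.113.10 address are placeholders, and the keywords follow later FortiOS CLI references, so check them against the 3.0 CLI reference before use.<br />

```fortios
# Added example, not from the guide. All names and the address are placeholders.
# Restrict which remote certificate is accepted: it must chain to the named CA
# and carry the expected subject, not merely be signed by the installed root.
config user peer
    edit "branch_peer"
        set ca "CA_Cert_1"
        set subject "CN=branch-fw.example.com"
    next
end

# Phase 1 in interface mode: static remote gateway, Main mode (authentication
# data exchanged encrypted), RSA Signature with the local server certificate,
# and the remote peer required to present the certificate defined above.
config vpn ipsec phase1-interface
    edit "to_branch"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set mode main
        set authmethod signature
        set certificate "FGT_server_cert"
        set peertype peer
        set peer "branch_peer"
    next
end
```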
<strong>FortiGate</strong> <strong>IPSec</strong> <strong>VPN</strong> Version 3.0 <strong>User</strong> <strong>Guide</strong><br />
01-30005-0065-20070716 129