FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Authenticating the FortiGate unit Auto Key phase 1 parameters Peer Options Advanced Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. For more information, see “Authenticating remote peers and clients” on page 131. You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters” on page 137. 4 If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server” on page 141. 5 Select OK. Authenticating the FortiGate unit with a pre-shared key The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers. If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see “Enabling VPN access using user accounts and pre-shared keys” on page 135. The pre-shared key must contain at least 6 printable characters and should be known only to network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates. To authenticate the FortiGate unit with a pre-shared key 1 Go to VPN > IPSEC > Auto Key. 2 Select Create Phase 1 to add a new phase 1 configuration or select the Edit button beside an existing configuration. 3 Include appropriate entries as follows: Name Remote Gateway Local Interface Enter a name that reflects the origination of the remote connection. Select the nature of the remote connection: • Static IP Address. • Dialup User. • Dynamic DNS. For more information, see “Defining the tunnel ends” on page 128. Select the interface that is the local end of the IPSec tunnel. For more information, see “Defining the tunnel ends” on page 128. FortiGate IPSec VPN Version 3.0 User Guide 130 01-30005-0065-20070716
Auto Key phase 1 parameters Authenticating remote peers and clients Mode Authentication Method Pre-shared Key Peer options Advanced Select Main or Aggressive mode. • In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. • In Aggressive mode, the phase 1 parameters are exchanged in single message with authentication information that is not encrypted. When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. For more information, see “Choosing main mode or aggressive mode” on page 128. Select Pre-shared Key. Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see “Authenticating remote peers and clients” on page 131. You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters” on page 137. 4 If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server” on page 141. 5 Select OK. Authenticating remote peers and clients Certificates or pre-shared keys restrict who can access the VPN tunnel, but they do not identify or authenticate the remote peers or dialup clients. You have the following options for authentication: • You can permit access only for remote peers or clients who use certificates that you recognize. This is available only if the FortiGate unit authenticates using certificates. See “Enabling VPN access for specific certificate holders” on page 132. • You can permit access only for remote peers or clients that have certain peer identifier (local ID) value configured. This is available with both certificate and preshared key authentication. See “Enabling VPN access by peer identifier” on page 134. • You can permit access to remote peers or dialup clients who each have a unique preshared key. Each peer or client must have a user account on the FortiGate unit. See “Enabling VPN access using user accounts and pre-shared keys” on page 135. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 131
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129: Auto Key phase 1 parameters Authent
Page 133 and 134: Auto Key phase 1 parameters Authent
Page 135 and 136: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159: Logging VPN events Monitoring and t
Page 160 and 161: VPN troubleshooting tips Monitoring
Page 162 and 163: Index Encryption Algorithm, Manual
Page 164 and 165: Index remote peer authenticating wi
Page 166: www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?