FortiGate IPSec VPN User Guide - FirewallShop.com
Authenticating the FortiGate unit
Auto Key phase 1 parameters

Peer Options: Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. For more information, see “Authenticating remote peers and clients” on page 131.

Advanced: You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters” on page 137.
4 If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server” on page 141.
5 Select OK.
Authenticating the FortiGate unit with a pre-shared key

The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.

If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase 1 settings. For more information, see “Enabling VPN access using user accounts and pre-shared keys” on page 135.

The pre-shared key must contain at least 6 printable characters and should be known only to network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.
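The key-strength guidance above, as an added example in Python (not from the guide or from Fortinet): a helper that generates a pre-shared key meeting the 16-character alphanumeric recommendation from the operating system's CSPRNG, and a checker that rates a candidate key against the 6-printable-character minimum and the 16-character recommendation. The definition of "printable", the entropy estimate and the character-class heuristic for "randomly chosen" are assumptions.

```python
import math
import secrets
import string

# Thresholds from the guide: 6 printable characters is the hard minimum,
# 16 randomly chosen alphanumeric characters is the recommendation.
MIN_LENGTH = 6
RECOMMENDED_LENGTH = 16
ALNUM = string.ascii_letters + string.digits
# Assumption: "printable" means printable ASCII with whitespace excluded.
PRINTABLE = set(string.printable) - set(string.whitespace)


def generate_psk(length: int = RECOMMENDED_LENGTH) -> str:
    """Return `length` alphanumeric characters drawn from the OS CSPRNG."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"length must be at least {RECOMMENDED_LENGTH}")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def _classes(psk: str) -> list:
    """Names of the character classes present in the key."""
    return [n for n, chars in (("lower", string.ascii_lowercase),
                               ("upper", string.ascii_uppercase),
                               ("digit", string.digits),
                               ("punct", string.punctuation))
            if any(c in chars for c in psk)]


def psk_entropy_bits(psk: str) -> float:
    """Brute-force work estimate: len * log2(size of the alphabet in use).
    Assumption: an upper bound only; dictionary words are not detected."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "punct": len(string.punctuation)}
    size = sum(sizes[n] for n in _classes(psk))
    return len(psk) * math.log2(size) if size else 0.0


def classify_psk(psk: str) -> str:
    """Rate a candidate key against the guide's minimum and recommendation.
    "rejected":    shorter than 6 characters or contains a non-printable one
    "minimum":     acceptable, but below the 16-character recommendation
    "recommended": 16+ characters using lower, upper and digit classes
                   (assumption: a heuristic stand-in for "randomly chosen")"""
    if len(psk) < MIN_LENGTH or not all(c in PRINTABLE for c in psk):
        return "rejected"
    if len(psk) >= RECOMMENDED_LENGTH and {"lower", "upper", "digit"} <= set(_classes(psk)):
        return "recommended"
    return "minimum"
```

A key that rates "minimum" is accepted by the guide's rule but still deserves peer IDs or XAuth alongside it, as the text above recommends.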
To authenticate the FortiGate unit with a pre-shared key
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1 to add a new phase 1 configuration or select the Edit button beside an existing configuration.
3 Include appropriate entries as follows:

Name: Enter a name that reflects the origination of the remote connection.

Remote Gateway: Select the nature of the remote connection:
• Static IP Address.
• Dialup User.
• Dynamic DNS.
For more information, see “Defining the tunnel ends” on page 128.

Local Interface: Select the interface that is the local end of the IPSec tunnel. For more information, see “Defining the tunnel ends” on page 128.
FortiGate IPSec VPN Version 3.0 User Guide, page 130, document 01-30005-0065-20070716