FortiGate IPSec VPN User Guide - FirewallShop.com
Defining IKE negotiation parameters
Auto Key phase 1 parameters

Note: You can enable or disable automatic rekeying between IKE peers through the phase1-rekey attribute of the config system global CLI command. For more information, see the “system” chapter of the FortiGate CLI Reference.

When you use a preshared key (shared secret) to set up two-party authentication, the remote VPN peer or client and the FortiGate unit must both be configured with the same preshared key. Each party uses a session key derived from the Diffie-Hellman exchange to create an authentication key, which is used to sign a known combination of inputs using an authentication algorithm (such as HMAC-MD5 or HMAC-SHA-1). Each party signs a different combination of inputs and the other party verifies that the same result can be computed.

Note: When you use preshared keys to authenticate VPN peers or clients, you must distribute matching information to all VPN peers and/or clients whenever the preshared key changes.
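The preshared-key authentication step described above, as an added Python example (not code from this guide or from Fortinet). It follows the IKEv1 main-mode derivation in RFC 2409: SKEYID is computed with the prf (here HMAC-SHA-1, one of the algorithms named above) from the preshared key and both nonces, and each peer then HMACs a different ordering of the Diffie-Hellman public values, the ISAKMP cookies, the SA payload and its own identity, while the other peer checks that it can reproduce the result. The DH group, cookies, nonces, SA payload and identities are constructed toy values; the group is far too small for real use and exists only to show that g^xy agrees on both sides even when the preshared keys do not, which is exactly the case the note above is about.

```python
"""Toy model of IKEv1 (RFC 2409) main-mode preshared-key authentication.

Added example, not FortiGate code. Both peers derive the same authentication
key (SKEYID) from the preshared key and the exchanged nonces, each signs a
*different* combination of inputs with an HMAC, and the other side verifies
that it can compute the same value.
"""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group, far too small for real use; IKE uses
# large MODP groups (for example RFC 2409 group 2 or RFC 3526 group 14).
P = 2**127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE 'prf', instantiated here as HMAC-SHA-1 (20-byte output)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> tuple[int, int]:
    """Return (private exponent, public value g^x mod p) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def int_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding; every value in the toy group fits in 16 bytes."""
    return n.to_bytes(16, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: with preshared keys, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid: bytes, gxi: int, gxr: int, cky_i: bytes, cky_r: bytes,
           sa_i: bytes, id_i: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, int_bytes(gxi) + int_bytes(gxr) + cky_i + cky_r + sa_i + id_i)


def hash_r(skeyid: bytes, gxi: int, gxr: int, cky_i: bytes, cky_r: bytes,
           sa_i: bytes, id_r: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).

    Same key as HASH_I, but the DH values and cookies are swapped and the
    responder's identity is used: a different combination of inputs.
    """
    return prf(skeyid, int_bytes(gxr) + int_bytes(gxi) + cky_r + cky_i + sa_i + id_r)


def run_exchange(psk_initiator: bytes, psk_responder: bytes) -> tuple[bool, bool, bool]:
    """Simulate one phase 1 authentication.

    Returns (responder accepted initiator, initiator accepted responder,
    DH shared secret agreed on both sides).
    """
    # Values exchanged in the clear (all constructed sample data).
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sa_i = b"ISAKMP-SA:3DES-SHA1-DH2-PSK"            # stand-in for the SA payload
    id_i, id_r = b"ID:192.0.2.1", b"ID:198.51.100.1"  # constructed peer identities
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()

    # Each side computes SKEYID from *its own* configured preshared key.
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)

    # Initiator sends HASH_I; responder recomputes it with its key and compares.
    sent_hash_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sa_i, id_i)
    expected_hash_i = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sa_i, id_i)
    responder_ok = hmac.compare_digest(sent_hash_i, expected_hash_i)

    # Responder sends HASH_R; initiator performs the mirror-image check.
    sent_hash_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sa_i, id_r)
    expected_hash_r = hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sa_i, id_r)
    initiator_ok = hmac.compare_digest(sent_hash_r, expected_hash_r)

    # The DH shared secret agrees whatever the preshared keys are; it feeds the
    # later keying material (SKEYID_d and friends) but authenticates nobody.
    dh_agrees = pow(gxr, xi, P) == pow(gxi, xr, P)
    return responder_ok, initiator_ok, dh_agrees


if __name__ == "__main__":
    print("matching PSKs:  ", run_exchange(b"matching-secret", b"matching-secret"))
    print("mismatched PSKs:", run_exchange(b"matching-secret", b"typo-secret"))
```

With matching preshared keys both checks pass; with a typo on one side the Diffie-Hellman secret still agrees but both HASH checks fail, so the tunnel never authenticates. That failure mode is what the note above is warning about: a key change has to reach every peer, or phase 1 will fail on the side that was not updated.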
As an alternative, the remote peer or dialup client and FortiGate unit can exchange digital signatures to validate each other’s identity with respect to their public keys. In this case, the required digital certificates (see the FortiGate Certificate Management User Guide) must be installed on the remote peer and on the FortiGate unit. By exchanging certificate DNs, the signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer.

The following procedure assumes that you already have a phase 1 definition that describes how remote VPN peers and clients will be authenticated when they attempt to connect to a local FortiGate unit. For information about the Local ID and XAuth options, see “Enabling VPN access using user accounts and pre-shared keys” on page 135 and “Using the FortiGate unit as an XAuth server” on page 141. Follow this procedure to add IKE negotiation parameters to the existing definition.

Defining IKE negotiation parameters
1 Go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit button to edit the phase 1 parameters for a particular remote gateway.
FortiGate IPSec VPN Version 3.0 User Guide
138 01-30005-0065-20070716