184
Fortinet Inc.
AutoIKE IPSec VPNs
IPSec VPN
4 Select a Remote Gateway address type.
• If the remote VPN peer has a static IP address, select Static IP Address.
• If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User.
Depending on the Remote Gateway address type you selected, other fields become available.
5 Select Aggressive or Main (ID Protection) mode.
When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden.
The VPN peers must use the same mode.
6 Configure the P1 Proposal.
Select up to three encryption and authentication algorithm combinations to propose for phase 1.
The VPN peers must use the same P1 proposal settings.
7 Select the DH Group(s).
Select one or more Diffie-Hellman groups to propose for phase 1.
As a general rule, the VPN peers should use the same DH Group settings.
8 Enter the Keylife.
The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service.
P1 proposal keylife can be from 120 to 172,800 seconds.
9 For Authentication Method, select Preshared Key or RSA Signature.
• Preshared Key: Enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, make sure the key consists of a minimum of 16 randomly chosen alphanumeric characters.
• RSA Signature: Select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 190.
Remote Gateway: Static IP Address
IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.
Remote Gateway: Dialup User
Peer Options: If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations.
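The following added example (not part of the FortiGate manual and not FortiGate code) turns the phase 1 rules given in steps 4 to 9 and in the field descriptions above into a pre-deployment check: keylife bounds, proposal count, mandatory IP address for a static gateway, the 6-character minimum and 16-character recommendation for the preshared key, and a flag on aggressive mode, which sends identities in the clear. The dictionary keys and the sample configurations are hypothetical and constructed here; they are not the FortiGate field names.

```python
import secrets
import string

# Bounds and rules as stated in the manual for AutoIKE phase 1.
KEYLIFE_MIN, KEYLIFE_MAX = 120, 172_800
PSK_MIN_LEN = 6            # hard requirement: at least 6 printable characters
PSK_RECOMMENDED_LEN = 16   # recommended: 16+ random alphanumeric characters
ALNUM = string.ascii_letters + string.digits


def generate_psk(length: int = PSK_RECOMMENDED_LEN) -> str:
    """Build a preshared key of random alphanumerics, as the manual recommends."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def check_phase1(cfg: dict) -> list[str]:
    """Return findings for a phase 1 definition; an empty list means it passes.

    cfg keys (hypothetical names): remote_gateway ('static'|'dialup'), ip_address,
    mode ('main'|'aggressive'), proposals (list of pairs), dh_groups (list),
    keylife (seconds), auth_method ('psk'|'rsa'), psk (str).
    """
    findings = []
    if cfg.get("remote_gateway") == "static" and not cfg.get("ip_address"):
        findings.append("static remote gateway requires an IP address")
    if cfg.get("mode") == "aggressive":
        findings.append("aggressive mode exchanges peer identities in the clear")
    if not 1 <= len(cfg.get("proposals", [])) <= 3:
        findings.append("select between one and three P1 proposals")
    if not cfg.get("dh_groups"):
        findings.append("select at least one DH group")
    if not KEYLIFE_MIN <= cfg.get("keylife", 0) <= KEYLIFE_MAX:
        findings.append(f"keylife must be {KEYLIFE_MIN}-{KEYLIFE_MAX} seconds")
    if cfg.get("auth_method") == "psk":
        psk = cfg.get("psk", "")
        if len(psk) < PSK_MIN_LEN or not psk.isprintable():
            findings.append(f"preshared key needs at least {PSK_MIN_LEN} printable characters")
        elif len(psk) < PSK_RECOMMENDED_LEN or not psk.isalnum():
            findings.append(f"preshared key should be {PSK_RECOMMENDED_LEN}+ random alphanumerics")
    return findings


# Constructed samples: a weak definition and a corrected one (203.0.113.10 is a
# documentation address, not a real peer).
WEAK = {"remote_gateway": "static", "ip_address": "", "mode": "aggressive",
        "proposals": [("3des", "sha1")], "dh_groups": [2], "keylife": 60,
        "auth_method": "psk", "psk": "secret"}
HARDENED = {"remote_gateway": "static", "ip_address": "203.0.113.10", "mode": "main",
            "proposals": [("3des", "sha1")], "dh_groups": [5], "keylife": 28800,
            "auth_method": "psk", "psk": generate_psk()}
```

Running `check_phase1(WEAK)` reports the missing IP address, aggressive mode, the out-of-range keylife and the short key, while `check_phase1(HARDENED)` returns no findings.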