IPSec VPN: Auto Key
FortiGate Version 4.0 Administration Guide, 01-400-89802-20090424, page 535
Local Interface
This option is available in NAT/Route mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of the interface that you selected. Optionally, you can specify a unique IP address for the VPN gateway in the Advanced settings. For more information, see “Local Gateway IP” on page 537.
Mode
Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one phase 1 configuration for the interface IP address and these phase 1 configurations use different proposals.
Peer Options settings may require a particular mode. See Peer Options, below.
Authentication Method
Select Preshared Key or RSA Signature.
Pre-shared Key
If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
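The Mode rules and the Pre-shared Key requirements above are easy to get wrong when several phase 1 configurations share one interface. The following is an added example, not part of this guide or of FortiOS: a small Python linter that encodes those rules over a list of phase 1 definitions. The Phase1 class, its field names and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase1:
    name: str
    interface: str          # Local Interface whose IP is the VPN gateway
    dynamic_peer: bool      # remote peer / dialup client has a dynamic IP address
    auth: str               # "psk" (Pre-shared Key) or "rsa" (RSA Signature)
    mode: str               # "main" or "aggressive"
    proposals: frozenset    # phase 1 proposals offered by this configuration
    psk: str = ""           # pre-shared key, only meaningful when auth == "psk"

def psk_problems(psk: str) -> list:
    """Check a pre-shared key against the guide's minimum and recommended strength."""
    problems = []
    if len(psk) < 6 or not all(c.isprintable() for c in psk):
        problems.append("key must contain at least 6 printable characters")
    if len(psk) < 16:
        problems.append("recommended: at least 16 randomly chosen alphanumeric characters")
    return problems

def aggressive_required(p1: Phase1, all_p1: list) -> bool:
    """Apply the guide's two rules for when Aggressive mode is mandatory."""
    if not p1.dynamic_peer:
        return False                       # a static-address peer can use Main mode
    siblings = [o for o in all_p1 if o.interface == p1.interface]
    if p1.auth == "psk":                   # more than one dialup phase 1 on this interface IP
        return sum(o.dynamic_peer for o in siblings) > 1
    if p1.auth == "rsa":                   # more than one phase 1 here, with different proposals
        return len(siblings) > 1 and len({o.proposals for o in siblings}) > 1
    return False

def lint(configs: list) -> list:
    """Return one finding string per rule a configuration breaks."""
    findings = []
    for p1 in configs:
        if aggressive_required(p1, configs) and p1.mode != "aggressive":
            findings.append(f"{p1.name}: Aggressive mode is required for this interface")
        if p1.auth == "psk":
            findings.extend(f"{p1.name}: {msg}" for msg in psk_problems(p1.psk))
    return findings

# Constructed sample configurations, not taken from a real FortiGate unit.
SAMPLE = [
    Phase1("dialup_a", "wan1", True, "psk", "aggressive", frozenset({"aes128-sha1"}), "Vx7pQ2mR9tLk4Ws1"),
    Phase1("dialup_b", "wan1", True, "psk", "main", frozenset({"aes128-sha1"}), "short"),
    Phase1("branch", "wan2", False, "psk", "main", frozenset({"3des-sha1"}), "Nn3kTq8Zp5Hb2Yc6"),
    Phase1("cert_a", "wan3", True, "rsa", "main", frozenset({"aes256-sha1"})),
    Phase1("cert_b", "wan3", True, "rsa", "aggressive", frozenset({"3des-md5"})),
]
```

Running lint(SAMPLE) reports dialup_b (Main mode although a second dialup PSK phase 1 shares wan1, plus a 5-character key) and cert_a (Main mode although the two certificate phase 1s on wan3 use different proposals).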
Certificate Name
If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiGate Certificate Management User Guide.
Peer Options
One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Accept any peer ID
Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.
You can use this option with RSA Signature authentication. For the highest security, however, you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
Accept this peer ID
This option is available only if the remote peer has a dynamic IP address. Enter the identifier that is used to authenticate the remote peer. This identifier must match the identifier that the remote peer’s administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.