VPN
Configuring XAuth
FortiGate-100A Administration Guide
01-28006-0068-20041105
249
Configuring XAuth
XAuth authenticates users in a separate exchange held between Phases 1 and 2.
Encryption
The FortiGate unit supports the following encryption methods:
DES
3DES
AES128
AES192
AES256
Authentication
The FortiGate unit supports the following authentication methods:
MD5
SHA1
DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When the VPN peers have static IP addresses and use aggressive mode,
select a single matching DH group.
When the VPN peers use aggressive mode in a dialup configuration, select up
to three DH groups for the dialup server and select one DH group for the
dialup user (client or gateway).
When the VPN peers employ main mode, you can select multiple DH groups.
Keylife
The keylife is the amount of time in seconds before the IKE encryption key
expires. When the key expires, a new key is generated without interrupting
service. P1 proposal keylife can be from 120 to 172,800 seconds.
Local ID
If you are using peer IDs for authentication, enter the peer ID that the
FortiGate unit will use to authenticate itself to remote VPN peers.
If you are using certificates for authentication, enter the distinguished name
(DN) of the local certificate.
XAuth
You can configure the FortiGate unit as an Extended Authentication (XAuth)
client or an XAuth server. For more information, see
“Configuring XAuth” on
page 249
.
Nat-traversal
Enable this option if you expect the IPSec VPN traffic to go through a gateway
that performs NAT. If no NAT device is detected, enabling NAT traversal has
no effect. Both ends of the VPN must have the same NAT traversal setting. If
you enable NAT traversal you can set the keepalive frequency. NAT traversal
is enabled by default.
Keepalive
Frequency
If NAT Traversal is selected, enter the Keepalive Frequency in seconds.
The keepalive frequency specifies how frequently empty UDP packets are
sent through the NAT device to ensure that the NAT mapping does not change
until the IKE and IPSec keylife expires.
The keepalive frequency can be from 0 to 900 seconds.
Dead Peer
Detection
Enable this option to clean up dead VPN connections and establish new VPN
connections. You can specify additional Dead Peer Detection (DPD) settings
such as long idle, short idle, retry count and retry interval through the CLI. See
“ipsec phase1” on page 273
.
XAuth: Enable as Client
Username
Enter the user name the local VPN peer uses to authenticate itself to the
remote VPN peer.
Password
Enter the password the local VPN peer uses to authenticate itself to the
remote VPN peer.
Содержание FortiGate FortiGate-100A
Страница 24: ...24 01 28006 0068 20041105 Fortinet Inc FortiLog documentation Introduction...
Страница 46: ...46 01 28006 0068 20041105 Fortinet Inc Installing and using a backup firmware image System status...
Страница 72: ...72 01 28006 0068 20041105 Fortinet Inc Transparent mode VLAN settings System network...
Страница 80: ...80 01 28006 0068 20041105 Fortinet Inc DHCP IP MAC binding settings System DHCP...
Страница 114: ...114 01 28006 0068 20041105 Fortinet Inc Access profile options System administration...
Страница 232: ...232 01 28006 0068 20041105 Fortinet Inc CLI configuration Firewall...
Страница 244: ...244 01 28006 0068 20041105 Fortinet Inc peergrp Users and authentication...
Страница 320: ...320 01 28006 0068 20041105 Fortinet Inc service smtp Antivirus...
Страница 366: ...366 01 28006 0068 20041105 Fortinet Inc syslogd setting Log Report...
Страница 380: ...380 01 28006 0068 20041105 Fortinet Inc Glossary...
Страница 388: ...388 01 28006 0068 20041105 Fortinet Inc Index...