252
01-28006-0012-20041105
Fortinet Inc.
Phase 2
VPN
Phase 2 advanced options
Figure 125:Phase 2 advanced settings
P2 Proposal
Add or delete encryption and message digests. Select a minimum of one and
a maximum of three combinations. The remote peer must be configured to
use at least one of the proposals that you define.
You can select any of the following symmetric-key encryption algorithms:
•
NULL-Do not use an encryption algorithm.
•
DES-Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
•
3DES-Triple-DES, in which plain text is encrypted three times by three
keys.
•
AES128-A 128-bit block algorithm that uses a 128-bit key.
•
AES192-A 128-bit block algorithm that uses a 192-bit key.
•
AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
•
NULL-Do not use a message digest.
•
MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.
•
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the add button beside the fields for the second combination.
Enable replay
detection
Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel. Enable replay detection to check the sequence number
of every IPSec packet to see if it has been received before. If packets arrive
out of sequence, the FortiGate unit discards them.
You can configure the FortiGate unit to send an alert email when it detects a
replay packet. For more information, see
“Alert E-mail options” on page 354
.
Enable perfect
forward
secrecy (PFS)
Perfect forward secrecy (PFS) improves security by forcing a new
Diffie-Hellman exchange whenever keylife expires.
Содержание FortiGate FortiGate-4000
Страница 46: ...46 01 28006 0012 20041105 Fortinet Inc Changing the FortiGate firmware System status...
Страница 72: ...72 01 28006 0012 20041105 Fortinet Inc FortiGate IPv6 support System network...
Страница 80: ...80 01 28006 0012 20041105 Fortinet Inc Dynamic IP System DHCP...
Страница 114: ...114 01 28006 0012 20041105 Fortinet Inc Access profiles System administration...
Страница 232: ...232 01 28006 0012 20041105 Fortinet Inc Protection profile Firewall...
Страница 244: ...244 01 28006 0012 20041105 Fortinet Inc CLI configuration Users and authentication...
Страница 382: ...382 01 28006 0012 20041105 Fortinet Inc Glossary...
Страница 390: ...390 01 28006 0012 20041105 Fortinet Inc Index...