Auto Key
IPSec VPN
FortiGate Version 4.0 Administration Guide
538
01-400-89802-20090424
Creating a new phase 2 configuration
After IPSec phase 1 negotiations end successfully, you begin phase 2. You configure the
phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt
and transfer data for the remainder of the session. During phase 2, you select specific
IPSec security associations needed to implement security services and establish a tunnel.
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration that specifies the remote end point of the VPN tunnel. In most cases, you
need to configure only basic phase 2 settings.
DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit.
Keylife
Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID
If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.
XAuth
This option supports the authentication of dialup clients.
Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit. For more information, see “Configuring a user group” on page 586.
You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see “Configuring a RADIUS server” on
“Configuring an LDAP server” on page 575.
Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.
NAT-traversal
Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Keepalive Frequency
If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval ranging from 10 to 900 seconds.
Dead Peer Detection
Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.)
With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the
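As an added illustration that is not part of the guide, the following Python parses a constructed phase1-interface CLI block and checks it against the limits and dependencies this section states: keylife range, keepalive range when NAT-traversal is on, DH group choice, and the prerequisites for XAuth as server (Dialup User remote gateway and a dialup user group). The `set` key names (type, dhgrp, keylife, nattraversal, keepalive, xauthtype, authusrgrp) and the defaults are assumptions modelled on the FortiOS CLI, not values quoted on this page.

```python
import re
# Limits stated in the guide: keylife 120..172 800 s, keepalive 10..900 s when
# NAT-traversal is on, DH groups from 1, 2 and 5, XAuth server only for dialup.
KEYLIFE_RANGE = (120, 172_800)
KEEPALIVE_RANGE = (10, 900)
DH_GROUPS = {"1", "2", "5"}
# Constructed sample in FortiOS CLI style; the `set` key names are assumed to
# follow the FortiOS CLI and are not taken from this page.
SAMPLE_CLI = """
config vpn ipsec phase1-interface
    edit "dialup-hq"
        set type dynamic
        set dhgrp 1 5
        set keylife 100
        set nattraversal enable
        set keepalive 5
        set xauthtype pap
    next
end
"""

def parse_phase1(cli_text):
    entries, current = {}, None          # {entry_name: {key: [values]}}
    for line in cli_text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"([^"]+)"', line):
            current = entries.setdefault(m.group(1), {})
        elif (m := re.match(r"set\s+(\S+)\s+(.*)", line)) and current is not None:
            current[m.group(1)] = m.group(2).replace('"', "").split()
    return entries

def check_phase1(s):
    """Return the list of findings for one entry; an empty list means it passes."""
    findings = []
    dh = set(s.get("dhgrp", []))
    if not dh or not dh <= DH_GROUPS:
        findings.append("dhgrp must name one or more of DH groups 1, 2, 5")
    keylife = int(s.get("keylife", ["28800"])[0])      # assumed default 28800
    if not KEYLIFE_RANGE[0] <= keylife <= KEYLIFE_RANGE[1]:
        findings.append(f"keylife {keylife}s is outside {KEYLIFE_RANGE}")
    if s.get("nattraversal") == ["enable"]:
        keepalive = int(s.get("keepalive", ["10"])[0])   # assumed default 10
        if not KEEPALIVE_RANGE[0] <= keepalive <= KEEPALIVE_RANGE[1]:
            findings.append(f"keepalive {keepalive}s is outside {KEEPALIVE_RANGE}")
    if s.get("xauthtype", ["disable"])[0] in ("pap", "chap", "auto"):  # server modes
        if s.get("type") != ["dynamic"]:
            findings.append("XAuth as server needs Remote Gateway set to Dialup User")
        if "authusrgrp" not in s:
            findings.append("XAuth as server needs a dialup user group (authusrgrp)")
    return findings
```

Running check_phase1 on the sample entry reports three findings (keylife too short, keepalive too short, missing user group); a peer check can reuse parse_phase1 on both sides' blocks to confirm their nattraversal values agree.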