Fortinet FortiGate FortiGate-1000A Administration Manual page 264

Fortinet fortigate fortigate-1000a: user guide

Phase 1

Pre-shared Key
If Pre-shared Key is selected, type the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

Certificate Name
If RSA Signature is selected, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see "Certificates" on page 279.

Peer Options
To accept connections without checking peer IDs, select Accept any peer ID.

To grant access to one or more remote peers or FortiGate dialup clients based on a peer ID, select Accept this peer ID and type the identifier. This value must be identical to the value in the Local ID field of the phase 1 remote gateway configuration on the remote peer or FortiGate dialup client. For details, see the "Enabling VPN peer identification" section of the FortiGate VPN Guide. If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

To grant access to dialup users based on the name of a dialup group, select Accept peer ID in dialup group and select the name of the group from the list. You must create the user group before it can be selected here. See "User" on page 249. For more information about using peer IDs to authenticate dialup users, see the "Enabling VPN peer identification" section of the FortiGate VPN Guide.

To authenticate one (or more) remote peers or dialup clients based on a particular (or shared) security certificate, select Accept this peer certificate only and select the name of the certificate from the list. For details, see the "Enabling VPN access for specific certificate holders" section of the FortiGate VPN Guide. The certificate must be added to the FortiGate configuration through the config user peer CLI command before it can be selected here. For more information, see the "config user" chapter of the FortiGate CLI Reference Guide. If the remote VPN peer or client has a dynamic IP address, set Mode to Aggressive.

Select Accept this peer certificate group only to use a certificate group to authenticate remote peers and dialup clients that have dynamic IP addresses and use unique certificates. Select the name of the group from the list. For details, see the "Enabling VPN access for specific certificate holders" section of the FortiGate VPN Guide. The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected here. For more information, see the "config user" chapter of the FortiGate CLI Reference Guide. When the remote peers and clients have dynamic IP addresses, you must set Mode to Aggressive.

Advanced
You may retain the default settings unless changes are needed to meet your specific requirements. See the "Defining IKE negotiation parameters" and "Configuring the phase 1 IKE exchange" sections of the FortiGate VPN Guide.

01-28011-0254-20051115 Fortinet Inc.
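
The Pre-shared Key description gives two thresholds: at least 6 printable characters are required, and 16 randomly chosen alphanumeric characters are recommended. The following Python code is an added example, not part of the Fortinet manual, that generates a key meeting the recommendation and audits existing keys against both thresholds; the function names, the reading of "printable" as ASCII 0x20-0x7E, and the two randomness heuristics are assumptions.

```python
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
MIN_LEN = 6           # manual: at least 6 printable characters
RECOMMENDED_LEN = 16  # manual: minimum of 16 randomly chosen alphanumerics


def generate_psk(length=RECOMMENDED_LEN):
    """Return a key drawn uniformly from [A-Za-z0-9] using the OS CSPRNG."""
    if length < RECOMMENDED_LEN:
        raise ValueError(f"length must be at least {RECOMMENDED_LEN}")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def entropy_bits(length):
    """Entropy of a uniformly random alphanumeric key of this length."""
    return length * math.log2(len(ALPHANUM))


def audit_psk(key):
    """Classify a key as 'rejected', 'weak' or 'ok' and list the reasons."""
    hard, soft = [], []
    if len(key) < MIN_LEN:
        hard.append(f"shorter than {MIN_LEN} characters")
    # Assumption: "printable" means ASCII 0x20-0x7E.
    if any(not 0x20 <= ord(c) <= 0x7E for c in key):
        hard.append("contains non-printable characters")
    if hard:
        return "rejected", hard
    if len(key) < RECOMMENDED_LEN:
        soft.append(f"shorter than the recommended {RECOMMENDED_LEN}")
    # Heuristics only: randomness cannot be proven from the key itself.
    if len(set(key)) < 8:
        soft.append("fewer than 8 distinct characters")
    if key.isdigit() or (key.isalpha() and (key.islower() or key.isupper())):
        soft.append("single character class")
    return ("weak" if soft else "ok"), soft


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real configuration.
    for sample in ["abc12", "Fortinet1", "aaaaaaaaaaaaaaaa", generate_psk()]:
        print(repr(sample), *audit_psk(sample))
    print(f"{entropy_bits(RECOMMENDED_LEN):.1f} bits for a generated key")
```

A generated 16-character key carries about 95 bits of entropy. The same value still has to be entered on both the FortiGate unit and the remote peer or client.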
