Phase 2 - Fortinet FortiGate FortiGate-1000A Administration Manual

Phase 2

Phase 2
266
DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When using aggressive mode, DH groups cannot be negotiated.
• If both VPN peers have static IP addresses and use aggressive mode,
select a single DH group. The setting on the FortiGate unit must be
identical to the setting on the remote peer or client.
• When the VPN peer or client has a dynamic IP address and uses
aggressive mode, select up to three DH groups on the FortiGate unit and
one DH group on the remote peer or dialup client. The setting on the
remote peer or client must be identical to one of the selections on the
FortiGate unit.
• If the VPN peer or client employs main mode, you can select multiple DH
groups. At least one of the settings on the remote peer or client must be
identical to the selections on the FortiGate unit.
Keylife Type the amount of time (in seconds) that will be allowed to pass before the
IKE encryption key expires. When the key expires, a new key is generated
without interrupting service. The keylife can be from 120 to 172800 seconds.
Local ID If the FortiGate unit will act as a VPN client and you are using peer IDs for
authentication purposes, enter the identifier that the FortiGate unit will supply
to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security
certificates for authentication, select the distinguished name (DN) of the local
server certificate that the FortiGate unit will use for authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with other
dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup
client), set Mode to Aggressive.
XAuth This option is provided to support the authentication of dialup clients.
If the FortiGate unit is a dialup client and you select Enable as Client, type the
user name and password that the FortiGate unit will need to authenticate itself
to the remote XAuth server.
If Remote Gateway is set to Dialup User and dialup clients will authenticate as
members of a dialup group, the FortiGate unit can act as an XAuth server. To
select Enable as Server, you must first create user groups to identify the
dialup clients that need access to the network behind the FortiGate unit. You
must also configure the FortiGate unit to forward authentication requests to an
external RADIUS or LDAP authentication server. For information about these
topics, see
type of encryption method to use between the FortiGate unit, the XAuth client
and the external authentication server, and then select the user group from
the User Group list.
Nat-traversal Enable this option if a NAT device exists between the local FortiGate unit and
the VPN peer or client. The local FortiGate unit and the VPN peer or client
must have the same NAT traversal setting (both selected or both cleared).
Keepalive If you enabled NAT traversal, enter a keepalive frequency setting. The value
represents an interval from 0 to 900 seconds.
Frequency
Dead Peer Enable this option to reestablish VPN tunnels on idle connections and clean
up dead IKE peers if required.
Detection
You configure phase 2 settings to specify the parameters for creating and maintaining
a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases,
you only need to configure the basic phase 2 settings.
01-28011-0254-20051115
"User" on page 249. Select a Server Type setting to determine the
VPN
Fortinet Inc.