Fortinet FortiGate FortiGate-1000A Administration Manual page 269

VPN
FortiGate-1000A/FA2 Administration Guide
P2 Proposal
Select the encryption and authentication algorithms that will be used to
change data into encrypted code.
Add or delete encryption and authentication algorithms as required. Select a
minimum of one and a maximum of three combinations. The remote peer
must be configured to use at least one of the proposals that you define.
You can select any of the following symmetric-key algorithms:
NULL - Do not use an encryption algorithm.
DES - Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES - Triple-DES, in which plain text is encrypted three times by three keys.
AES128 - A 128-bit block algorithm that uses a 128-bit key.
AES192 - A 128-bit block algorithm that uses a 192-bit key.
AES256 - A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
NULL - Do not use a message digest.
MD5 - Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 - Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the Add button beside the fields for the second combination.
Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel.
Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group
Select one Diffie-Hellman group (1, 2, or 5). The remote peer or client must be
configured to use the same group.
Keylife
Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB has been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive
Enable the option if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec
Select Enable if the FortiGate unit acts as a dialup server and FortiGate
DHCP relay will be used to assign VIP addresses to FortiClient dialup clients.
Do not select this option on FortiGate units that act as dialup clients. The
DHCP relay parameters must be configured separately. For more information,
see "System DHCP" on page 81.

01-28011-0254-20051115
Phase 2
269
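The option table above amounts to a set of constraints (one to three proposals, algorithm choices, DH group 1/2/5, keylife ranges) plus two switches whose off state weakens the tunnel. The following is an added example, not Fortinet code: a small validator that checks a proposed Phase 2 configuration against exactly those constraints and reports weak choices such as NULL, DES or MD5. Function and parameter names are assumptions made for illustration.

```python
# Added example, not Fortinet's code: checks a FortiGate Phase 2 proposal
# against the constraints the manual page states and flags choices that
# weaken the tunnel. Function and parameter names are assumptions.
ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"NULL", "MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}
SECONDS_RANGE = (120, 172800)
KBYTES_RANGE = (5120, 2147483648)


def validate_phase2(proposals, dh_group, keylife, seconds=None, kbytes=None,
                    replay_detection=True, pfs=True):
    """Return (errors, warnings) for a Phase 2 configuration.

    proposals: up to three (encryption, authentication) pairs; a pair set to
    ("NULL", "NULL") is an unused slot, as the manual describes for the
    second combination.  keylife: "Seconds", "KBytes" or "Both".
    """
    errors, warnings = [], []
    active = [p for p in proposals if p != ("NULL", "NULL")]
    if not 1 <= len(active) <= 3:
        errors.append("select between one and three proposal combinations")
    for enc, auth in active:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            errors.append(f"unsupported algorithm in proposal {enc}/{auth}")
            continue
        if enc in ("NULL", "DES"):
            warnings.append(f"{enc} gives no real confidentiality; prefer AES")
        if auth in ("NULL", "MD5"):
            warnings.append(f"{auth} gives weak integrity checking; prefer SHA1")
    if dh_group not in DH_GROUPS:
        errors.append("DH group must be 1, 2 or 5 and match the remote peer")
    if keylife not in ("Seconds", "KBytes", "Both"):
        errors.append("keylife must be Seconds, KBytes or Both")
    if keylife in ("Seconds", "Both") and (
            seconds is None or not SECONDS_RANGE[0] <= seconds <= SECONDS_RANGE[1]):
        errors.append("keylife seconds must be 120..172800")
    if keylife in ("KBytes", "Both") and (
            kbytes is None or not KBYTES_RANGE[0] <= kbytes <= KBYTES_RANGE[1]):
        errors.append("keylife KB must be 5120..2147483648")
    if not replay_detection:
        warnings.append("replay detection disabled: replayed IPSec packets are accepted")
    if not pfs:
        warnings.append("PFS disabled: no fresh Diffie-Hellman exchange when keylife expires")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: one strong proposal plus an unused second slot.
    print(validate_phase2([("AES256", "SHA1"), ("NULL", "NULL")], 5, "Both",
                          seconds=1800, kbytes=10240))
```

Errors mark settings the unit will not accept or that will not match the peer; warnings mark settings that are accepted but leave the tunnel weaker than the page's alternatives.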
