Configuring Xauth - Fortinet FortiGate FortiGate-3000 Administration Manual

VPN

Configuring XAuth

FortiGate-3000 Administration Guide
Encryption
The FortiGate unit supports the following encryption methods:
DES
3DES
AES128
AES192
AES256

Authentication
The FortiGate unit supports the following authentication methods:
MD5
SHA1

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
When the VPN peers employ main mode, you can select multiple DH groups.

Keylife
The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID
If you are using peer IDs for authentication, enter the peer ID that the FortiGate unit will use to authenticate itself to remote VPN peers.
If you are using certificates for authentication, enter the distinguished name (DN) of the local certificate.
XAuth
You can configure the FortiGate unit as an Extended Authentication (XAuth) client or an XAuth server. For more information, see "Configuring XAuth" on page 257.

Nat-traversal
Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency. NAT traversal is enabled by default.

Keepalive Frequency
If NAT Traversal is selected, enter the Keepalive Frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Dead Peer Detection
Enable this option to clean up dead VPN connections and establish new VPN connections. You can specify additional Dead Peer Detection (DPD) settings such as long idle, short idle, retry count and retry interval through the CLI. See "ipsec phase1" on page 281.
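As an added example that is not part of the guide, the Python check below encodes the constraints from the Phase 1 table above (supported methods, the DH group rules per mode, the keylife and keepalive ranges, and matching NAT traversal at both ends) so a reviewer can lint a pair of peer settings before deployment. The Phase1 dataclass, its role names and the LEGACY set of options to flag are the editor's assumptions, not FortiGate names.

```python
from dataclasses import dataclass
# Limits copied from the Phase 1 settings table on this page.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}
KEYLIFE_RANGE = (120, 172_800)  # seconds
KEEPALIVE_RANGE = (0, 900)      # seconds, only meaningful with NAT traversal enabled
# Editor's assumption, not a statement in the guide: options a reviewer should flag.
LEGACY = {"DES", "MD5", 1}
@dataclass
class Phase1:
    name: str
    mode: str            # "main" or "aggressive"
    role: str            # "static", "dialup-server" or "dialup-user" (assumed names)
    encryption: set
    authentication: set
    dh_groups: set
    keylife: int
    nat_traversal: bool = True
    keepalive: int = 10
def check_phase1(p: Phase1) -> list:
    """Rule violations for one peer's Phase 1 settings; an empty list means clean."""
    issues = []
    if not (p.encryption <= ENCRYPTION and p.authentication <= AUTHENTICATION):
        issues.append("unsupported encryption or authentication method")
    if not p.dh_groups or not p.dh_groups <= DH_GROUPS:
        issues.append("select one or more DH groups from 1, 2 and 5")
    n = len(p.dh_groups)
    if p.mode == "aggressive" and p.role in ("static", "dialup-user") and n != 1:
        issues.append(f"aggressive mode, {p.role} peer: select a single DH group")
    if p.mode == "aggressive" and p.role == "dialup-server" and n > 3:
        issues.append("aggressive mode, dialup server: select up to three DH groups")
    if not KEYLIFE_RANGE[0] <= p.keylife <= KEYLIFE_RANGE[1]:
        issues.append("keylife must be between 120 and 172800 seconds")
    if p.nat_traversal and not KEEPALIVE_RANGE[0] <= p.keepalive <= KEEPALIVE_RANGE[1]:
        issues.append("keepalive frequency must be between 0 and 900 seconds")
    if legacy := (p.encryption | p.authentication | p.dh_groups) & LEGACY:
        issues.append("legacy options offered: " + ", ".join(sorted(map(str, legacy))))
    return issues
def check_pair(local: Phase1, remote: Phase1) -> list:
    """Rules involving both ends: NAT traversal must match and the proposals must overlap."""
    issues = [f"{p.name}: {m}" for p in (local, remote) for m in check_phase1(p)]
    if local.nat_traversal != remote.nat_traversal:
        issues.append("both ends must have the same NAT traversal setting")
    if not (local.encryption & remote.encryption and local.authentication & remote.authentication
            and local.dh_groups & remote.dh_groups):
        issues.append("no common encryption, authentication and DH group: Phase 1 cannot agree")
    return issues
```

Feed it the settings from both ends of a tunnel; a non-empty result from check_pair lists every rule from the table that the pair would break.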
XAuth authenticates users in a separate exchange held between Phases 1 and 2.

XAuth: Enable as Client

Username
Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.

Password
Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.
01-28006-0010-20041105