Fortinet Fortigate-5000 series Administration Manual page 294

Auto Key
P2 Proposal
Select the encryption and authentication algorithms that will be used to
protect the data sent through the tunnel.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer must be configured to use at least one of the proposals that
you define.
You can select any of the following symmetric-key algorithms:
NULL - Do not use an encryption algorithm. Packet payloads are sent in
clear text, so the tunnel provides authentication only.
DES - Data Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
3DES - Triple DES, in which plain text is encrypted three times under
three keys.
AES128 - A 128-bit block algorithm that uses a 128-bit key.
AES192 - A 128-bit block algorithm that uses a 192-bit key.
AES256 - A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
NULL - Do not use a message digest. Packets are not integrity-checked.
MD5 - Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 - Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third
combination, use the Add button beside the fields for the second
combination.
NULL encryption, DES and MD5 are retained for interoperability with
older peers. For new tunnels, offer AES with SHA1 and list the strongest
combination first so that it is preferred during negotiation.
Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when
an unauthorized party intercepts a series of IPSec packets and replays
them back into the tunnel. With replay detection enabled, the FortiGate
unit discards ESP packets whose sequence numbers it has already accepted.
Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security
by forcing a new Diffie-Hellman exchange whenever keylife expires, so
that compromise of the phase 1 keying material or of one phase 2 key
does not expose the keys of other phase 2 sessions.
DH Group
Select one Diffie-Hellman group (1, 2, or 5). The remote peer or dialup
client must be configured to use the same group. Groups 1, 2 and 5 use
768-bit, 1024-bit and 1536-bit MODP moduli respectively; choose group 5
where the peer supports it.
Keylife
Select the method for determining when the phase 2 key expires:
Seconds, KBytes, or Both. If you select Both, the key expires when either
the time has passed or the number of KB has been processed, whichever
comes first. The range is from 120 to 172800 seconds, or from 5120 to
2147483648 KB.
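The proposal and keylife rules above are easy to get subtly wrong when two administrators configure the two ends of a tunnel. The following Python model, added here as an example and not part of the Fortinet documentation or product code, applies the page's rules: one to three combinations, a NULL/NULL second slot meaning "unused", the requirement that the peer share at least one proposal, and key expiry by seconds, KB, or whichever comes first. The function names, the (encryption, authentication) tuple encoding, the assumption that the local unit is the initiator whose list order expresses preference, and the list of algorithms rated weak are all choices made for this example.

```python
"""Model of the FortiGate phase 2 (Auto Key) proposal and keylife rules.

Added example, not Fortinet code. Names, tuple encoding and the WEAK
rating below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"NULL", "MD5", "SHA1"}
# Assumption for this example: algorithms to reject in a new deployment.
WEAK = {"NULL", "DES", "MD5"}

# Keylife ranges quoted on the page.
SECONDS_RANGE = (120, 172800)
KBYTES_RANGE = (5120, 2147483648)

Proposal = Tuple[str, str]  # (encryption, authentication)


def normalize_proposals(proposals: List[Proposal]) -> List[Proposal]:
    """Apply the page's rules: one to three combinations, and a NULL/NULL
    pair means 'slot unused', so it is dropped rather than offered."""
    if not 1 <= len(proposals) <= 3:
        raise ValueError("select a minimum of one and a maximum of three combinations")
    kept: List[Proposal] = []
    for enc, auth in proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            raise ValueError(f"unknown algorithm in proposal {enc}-{auth}")
        if (enc, auth) == ("NULL", "NULL"):
            continue  # unused slot, not a real proposal
        kept.append((enc, auth))
    if not kept:
        raise ValueError("at least one real proposal is required")
    return kept


def negotiate(local: List[Proposal], peer: List[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal the peer also accepts, or None.

    The local list is walked in order, so the strongest combination
    should be listed first. Assumption: the local unit is the initiator
    and the peer's list is an unordered set of what it will accept.
    """
    peer_set = set(normalize_proposals(peer))
    for proposal in normalize_proposals(local):
        if proposal in peer_set:
            return proposal
    return None  # no common proposal: phase 2 cannot be established


def weak_algorithms(proposals: List[Proposal]) -> List[str]:
    """Sorted, unique list of weak algorithms a proposal set still offers."""
    found = set()
    for enc, auth in normalize_proposals(proposals):
        found.update({enc, auth} & WEAK)
    return sorted(found)


@dataclass
class Keylife:
    """Phase 2 key expiry as the page defines it: by time, by volume, or both."""
    kind: str                 # "seconds", "kbytes" or "both"
    seconds: int = 1800
    kbytes: int = 5120

    def __post_init__(self) -> None:
        if self.kind not in {"seconds", "kbytes", "both"}:
            raise ValueError("keylife kind must be seconds, kbytes or both")
        lo, hi = SECONDS_RANGE
        if self.kind in {"seconds", "both"} and not lo <= self.seconds <= hi:
            raise ValueError(f"keylife seconds must be within {lo}..{hi}")
        lo, hi = KBYTES_RANGE
        if self.kind in {"kbytes", "both"} and not lo <= self.kbytes <= hi:
            raise ValueError(f"keylife KB must be within {lo}..{hi}")

    def expired(self, elapsed_seconds: int, processed_kbytes: int) -> bool:
        """True once the key must be replaced; with 'both', either limit suffices."""
        by_time = elapsed_seconds >= self.seconds
        by_volume = processed_kbytes >= self.kbytes
        if self.kind == "seconds":
            return by_time
        if self.kind == "kbytes":
            return by_volume
        return by_time or by_volume


if __name__ == "__main__":
    # Constructed sample: a unit offering AES256 first with 3DES as a
    # fallback, against a peer configured with only 3DES and AES128.
    local = [("AES256", "SHA1"), ("3DES", "SHA1"), ("NULL", "NULL")]
    peer = [("3DES", "SHA1"), ("AES128", "SHA1")]
    print("negotiated:", negotiate(local, peer))          # ('3DES', 'SHA1')
    print("weak in peer set:", weak_algorithms([("DES", "MD5")]))  # ['DES', 'MD5']
    life = Keylife("both", seconds=1800, kbytes=10240)
    print("expired after 100 s, 10240 KB:", life.expired(100, 10240))  # True
```

The sample run shows the practical consequence of list order: because the peer lacks AES256, the tunnel silently falls back to 3DES, which is exactly the case a reviewer wants flagged rather than discovered later in a packet capture.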
Autokey Keep Alive
Enable the option if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec
Select Enable if the FortiGate unit acts as a dialup server and FortiGate
DHCP relay will be used to assign VIP addresses to FortiClient dialup
clients. The DHCP relay parameters must be configured separately. For
more information, see "System DHCP" on page 113.
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind
the dialup server, select Enable to cause the FortiGate unit to act as a
proxy (answering ARP requests) for the dialup clients' VIP addresses.
This is available only for tunnel mode phase 2 configurations associated
with a dialup phase 1 configuration.
Note: You can enable VPN users to browse the Internet through the FortiGate unit. See
"Internet browsing configuration" on page 295.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
