Fortinet FortiGate Series Administration Manual page 615

IPSec VPN
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Local Interface
Mode
Authentication Method
Pre-shared Key
Certificate Name
Peer Options
Accept any peer ID
Accept this peer ID
This option is available in NAT/Route mode only. Select the name of
the interface through which remote peers or dialup clients connect to
the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of
the interface that you selected. Optionally, you can specify a unique
IP address for the VPN gateway in the Advanced settings. For more
information, see "Local Gateway IP" on page
Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple
rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in
single message with authentication information that is not
encrypted.
When the remote VPN peer has a dynamic IP address and is
authenticated by a pre-shared key, you must select Aggressive
mode if there is more than one dialup phase1 configuration for the
interface IP address.
When the remote VPN peer has a dynamic IP address and is
authenticated by a certificate, you must select Aggressive mode if
there is more than one phase 1 configuration for the interface IP
address and these phase 1 configurations use different proposals.
Peer Options settings may require a particular mode. See
Options, below.
Select Preshared Key or RSA Signature.
If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
If you selected RSA Signature, select the name of the server
certificate that the FortiGate unit will use to authenticate itself to the
remote peer or dialup client during phase 1 negotiations. For
information about obtaining and loading the required server
certificate, see the FortiGate Certificate Management User
One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and
Authentication Method settings.
Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
This option is available only if the remote peer has a dynamic IP
address. Enter the identifier that is used to authenticate the remote
peer. This identifier must match the identifier that the remote peer's
administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the
Local ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is
specified in the Local ID field, accessed by selecting Config in the
Policy section of the VPN connection's Advanced Settings.
Auto Key
617.
Peer
Guide.
615