Defining Phase 1 Advanced Settings - Fortinet FortiGate Series Administration Manual


FortiGate Version 4.0 MR1 Administration Guide

Accept peer ID in dialup group
Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes. (For more information, see "User Group" on page 666.) Select the group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see the FortiGate IPSec VPN User Guide. For more information about configuring FortiClient dialup clients, see the Authenticating FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.

Accept this peer certificate only
This option is available when Authentication Method is set to RSA Signature.
Authenticate remote peers or dialup clients that use a security certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before you can select them here. For more information, see "PKI" on page 664.

Accept this peer certificate group only
This option is available when Authentication Method is set to RSA Signature and Remote Gateway is set to Dialup User.
Use a certificate group to authenticate dialup clients that have dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create the group through the config user peergrp CLI command before you can select it. For more information, see the "user" chapter of the FortiGate CLI Reference. Members of the peer group must be certificates added by using the config user peer CLI command. You can also add peer certificates using the web-based manager. For more information, see "PKI" on page 664.

Advanced
Define advanced phase 1 parameters. For more information, see "Defining phase 1 advanced settings" on page 616.

Defining phase 1 advanced settings

You use the advanced P1 Proposal parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also select these advanced settings to ensure the smooth operation of phase 1 negotiations.

To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE), select Create Phase 1, and then select Advanced. For information about how to choose the correct advanced phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
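The "Accept this peer certificate group only" option depends on objects that must already exist, so the order of creation matters: peers first, then the peer group, then the phase 1 that references it. The sequence below is an added example, not taken from the guide; it shows that order for a dialup phase 1 that uses RSA Signature. All object names (client1_peer, client2_peer, CA_Cert_1, dialup_cert_grp, dialup_cert_p1, FGT_Server_Cert, wan1) and subject values are placeholders, the field names are assumed from the FortiOS CLI and should be checked against the "user" and "vpn" chapters of the FortiGate CLI Reference for your release, and the lines starting with # are annotations.

```fortios
# Peer entries: each identifies one client certificate by issuing CA and subject.
config user peer
    edit "client1_peer"
        set ca "CA_Cert_1"
        set subject "client1.example.com"
    next
    edit "client2_peer"
        set ca "CA_Cert_1"
        set subject "client2.example.com"
    next
end

# Peer group: must exist before it can be selected in the phase 1 configuration.
config user peergrp
    edit "dialup_cert_grp"
        set member "client1_peer" "client2_peer"
    next
end

# Phase 1 equivalent of the web-based manager settings:
#   Remote Gateway = Dialup User            -> type dynamic
#   Authentication Method = RSA Signature   -> authmethod rsa-signature
#   Accept this peer certificate group only -> peertype peergrp + peergrp
config vpn ipsec phase1
    edit "dialup_cert_p1"
        set type dynamic
        set interface "wan1"
        set authmethod rsa-signature
        set rsa-certificate "FGT_Server_Cert"
        set peertype peergrp
        set peergrp "dialup_cert_grp"
    next
end
```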
01-410-89802-20090903
http://docs.fortinet.com/