Fortinet FortiGate Series Administration Manual page 620

Auto Key
Figure 381: Phase 2 advanced settings
P2 Proposal
Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the second Authentication field. To specify only one proposal, select Delete to remove the second proposal. To specify a third proposal, select Add.
It is invalid to set both Encryption and Authentication to NULL.

Encryption
Select one of the following symmetric-key algorithms:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.

Authentication
Select one of the following message digests to check the authenticity of messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.

Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

DH Group
Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH group that the remote peer or dialup client uses.

Keylife
Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172 800 seconds, or from 5120 to 2 147 483 648 KB.
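As an added example (not Fortinet's code) of the rules stated in the table above, the following Python checks a phase 2 configuration against them (one to three proposals, no NULL/NULL pair, DH group 1/2/5/14, keylife ranges) and finds the proposal two peers have in common; the cfg dictionary layout is an assumption made for the example.

```python
# Added example (not Fortinet's code): checks a phase 2 configuration against
# the rules stated on this page and finds the proposal two peers agree on.

ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"NULL", "MD5", "SHA1", "SHA256"}
DH_GROUPS = {1, 2, 5, 14}
SECONDS_RANGE = (120, 172_800)        # keylife limits in seconds
KBYTES_RANGE = (5120, 2_147_483_648)  # keylife limits in KB


def validate_phase2(cfg):
    """Return the rule violations in a phase 2 config dict; [] means valid.

    cfg layout is an assumption for this example, not FortiGate's data model:
      proposals: list of (encryption, authentication) tuples, 1 to 3 entries
      dh_group:  int;  keylife: "seconds" | "kbytes" | "both"
      seconds / kbytes: limits for whichever keylife method is chosen
    """
    errors = []
    proposals = cfg.get("proposals", [])
    if not 1 <= len(proposals) <= 3:
        errors.append("between one and three proposals are required")
    for enc, auth in proposals:
        if enc not in ENCRYPTION:
            errors.append(f"unknown encryption algorithm {enc!r}")
        if auth not in AUTHENTICATION:
            errors.append(f"unknown authentication algorithm {auth!r}")
        if enc == "NULL" and auth == "NULL":
            errors.append("encryption and authentication cannot both be NULL")
    if cfg.get("dh_group") not in DH_GROUPS:
        errors.append("DH group must be 1, 2, 5 or 14")
    method = cfg.get("keylife")
    if method not in ("seconds", "kbytes", "both"):
        errors.append("keylife must be seconds, kbytes or both")
    if method in ("seconds", "both"):
        lo, hi = SECONDS_RANGE
        if not lo <= cfg.get("seconds", -1) <= hi:
            errors.append(f"keylife seconds must be {lo}..{hi}")
    if method in ("kbytes", "both"):
        lo, hi = KBYTES_RANGE
        if not lo <= cfg.get("kbytes", -1) <= hi:
            errors.append(f"keylife KB must be {lo}..{hi}")
    return errors


def negotiate(local, remote):
    """Return the first local proposal that the remote peer also offers, else
    None. The page's rule: at least one proposal must match; local order is
    the preference order, as on the page's proposal list."""
    return next((p for p in local if p in remote), None)
```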
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
IPSec VPN