Fortinet FortiGate Series Administration Manual page 621

IPSec VPN
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Autokey Keep Alive
Select the check box if you want the tunnel to remain active when no data is being processed.

DHCP-IPSec
Provide IP addresses dynamically to VPN clients. This is available for phase 2 configurations associated with a dialup phase 1 configuration.
You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately. For more information, see "System DHCP" on page 227.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Accept peer ID in dialup group and select the appropriate user group. See "Creating a new phase 1 configuration" on page 614.
If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

Note: You can configure settings so that VPN users can browse the Internet through the FortiGate unit. For more information, see "Internet browsing configuration" on page 624.

Quick Mode Selector
Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the default value 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. For more information, see the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.

Source address
If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, source address must refer to the private network behind the FortiGate dialup client.

Source port
Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address
Type the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port
Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Protocol
Type the IP protocol number of the service. The range is from 0 to 255. To specify all services, type 0.
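
The following is an added example, not part of the Fortinet guide: it parses the address notations listed for the Source address and Destination address fields and reports which private networks overlap, which is the "ambiguous IP addresses" condition under which the Quick Mode Selector text says to move away from 0.0.0.0/0. The function names and the site names in SAMPLE are hypothetical, and rejecting host bits in a subnet value is a choice of this example.

```python
import ipaddress
import re

# Bracket notation from the page, e.g. 192.168.10.[80-100]
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")

def parse_selector(text):
    """Turn one address value into an inclusive (first, last) IPv4 pair."""
    text = text.strip()
    m = _BRACKET.match(text)
    if m:
        lo, hi = (ipaddress.IPv4Address(f"{m.group(1)}.{n}") for n in m.group(2, 3))
    elif "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
    else:
        # Handles /24 and /255.255.255.0 alike. strict=True is this example's
        # choice: it rejects stray host bits such as 172.16.5.1/24.
        net = ipaddress.IPv4Network(text, strict=True)
        lo, hi = net.network_address, net.broadcast_address
    if lo > hi:
        raise ValueError(f"reversed range: {text}")
    return lo, hi

def check_number(value, upper, what):
    """Ports run 0-65535 and protocol numbers 0-255; 0 selects all."""
    n = int(value)
    if not 0 <= n <= upper:
        raise ValueError(f"{what} {n} is outside 0-{upper}")
    return n

def audit(networks):
    """Return (names covering every address, pairs of names that overlap)."""
    ranges = {name: parse_selector(sel) for name, sel in networks.items()}
    everything = parse_selector("0.0.0.0/0")
    wildcards = sorted(n for n, r in ranges.items() if r == everything)
    specific = sorted(n for n in ranges if n not in wildcards)
    overlaps = [(a, b) for i, a in enumerate(specific) for b in specific[i + 1:]
                if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
    return wildcards, overlaps

# Constructed sample: hypothetical site names, addresses in the page's notations
SAMPLE = {
    "branch-a": "172.16.5.0/24",
    "branch-b": "172.16.5.0/255.255.255.0",
    "lab": "192.168.10.[80-100]",
    "lab-printers": "192.168.10.90-192.168.10.120",
    "dialup": "0.0.0.0/0",
    "hq": "192.168.20.0/24",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each pair in the second list names two private networks that cannot be told apart by address alone, so the tunnels serving them need explicit selectors rather than the default.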
Auto Key