Ipsec Protocol Improvements; Support For Ike V2; Support For Dh-2048 (Group 14) - Fortinet FortiGate Series Administration Manual

What's new in FortiOS Version 4.0 MR1

IPsec protocol improvements

Support for IKE v2

Support for DH-2048 (Group 14)

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
All dashboard widgets are available for use in the VDOM dashboard except for License
Information, Alert Message Console, Top Viruses, and Top Attacks. The available widgets
differ from their global equivalents as follows:

Table 3: Differences between global and VDOM dashboard widgets

Widget               Differences with global widget
-------------------  ---------------------------------------------------------------
System information   Cannot enable/disable Virtual Domains.
                     No listing of current administrators.
CLI Console          User is logged into the current VDOM and cannot access global
                     configurations.
Unit Operation       Unit reboot and shutdown are not available.
                     Cannot configure management service or FortiAnalyzer unit.
                     No information about network ports.
Top Sessions         Shows only sessions for this VDOM.
Traffic History      Can select only interfaces or VLANs belonging to this VDOM.
FortiOS 4.0 MR1 supports IKEv2 (RFC 4306); previous versions of FortiOS supported only
IKEv1. IKEv2 is available for route-based (IPsec interface mode) VPNs only. Most IKEv1
configurations also work using IKEv2, except that:
Extended Authentication (XAUTH) is not available.
Except for dialup server configurations, "selector narrowing" is not supported, so the
Phase 2 selectors must match on both peers.
IKEv2 has no equivalent of aggressive mode, so the FortiGate cannot match the gateway by ID.
Also, FortiGate HA does not provide stateful failover for IKEv2: after a failover, IKEv2
VPNs must reconnect.
In the web-based manager, the IKE Version selection is visible in Phase 1 advanced
settings when Enable IPsec Interface Mode is enabled.
In the CLI, you select the IKE version as follows:
    config vpn ipsec phase1-interface
        edit <gateway_name>
            set ike-version {1 | 2}
    end
The ike-version keyword is not available if mode is aggressive. When
ike-version is 2, the mode, mode-cfg, and xauthtype keywords are not available.
In Phase 1 and Phase 2 auto-key IPsec VPN configurations, Diffie-Hellman Group 14 is
available. Group 14 is the 2048-bit MODP group defined in RFC 3526, so the key exchange
uses a 2048-bit modulus. In previous releases of FortiOS, group 14 was available only in
FIPS-CC mode.
In the web-based manager, you go to VPN > IPsec > Auto Key to create Phase 1 or
Phase 2 configurations. For both Phase 1 and Phase 2, the Diffie-Hellman groups
selection is part of the Advanced settings.
In the CLI, the dhgrp keyword now accepts the value 14 when you edit a VPN
configuration in any of the following commands:
config vpn ipsec phase1
config vpn ipsec phase1-interface
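As an added example (not part of the FortiGate guide), the following CLI configuration combines the two settings described in this section: a route-based VPN to a static peer that uses ike-version 2 in Phase 1 and dhgrp 14 in both Phase 1 and Phase 2, followed by the static route that sends traffic into the tunnel interface. The interface name wan1, the peer address 203.0.113.10, the subnets, the object names, the aes256-sha1 proposal and the placeholder pre-shared key are assumptions; the firewall policies that permit traffic across the tunnel interface are not shown.

```text
# Added example, not from the FortiGate guide. Names, addresses, the proposal
# and the pre-shared key are placeholders; replace them for your deployment.

# Phase 1: interface-mode (route-based) gateway. IKEv2 is only offered on
# phase1-interface, and only when mode is not aggressive.
config vpn ipsec phase1-interface
    edit "to_branch"
        set interface "wan1"
        set type static
        set remote-gw 203.0.113.10
        set ike-version 2
        set proposal aes256-sha1
        set dhgrp 14
        set psksecret "replace-with-a-long-random-secret"
    next
end

# Phase 2: PFS with group 14. Selectors are fixed; with IKEv2 on this release
# they are not narrowed, so src-subnet/dst-subnet must mirror the peer's.
config vpn ipsec phase2-interface
    edit "to_branch_p2"
        set phase1name "to_branch"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Route the remote subnet into the tunnel interface created by Phase 1.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to_branch"
    next
end
```

The peer must propose group 14 as well, in both phases, or the negotiation fails at the first phase that disagrees on the group. Because this release does not narrow selectors for a static IKEv2 peer, the peer's Phase 2 selectors must be the exact mirror of the src-subnet and dst-subnet above; a wider or narrower subnet on one side results in no Phase 2 SA rather than a narrowed one. Leave mode at its default (main): the guide notes that ike-version cannot be set when mode is aggressive, and IKEv2 has no aggressive-mode equivalent.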