IPsec protocol improvements
Support for SHA256
config vpn ipsec phase2
config vpn ipsec phase2-interface
In FortiOS 4.0 MR1, you can use the SHA256 authentication digest, which is more secure
than the SHA1 and MD5 algorithms. The SHA256 option is available in the following
web-based manager locations:
• P1 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 1
• P2 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 2
• Authentication Algorithm, in VPN > IPsec > Manual Key > Create New
The equivalent settings in the CLI are:
• config vpn ipsec phase1 or config vpn ipsec phase1-interface
    edit <gateway_name>
    set proposal <encryption_combination>
  You can set the authentication portion of <encryption_combination> to SHA256,
  for example 3des-sha256.
• config vpn ipsec phase2 or config vpn ipsec phase2-interface
    edit <tunnel_name>
    set proposal <encryption_combination>
  You can set the authentication portion of <encryption_combination> to SHA256,
  for example 3des-sha256.
• config vpn ipsec manualkey
    edit <tunnel_name>
    set authentication <authentication_algorithm>
  You can set <authentication_algorithm> to sha256.
• config vpn ipsec manualkey-interface
    edit <tunnel_name>
    set auth-alg <authentication_algorithm>
  You can set <authentication_algorithm> to sha256.
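An added example, not from the Administration Guide: a Python check that reads a saved FortiOS configuration and lists every IPsec entry whose authentication digest is something other than SHA256, using the section and setting names listed above. The sample configuration and its entry names are constructed, and the config/edit/set/next/end layout of the saved file is an assumption.

```python
import shlex

# Section -> setting that carries the digest, as listed in the CLI settings above.
DIGEST_SETTING = {
    "phase1": "proposal", "phase1-interface": "proposal",
    "phase2": "proposal", "phase2-interface": "proposal",
    "manualkey": "authentication", "manualkey-interface": "auth-alg",
}

def audit(config_text):
    """Return (section, entry, setting, value) for each digest that is not SHA256.

    The digest is the part after the last '-' ("3des-sha256" -> "sha256"),
    or the whole value for the manual key settings ("md5").
    """
    findings, section, entry = [], None, None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # handles quoted entry names
        if not tokens:
            continue
        if tokens[0] == "config":
            name = tokens[-1] if tokens[1:-1] == ["vpn", "ipsec"] else None
            section = name if name in DIGEST_SETTING else None
        elif tokens[0] == "end":
            section = entry = None
        elif section and tokens[0] == "edit" and len(tokens) > 1:
            entry = tokens[1]
        elif section and tokens[:2] == ["set", DIGEST_SETTING[section]]:
            for value in tokens[2:]:  # a proposal may list several combinations
                if value.rsplit("-", 1)[-1].lower() != "sha256":
                    findings.append((section, entry, tokens[1], value))
    return findings

# Constructed sample, not taken from a real device backup.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "branch-gw"
        set proposal 3des-sha256 aes128-sha1
    next
end
config vpn ipsec manualkey
    edit "legacy"
        set authentication md5
    next
end
config vpn ipsec manualkey-interface
    edit "lab"
        set auth-alg sha256
    next
end
'''

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Each tuple names the section, the entry, and the exact value to change, so a mixed proposal such as the one on "branch-gw" is reported even though it also offers SHA256.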
What's new in FortiOS Version 4.0 MR1
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/