Adding a phase 1 configuration for an AutoIKE VPN | IPSec VPN
3 Enter a Gateway Name for the remote VPN peer.
The remote VPN peer can be either a gateway to another network or an individual client on the Internet.
The name can contain numbers
4 Select a Remote Gateway address type.
•If the remote VPN peer has a static IP address, select Static IP Address.
•If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User.
Depending upon the Remote Gateway address type you have selected, other fields become available.
Remote Gateway: Static IP Address
IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.
Remote Gateway: Dialup User
Peer Options: If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers by peer ID during phase 1 negotiation. For details, see step 2.
5 Select Aggressive or Main (ID Protection) mode.
When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden.
The VPN peers must use the same mode.
6 Configure the P1 Proposal.
Select up to three encryption and authentication algorithm combinations to propose for phase 1.
The VPN peers must use the same P1 proposal settings.
7 Select the DH Group(s).
Select one or more
As a general rule, the VPN peers should use the same DH Group settings.
8 Enter the Keylife.
The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.
9 For Authentication Method, select Preshared Key or RSA Signature.
•If you select Preshared Key, enter a preshared key that is shared by the VPN peers. The key must contain at least 6 printable characters and should be known only to network administrators. To protect against the
•If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 191.
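The GUI fields in steps 3 to 9 correspond to settings under `config vpn ipsec phase1` in the FortiGate CLI. The following is an added example and is not taken from this guide; the gateway name "branch_office", the peer address 203.0.113.10, the proposal list and the preshared key are made up for illustration, and the exact keywords (for example `authmethod psk` versus `rsa-signature`, and the accepted `dhgrp` values) should be checked against the CLI reference for the FortiOS release in use.

```fortios
config vpn ipsec phase1
    edit "branch_office"
        set type static
        set remote-gw 203.0.113.10
        set mode main
        set proposal aes256-sha1 3des-sha1
        set dhgrp 5
        set keylife 28800
        set authmethod psk
        set psksecret Zq7!vR3mT9#pL2xK
    next
end
```

Reading this against the steps: `type static` with `remote-gw` is the Static IP Address case of step 4 (the address is mandatory); `mode main` is the ID Protection choice of step 5, so the peer identities are not sent in the clear; `proposal` lists at most three encryption/authentication pairs for step 6; `dhgrp` and `keylife` (here 28800 seconds, inside the 120 to 172,800 range of step 8) are steps 7 and 8; and `authmethod psk` with `psksecret` is step 9, with a key well over the 6 printable characters minimum. For a Dialup User peer, the assumed equivalent is `set type dynamic` with no `remote-gw`, and, if the peer is to be identified by peer ID as described under Peer Options, a peer ID setting on both ends; the remote gateway must be configured with the same mode, proposal and DH group, since a mismatch in any of them causes phase 1 to fail.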
186 | Fortinet Inc. |