Fortinet 100 - page 187

IPSec VPN Adding a phase 1 configuration for an AutoIKE VPN

FortiGate-100 Installation and Configuration Guide 187

10 Optionally, enter the Local ID of the FortiGate unit.

The entry is required if the FortiGate unit is functioning as a client and uses its local ID

to authenticate itself to the remote VPN peer. (If you do not add a local ID, the

FortiGate unit will transmit its IP address.)

Configure the local ID only with pre-shared keys and aggressive mode. Do not

configure the local ID with certificates or main mode.

Configuring advanced options

1Select Advanced Options.

2Optionally, select a Peer Option.

Use the Peer Options to authenticate remote VPN peers by the ID that they transmit

during phase 1.

3Optionally, configure XAuth.

XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the

the FortiGate unit (the local VPN peer) is configured as an XAuth server, it will

authenticate remote VPN peers by referring to a user group. The users contained in

the user group can be configured locally on the FortiGate unit or on remotely located

LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it will

provide a user name and password when it is challenged.

Accept any peer ID Select to accept any peer ID (and therefore not authenticate

remote VPN peers by peer ID).

Accept this peer ID Select to authenticate a specific VPN peer or a group of VPN

peers with a shared user name (ID) and password (pre-shared

key). Also add the peer ID. Also add the peer ID.

Accept peer ID in dialup

group

Select to authenticate each remote VPN peer with a unique user

name (ID) and password (pre-shared key). Also select a dialup

group (user group).

Configure the user group prior to configuring this peer option.

XAuth: Enable as a Client

Name Enter the user name the local VPN peer uses to authenticate itself to the

remote VPN peer.

Password Enter the password the local VPN peer uses to authenticate itself to the

remote VPN peer.

XAuth: Enable as a Server

Encryption

method

Select the encryption method used between the XAuth client, the FortiGate

unit and the authentication server.

PAP— Password Authentication Protocol.

CHAP—Challenge-Handshake Authentication Protocol.

MIXED—Select MIXED to use PAP between the XAuth client and the

FortiGate unit, and CHAP between the FortiGate unit and the authentication

server.

Use CHAP whenever possible. Use PAP if the authentication server does not

support CHAP. (Use PAP with all implementations of LDAP and some

implementations of Microsoft RADIUS). Use MIXED if the authentication server

supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet

Remote VPN Client.).

Usergroup Select a group of users to be authenticated by XAuth. The individual users

within the group can be authenticated locally or by one or more LDAP or

RADIUS servers.

The user group must be added to the FortiGate configuration before it can be

selected here.