
IPSec VPN

AutoIKE IPSec VPNs


10 Optionally, enter the Local ID of the FortiGate unit.

The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.)

Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode.

Configuring advanced options

1 Select Advanced Options.

2 Optionally, select a Peer Option.

Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.

Accept any peer ID
    Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID).

Accept this peer ID
    Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.

Accept peer ID in dialup group
    Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option.

3 Optionally, configure XAuth.

XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level, after phase 1 has completed. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it authenticates remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it provides a user name and password when it is challenged.

XAuth: Enable as a Client

Name
    Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.

Password
    Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.

XAuth: Enable as a Server

Encryption method
    Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server. (Despite the field name, PAP and CHAP are password-authentication protocols, not ciphers. PAP presents the password itself to the authentication server, which is why an LDAP simple bind requires it; CHAP sends only a response to a server-issued challenge, so the password never leaves the client.)

    PAP: Password Authentication Protocol.

    CHAP: Challenge-Handshake Authentication Protocol.

    MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server. The FortiGate unit receives the password from the client and uses it to compute the CHAP response for the server.

    Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.)

Usergroup
    Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.

    The user group must be added to the FortiGate configuration before it can be selected here.
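The following model of the three XAuth methods is an added example, not code from this guide or from Fortinet. It models the exchange between an XAuth client, the FortiGate unit acting as XAuth server, and a back-end authentication server, to show why the guide's selection rule holds: CHAP needs a server that can verify a challenge response (which an LDAP simple bind cannot), MIXED lets the FortiGate unit answer the server's CHAP challenge on behalf of a client that only speaks PAP, and PAP is the fallback. The classes, the user database and the `choose_method`/`run_xauth` helpers are constructed for illustration; only the CHAP response computation (RFC 1994) is real, and the RADIUS and LDAP wire formats are not modelled.

```python
"""Model of XAuth PAP, CHAP and MIXED between client, FortiGate unit and auth server.

Added example; not Fortinet code. Classes and sample users are constructed.
"""
import hashlib
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthServer:
    """Back-end RADIUS- or LDAP-like server (constructed test double).

    An LDAP simple bind can only check a cleartext password, so an LDAP-like
    server is created with supports_chap=False.
    """

    def __init__(self, users: dict, supports_chap: bool):
        self.users = users                  # user name -> cleartext password
        self.supports_chap = supports_chap

    def verify_pap(self, name: str, password: str) -> bool:
        return self.users.get(name) == password

    def chap_challenge(self) -> bytes:
        if not self.supports_chap:
            raise ValueError("authentication server does not support CHAP")
        return os.urandom(16)

    def verify_chap(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        pw = self.users.get(name)
        return pw is not None and chap_response(identifier, pw.encode(), challenge) == response


class XAuthClient:
    """Remote VPN peer answering the FortiGate unit's XAuth request."""

    def __init__(self, name: str, password: str, supports_chap: bool):
        self.name, self.password, self.supports_chap = name, password, supports_chap

    def pap_credentials(self):
        return self.name, self.password     # with PAP the password itself leaves the client

    def chap_answer(self, identifier: int, challenge: bytes) -> bytes:
        if not self.supports_chap:
            raise ValueError("XAuth client does not support CHAP")
        return chap_response(identifier, self.password.encode(), challenge)


class FortiGateXAuthServer:
    """FortiGate unit configured as XAuth server with one of the three methods."""

    def __init__(self, method: str, auth_server: AuthServer):
        if method not in ("PAP", "CHAP", "MIXED"):
            raise ValueError("method must be PAP, CHAP or MIXED")
        self.method, self.auth_server = method, auth_server

    def authenticate(self, client: XAuthClient) -> bool:
        if self.method == "PAP":
            name, password = client.pap_credentials()
            return self.auth_server.verify_pap(name, password)
        identifier = 1
        challenge = self.auth_server.chap_challenge()
        if self.method == "CHAP":
            # Pure relay: the gateway forwards the challenge and never sees the password.
            response = client.chap_answer(identifier, challenge)
        else:
            # MIXED: PAP on the client leg, CHAP on the server leg. The gateway
            # holds the cleartext password and computes the CHAP response itself.
            _, password = client.pap_credentials()
            response = chap_response(identifier, password.encode(), challenge)
        return self.auth_server.verify_chap(client.name, identifier, challenge, response)


def choose_method(server_supports_chap: bool, client_supports_chap: bool) -> str:
    """The guide's rule: CHAP when possible, MIXED if only the server can, else PAP."""
    if not server_supports_chap:
        return "PAP"
    return "CHAP" if client_supports_chap else "MIXED"


def run_xauth(method: str, server_supports_chap: bool, client_supports_chap: bool,
              password: str = "s3cret!") -> str:
    """Run one XAuth exchange; returns 'accepted', 'rejected' or 'unsupported'."""
    server = AuthServer({"alice": "s3cret!"}, server_supports_chap)   # constructed user DB
    client = XAuthClient("alice", password, client_supports_chap)
    try:
        ok = FortiGateXAuthServer(method, server).authenticate(client)
    except ValueError:
        return "unsupported"
    return "accepted" if ok else "rejected"


if __name__ == "__main__":
    for srv, cli in ((True, True), (True, False), (False, False)):
        method = choose_method(srv, cli)
        print(f"server CHAP={srv} client CHAP={cli}: use {method} -> {run_xauth(method, srv, cli)}")
```

The `run_xauth` cases with an LDAP-like server (`server_supports_chap=False`) show that CHAP simply cannot complete there, and the MIXED case shows the cost of that mode: the FortiGate unit itself handles the cleartext password, which is the trade-off to weigh when the Fortinet Remote VPN Client (or any PAP-only client) must authenticate against a CHAP-capable RADIUS server.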

FortiGate-400 Installation and Configuration Guide

215