Chapter 11 IPsec VPN for FortiOS 5.0 : L2TP and IPsec (Microsoft VPN) : Configuring the FortiGate unit : Configuring IPsec
  
Configuring IPsec
The Microsoft VPN client uses IPsec for encryption. The configuration needed on the FortiGate unit is the same as for any other IPsec VPN with the following exceptions.
Transport mode is used instead of tunnel mode.
The encryption and authentication proposals must be compatible with the Microsoft client.
L2TP over IPsec is supported on the FortiGate unit using policy-based, not route-based configurations.
Configuring phase 1 - web-based manager
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2. Enter the following information and then select OK.
Name: Enter a name for this VPN, dialup_p1 for example.
Remote Gateway: Dialup User
Local Interface: Select the network interface that connects to the Internet. For example, port1.
Mode: Main (ID protection)
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. This key must also be entered in the Microsoft VPN client.
Advanced: Select Advanced to enter the following information.
Enable IPsec Interface Mode: This must not be selected.
P1 Proposal: Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
DH Group: 2
NAT Traversal: Enable
Dead Peer Detection: Enable
Configuring phase 1 - CLI
To create a phase 1 configuration called dialup_p1 on a FortiGate unit that has port1 connected to the Internet, you would enter:
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set interface port1
        set mode main
        set psksecret ********
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set nattraversal enable
        set dpd enable
end
Configuring phase 2 - web-based manager
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2.
2. Enter the following information and then select OK.
Name: Enter a name for this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration.
Advanced: Select Advanced to enter the following information.
P2 Proposal: Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
Enable replay detection: Enable
Enable perfect forward secrecy (PFS): Disable
Keylife: 3600 seconds
3. Make this a transport-mode VPN. You must use the CLI to do this. If your phase 2 name is dialup_p2, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set encapsulation transport-mode
end
Configuring phase 2 - CLI
To configure a phase 2 that works with the phase 1 configuration above, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set replay enable
        set pfs disable
        set keylifeseconds 3600
        set encapsulation transport-mode
end
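The phase 1 and phase 2 settings above are easy to get subtly wrong (interface mode left on, tunnel mode left as the phase 2 default, a proposal list the Microsoft client cannot negotiate). The following Python script is an added example, not Fortinet code or part of this handbook: it parses the config/edit/set/next/end CLI syntax used in this section and audits a configuration dump against the constraints the section states, namely that both phases sit in the policy-based tables, phase 1 is a dynamic main-mode dialup with NAT traversal and DPD enabled, phase 2 references that phase 1 and uses transport-mode encapsulation, and both proposal lists match the ones given for the Microsoft client. The sample configuration text, the entry names and the placeholder psksecret value are constructed for the example.

```python
"""Audit a FortiOS-style IPsec configuration for the L2TP/IPsec constraints
stated in this section (added example, not Fortinet code)."""
import shlex

# Constructed sample in the FortiOS CLI syntax shown above; the entry names
# and the placeholder psksecret value are assumptions made for this example.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit "dialup_p1"
        set type dynamic
        set interface "port1"
        set mode main
        set psksecret ENC REDACTED
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set nattraversal enable
        set dpd enable
    next
end
config vpn ipsec phase2
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set replay enable
        set pfs disable
        set keylifeseconds 3600
        set encapsulation transport-mode
    next
end
"""

# Proposal list this section gives for compatibility with the Microsoft client.
MS_CLIENT_PROPOSALS = ["aes256-md5", "3des-sha1", "aes192-sha1"]


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into
    {table_path: {entry_name: {key: [values]}}}.

    'end' is accepted directly inside an 'edit' block, as the snippets in this
    section write it, and nested 'config' sub-tables are tracked on a stack.
    Settings made outside any 'edit' are stored under the entry name None.
    """
    tables = {}
    stack = []          # saved (table, entry) frames for nested config blocks
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # shlex drops the quotes FortiOS adds
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append((table, entry))
            path = " ".join(args)
            table = path if entry is None else f"{table}/{entry}/{path}"
            entry = None
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = stack.pop()
    return tables


def audit_l2tp_ipsec(tables, p1_name, p2_name):
    """Return a list of findings; an empty list means the configuration matches
    what this section requires for the Microsoft L2TP/IPsec client."""
    findings = []
    # Policy-based tables only: interface-mode (route-based) VPNs live in
    # phase1-interface / phase2-interface, which L2TP over IPsec does not use.
    p1 = tables.get("vpn ipsec phase1", {}).get(p1_name)
    p2 = tables.get("vpn ipsec phase2", {}).get(p2_name)
    if p1 is None:
        findings.append(f"phase1 '{p1_name}' not found in policy-based table 'vpn ipsec phase1'")
    if p2 is None:
        findings.append(f"phase2 '{p2_name}' not found in policy-based table 'vpn ipsec phase2'")
    if findings:
        return findings

    expected = {
        "phase1": (p1, {"type": ["dynamic"], "mode": ["main"], "dhgrp": ["2"],
                        "nattraversal": ["enable"], "dpd": ["enable"]}),
        "phase2": (p2, {"phase1name": [p1_name], "encapsulation": ["transport-mode"],
                        "replay": ["enable"], "pfs": ["disable"],
                        "keylifeseconds": ["3600"]}),
    }
    for phase, (cfg, wants) in expected.items():
        for key, want in wants.items():
            if cfg.get(key) != want:
                findings.append(f"{phase} {key}: want {want}, got {cfg.get(key)}")
        if cfg.get("proposal") != MS_CLIENT_PROPOSALS:
            findings.append(f"{phase} proposal: want {MS_CLIENT_PROPOSALS}, got {cfg.get('proposal')}")
    if not p1.get("psksecret"):
        findings.append("phase1 psksecret is not set")
    return findings


def weak_algorithms(proposals):
    """Proposals in the list that rely on MD5, 3DES or a null cipher."""
    return [p for p in proposals if any(w in p.lower() for w in ("md5", "3des", "null"))]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for line in audit_l2tp_ipsec(cfg, "dialup_p1", "dialup_p2") or ["OK: matches the section"]:
        print(line)
    print("weak for compatibility:", weak_algorithms(MS_CLIENT_PROPOSALS))
```

Feed the script the output of a `show vpn ipsec phase1` / `show vpn ipsec phase2` dump in place of the constructed sample and any finding it prints is a setting that differs from what this section specifies. The `weak_algorithms` helper is there because two of the three proposals the Microsoft client needs (AES256-MD5 and 3DES-SHA1) use algorithms that are deprecated for new deployments; keeping them is a compatibility trade-off the audit should make visible rather than silently accept.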