Configuring Phase 1 and Phase 2 for both peers
This procedure applies to both peers. Repeat it on each FortiGate unit, using the correct remote IP address for each. You may vary the Phase 1 names if you wish, but this is optional; otherwise all steps are the same for each peer.
The phase 1 configuration defines the parameters that FortiGate_1 uses to authenticate FortiGate_2 and establish a secure connection. In this example, a preshared key is used to authenticate FortiGate_2. The same preshared key must be configured on both FortiGate units.
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters, and it should be known only to network administrators, since with preshared key authentication it is the only secret protecting the tunnel's peer authentication. For optimum protection against currently known attacks, use at least 16 randomly chosen alphanumeric characters.
At the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the remote peer. See “Phase 1 configuration”.
To create phase 1 to establish a secure connection with the remote peer
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 1.
3. Enter the following information, and select OK.
Name | Enter peer_1. A name to identify the VPN tunnel. This name appears in phase 2 configurations, security policies and the VPN monitor.
Remote Gateway | Select Static IP Address.
IP Address | Enter 172.20.0.2 when configuring FortiGate_1. Enter 172.18.0.2 when configuring FortiGate_2. This is the IP address of the remote peer's public interface.
Local Interface | Select wan1.
Enable IPsec Interface Mode | Select Advanced to see this setting. Enable IPsec Interface Mode to have the FortiGate unit create a virtual IPsec interface for a route-based VPN. Disable this option to create a policy-based VPN. For more information, see “Comparing policy-based or route-based VPNs”. After selecting OK, you cannot change this setting.
The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. See “Phase 2 configuration”.
To configure phase 2 settings
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 2.
3. Enter a Name of peer_1_p2.
4. Select peer_1 from the Phase 1 drop-down menu.
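As an added example (not part of the Fortinet documentation and not FortiOS code), the following Python script ties together the preshared key requirement stated above and the phase 1 and phase 2 procedure: it generates a preshared key that meets the stated minimum, checks a candidate key against those minimums, and renders the CLI equivalent of the GUI settings for each peer with the remote gateway address swapped as the procedure describes. The command names (config vpn ipsec phase1-interface / phase2-interface, set interface, set remote-gw, set psksecret, set phase1name) are the FortiOS CLI counterparts of the GUI fields for a route-based tunnel (IPsec Interface Mode enabled). The proposal, DH group and PFS values are assumed hardening choices, not settings this page specifies; the addresses 172.18.0.2 and 172.20.0.2 are taken from the IP Address field above.

```python
"""Added example: PSK generation/validation and per-peer FortiOS CLI rendering.

Not from the FortiGate documentation. Proposal, dhgrp and pfs values below are
assumed example choices; adjust them to your own policy.
"""
import secrets
import string
from typing import Tuple

ALNUM = string.ascii_letters + string.digits

# Topology from the procedure: each peer's wan1 address is the other's remote gateway.
PEERS = {
    "FortiGate_1": {"local_ip": "172.18.0.2", "remote_ip": "172.20.0.2"},
    "FortiGate_2": {"local_ip": "172.20.0.2", "remote_ip": "172.18.0.2"},
}


def generate_psk(length: int = 32) -> str:
    """Random alphanumeric preshared key from the OS CSPRNG (secrets, never random)."""
    if length < 16:
        raise ValueError("page requires at least 16 randomly chosen alphanumeric characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def check_psk(psk: str) -> Tuple[bool, str]:
    """Enforce the page's stated minimums: printable, >= 6 chars, >= 16 alphanumerics."""
    if not psk.isprintable():
        return False, "non-printable character in key"
    if len(psk) < 6:
        return False, "shorter than 6 characters"
    alnum = sum(c in ALNUM for c in psk)
    if alnum < 16:
        return False, f"only {alnum} alphanumeric characters (need at least 16)"
    return True, "ok"


def render_config(peer: str, psk: str, p1_name: str = "peer_1",
                  p2_name: str = "peer_1_p2", interface: str = "wan1") -> str:
    """Render the phase 1 and phase 2 CLI for one peer of the procedure.

    The same PSK is used on both units; only remote-gw differs, exactly as the
    GUI procedure says to enter the other unit's public address.
    """
    ok, why = check_psk(psk)
    if not ok:
        raise ValueError(f"weak preshared key: {why}")
    remote = PEERS[peer]["remote_ip"]
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{p1_name}"',
        f'        set interface "{interface}"',        # Local Interface: wan1
        f"        set remote-gw {remote}",              # Remote Gateway: Static IP Address
        "        set proposal aes256-sha256",           # assumed example value
        "        set dhgrp 14",                         # assumed example value
        f"        set psksecret {psk}",
        "    next",
        "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{p2_name}"',
        f'        set phase1name "{p1_name}"',         # Phase 1 drop-down: peer_1
        "        set proposal aes256-sha256",           # assumed example value
        "        set pfs enable",                       # assumed example value
        "        set dhgrp 14",
        "    next",
        "end",
    ])


def remote_gw(config: str) -> str:
    """Pull the remote-gw value back out of a rendered config (used to verify symmetry)."""
    for line in config.splitlines():
        if line.strip().startswith("set remote-gw "):
            return line.split()[-1]
    raise ValueError("no remote-gw in config")


if __name__ == "__main__":
    key = generate_psk()
    for unit in PEERS:
        print(f"# ---- {unit} ----")
        print(render_config(unit, key))
```

The rendered text is only the phase 1 and phase 2 portion of the tunnel; a route-based tunnel still needs a static route over the IPsec interface and firewall policies, which this page's steps do not cover.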