Chapter 11 IPsec VPN for FortiOS 5.0 : Gateway-to-gateway configurations : Configuring the two VPN peers : Configuring Phase 1 and Phase 2 for both peers
  
Configuring Phase 1 and Phase 2 for both peers
This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.
The phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.
Before you define the phase 1 parameters, you need to:
Reserve a name for the remote gateway.
Obtain the IP address of the public interface to the remote peer.
Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters, and it should be known only to the network administrators. For optimum protection against currently known attacks, use at least 16 randomly chosen alphanumeric characters. Generate the key from a random source rather than choosing a memorable phrase: a preshared key is a symmetric secret, so anyone who knows it can authenticate as either gateway.
At the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the remote peer. See “Phase 1 configuration”.
To create phase 1 to establish a secure connection with the remote peer
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 1.
3. Enter the following information, and select OK.
Name: Enter peer_1. A name to identify the VPN tunnel. This name appears in phase 2 configurations, security policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Enter 172.20.0.2 when configuring FortiGate_1; enter 172.18.0.2 when configuring FortiGate_2. This is the IP address of the remote peer's public interface.
Local Interface: Select wan1.
Enable IPsec Interface Mode: Select Advanced to see this setting. Enable IPsec Interface Mode to have the FortiGate unit create a virtual IPsec interface for a route-based VPN. Disable this option to create a policy-based VPN. For more information, see “Comparing policy-based or route-based VPNs”. After selecting OK, you cannot change this setting.
The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. See “Phase 2 configuration”.
To configure phase 2 settings
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 2.
3. Enter a Name of peer_1_p2.
4. Select peer_1 from the Phase 1 drop-down menu.
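The following shell script is an added example and is not part of the Fortinet guide. It covers two points from this section at once: generating a preshared key that meets the "at least 16 random alphanumeric characters" rule, and rendering the FortiOS CLI equivalent of the phase 1 and phase 2 GUI steps for each peer so that both units receive the same key and the correct remote gateway address. The names (peer_1, peer_1_p2, wan1) and addresses (172.20.0.2, 172.18.0.2) are the ones used in this procedure; the key length of 24 is an assumption, and every option not set in the rendered CLI keeps the FortiOS default. The `phase1-interface`/`phase2-interface` tables are the CLI counterpart of enabling IPsec Interface Mode (route-based); a policy-based VPN uses `phase1`/`phase2` instead.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: generate a preshared key that
# meets the rule above (at least 16 random alphanumeric characters) and
# render the FortiOS CLI equivalent of the phase 1 / phase 2 GUI steps for
# each peer, so both units get the same key and the correct remote gateway.
# Names (peer_1, peer_1_p2, wan1) and addresses are the ones used in this
# section; everything not set here keeps the FortiOS default.

# gen_psk [LENGTH]: LENGTH random alphanumeric characters (default 24).
gen_psk() {
    len="${1:-24}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# psk_ok KEY: succeeds only if KEY is at least 16 characters long and
# contains nothing but alphanumerics (the "optimum protection" rule).
psk_ok() {
    [ "${#1}" -ge 16 ] &&
        [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9')" ]
}

# render_peer NAME LOCAL_IF REMOTE_IP PSK: CLI for a route-based tunnel.
# phase1-interface / phase2-interface correspond to "Enable IPsec Interface
# Mode" in the GUI; a policy-based VPN would use phase1 / phase2 instead.
# The phase 2 entry is named NAME_p2, as in the GUI procedure.
render_peer() {
    name="$1"; local_if="$2"; remote_ip="$3"; psk="$4"
    cat <<EOF
config vpn ipsec phase1-interface
    edit "$name"
        set interface "$local_if"
        set remote-gw $remote_ip
        set psksecret $psk
    next
end
config vpn ipsec phase2-interface
    edit "${name}_p2"
        set phase1name "$name"
    next
end
EOF
}

# render_both: one key, two peers. FortiGate_1's remote gateway is
# FortiGate_2's public address (172.20.0.2) and vice versa (172.18.0.2).
render_both() {
    psk="$(gen_psk 24)"
    psk_ok "$psk" || { echo "generated key does not meet the rule" >&2; return 1; }
    echo "# --- paste into FortiGate_1 ---"
    render_peer peer_1 wan1 172.20.0.2 "$psk"
    echo "# --- paste into FortiGate_2 ---"
    render_peer peer_1 wan1 172.18.0.2 "$psk"
}

render_both
```

Paste each rendered block into the corresponding unit's CLI. Because `psksecret` is entered once here and copied to both peers, the "same preshared key at both units" requirement is met by construction rather than by retyping the key twice.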