Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN in the web-based manager : Auto Key (IKE) : Phase 1 configuration
  
Phase 1 configuration
The basic phase 1 settings associate the IPsec phase 1 parameters with a remote gateway, specify whether a pre-shared key or a digital certificate is used for authentication, and specify whether a special identifier is used to identify the remote VPN peer or client.
Name
Type a name for the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN and 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
For a tunnel mode VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.
Remote Gateway
Select the category of the remote connection:
Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.
IP Address
If you selected Static IP Address, enter the IP address of the remote peer.
Dynamic DNS
If you selected Dynamic DNS, enter the domain name of the remote peer.
Local Interface
This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of the interface that you selected. Optionally, you can specify a unique IP address for the VPN gateway in the Advanced settings.
Mode
Main mode — the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
Aggressive mode — the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one phase 1 configuration for the interface IP address and these phase 1 configurations use different proposals.
Authentication Method
Select Preshared Key or RSA Signature.
Pre-shared Key
If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same key at the remote peer or client. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
Certificate Name
If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiOS User Authentication guide.
Peer Options
Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Accept any peer ID
Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.
You can use this option with RSA Signature authentication, but for the highest security, configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
Accept this peer ID
This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer’s administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the Advanced phase 1 configuration.
If the remote peer is a FortiClient user, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.
Accept peer ID in dialup group
Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes. Select the group from the list next to the Accept peer ID in dialup group option.
You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.
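The name-length, pre-shared key and Mode rules above interact once several phase 1 definitions share the same Local Interface IP address, and it is easy to plan a set of tunnels that the web-based manager will reject or that will fail to negotiate. The following pre-flight checker is an added example, not Fortinet's code and not a FortiOS feature: it encodes the constraints stated in this section (name limits for interface mode, policy-based and Dialup User definitions; the 6-character minimum and 16-character recommendation for the pre-shared key; the situations in which Aggressive mode is mandatory, including Accept this peer ID and dialup groups with unique IDs) so that a planned set of definitions can be checked before entry. The dataclass field names, the `max_dialup_tunnels` field and the sample definitions are this example's own assumptions, not FortiOS option names.

```python
"""Pre-flight checker for planned FortiOS 5.0 IPsec phase 1 definitions.

Added example (not Fortinet's code). Field names and the sample data are
assumptions made for the example; they are not FortiOS CLI or GUI names.
"""
from __future__ import annotations

import string
from collections import Counter
from dataclasses import dataclass

# "Printable" here means ASCII printable characters including the space,
# excluding control whitespace such as tab and newline.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


@dataclass
class Phase1:
    name: str
    remote_gateway: str          # "static", "dialup" or "ddns"
    local_interface_ip: str      # IP address of the selected Local Interface
    mode: str                    # "main" or "aggressive"
    auth: str                    # "psk" (Pre-shared Key) or "rsa" (RSA Signature)
    psk: str = ""
    interface_mode: bool = True  # True: route-based (interface mode); False: policy-based
    max_dialup_tunnels: int = 1  # assumed field: dialup tunnels this definition may establish
    peer_option: str = "any"     # "any", "this_id" or "dialup_group"
    unique_ids_and_psks: bool = False  # dialup-group clients use unique IDs AND unique keys
    proposal: str = "aes128-sha1"      # constructed label; only compared for equality


def max_name_length(p: Phase1) -> int:
    """15 characters in interface mode, 35 for policy-based; for Dialup User the
    limit drops by 2 for up to 9 tunnels, 3 for up to 99, 4 for up to 999, ..."""
    limit = 15 if p.interface_mode else 35
    if p.remote_gateway == "dialup":
        # number of digits needed to count the tunnels, plus one
        limit -= len(str(max(p.max_dialup_tunnels, 1))) + 1
    return limit


def check_psk(psk: str) -> list[str]:
    """Minimum: 6 printable characters. Recommended: at least 16 random characters."""
    if len(psk) < 6 or any(c not in PRINTABLE for c in psk):
        return ["error: pre-shared key needs at least 6 printable characters"]
    if len(psk) < 16:
        return ["warning: recommended key is at least 16 randomly chosen alphanumeric characters"]
    return []


def validate(defs: list[Phase1]) -> dict[str, list[str]]:
    """Return {phase 1 name: [findings]} for every definition that has a finding."""
    dialup_per_ip = Counter(d.local_interface_ip for d in defs if d.remote_gateway == "dialup")
    phase1_per_ip = Counter(d.local_interface_ip for d in defs)
    proposals_per_ip: dict[str, set[str]] = {}
    for d in defs:
        proposals_per_ip.setdefault(d.local_interface_ip, set()).add(d.proposal)

    findings: dict[str, list[str]] = {}
    for d in defs:
        out: list[str] = []
        limit = max_name_length(d)
        if len(d.name) > limit:
            out.append(f"error: name is {len(d.name)} characters, limit is {limit}")
        if d.auth == "psk":
            out += check_psk(d.psk)
        if d.peer_option == "this_id" and d.mode != "aggressive":
            out.append("error: 'Accept this peer ID' is only available in Aggressive mode")
        if d.remote_gateway == "dialup" and d.mode != "aggressive":
            ip = d.local_interface_ip
            # Pre-shared key + more than one dialup phase 1 on this interface IP.
            if d.auth == "psk" and dialup_per_ip[ip] > 1:
                out.append("error: Aggressive mode required: several dialup phase 1 "
                           "definitions with pre-shared keys on this interface IP")
            # Certificate + several phase 1s on this interface IP using different proposals.
            if d.auth == "rsa" and phase1_per_ip[ip] > 1 and len(proposals_per_ip[ip]) > 1:
                out.append("error: Aggressive mode required: several phase 1 definitions "
                           "with different proposals on this interface IP")
            # Dialup group whose clients use unique identifiers and unique keys.
            if d.peer_option == "dialup_group" and d.unique_ids_and_psks:
                out.append("error: Aggressive mode required: dialup group clients use "
                           "unique identifiers and unique pre-shared keys")
        if out:
            findings[d.name] = out
    return findings


# Constructed sample definitions (not from any real FortiGate). Two dialup
# definitions share the interface IP 203.0.113.10, which triggers the Mode rule.
SAMPLE = [
    Phase1("branch_office", "static", "203.0.113.10", "main", "psk", psk="Zq8vT3mXa9KpL2wR"),
    Phase1("sales_dialup", "dialup", "203.0.113.10", "main", "psk", psk="secret",
           max_dialup_tunnels=50),
    Phase1("contractors", "dialup", "203.0.113.10", "aggressive", "psk", psk="n4Hs7QwE2rT9yU1k",
           peer_option="dialup_group", unique_ids_and_psks=True, max_dialup_tunnels=50),
    Phase1("remote_site_tokyo", "ddns", "203.0.113.10", "main", "rsa"),
]

if __name__ == "__main__":
    for name, problems in validate(SAMPLE).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Running the block lists two findings for `sales_dialup` (Main mode with a second dialup definition on the same interface IP, and a 6-character key that meets the minimum but not the recommendation) and one for `remote_site_tokyo` (17 characters against the 15-character interface-mode limit); `branch_office` and `contractors` pass. Treat the output as a planning aid only: the FortiGate unit itself enforces the hard limits, and the checker does not see the remote peer's configuration, so a matching Local ID and pre-shared key on the peer still has to be verified by hand.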
Advanced
Defines advanced phase 1 parameters. For more information, see Phase 1 advanced configuration settings.