Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN in the web-based manager : Auto Key (IKE) : Phase 1 advanced configuration settings
  
Phase 1 advanced configuration settings
You use the advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also select these advanced settings to ensure the smooth operation of phase 1 negotiations.
To configure Phase 1 settings, go to VPN > Auto Key (IKE) and select Create Phase 1.
Enable IPsec Interface Mode
This is available in NAT mode only.
Create a virtual interface for the local end of the VPN tunnel. Select this option to create a route-based VPN, clear it to create a policy-based VPN.
IKE Version
Select the version of IKE to use. This is available only if IPsec Interface Mode is enabled. For more information about IKE v2, refer to RFC 4306.
IKE v2 is not available if Mode is Aggressive.
When IKE Version is 2, Mode and XAUTH are not available.
IPv6 Version
Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses. This is available only when Enable IPsec Interface Mode is selected and IPv6 Support is enabled in the administrative settings (System > Admin > Settings).
Local Gateway IP
If you selected Enable IPsec Interface Mode, specify an IP address for the local end of the VPN tunnel. Select one of the following:
Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.
Specify — Enter a secondary address of the interface selected in the phase 1 Local Interface field.
You cannot configure Interface mode in a transparent mode VDOM.
P1 Proposal
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
Select one of the following symmetric-key encryption algorithms:
DES — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which the plaintext is encrypted three times with three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
 
Select either of the following authentication message digests to check the authenticity of messages during phase 1 negotiations:
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.
DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. If no DH group matches, the negotiation fails.
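The P1 Proposal and DH Group matching rule above, as an added FortiOS CLI illustration (not taken from the FortiOS documentation): the two units are the two ends of one tunnel, the object names, the interface wan1 and the addresses 198.51.100.10 and 203.0.113.1 are assumed placeholders, and the attribute names (proposal, dhgrp, keylife, psksecret) are the phase1-interface CLI keywords that correspond to the GUI fields on this page. Lines beginning with # are annotations for the reader, not part of the configuration.

```text
# Unit A (added example): offers two AES/SHA-256 proposals and DH group 14.
config vpn ipsec phase1-interface
    edit "to_B"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set keylife 28800
        set psksecret <pre-shared-key>
    next
end

# Unit B, mismatched (added example): 3DES/SHA1 with DH group 5 overlaps with
# nothing unit A offers, so phase 1 fails. Unit A does not need to be
# weakened to fix this.
config vpn ipsec phase1-interface
    edit "to_A"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set proposal 3des-sha1
        set dhgrp 5
        set keylife 28800
        set psksecret <pre-shared-key>
    next
end

# Unit B, corrected (added example): at least one proposal (aes128-sha256)
# and one DH group (14) now match unit A, which is all the rule requires.
config vpn ipsec phase1-interface
    edit "to_A"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set proposal aes128-sha256
        set dhgrp 14
        set keylife 28800
        set psksecret <pre-shared-key>
    next
end
```

The keylife does not have to match for phase 1 to come up, but the pre-shared key and at least one proposal and DH group do; after the change, "diagnose vpn ike gateway list" on either unit is the quick check that the gateway is established.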
Keylife
Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID
If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this Fortinet dialup client), set Mode to Aggressive.
Note that this Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
XAuth
This option supports the authentication of dialup clients. It is available for IKE v1 only.
Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, enter the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit.
You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server.
Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.
Username
Enter the user name that is used for authentication.
Password
Enter the password that is used for authentication.
NAT Traversal
Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Keepalive Frequency
If you enabled NAT-traversal, enter a keepalive frequency setting.
Dead Peer Detection
Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.
With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval.
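The settings on this page map onto the phase1-interface CLI object that the last paragraph refers to. As an added example (not from the FortiOS documentation), the block below shows a route-based IKEv2 tunnel and a dialup-client variant under IKEv1; the object names, the interface wan1, the addresses 198.51.100.10 and 203.0.113.1, the identifier branch01 and all retry and keepalive values are assumed, and "set dpd enable" assumes the FortiOS 5.0 form of the DPD attribute (later releases use on-idle/on-demand). Lines beginning with # are annotations for the reader.

```text
# Route-based tunnel (added example). Using phase1-interface rather than
# phase1 is the CLI counterpart of Enable IPsec Interface Mode.
config vpn ipsec phase1-interface
    edit "hq_to_branch"
        set interface "wan1"
        # IKE Version 2: Mode and XAUTH do not apply, so they are not set.
        set ike-version 2
        # Local Gateway IP "Specify": a secondary address of wan1.
        # Omit local-gw to use the main interface IP instead.
        set local-gw 198.51.100.10
        set remote-gw 203.0.113.1
        # P1 Proposal, DH Group and Keylife (seconds, 120 to 172800).
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set keylife 28800
        # NAT Traversal with its Keepalive Frequency; the peer must use the
        # same NAT traversal setting.
        set nattraversal enable
        set keepalive 10
        # Dead Peer Detection, with the retry count and interval that are
        # available only in the CLI.
        set dpd enable
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set psksecret <pre-shared-key>
    next
end

# Dialup client (added example): IKEv1 with Aggressive mode, a Local ID that
# must equal the server's Peer ID, and XAuth as client.
config vpn ipsec phase1-interface
    edit "branch_dialup"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set localid "branch01"
        set xauthtype client
        set authusr "branch01"
        set authpasswd <xauth-password>
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
        set nattraversal enable
        set keepalive 10
        set dpd enable
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set psksecret <pre-shared-key>
    next
end
```

For a policy-based tunnel the same attributes are set under config vpn ipsec phase1, and the virtual interface is not created; the XAuth server side (xauthtype auto-server with a user group) belongs on the unit whose Remote Gateway is Dialup User, not on the client.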