Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN in the web-based manager : Auto Key (IKE) : Phase 2 advanced configuration settings
  
Phase 2 advanced configuration settings
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called P2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced phase 2 settings to enhance the operation of the tunnel.
P2 Proposal
Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the second Authentication field.
It is invalid to set both Encryption and Authentication to NULL.
Encryption
Select one of the following symmetric-key algorithms:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block CBC algorithm that uses a 192-bit key.
AES256 — a 128-bit block CBC algorithm that uses a 256-bit key.
Authentication
Select one of the following message digests to check the authenticity of messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
SHA384 — Secure Hash Algorithm 2, which produces a 384-bit message digest.
SHA512 — Secure Hash Algorithm 2, which produces a 512-bit message digest.
Enable replay detection
Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS)
Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group
Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Keylife
Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed, whichever comes first.
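The P2 Proposal, DH Group and Keylife rules above, modelled as a configuration check, as an added example (not Fortinet's code): at most three proposals, no NULL/NULL proposal, at least one proposal shared with the peer, matching DH groups when PFS is enabled, and the Seconds/KBytes/Both expiry rule. The Phase2 class, its sample keylife limits, and the treatment of a PFS on/off mismatch as no agreement are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Values the FortiOS 5.0 GUI offers for a phase 2 proposal, as listed on the page.
ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"NULL", "MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
DH_GROUPS = {1, 2, 5, 14}

@dataclass
class Phase2:
    proposals: list                  # up to three (encryption, authentication) pairs, best first
    pfs: bool = False
    dh_group: Optional[int] = None   # only used when pfs is True
    keylife_type: str = "Seconds"    # "Seconds", "KBytes" or "Both"
    keylife_seconds: int = 1800      # sample limits, not the product defaults
    keylife_kbytes: int = 5120

def validate(p2: Phase2) -> list:
    """Return the configuration errors the page describes; empty means valid."""
    errors = []
    if not 1 <= len(p2.proposals) <= 3:
        errors.append("between one and three proposals are required")
    for enc, auth in p2.proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            errors.append(f"unknown algorithm in proposal {enc}/{auth}")
        elif enc == "NULL" and auth == "NULL":
            errors.append("Encryption and Authentication may not both be NULL")
    if p2.pfs and p2.dh_group not in DH_GROUPS:
        errors.append("PFS requires DH group 1, 2, 5 or 14")
    return errors

def negotiate(local: Phase2, peer: Phase2) -> Optional[tuple]:
    """Simplified model of the exchange: the first local proposal the peer also offers wins.
    Assumption: PFS must be on or off on both sides, and if on, the DH groups must match."""
    if local.pfs != peer.pfs or (local.pfs and local.dh_group != peer.dh_group):
        return None
    for proposal in local.proposals:
        if proposal in peer.proposals:
            return proposal
    return None

def key_expired(p2: Phase2, age_seconds: int, kbytes_done: int) -> bool:
    """Keylife rule: Seconds, KBytes, or Both (Both expires on whichever limit is reached first)."""
    by_time = age_seconds >= p2.keylife_seconds
    by_volume = kbytes_done >= p2.keylife_kbytes
    if p2.keylife_type == "Seconds":
        return by_time
    if p2.keylife_type == "KBytes":
        return by_volume
    return by_time or by_volume
```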
Autokey Keep Alive
Select the check box if you want the tunnel to remain active when no data is being processed.
DHCP-IPSec
Provide IP addresses dynamically to VPN clients. This is available for phase 2 configurations associated with a dialup phase 1 configuration.
You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Accept peer ID in dialup group and select the appropriate user group. See “Phase 1 configuration”.
If the FortiGate unit acts as a dialup server and you have manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box causes the FortiGate unit to act as a proxy for the dialup clients.
Quick Mode Selector
Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.
Source address
If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, the source address must refer to the private network behind the Fortinet dialup client.
Source port
Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.
Destination address
Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port
Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.
Protocol
Enter the IP protocol number of the service. To specify all services, enter 0.
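The selector address formats and the port/protocol wildcard rule described above, as an added example (not Fortinet's code): a parser for the CIDR, dotted-mask, bracketed-range and first-last range forms, and a check of whether a given packet falls inside a selector, with port 0 and protocol 0 meaning "all". The selector and packets are constructed sample data.

```python
import ipaddress
import re

def parse_selector_address(text: str):
    """Parse one selector address in the forms the GUI accepts (CIDR, dotted mask,
    192.168.10.[80-100], or 192.168.10.80-192.168.10.100) into an inclusive
    (first, last) pair of IPv4Address values."""
    text = text.strip()
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]", text)
    if m:                                      # bracketed last-octet range
        return ipaddress.ip_address(m[1] + m[2]), ipaddress.ip_address(m[1] + m[3])
    if "-" in text:                            # explicit first-last range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)   # a/24, a/255.255.255.0, host/32, or 0.0.0.0/0
    return net.network_address, net.broadcast_address

def selector_matches(selector: dict, packet: dict) -> bool:
    """True when the packet falls inside the selector. As the page states, port 0 and
    protocol 0 mean "all", and 0.0.0.0/0 covers every address behind the peer."""
    for side in ("src", "dst"):
        lo, hi = parse_selector_address(selector[side])
        if not lo <= ipaddress.ip_address(packet[side]) <= hi:
            return False
    if selector["proto"] not in (0, packet["proto"]):
        return False
    return all(selector[p] in (0, packet[p]) for p in ("sport", "dport"))

# Constructed example: a site-to-site selector for HTTPS from the local LAN to the remote LAN.
SELECTOR = {"src": "172.16.5.0/255.255.255.0", "dst": "192.168.20.0/24",
            "sport": 0, "dport": 443, "proto": 6}

# Constructed packets: only the first should be protected by this phase 2 SA.
PACKETS = [
    {"src": "172.16.5.7", "dst": "192.168.20.9", "sport": 51000, "dport": 443, "proto": 6},
    {"src": "172.16.5.7", "dst": "192.168.20.9", "sport": 51001, "dport": 80, "proto": 6},
    {"src": "172.16.6.1", "dst": "192.168.20.9", "sport": 51002, "dport": 443, "proto": 6},
]

def protected_packets(selector: dict = SELECTOR, packets: list = PACKETS) -> list:
    """Indexes of the packets the selector would steer into the tunnel."""
    return [i for i, pkt in enumerate(packets) if selector_matches(selector, pkt)]

if __name__ == "__main__":
    print(protected_packets())   # [0]
```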