Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Overview
  
Overview
To configure IPsec phase 1 settings, go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1. IPsec phase 1 settings define:
• the remote and local ends of the IPsec tunnel
• whether phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• whether the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
• the IKE negotiation proposals for encryption and authentication
• optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.
For all the phase 1 web-based manager fields, see “Phase 1 configuration”.
To control how the IKE negotiation process behaves when there is no traffic, and how long the unit waits for negotiations to occur, use the negotiation-timeout and auto-negotiation commands in the CLI.
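The following is an added example, not part of the original handbook: a small Python audit that reads phase 1 entries from a configuration backup and reports the choices listed above (mode, authentication method, peer authentication, XAuth). The sample configuration is constructed, and the keyword names (mode, authmethod, peertype, xauthtype) and their defaults are assumptions about the CLI syntax rather than values taken from this page.

```python
import re

# Constructed sample in FortiOS CLI style (not from a real device).
SAMPLE = """
config vpn ipsec phase1
    edit "branch"
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set psksecret ENC placeholder
    next
    edit "dialup"
        set type dynamic
        set mode aggressive
        set proposal 3des-sha1 aes128-sha1
        set xauthtype auto
        set psksecret ENC placeholder
    next
end
"""

# Assumption: values in effect when a keyword is absent from the backup.
DEFAULTS = {"mode": "main", "authmethod": "psk", "peertype": "any", "xauthtype": "disable"}

def parse_phase1(text):
    """Return {tunnel name: {keyword: value}} for every phase 1 entry."""
    tunnels, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1"):  # also matches phase1-interface
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = tunnels.setdefault(line[5:].strip().strip('"'), dict(DEFAULTS))
        elif in_block and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return tunnels

def findings(tunnels):
    """Flag the phase 1 choices that weaken authentication, per tunnel."""
    out = []
    for name, cfg in tunnels.items():
        if cfg["mode"] == "aggressive" and cfg["authmethod"] == "psk":
            out.append((name, "aggressive mode with preshared key: authentication information is not encrypted"))
        if cfg["peertype"] == "any" and cfg["xauthtype"] == "disable":
            out.append((name, "no peer ID, peer certificate or XAuth requirement configured"))
    return out
```

Calling `findings(parse_phase1(SAMPLE))` on the constructed sample flags "branch" for having no peer authentication requirement and "dialup" for aggressive mode with a preshared key.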