Name | Enter a name that reflects the origin of the remote connection. For interface mode, the name can be up to 15 characters long. |
Remote Gateway | Select the nature of the remote connection. Each option changes the available fields you must configure. For more information, see “Defining the tunnel ends”. |
Local Interface | Select the interface that is the local end of the IPsec tunnel. For more information, see “Defining the tunnel ends”. The local interface is typically the WAN1 port. |
Mode | Select a mode. It is easier to use aggressive mode. • In Main mode, parameters are exchanged in multiple encrypted rounds. • In Aggressive mode, parameters are exchanged in a single unencrypted message. Aggressive mode must be used when the remote VPN peer or client has a dynamic IP address, or when the remote VPN peer or client will be authenticated using an identifier (local ID). For more information, see “Choosing main mode or aggressive mode”. |
Authentication Method | Select RSA Signature. |
Certificate Name | Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must obtain and load the required server certificate before you can make this selection. See the FortiOS User Authentication guide. If you have not loaded any certificates, use the certificate named Fortinet_Factory. |
Peer Options | Peer options define the authentication requirements for remote peers or dialup clients. They are not for your FortiGate unit itself. |
Advanced | You can use the default settings for most phase 1 configurations. Changes are required only if your network requires them. These settings include IKE version, DNS server, P1 proposal encryption and authentication settings, and XAuth settings. See “Defining IKE negotiation parameters”. |
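
The following is an added example, not part of the original guide or Fortinet's own tooling: a small Python audit that reads phase 1 definitions from configuration text and lists tunnels whose name exceeds the 15-character interface-mode limit, that use aggressive mode, or that still rely on the fallback Fortinet_Factory certificate. It assumes the FortiOS CLI section `config vpn ipsec phase1-interface` with the `mode` and `certificate` options, treats a missing `set mode` line as main mode, and does not handle nested `config` blocks; the tunnel names and the certificate name `hq-server-cert` are constructed.

```python
# Constructed sample configuration text (for example, a template under review);
# it does not come from a real device.
SAMPLE_CONFIG = '''\
config vpn ipsec phase1-interface
    edit "branch-office"
        set interface "wan1"
        set mode aggressive
        set authmethod signature
        set certificate "Fortinet_Factory"
    next
    edit "hq-to-datacenter-01"
        set interface "wan1"
        set authmethod signature
        set certificate "hq-server-cert"
    next
end
'''

def parse_phase1(text):
    """Return {tunnel_name: {option: value}} for the phase1-interface section."""
    tunnels, current, in_section = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        key, _, rest = stripped.partition(" ")
        if stripped == "config vpn ipsec phase1-interface":
            in_section = True
        elif not in_section:
            continue
        elif key == "edit":
            current = tunnels.setdefault(rest.strip().strip('"'), {})
        elif key == "next":
            current = None
        elif key == "end":
            in_section = False
        elif key == "set" and current is not None:
            opt, _, val = rest.partition(" ")
            current[opt] = val.strip().strip('"')
    return tunnels

def audit(tunnels):
    """List (tunnel, note) pairs for the settings described in the table."""
    findings = []
    for name, opts in tunnels.items():
        if len(name) > 15:
            findings.append((name, "name longer than 15 characters"))
        if opts.get("mode", "main") == "aggressive":  # assumption: main is the default
            findings.append((name, "aggressive mode: single unencrypted exchange"))
        if opts.get("certificate") == "Fortinet_Factory":
            findings.append((name, "uses fallback certificate Fortinet_Factory"))
    return findings

if __name__ == "__main__":
    for tunnel, note in audit(parse_phase1(SAMPLE_CONFIG)):
        print(f"{tunnel}: {note}")
```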