Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Authenticating the FortiGate unit : Authenticating the FortiGate unit with a pre-shared key
  
Authenticating the FortiGate unit with a pre-shared key
The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.
If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see “Enabling VPN access with user accounts and pre-shared keys”.
The pre-shared key must contain at least 6 printable characters and best practices dictate that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.
To authenticate the FortiGate unit with a pre-shared key
1. Go to VPN > IPsec > Auto Key (IKE).
2. Create a new phase 1 configuration or edit an existing phase 1 configuration.
3. Include appropriate entries as follows:
Name
Enter a name that reflects the origination of the remote connection.
Remote Gateway
Select the nature of the remote connection. For more information, see “Defining the tunnel ends”.
Local Interface
Select the interface that is the local end of the IPsec tunnel. For more information, see “Defining the tunnel ends”. The local interface is typically the WAN1 port.
Mode
Select Main or Aggressive mode.
In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
In Aggressive mode, the phase 1 parameters are exchanged in single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
For more information, see “Choosing main mode or aggressive mode”.
Authentication Method
Select Pre-shared Key.
Pre-shared Key
Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer options
Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see “Authenticating remote peers and clients”.
Advanced
You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters”.
4. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See “Using the FortiGate unit as an XAuth server”.
5. Select OK.