Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Defining IKE negotiation parameters
Defining IKE negotiation parameters
In phase 1, the two peers exchange keys to establish a secure communication channel between them. As part of the phase 1 process, the two peers authenticate each other and negotiate a way to encrypt further communications for the duration of the session. For more information see “Authenticating remote peers and clients”. The P1 Proposal parameters select the encryption and authentication algorithms that are used to generate keys for protecting negotiations.
The IKE negotiation parameters determine:
which encryption algorithms may be applied for converting messages into a form that only the intended recipient can read
which authentication hash may be used for creating a keyed hash from a preshared or private key
which Diffie-Hellman group (DH Group) will be used to generate a secret session key
Phase 1 negotiations (in main mode or aggressive mode) begin as soon as a remote VPN peer or client attempts to establish a connection with the FortiGate unit. Initially, the remote peer or dialup client sends the FortiGate unit a list of potential cryptographic parameters along with a session ID. The FortiGate unit compares those parameters to its own list of advanced phase 1 parameters and responds with its choice of matching parameters to use for authenticating and encrypting packets. The two peers handle the exchange of encryption keys between them, and authenticate the exchange through a preshared key or a digital signature.
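To make the matching step above concrete, here is an added model (not FortiOS code) of how a responder compares an initiator's proposal list against its own and reports weak choices. It assumes proposals are written in the FortiOS CLI style "<encryption>-<hash>" plus an integer DH group, that the responder walks the initiator's list in order and accepts the first proposal it also supports, and that the weak-algorithm sets are a defender's policy, not FortiOS defaults.

```python
from dataclasses import dataclass
from typing import Optional

# Defender policy (assumption, not a FortiOS default): treat these as weak.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Proposal:
    encryption: str  # e.g. "aes256"
    hash: str        # e.g. "sha256"
    dh_group: int    # e.g. 14


def parse_proposal(text: str, dh_group: int) -> Proposal:
    """Parse a FortiOS-style proposal string such as "aes256-sha256"."""
    enc, sep, h = text.lower().partition("-")
    if not sep or not enc or not h:
        raise ValueError(f"malformed proposal: {text!r}")
    return Proposal(enc, h, dh_group)


def select_proposal(initiator: list[Proposal],
                    responder: list[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also supports, else None."""
    accepted = set(responder)
    for candidate in initiator:
        if candidate in accepted:
            return candidate
    return None  # no common parameters: phase 1 fails


def weaknesses(p: Proposal) -> list[str]:
    """List the weak components of a proposal (empty list if none)."""
    found = []
    if p.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {p.encryption}")
    if p.hash in WEAK_HASH:
        found.append(f"hash {p.hash}")
    if p.dh_group in WEAK_DH_GROUPS:
        found.append(f"dh group {p.dh_group}")
    return found


if __name__ == "__main__":
    # Constructed sample lists: a dialup client offers two proposals, the
    # FortiGate side accepts only one of them.
    client = [parse_proposal("3des-md5", 2), parse_proposal("aes256-sha256", 14)]
    gateway = [parse_proposal("aes256-sha256", 14), parse_proposal("aes128-sha1", 5)]
    chosen = select_proposal(client, gateway)
    print("negotiated:", chosen, "weaknesses:", weaknesses(chosen) if chosen else "n/a")
```

Because the responder only ever accepts what is on its own list, removing weak entries from the gateway side is what prevents a downgrade, regardless of what the initiator offers first.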