Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters

Defining IKE negotiation parameters
1. Go to VPN > IPsec > Auto Key (IKE).
2. In the list, select the Edit button to edit the phase 1 parameters for a particular remote gateway.
3. Select Advanced, enter the appropriate values, and select OK:
P1 Proposal
Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
You can select any of these symmetric-key algorithms:
DES-Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES-Triple-DES, in which plaintext is encrypted three times by three keys.
AES128-A 128-bit block algorithm that uses a 128-bit key.
AES192-A 128-bit block algorithm that uses a 192-bit key.
AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select one of the following message digests to check the authenticity of messages during phase 1 negotiations:
MD5-Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA-256-Secure Hash Algorithm 256, which produces a 256-bit message digest.
SHA-384-Secure Hash Algorithm 384, which produces a 384-bit message digest.
SHA-512-Secure Hash Algorithm 512, which produces a 512-bit message digest.
To specify a third combination, use the add button beside the fields for the second combination.
SHA-256, SHA-384 and SHA-512 are not accelerated by some FortiASIC processors (including FortiASIC network processors and security processors). As a result, using SHA-256, SHA-384 or SHA-512 may reduce the performance of the FortiGate unit more significantly than SHA-1, which is accelerated by all FortiASIC processors.
DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. When using aggressive mode, DH groups cannot be negotiated.
If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.
When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or dialup client must be identical to one of the selections on the FortiGate unit.
If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or dialup client must be identical to the selections on the FortiGate unit.
Keylife
Type the amount of time (in seconds) that will be allowed to pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.
Nat-traversal
Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared). When in doubt, enable NAT-traversal. See “NAT traversal”.
Keepalive Frequency
If you enabled NAT traversal, enter a keepalive frequency. The value is the interval, from 0 to 900 seconds, at which the connection is kept alive when there is no other activity. For additional security, keep this value as low as possible. See “NAT keepalive frequency”.
Dead Peer Detection
Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. This feature minimizes the traffic required to check if a VPN peer is available or unavailable (dead). See “Dead peer detection”.
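As an added example (not FortiOS code or anything from the Fortinet documentation), the following Python encodes the constraints listed above so a FortiGate and its peer's phase 1 settings can be sanity-checked before they are applied; the Phase1 fields and the "encryption-digest" proposal string format are assumptions of the example, not FortiOS syntax.

```python
# Added example (not FortiOS code): a checker that applies the phase 1 rules
# from the text above to a FortiGate/peer pair before the settings are pushed.
from dataclasses import dataclass

ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256"}
DIGESTS = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {1, 2, 5}          # groups offered in this FortiOS release


@dataclass
class Phase1:                  # assumed field layout for this example
    proposals: list            # e.g. ["aes256-sha256", "aes128-sha1"]
    dhgrp: set                 # e.g. {5, 2}
    mode: str = "main"         # "main" or "aggressive"
    keylife: int = 28800       # seconds
    nattraversal: bool = True
    keepalive: int = 10        # seconds, only meaningful with NAT traversal
    static_ip: bool = True     # False for a dialup client / dynamic peer


def check_local(p: Phase1) -> list:
    """Return the rules the FortiGate's own phase 1 settings violate."""
    problems = []
    if not 1 <= len(p.proposals) <= 3:
        problems.append("select between one and three proposals")
    for prop in p.proposals:
        enc, _, dig = prop.partition("-")
        if enc not in ENCRYPTION or dig not in DIGESTS:
            problems.append(f"unknown proposal {prop!r}")
    if not p.dhgrp or not p.dhgrp <= DH_GROUPS:
        problems.append("DH groups must be one or more of 1, 2 and 5")
    if p.mode == "aggressive" and p.static_ip and len(p.dhgrp) != 1:
        problems.append("aggressive mode, static peers: select a single DH group")
    if not 120 <= p.keylife <= 172800:
        problems.append("keylife must be 120 to 172800 seconds")
    if p.nattraversal and not 0 <= p.keepalive <= 900:
        problems.append("keepalive frequency must be 0 to 900 seconds")
    return problems


def check_pair(fgt: Phase1, peer: Phase1) -> list:
    """Cross-check the FortiGate against the remote peer or dialup client."""
    problems = check_local(fgt)
    if not set(fgt.proposals) & set(peer.proposals):
        problems.append("peer uses none of the FortiGate's proposals")
    if not fgt.dhgrp & peer.dhgrp:
        problems.append("no DH group in common")
    if fgt.mode == "aggressive" and len(peer.dhgrp) != 1:
        problems.append("aggressive mode: peer must select exactly one DH group")
    if fgt.nattraversal != peer.nattraversal:
        problems.append("NAT traversal must be enabled on both or neither")
    return problems
```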