Chapter 11 IPsec VPN for FortiOS 5.0 : Phase 2 parameters : Configure the phase 2 parameters : Specifying the phase 2 parameters
  
Specifying the phase 2 parameters
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 2.
3. Enter a Name for the phase 2 configuration, and select a Phase 1 configuration from the drop-down list.
4. Select Advanced.
5. Include appropriate entries and select OK:
P2 Proposal
Select the encryption and authentication algorithms that will be used to protect the data sent through the tunnel.
Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to null.
Encryption
Select one of the following symmetric-key algorithms:
NULL — Do not use an encryption algorithm.
DES — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
Authentication
You can select either of the following message digests to check the authenticity of messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1, a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.
Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group
Select one Diffie-Hellman group (1, 2, 5, or 14). The remote peer or dialup client must be configured to use the same group.
Keylife
Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed, whichever comes first. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive
Enable the option if you want the tunnel to remain active when no data is being processed.
DHCP-IPsec
Select Enable if the FortiGate unit acts as a dialup server and a FortiGate DHCP server or relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP server or relay parameters must be configured separately.
If the FortiGate unit acts as a dialup server and the FortiClient dialup client VIP addresses match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.
This is available only for phase 2 configurations associated with a dialup phase 1 configuration. It works only on policy-based VPNs.
Quick Mode Selector
Optionally specify the source and destination IP address to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN.
Note that IKEv1 does not support the use of multiple addresses in selectors. Instead, use the default 0.0.0.0/0 subnet selector and rely on the firewall policy to limit destination addresses. Only use the Addressing objects if they are carried over from earlier versions of FortiOS.
If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. See the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.
Source address
If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local sender(s) or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, source address must refer to the private network behind the FortiGate dialup client.
Source port
Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. To specify all ports, type 0.
Destination address
Type the destination IP address that corresponds to the recipient(s) or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port
Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. To specify all ports, type 0.
Protocol
Type the IP protocol number of the service. The range is 1 to 255. To specify all services, type 0.
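The same phase 2 settings expressed as a FortiOS CLI entry for a site-to-site tunnel, added here as an example and not taken from this guide. The names branch_p2 and branch_p1 and the 172.16.5.0/24 and 192.168.20.0/24 subnets are constructed; apart from the src-addr-type and dst-addr-type keywords the text cites, the keywords used (phase1name, proposal, replay, pfs, dhgrp, keylife-type, keylifeseconds, keylifekbs, keepalive, src-subnet, dst-subnet, src-port, dst-port, protocol) are taken from the FortiOS CLI and should be checked against the FortiGate CLI Reference for your release; the # lines are explanatory comments.

```text
config vpn ipsec phase2
    edit "branch_p2"
        # Phase 1 configuration this phase 2 belongs to (constructed name)
        set phase1name "branch_p1"
        # P2 Proposal: one to three encryption-authentication pairs, strongest first.
        # The remote peer must be configured with at least one of them.
        # Pairs such as des-md5 or a null encryption/null authentication pair are avoided.
        set proposal aes256-sha1 aes128-sha1
        # Enable replay detection
        set replay enable
        # Enable perfect forward secrecy and pick the DH group (must match the peer)
        set pfs enable
        set dhgrp 14
        # Keylife: expire on seconds or KB, whichever comes first
        # (allowed ranges: 120-172800 seconds, 5120-2147483648 KB)
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 5120
        # Autokey Keep Alive: keep the tunnel up when no data is flowing
        set keepalive enable
        # Quick Mode Selector: network behind the local peer and behind the remote peer.
        # A dialup server would instead keep the default 0.0.0.0/0 on both sides.
        set src-addr-type subnet
        set src-subnet 172.16.5.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.20.0 255.255.255.0
        # 0 means all ports / all protocols
        set src-port 0
        set dst-port 0
        set protocol 0
    next
end
```

The remote peer's phase 2 must mirror this entry with src-subnet and dst-subnet swapped and the same DH group, PFS setting and at least one common proposal, otherwise quick mode negotiation fails.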