Configuring IPsec
The Microsoft VPN client uses IPsec for encryption. The configuration needed on the FortiGate unit is the same as for any other IPsec VPN, with the following exceptions:
• Transport mode is used instead of tunnel mode.
• The encryption and authentication proposals must be compatible with the Microsoft client.
L2TP over IPsec is supported on the FortiGate unit using policy-based, not route-based configurations.
Configuring Phase 1 - web-based manager
1. Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
Setting | Value
Name | Enter a name for this VPN, for example dialup_p1.
Remote Gateway | Dialup User
Local Interface | Select the network interface that connects to the Internet, for example port1.
Mode | Main (ID protection)
Authentication Method | Preshared Key
Pre-shared Key | Enter the preshared key. This key must also be entered in the Microsoft VPN client.
Advanced | Select Advanced to enter the following information.
Phase 1 Proposal | Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
Diffie-Hellman Group | 2
NAT Traversal | Enable
Dead Peer Detection | Enable
Configuring Phase 1 - CLI
To create a Phase 1 configuration called dialup_p1 on a FortiGate unit that has port1 connected to the Internet, you would enter:
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set interface port1
        set mode main
        set psksecret ********
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set nattraversal enable
        set dpd enable
end
Configuring Phase 2 - web-based manager
1. Open the Phase 2 Selectors panel.
2. Enter the following information and then select OK.
Setting | Value
Phase 2 Proposal | Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
Enable replay detection | Enable
Enable perfect forward secrecy (PFS) | Disable
Keylife | 3600 seconds
3. Make this a transport-mode VPN. You must use the CLI to do this. If your Phase 2 name is dialup_p2, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set encapsulation transport-mode
end
Configuring Phase 2 - CLI
To configure a Phase 2 (called dialup_p2) that works with the dialup_p1 Phase 1 configuration, you would enter:
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set replay enable
        set pfs disable
        set keylifeseconds 3600
        set encapsulation transport-mode
end
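The transport-mode step is easy to miss because it cannot be set from the web-based manager. As an added example (not Fortinet code), the following Python parses a phase1/phase2 CLI dump in the config/edit/set/next/end form shown above and reports every setting that deviates from this procedure; the sample dump is constructed and deliberately skips the transport-mode step and leaves PFS enabled.

```python
REQUIRED_P1 = {"type": "dynamic", "mode": "main", "dhgrp": "2",
               "nattraversal": "enable", "dpd": "enable"}
REQUIRED_P2 = {"encapsulation": "transport-mode", "pfs": "disable",
               "replay": "enable", "keylifeseconds": "3600"}
PROPOSALS = {"aes256-md5", "3des-sha1", "aes192-sha1"}  # pairs the page lists

def parse_fortios(text):
    """Map 'config X / edit Y / set K V' lines to {X: {Y: {K: V}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = cfg.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line in ("next", "end"):  # close the current entry
            entry = None
    return cfg

def check_l2tp_ipsec(text):
    """Return deviations from the L2TP/IPsec procedure; [] means it matches."""
    cfg, problems = parse_fortios(text), []
    p1s, p2s = cfg.get("vpn ipsec phase1", {}), cfg.get("vpn ipsec phase2", {})
    def verify(kind, name, obj, required):
        for key, want in required.items():
            if obj.get(key) != want:
                problems.append(f"{kind} {name}: {key}={obj.get(key)!r}, expected {want!r}")
        extra = set(obj.get("proposal", "").split()) - PROPOSALS
        if extra:
            problems.append(f"{kind} {name}: proposals outside the Microsoft-compatible set {sorted(extra)}")
    for name, p1 in p1s.items():
        verify("phase1", name, p1, REQUIRED_P1)
    for name, p2 in p2s.items():
        if p2.get("phase1name") not in p1s:  # phase2 must reference an existing phase1
            problems.append(f"phase2 {name}: phase1name {p2.get('phase1name')!r} not defined")
        verify("phase2", name, p2, REQUIRED_P2)
    return problems

# Constructed dump: the page's settings, but the CLI-only transport-mode step was skipped and PFS left on.
SAMPLE = "\n".join([
    "config vpn ipsec phase1", "edit dialup_p1", "set type dynamic", "set mode main",
    "set proposal aes256-md5 3des-sha1 aes192-sha1", "set dhgrp 2",
    "set nattraversal enable", "set dpd enable", "next", "end",
    "config vpn ipsec phase2", "edit dialup_p2", "set phase1name dialup_p1",
    "set proposal aes256-md5 3des-sha1 aes192-sha1", "set replay enable",
    "set pfs enable", "set keylifeseconds 3600", "set encapsulation tunnel-mode", "next", "end"])
```

Running `check_l2tp_ipsec(SAMPLE)` lists the two phase2 deviations; an empty list means the dump matches every setting in the procedure.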