Chapter 23 WAN Optimization, Web Cache, Explicit Proxy, and WCCP
Peers and authentication groups

How FortiGate units process tunnel requests for peer authentication
When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer server-side FortiGate unit, the tunnel request includes the following information:
the client-side local host ID
the name of an authentication group, if included in the rule that initiates the tunnel
if an authentication group is used, the authentication method it specifies: pre-shared key or certificate
the type of tunnel (secure or not).
For information about configuring the local host ID, peers and authentication groups, see “Configuring peers” and “Configuring authentication groups”.
The authentication group is optional unless the tunnel is a secure tunnel. For more information, see “Secure tunneling”.
If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:
The server-side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
If a match is found, the server-side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
If the authentication methods match, the server-side FortiGate unit tests the peer acceptance settings in its copy of the authentication group.
If the setting is Accept Any Peer, the authentication is successful.
If the setting is Specify Peer, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the peer name in the server-side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
If the setting is Accept Defined Peers, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the server-side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.
If the tunnel request does not include an authentication group, authentication will be based on the client-side local host ID in the tunnel request. The server-side FortiGate unit searches its peer list to match the client-side local host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found, authentication fails.
If the server-side FortiGate unit successfully authenticates the tunnel request, the server-side FortiGate unit sends back a tunnel setup response message. This message includes the server-side local host ID and the authentication group that matches the one in the tunnel request.
The client-side FortiGate unit then performs the same authentication procedure as the server-side FortiGate unit did. If both sides succeed, tunnel setup continues.
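The server-side decision procedure above, and the client-side repeat of it against the tunnel setup response, as an added Python model. This is illustrative code written for this page, not FortiGate code and not part of the manual. The class names, the method labels "psk" and "cert", the acceptance labels "any", "specify" and "defined", the host IDs and the reason strings are all constructed for illustration; treating a secure tunnel that carries no authentication group as a failure is an assumption drawn from the note above that the group is only optional for non-secure tunnels.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AuthGroup:
    name: str
    method: str           # "psk" (pre-shared key) or "cert" (certificate); constructed labels
    peer_acceptance: str  # "any", "specify" or "defined"; constructed labels
    peer: Optional[str] = None  # single peer name consulted by "specify"


@dataclass
class UnitConfig:
    """The slice of one unit's WAN-opt configuration that the procedure reads."""
    local_host_id: str
    peers: Set[str] = field(default_factory=set)                    # the peer list
    auth_groups: Dict[str, AuthGroup] = field(default_factory=dict)  # name -> group


@dataclass
class TunnelMessage:
    """Tunnel request (client -> server) or tunnel setup response (server -> client)."""
    local_host_id: str                # sender's local host ID
    auth_group: Optional[str] = None  # authentication group name, if any
    auth_method: Optional[str] = None
    secure: bool = False


def authenticate(cfg: UnitConfig, msg: TunnelMessage) -> Tuple[bool, str]:
    """Receiving unit's authentication decision for one incoming message."""
    # Assumption: a secure tunnel must name an authentication group.
    if msg.secure and msg.auth_group is None:
        return False, "secure tunnel without authentication group"
    # No group in the message: decide on the peer list alone.
    if msg.auth_group is None:
        if msg.local_host_id in cfg.peers:
            return True, "local host ID found in peer list"
        return False, "local host ID not in peer list"
    # Step 1: the named group must exist in the receiver's own configuration.
    group = cfg.auth_groups.get(msg.auth_group)
    if group is None:
        return False, "no authentication group named %r" % msg.auth_group
    # Step 2: both sides' groups must use the same authentication method.
    if group.method != msg.auth_method:
        return False, "authentication method mismatch"
    # Step 3: apply the receiver's peer acceptance setting for that group.
    if group.peer_acceptance == "any":
        return True, "accept any peer"
    if group.peer_acceptance == "specify":
        if msg.local_host_id == group.peer:
            return True, "local host ID matches specified peer"
        return False, "local host ID does not match specified peer"
    if group.peer_acceptance == "defined":
        if msg.local_host_id in cfg.peers:
            return True, "local host ID found in peer list"
        return False, "local host ID not in peer list"
    return False, "unknown peer acceptance setting"


def setup_tunnel(client: UnitConfig, server: UnitConfig,
                 request: TunnelMessage) -> Tuple[bool, str]:
    """Server checks the request; the client then checks the response the same way."""
    ok, why = authenticate(server, request)
    if not ok:
        return False, "server: " + why
    # The response carries the server's local host ID and the matched group.
    response = TunnelMessage(server.local_host_id, request.auth_group,
                             request.auth_method, request.secure)
    ok, why = authenticate(client, response)
    if not ok:
        return False, "client: " + why
    return True, "tunnel setup continues"


# Constructed sample configuration; host IDs and group names are placeholders.
CLIENT = UnitConfig("branch-fgt", peers={"hq-fgt"},
                    auth_groups={"wanopt-psk": AuthGroup("wanopt-psk", "psk", "any")})
SERVER = UnitConfig("hq-fgt", peers={"branch-fgt"}, auth_groups={
    "wanopt-psk": AuthGroup("wanopt-psk", "psk", "defined"),
    "wanopt-cert": AuthGroup("wanopt-cert", "cert", "specify", peer="dc-fgt"),
})

if __name__ == "__main__":
    print(setup_tunnel(CLIENT, SERVER, TunnelMessage("branch-fgt", "wanopt-psk", "psk", True)))
```

Two points the model makes visible: Specify Peer compares against the single peer name stored on the group, while Accept Defined Peers compares against the whole peer list, so the two settings can give different answers for the same request; and because the client repeats the procedure on the response, both units must hold a group of the same name with the same method, and each must accept the other's local host ID, before tunnel setup continues.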