Configuring Phase 1 and Phase 2 for both peers
This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.
The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.
Before you define the Phase 1 parameters, you need to:
Reserve a name for the remote gateway.
Obtain the IP address of the public interface to the remote peer.
Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters, and best practice dictates that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See “Phase 1 configuration”.
To create Phase 1 to establish a secure connection with the remote peer
1. Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information, and select OK.
Name: Enter peer_1. A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Enter 172.20.0.2 when configuring FortiGate_1. Enter 172.18.0.2 when configuring FortiGate_2. The IP address of the remote peer public interface.
Local Interface: Select wan1.
The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See “Phase 2 configuration”.
To configure Phase 2 settings
1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
2. Enter a Name of peer_1_p2.
3. Select peer_1 from the Phase 1 drop-down menu.
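The following is an added example, not part of the original handbook: it generates one preshared key that follows the 16-character guidance above and renders matching Phase 1 and Phase 2 settings for both peers, so the key is identical on each unit and only the remote gateway address differs. The CLI stanzas are an assumed command-line equivalent of the GUI steps (interface-mode tunnel), and the function names are hypothetical.

```python
import secrets
import string

ALNUM = string.ascii_letters + string.digits
# Remote peer public IPs from the page's Phase 1 settings.
REMOTE_GW = {"FortiGate_1": "172.20.0.2", "FortiGate_2": "172.18.0.2"}

# Assumed CLI form of the GUI steps (interface-mode tunnel); not shown on the page.
TEMPLATE = """config vpn ipsec phase1-interface
    edit "peer_1"
        set interface "wan1"
        set remote-gw {remote_gw}
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "peer_1_p2"
        set phase1name "peer_1"
    next
end
"""


def generate_psk(length=16):
    """Draw `length` alphanumeric characters from the OS CSPRNG."""
    if length < 16:
        raise ValueError("use at least 16 randomly chosen characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def check_psk(key):
    """Grade a key by length and character set only; randomness cannot be tested."""
    if len(key) < 6 or not (key.isascii() and key.isprintable()):
        return "rejected"      # below the 6-printable-character minimum
    if len(key) >= 16 and key.isalnum():
        return "recommended"   # shape of the 16-character guidance
    return "weak"


def render_config(unit, psk):
    """Render the CLI for one peer; both peers must receive the same psk."""
    if check_psk(psk) != "recommended":
        raise ValueError("preshared key does not meet the 16-character guidance")
    return TEMPLATE.format(remote_gw=REMOTE_GW[unit], psk=psk)


if __name__ == "__main__":
    shared = generate_psk()
    for unit in REMOTE_GW:
        print(f"# paste on {unit}\n{render_config(unit, shared)}")
```

Run it on an administrator workstation and transfer each stanza to its unit over a trusted channel, since the output contains the key in clear text.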