Overview
To configure IPsec Phase 1 settings, go to VPN > IPsec > Tunnels and edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
IPsec Phase 1 settings define:
• The remote and local ends of the IPsec tunnel
• Whether Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• Whether a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• Whether the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, by peer certificate.
• The IKE negotiation proposals for encryption and authentication
• Optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.
For all the Phase 1 web-based manager fields, see “Phase 1 configuration”.
If you want to control how IKE is negotiated when there is no traffic, as well as the length of time the unit waits for negotiations to occur, use the negotiation-timeout and auto-negotiate commands in the CLI.
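As an added illustration, not taken from the Fortinet documentation, the Phase 1 choices listed above expressed in the FortiOS CLI: one static site-to-site tunnel and one dialup entry. Tunnel names, addresses, the peer object, user group and certificate name are constructed placeholders, the `#` comments are editorial rather than CLI syntax, and exact keywords should be confirmed with the CLI's `?` help for your FortiOS version.

```text
config vpn ipsec phase1-interface
    # Static site-to-site tunnel: local end is wan1, remote end is a fixed gateway
    edit "site-b-p1"
        set interface "wan1"
        set ike-version 1
        set type static
        set remote-gw 203.0.113.10          # constructed address (documentation range)
        set mode main                       # multi-round exchange, identities encrypted
        set authmethod psk
        set psksecret <preshared-key>       # placeholder, never a weak or shared-by-many value
        set peertype one                    # require the peer to present exactly this ID
        set peerid "site-b"
        set localid "site-a"
        set proposal aes256-sha256          # IKE encryption/authentication proposal
        set dhgrp 14
        set auto-negotiate enable           # bring the tunnel up without waiting for traffic
        set negotiate-timeout 30            # seconds to wait for a negotiation to complete
    next
    # Dialup entry: remote clients have no fixed address, so they authenticate by certificate
    # and each user additionally passes XAuth against a local user group
    edit "dialup-p1"
        set interface "wan1"
        set ike-version 1
        set type dynamic
        set mode main
        set authmethod signature
        set certificate "fgt-server-cert"   # constructed local certificate name
        set peertype peer                   # accept only the listed peer certificate object
        set peer "dialup-client-ca"         # constructed object from config user peer
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auth                  # FortiGate acts as XAuth server
        set authusrgrp "vpn-users"          # constructed user group checked by XAuth
    next
end
```

Leaving `peertype` at `any` on the dialup entry would let any holder of a certificate chaining to a trusted CA establish Phase 1, so the peer object restriction and XAuth are the two checks worth confirming in a review.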