Name | Enter a name that reflects the origination of the remote connection. |
Remote Gateway | Select the nature of the remote connection. For more information, see “Defining the tunnel ends”. |
Local Interface | Select the interface that is the local end of the IPsec tunnel. For more information, see “Defining the tunnel ends”. The local interface is typically the WAN1 port. |
Mode | Select Main or Aggressive mode. • In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. • In Aggressive mode, the Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. When the remote VPN peer or client has a dynamic IP address, or will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address. For more information, see “Choosing Main mode or Aggressive mode”. |
Authentication Method | Select Pre-shared Key. |
Pre-shared Key | Enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters, and best practice dictates that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. |
Peer options | Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see “Authenticating remote peers and clients”. |
Advanced | You can retain the default settings unless changes are needed to meet your specific requirements. See “Defining IKE negotiation parameters”. |
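
The key requirements in the Pre-shared Key row can be checked before a value is entered on both peers. The following Python sketch is an added example, not part of the FortiGate documentation or product: `generate_psk` and `review_phase1` are hypothetical helper names, and the repeated-character heuristic and the Aggressive mode failure rule are assumptions layered on top of the two length thresholds stated in the table.

```python
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
MIN_LEN = 6           # hard minimum from the Pre-shared Key row
RECOMMENDED_LEN = 16  # recommended minimum from the same row


def generate_psk(length=RECOMMENDED_LEN):
    """Return a random alphanumeric key drawn from the OS CSPRNG."""
    if length < RECOMMENDED_LEN:
        raise ValueError(f"length must be at least {RECOMMENDED_LEN}")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def review_phase1(mode, psk):
    """Return findings for a proposed Mode / Pre-shared Key pair ([] = none)."""
    printable = all(32 <= ord(c) <= 126 for c in psk)
    if len(psk) < MIN_LEN or not printable:
        return ["REJECT: key needs at least 6 printable characters"]
    findings = []
    if len(psk) < RECOMMENDED_LEN:
        findings.append("WEAK: shorter than 16 characters")
    # Heuristic (assumption): randomness cannot be proven from one string, but
    # a key with few distinct characters was almost certainly typed by hand.
    if len(set(psk)) < len(psk) / 2:
        findings.append("WEAK: many repeated characters, probably not random")
    # Local policy (assumption): Aggressive mode does not encrypt the
    # authentication information, so a weak key there is a hard failure.
    if findings and mode.lower() == "aggressive":
        findings.append("FAIL: weak key combined with Aggressive mode")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real keys.
    for mode, key in [("main", "abc"), ("aggressive", "vpn2024"),
                      ("aggressive", generate_psk())]:
        print(mode, repr(key), review_phase1(mode, key) or "OK")
```
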