Chapter 10 IPsec VPN : Phase 2 parameters : Configure the Phase 2 parameters : Specifying the Phase 2 parameters
  
Specifying the Phase 2 parameters
1. Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter a Name for the Phase 2 configuration, and select a Phase 1 configuration from the drop-down list.
4. Select Advanced.
5. Include the appropriate entries as follows:
Phase 2 Proposal
Select the encryption and authentication algorithms that will be used to protect the data sent through the tunnel (the ESP transform applied to each packet).
Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to null.
Encryption
Select a symmetric-key algorithm:
NULL — Do not use an encryption algorithm.
DES — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key. A 56-bit key can be recovered by exhaustive search, so DES should not be used for new tunnels.
3DES — Triple-DES; plain text is encrypted three times by three keys. Its 64-bit block size limits how much data should be sent under one key; prefer AES where the peer supports it.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
Authentication
You can select one of the following hash algorithms (applied as an HMAC) to verify the integrity and origin of packets during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5, a 128-bit message digest.
SHA1 — Secure Hash Algorithm 1, a 160-bit message digest.
SHA256, SHA384, SHA512 — SHA-2 variants producing 256-, 384- and 512-bit digests; see the performance note below.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.
SHA-256, SHA-384 and SHA-512 are not accelerated by some FortiASIC processors (including FortiASIC network processors and security processors). As a result, using SHA-256, SHA-384 and SHA-512 may reduce the performance of the FortiGate unit more significantly than SHA-1 which is accelerated by all FortiASIC processors.
Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. With replay detection enabled, the FortiGate unit tracks the ESP sequence number of each received packet and discards packets that are duplicates or that fall outside the anti-replay window.
Enable perfect forward secrecy (PFS)
Enable or disable PFS. Without PFS, each Phase 2 rekey derives its keys from the Phase 1 keying material, so an attacker who recovers the Phase 1 secret can also recover every Phase 2 key derived from it. Perfect forward secrecy (PFS) forces a fresh Diffie-Hellman exchange whenever the keylife expires, so each Phase 2 key is independent of the previous keys and of the Phase 1 secret.
Diffie-Hellman Group
Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). The remote peer or dialup client must be configured to use the same group. Groups 1 and 2 (768-bit and 1024-bit MODP) are too small to resist current attacks; use group 14 (2048-bit MODP) or higher unless the peer cannot support it.
Keylife
Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed, whichever comes first. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive
Enable the option if you want the tunnel to remain active when no data is being processed.
Auto-negotiate
Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
DHCP-IPsec
Select Enable if the FortiGate unit acts as a dialup server and FortiGate DHCP server or relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP server or relay parameters must be configured separately.
If the FortiGate unit acts as a dialup server and the FortiClient dialup client VIP addresses match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.
This is available only for Phase 2 configurations associated with a dialup Phase 1 configuration. It works only on policy-based VPNs.
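The GUI fields described above map onto the FortiGate CLI. The following is an added example, not taken from the FortiOS handbook, showing a weak Phase 2 definition beside a hardened one for an interface-based tunnel. The Phase 1 name "to_branch", the Phase 2 names and the two subnets are assumptions; the Phase 1 must already exist, and the lines beginning with # are explanatory comments to strip before pasting into the CLI.

```fortios
# Added example (not from the FortiOS handbook). Assumed names:
# Phase 1 "to_branch", Phase 2 "to_branch_p2_weak" / "to_branch_p2";
# assumed subnets 10.1.0.0/16 (local) and 10.2.0.0/16 (remote).
config vpn ipsec phase2-interface
    # Settings a practitioner should reject: 56-bit DES, MD5 HMAC,
    # no PFS, replay detection off, and the maximum 48-hour keylife.
    edit "to_branch_p2_weak"
        set phase1name "to_branch"
        set proposal des-md5 3des-sha1
        set pfs disable
        set replay disable
        set keylife-type seconds
        set keylifeseconds 172800
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    # Hardened equivalent of the GUI fields above.
    edit "to_branch_p2"
        set phase1name "to_branch"
        # Up to three proposals; the peer must match at least one.
        set proposal aes256-sha256 aes128-sha256
        # Fresh DH exchange (2048-bit MODP) at every rekey.
        set pfs enable
        set dhgrp 14
        set replay enable
        # Keep the SA up without traffic and renegotiate on expiry.
        set keepalive enable
        set auto-negotiate enable
        # "Both": rekey after one hour or 500 MB, whichever comes first.
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 512000
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
```

Only one of the two entries would normally exist; the weak one is shown so the difference is visible field by field. For a policy-based dialup tunnel the equivalent entry lives under config vpn ipsec phase2 instead, which is where the DHCP-IPsec option is set.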