Authenticating the FortiGate unit
The FortiGate unit can authenticate itself to remote peers or dialup clients using either a pre-shared key or an RSA Signature (certificate).
Authenticating the FortiGate unit with digital certificates
To authenticate the FortiGate unit using digital certificates, you must have the required certificates installed on the remote peer and on the FortiGate unit. The signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer. If you use certificates to authenticate the FortiGate unit, you can also require the remote peers or dialup clients to authenticate using certificates.
For more information about obtaining and installing certificates, see the FortiOS User Authentication guide.
To authenticate the FortiGate unit using digital certificates
- Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):
Name | Enter a name that reflects the origination of the remote connection. For interface mode, the name can be up to 15 characters long. |
Remote Gateway | Select the nature of the remote connection. Each option changes the available fields you must configure. For more information, see Authenticating the FortiGate unit. |
Local Interface | Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit. The local interface is typically the WAN1 port. |
Mode | Select a mode. It is easier to use Aggressive mode. In Main mode, parameters are exchanged in multiple encrypted rounds. In Aggressive mode, parameters are exchanged in a single unencrypted message. Aggressive mode must be used when the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID). For more information, see Authenticating the FortiGate unit. |
Authentication Method | Select Signature. |
Certificate Name | Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must obtain and load the required server certificate before this selection. See the FortiOS User Authentication guide. If you have not loaded any certificates, use the certificate named Fortinet_Factory. |
Peer Options | Peer options define the authentication requirements for remote peers or dialup clients. They are not for your FortiGate unit itself. See Authenticating the FortiGate unit. |
Advanced | You can use the default settings for most Phase 1 configurations. Changes are required only if your network requires them. These settings includes IKE version, DNS server, P1 proposal encryption and authentication settings, and XAuth settings. See Authenticating the FortiGate unit. |
- If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters in the Advanced section. See Authenticating the FortiGate unit.
- Select OK.
Authenticating the FortiGate unit with a pre-shared key
The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.
If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see Authenticating the FortiGate unit.
The pre-shared key must contain at least 6 printable characters and best practices dictate that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.
To authenticate the FortiGate unit with a pre-shared key
- Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):
Name | Enter a name that reflects the origination of the remote connection. |
Remote Gateway | Select the nature of the remote connection. For more information, see Authenticating the FortiGate unit. |
Local Interface | Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit. The local interface is typically the WAN1 port. |
Mode | Select Main or Aggressive mode. In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. In Aggressive mode, the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted. When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address. For more information, see Authenticating the FortiGate unit. |
Authentication Method | Select Pre-shared Key. |
Pre-shared Key | Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. |
Peer options | Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see Authenticating the FortiGate unit. |
Advanced | You can retain the default settings unless changes are needed to meet your specific requirements. See Authenticating the FortiGate unit. |
- If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See Authenticating the FortiGate unit.
- Select OK.