
Phase 2 – Fortinet 100A User Manual

Page 250


01-28007-0068-20041203

Fortinet Inc.

Phase 1 advanced settings

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.

When using aggressive mode, DH groups cannot be negotiated.

If both VPN peers have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or client.

When the VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.

If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or client must be identical to the selections on the FortiGate unit.

Keylife
Type the amount of time (in seconds) that will be allowed to pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.

Local ID
If you are using peer IDs for authentication, enter the peer ID that the local FortiGate unit will use to authenticate itself to remote VPN peers. If you are using certificates for authentication, select the distinguished name (DN) of the local certificate.

XAuth
If you select Enable as Client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote peer.

To select Enable as Server, you must first create user groups to identify the remote peers and dialup clients that need access to the network behind the FortiGate unit. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see the “Users and Authentication” chapter of the FortiGate Administration Guide. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Nat-traversal
Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared).

Keepalive Frequency
If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds.

Dead Peer Detection
Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

Phase 2

You configure phase 2 settings to specify the parameters for creating and maintaining a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings.

To configure phase 2 settings

1 Go to VPN > IPSEC > Phase 2.
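Returning to the phase 1 advanced settings table above: the DH group, keylife, NAT traversal and keepalive rules it states can be checked before a tunnel is brought up. The following script is an added example, not code from the Fortinet manual or from FortiOS; its field names are its own (not CLI keywords) and the sample values are constructed.

```python
# Added example, not from the Fortinet manual: check a phase 1 proposal against the
# negotiation rules the settings table states. Field names are this script's own,
# not FortiOS CLI keywords; the sample values below are constructed.
from dataclasses import dataclass

VALID_DH_GROUPS = {1, 2, 5}  # the groups the table offers


@dataclass
class Phase1:
    mode: str             # "main" or "aggressive"
    dh_groups: set        # DH groups selected on this side
    nat_traversal: bool   # NAT traversal enabled on this side
    keylife: int = 28800  # IKE key lifetime in seconds (assumed sample default)
    keepalive: int = 10   # keepalive interval in seconds, used only with NAT traversal


def check_phase1(fgt: Phase1, peer: Phase1, peer_static_ip: bool) -> list:
    """Return the problems found; an empty list means the two sides can negotiate."""
    problems = []
    if not fgt.dh_groups or not fgt.dh_groups <= VALID_DH_GROUPS:
        problems.append(f"DH groups must be chosen from {sorted(VALID_DH_GROUPS)}")
    if not 120 <= fgt.keylife <= 172800:
        problems.append(f"keylife {fgt.keylife}s is outside 120-172800")
    if fgt.nat_traversal and not 0 <= fgt.keepalive <= 900:
        problems.append(f"keepalive {fgt.keepalive}s is outside 0-900")
    if fgt.nat_traversal != peer.nat_traversal:
        problems.append("NAT traversal must be both selected or both cleared")
    if fgt.mode != peer.mode:
        problems.append("both sides must use the same IKE mode")
    elif fgt.mode == "aggressive":
        # Aggressive mode cannot negotiate the group: the peer offers exactly one,
        # and it has to match one of the FortiGate selections.
        if len(peer.dh_groups) != 1:
            problems.append("aggressive mode: peer must select exactly one DH group")
        if peer_static_ip and len(fgt.dh_groups) != 1:
            problems.append("aggressive mode with a static peer: select a single DH group")
        if not peer.dh_groups <= fgt.dh_groups:
            problems.append("aggressive mode: peer's DH group is not among the FortiGate selections")
    elif not fgt.dh_groups & peer.dh_groups:
        problems.append("main mode: no DH group in common")
    return problems


if __name__ == "__main__":
    # Constructed sample: dialup client with a dynamic address behind NAT, aggressive mode.
    fortigate = Phase1("aggressive", {1, 2, 5}, nat_traversal=True)
    client = Phase1("aggressive", {5}, nat_traversal=True)
    print(check_phase1(fortigate, client, peer_static_ip=False))  # []
    print(check_phase1(fortigate, client, peer_static_ip=True))   # one problem: static peer needs a single group
```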