Phase 2 – Fortinet 100A User Manual
Page 250
250
01-28007-0068-20041203
Fortinet Inc.
Phase 1 advanced settings
VPN
Phase 2
You configure phase 2 settings to specify the parameters for creating and maintaining
a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases,
you only need to configure the basic phase 2 settings.
To configure phase 2 settings
1
Go to VPN > IPSEC > Phase 2.
DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When using aggressive mode, DH groups cannot be negotiated.
•
If both VPN peers have static IP addresses and use aggressive mode,
select a single DH group. The setting on the FortiGate unit must be
identical to the setting on the remote peer or client.
•
When the VPN peer or client has a dynamic IP address and uses
aggressive mode, select up to three DH groups on the FortiGate unit and
one DH group on the remote peer or dialup client. The setting on the
remote peer or client must be identical to one of the selections on the
FortiGate unit.
•
If the VPN peer or client employs main mode, you can select multiple DH
groups. At least one of the settings on the remote peer or client must be
identical to the selections on the FortiGate unit.
Keylife
Type the amount of time (in seconds) that will be allowed to pass before the
IKE encryption key expires. When the key expires, a new key is generated
without interrupting service. The keylife can be from 120 to 172800 seconds.
Local ID
If you are using peer IDs for authentication, enter the peer ID that the local
FortiGate unit will use to authenticate itself to remote VPN peers.
If you are using certificates for authentication, select the distinguished name
(DN) of the local certificate.
XAuth
If you select Enable as Client, type the user name and password that the
FortiGate unit will need to authenticate itself to the remote peer.
To select Enable as Server, you must first create user groups to identify the
remote peers and dialup clients that need access to the network behind the
FortiGate unit. You must also configure the FortiGate unit to forward
authentication requests to an external RADIUS or LDAP authentication
server. For information about these topics, see the “Users and Authentication”
chapter of the FortiGate Administration Guide. Select a Server Type setting to
determine the type of encryption method to use between the FortiGate unit,
the XAuth client and the external authentication server, and then select the
user group from the User Group list.
Nat-traversal
Enable this option if a NAT device exists between the local FortiGate unit and
the VPN peer or client. The local FortiGate unit and the VPN peer or client
must have the same NAT traversal setting (both selected or both cleared).
Keepalive
Frequency
If you enabled NAT traversal, enter a keepalive frequency setting. The value
represents an interval from 0 to 900 seconds.
Dead Peer
Detection
Enable this option to reestablish VPN tunnels on idle connections and clean
up dead IKE peers if required.