
Fortinet FortiGate 100 User Manual


IPSec VPN

Adding a phase 1 configuration for an AutoIKE VPN

FortiGate-100 Installation and Configuration Guide


10 Optionally, enter the Local ID of the FortiGate unit.
The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit transmits its IP address as its identity instead.)
Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or with main mode.

Configuring advanced options

1 Select Advanced Options.

2 Optionally, select a Peer Option.
Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.

3 Optionally, configure XAuth.
XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level, in addition to the phase 1 peer authentication. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it authenticates remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remote LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it provides a user name and password when it is challenged.

Peer Options

Accept any peer ID: Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID).

Accept this peer ID: Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.

Accept peer ID in dialup group: Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option.

XAuth: Enable as a Client

Name: Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.

Password: Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.

XAuth: Enable as a Server

Encryption method: Select the authentication protocol used between the XAuth client, the FortiGate unit and the authentication server.
PAP: Password Authentication Protocol.
CHAP: Challenge-Handshake Authentication Protocol.
MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
Use CHAP whenever possible. Use PAP only if the authentication server does not support CHAP (use PAP with all implementations of LDAP, since an LDAP bind requires the plaintext password, and with some implementations of Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not (use MIXED with the Fortinet Remote VPN Client).

Usergroup: Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.
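Pulling the guidance on this page together as a check that can be run over a configuration export: the following Python is an added example, not code from the Fortinet manual. It parses FortiOS-style "config vpn ipsec phase1" blocks (the CLI keyword names localid, mode, authmethod, peertype, usrgrp, xauthtype and authusrgrp, and the sample configuration itself, are assumptions made for illustration; the page documents the web GUI only) and flags a local ID configured outside aggressive mode with pre-shared keys, a peer option that accepts any peer ID, a dialup peer option or XAuth server without a user group, and XAuth set to PAP. One further check is not from this page: it flags aggressive mode with a pre-shared key, because IKEv1 aggressive mode sends the ID payloads unencrypted and exposes the pre-shared-key hash to offline guessing.

```python
"""Audit FortiGate-style IKE phase 1 blocks for the pitfalls this page warns about.

Added example, not code from the Fortinet manual. The FortiOS-style CLI syntax
and keyword names used below are assumed for illustration.
"""
import re
from typing import Dict, List

Settings = Dict[str, str]

# Constructed sample configuration (not taken from the manual): three tunnels,
# two of which violate the page's guidance.
SAMPLE_CONFIG = """
config vpn ipsec phase1
    edit "branch-main-mode"
        set mode main
        set authmethod psk
        set localid "fgt100"
        set peertype any
        set xauthtype disable
    next
    edit "dialup-aggressive"
        set mode aggressive
        set authmethod psk
        set localid "fgt100"
        set peertype dialup
        set usrgrp "vpn-users"
        set xauthtype pap
        set authusrgrp "vpn-users"
    next
    edit "partner-certs"
        set mode main
        set authmethod signature
        set peertype one
        set peerid "partner-fw"
        set xauthtype chap
        set authusrgrp "partner-users"
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+"?(.*?)"?$')


def parse_phase1(text: str) -> Dict[str, Settings]:
    """Return {tunnel name: {setting: value}} for every edit ... next block."""
    tunnels: Dict[str, Settings] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2)
    return tunnels


def audit_tunnel(s: Settings) -> List[str]:
    """Apply the page's rules to one phase 1 block; defaults are assumed."""
    findings = []
    mode = s.get("mode", "main")          # assumed default
    auth = s.get("authmethod", "psk")     # assumed default: pre-shared key
    peertype = s.get("peertype", "any")   # assumed default: accept any ID
    xauth = s.get("xauthtype", "disable")
    if "localid" in s and (mode != "aggressive" or auth != "psk"):
        findings.append("localid set outside aggressive mode with pre-shared keys "
                        "(manual: do not use a local ID with certificates or main mode)")
    if peertype == "any":
        findings.append("peertype any: remote peers are not authenticated by their phase 1 ID")
    if peertype == "dialup" and not s.get("usrgrp"):
        findings.append("peertype dialup without a user group (configure the group first)")
    if xauth == "pap":
        findings.append("XAuth uses PAP: prefer CHAP unless the authentication server cannot do it")
    if xauth in ("pap", "chap", "auto") and not s.get("authusrgrp"):
        findings.append("XAuth server enabled without an XAuth user group")
    if mode == "aggressive" and auth == "psk":
        # Not from the manual: general IKEv1 property.
        findings.append("aggressive mode with PSK: IDs sent unencrypted, PSK hash exposed to offline guessing")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every tunnel in a configuration export."""
    return {name: audit_tunnel(s) for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Running the script against the constructed sample reports two findings for "branch-main-mode" (local ID in main mode, any peer ID accepted), two for "dialup-aggressive" (PAP, aggressive mode with a pre-shared key) and none for "partner-certs". Run it against a real export only after confirming the keyword names match the firmware in use.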