
Administration Guide

Configuring an IPsec VPN connection

To configure an IPsec VPN connection:
  1. On the Remote Access tab, click Configure VPN.
  2. Select IPsec VPN, then configure the following settings:

    Connection Name

    Enter a name for the connection.

    Description

    (Optional) Enter a description for the connection.

    Remote Gateway

    Enter the IP address or hostname of the remote gateway. You can configure multiple remote gateways; if one gateway is not available, the VPN connects to the next configured gateway.

    Authentication Method

    Select X.509 Certificate or Pre-shared Key from the dropdown list. When you select X.509 Certificate, select Prompt on connect or a certificate from the list.

    Authentication (XAuth)

    Select Prompt on login, Save login, or Disable. Available if IKE version 1 is selected.

    Authentication (EAP)

    Select Prompt on login, Save login, or Disable. Available if IKE version 2 is selected.

    Username

    If you selected Save login, enter the username to save for the login.

    Advanced Settings

    Configure the VPN settings and the phase 1 and phase 2 settings.

    VPN Settings

    IKE

    Select Version 1 or Version 2.

    Mode

    Available if IKE version 1 is selected. Select one of the following:

    • Main: Phase 1 parameters are exchanged in multiple rounds, and the authentication information is sent encrypted.
    • Aggressive: Phase 1 parameters are exchanged in a single message, and the authentication information is sent unencrypted. With a pre-shared key this exposes the identity and a PSK-derived hash to anyone who can capture the exchange, which allows offline guessing of the key.

    Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address and the remote VPN peer or client is authenticated using an identifier (local ID). In that case, use certificate authentication or a long, random pre-shared key.

    Options

    Select one of the following:

    • Mode Config: IKE Mode Config can configure the host IP address, domain, DNS and WINS addresses.
    • Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP address and the IP address and subnet values to assign. Select the checkbox to enable split tunneling.
    • DHCP over IPsec: DHCP over IPsec can assign an IP address, domain, DNS and WINS addresses. Select the checkbox to enable split tunneling.

    With split tunneling, only traffic for the remote networks goes through the tunnel; all other traffic leaves the client outside the VPN.

    Phase 1

    Select the encryption and authentication algorithms used to protect the phase 1 negotiation and the keys derived from it; add a second combination if required.

    You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

    IKE Proposal

    Select symmetric-key algorithms (encryption) and message digests (authentication) from the dropdown lists.

    DH Group

    Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, 14, 15, 16, 17, 18, 19 and 20. At least one of the DH groups selected on the remote peer or client must match one of the selections on the FortiGate unit; if no group matches, the negotiation fails. Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are considered weak; prefer group 14 or higher, or the elliptic-curve groups 19 and 20.

    Key Life

    Enter the time (in seconds) that must pass before the IKE (phase 1) key expires. When the key expires, a new key is negotiated without interrupting service. The key life can be from 120 to 172,800 seconds.

    Local ID

    Enter the local ID (optional). This local ID value must match the peer ID value given for the remote VPN peer’s peer options.

    Dead Peer Detection

    Select this checkbox to send dead peer detection probes on idle connections, so that a tunnel whose peer has stopped responding is torn down and re-established instead of being left hanging.

    NAT Traversal

    Select the checkbox if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

    Phase 2

    Select the encryption and authentication algorithms that are proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals you specify must match configuration on the remote peer.

    IKE Proposal

    Select symmetric-key algorithms (encryption) and message digests (authentication) from the dropdown lists.

    Key Life

    The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default unit is seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB has been processed, whichever comes first. A kilobyte limit bounds how much data is protected under one key regardless of tunnel speed. When the phase 2 key expires, a new key is generated without interrupting service.

    Enable Replay Detection

    Replay detection makes the unit check the sequence number of every IPsec packet against a sliding window of recently received packets. A duplicate of a packet already received, or a packet older than the window, is discarded; packets that arrive out of order but still fall inside the window are accepted. This stops an attacker who captures encrypted packets from re-injecting them into the tunnel.

    Enable Perfect Forward Secrecy (PFS)

    Select the checkbox to enable perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, so a fresh key is generated each time. Without PFS, phase 2 keys are derived from the phase 1 secret, and compromise of that secret exposes every phase 2 key derived from it.

    DH Group

    Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match the DH group the remote peer or dialup client uses. The same guidance applies as for phase 1: avoid groups 1, 2 and 5.

    +

    Select the add icon to add a new connection.

    -

    Select a connection and then select the delete icon to delete a connection.

  3. Click Save to save the VPN connection.
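The matching rules in the settings above (one or two proposals per phase, at least one proposal and one phase 1 DH group in common with the peer, a phase 1 key life between 120 and 172,800 seconds, a single phase 2 DH group when PFS is on) can be checked before you click Save. The following Python is an added example, not FortiClient or FortiGate code: the Profile, validate() and negotiate() names, the algorithm label strings and the sample client and gateway profiles are this example's own constructions. It also flags the weak choices discussed above (DH groups 1, 2 and 5, Aggressive mode with a pre-shared key, DES/3DES, MD5/SHA-1, phase 2 without PFS).

```python
"""Check an IPsec profile against the matching rules described above.

Added example, not FortiClient or FortiGate code. It models the limits the
settings enforce, flags weak choices, and simulates which proposal the peer
would accept. Algorithm labels are illustrative strings.
"""
from dataclasses import dataclass
from typing import Optional

WEAK_DH_GROUPS = {1, 2, 5}                 # 768/1024/1536-bit MODP: avoid
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DIGESTS = {"md5", "sha1"}
KEY_LIFE_MIN, KEY_LIFE_MAX = 120, 172_800  # phase 1 limits given above


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    digest: str       # e.g. "sha256"


@dataclass
class Phase1:
    proposals: list   # one or two Proposal objects, in preference order
    dh_groups: set    # one or more DH group numbers
    key_life: int     # seconds


@dataclass
class Phase2:
    proposals: list
    pfs: bool = False
    dh_group: Optional[int] = None   # the single group used when PFS is on


@dataclass
class Profile:
    ike_version: int    # 1 or 2
    auth: str           # "psk" or "cert"
    phase1: Phase1
    phase2: Phase2
    mode: str = "main"  # "main" or "aggressive"; IKEv1 only


def validate(p: Profile) -> list:
    """Return configuration errors and weak-setting warnings; empty means clean."""
    issues = []
    for name, props in (("phase1", p.phase1.proposals), ("phase2", p.phase2.proposals)):
        if not 1 <= len(props) <= 2:
            issues.append(f"{name}: select one or two proposals, not {len(props)}")
        for prop in props:
            if prop.encryption in WEAK_ENCRYPTION:
                issues.append(f"{name}: weak encryption {prop.encryption}")
            if prop.digest in WEAK_DIGESTS:
                issues.append(f"{name}: weak digest {prop.digest}")
    if not p.phase1.dh_groups:
        issues.append("phase1: select at least one DH group")
    for g in sorted(p.phase1.dh_groups & WEAK_DH_GROUPS):
        issues.append(f"phase1: weak DH group {g}")
    if not KEY_LIFE_MIN <= p.phase1.key_life <= KEY_LIFE_MAX:
        issues.append(f"phase1: key life {p.phase1.key_life}s outside {KEY_LIFE_MIN}..{KEY_LIFE_MAX}")
    if p.ike_version == 1 and p.mode == "aggressive" and p.auth == "psk":
        issues.append("phase1: aggressive mode with PSK sends the identity and a PSK-derived hash in clear")
    if p.phase2.pfs:
        if p.phase2.dh_group is None:
            issues.append("phase2: PFS enabled but no DH group selected")
        elif p.phase2.dh_group in WEAK_DH_GROUPS:
            issues.append(f"phase2: weak PFS DH group {p.phase2.dh_group}")
    else:
        issues.append("phase2: PFS disabled; phase 2 keys derive from the phase 1 secret only")
    return issues


def negotiate(client: Profile, gateway: Profile) -> dict:
    """Simulate the peer's match: the client's first proposal the gateway also lists wins."""
    if client.ike_version != gateway.ike_version:
        return {"ok": False, "reason": "IKE version mismatch"}
    p1 = next((x for x in client.phase1.proposals if x in gateway.phase1.proposals), None)
    if p1 is None:
        return {"ok": False, "reason": "no phase 1 proposal matches"}
    common = client.phase1.dh_groups & gateway.phase1.dh_groups
    if not common:
        return {"ok": False, "reason": "no phase 1 DH group matches"}
    p2 = next((x for x in client.phase2.proposals if x in gateway.phase2.proposals), None)
    if p2 is None:
        return {"ok": False, "reason": "no phase 2 proposal matches"}
    if client.phase2.pfs != gateway.phase2.pfs:
        return {"ok": False, "reason": "PFS setting differs"}
    if client.phase2.pfs and client.phase2.dh_group != gateway.phase2.dh_group:
        return {"ok": False, "reason": "phase 2 DH group differs"}
    # This example takes the largest common group; a real responder follows the
    # initiator's proposal order.
    return {"ok": True, "phase1": p1, "dh_group": max(common), "phase2": p2}


# Constructed sample: an IKEv2 certificate profile and the gateway it dials.
CLIENT = Profile(ike_version=2, auth="cert",
                 phase1=Phase1([Proposal("aes256", "sha256"), Proposal("aes128", "sha256")],
                               dh_groups={14, 19}, key_life=86400),
                 phase2=Phase2([Proposal("aes256", "sha256")], pfs=True, dh_group=14))
GATEWAY = Profile(ike_version=2, auth="cert",
                  phase1=Phase1([Proposal("aes128", "sha256")], dh_groups={14, 20}, key_life=86400),
                  phase2=Phase2([Proposal("aes256", "sha256")], pfs=True, dh_group=14))

if __name__ == "__main__":
    print(validate(CLIENT))           # [] for a clean profile
    print(negotiate(CLIENT, GATEWAY))
```

Run it as a script to see the clean profile pass and the negotiated parameters; the client's first phase 1 proposal is not in the gateway's list, so the second one is chosen, which is the "at least one proposal must match" rule in action.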

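What the Enable Replay Detection setting does on the receiving side is a sliding window over ESP sequence numbers (RFC 4303, Appendix A): the highest sequence number accepted so far plus a bitmap of which recent numbers have already been seen. The following Python is an added example, not FortiClient code; ReplayWindow, filter_packets() and the constructed packet sequence are this example's own. It shows that a late packet inside the window is still accepted, while a duplicate (a replayed capture) and a packet older than the window are dropped.

```python
"""Sliding-window anti-replay check as an IPsec receiver performs it (RFC 4303, Appendix A).

Added example, not FortiClient code. The receiver tracks the highest sequence
number accepted so far and a bitmap of the most recent `size` numbers. This
check runs only after the packet's integrity check (ICV) has passed, so an
attacker cannot advance the window with forged sequence numbers; the caller
is assumed to have done that verification.
"""


class ReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            # ESP sequence numbers run 1..2^32-1; the SA must be rekeyed before wrap.
            return False
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                    # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                    # already seen: replay, drop
        self.bitmap |= 1 << diff            # late but new: accept
        return True


def filter_packets(seqs, size=64):
    """Run already-authenticated packet sequence numbers through one window."""
    win = ReplayWindow(size)
    return [win.check(s) for s in seqs]


# Constructed sample: normal traffic, one reordered packet, a replay of packet 3,
# a burst that jumps past the window, a packet that is now too old, then more traffic.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 70, 6, 7, 80]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQS, filter_packets(SAMPLE_SEQS)):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```

Packet 4 arrives after 5 and is still accepted; the second copy of 3 is a replay and is dropped; after the jump to 70, packet 6 is 64 positions behind and falls outside a 64-entry window, while 7 is just inside it.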