User Guide

Configuring IPSec VPN

To configure IPSec VPN, you must create at least one IPSec phase 1 configuration and at least one IPSec phase 2 configuration.

Note

When creating a new IPSec interface, FortiPortal uses the IPSec interface name to check whether a normalization interface of that name already exists:

  • If the interface exists, FortiPortal creates a dynamic mapping for the targeted firewall device/VDOM.

  • Otherwise, FortiPortal creates both the normalization interface and the dynamic mapping.

When deleting an IPSec interface, FortiPortal removes the dynamic mapping from the normalization interface.

To create or edit an IPSec phase 1 configuration:
  1. In Security > Network, select IPSec Phase 1 from the VPN dropdown menu.

  2. Click Create or select a configuration and click Edit.

  3. In the form, enter the following information:

    Settings

    Guidelines

    Name

    Required. Enter a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

    Comments

    Enter an optional description. The value is a string with a maximum of 255 characters.

    Remote Gateway

    Required. Select Static IP Address, Dialup user, or Dynamic DNS.

    IP Address

    Required if you select Static IP Address as the Remote Gateway. Enter the IPv4 address.

    Dynamic DNS

    Optional if you select Dynamic DNS as the Remote Gateway. Enter the fully qualified domain name.

    Local Interface

    Required. Select an interface from the dropdown or select any.

    Mode

    Required. Select Main or Aggressive for the phase-1 mode.

    Authentication Method

    Required. Select Pre-shared Key or Signature for the authentication method.

    Pre-shared Key

    Required if Pre-shared Key is selected as the Authentication Method. Enter the pre-shared key. The key must contain at least 6 printable characters; for optimum protection against currently known attacks, use a minimum of 16 randomly chosen alphanumeric characters. Key strength matters most in Aggressive mode, where the PSK-derived authentication hash is exchanged before the channel is encrypted, so a short or guessable key can be recovered by offline guessing.

    Certificate Name

    If Signature is selected as the Authentication Method, this field is required. Select a certificate from the dropdown.

    Peer Options

    If the Mode is Aggressive, or Signature is selected as the Authentication Method, this field is available but optional. Select Any peer id, One peer id, Peer certificate, or Peer certificate group.

    Peer id

    If One peer id is selected in Peer Options, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

    Peer Certificate

    If Peer certificate is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate.

    Peer Certificate Group

    If Peer certificate group is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate group.

    Advanced (XAUTH, NAT-traversal, DPD)

    P1 Proposal

    Select the encryption and authentication algorithms. You can select more than one from the dropdown.

  4. Click Save.

To create or edit an IPSec phase 2 configuration:
  1. In Security > Network, select IPSec Phase 2 from the VPN dropdown menu.

  2. Click Create or select a configuration and click Edit.

  3. In the form, enter the following information:

    Settings

    Guidelines

    Tunnel Name

    Required. Enter a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

    Phase 1

    Required. Select an IPSec Phase-1 configuration.

    Advanced

    Diffie-Hellman Groups

    Required. Select one or more of the following Diffie-Hellman (DH) groups: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, and 32. At least one of the DH groups configured on the remote peer or client must match one of the selections on the firewall unit; if no group matches, negotiation fails. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected. Groups 1, 2, and 5 (768-, 1024-, and 1536-bit MODP) are weak by current standards; prefer group 14 or higher, or the elliptic-curve groups 19 to 21, unless the peer cannot negotiate them.

    Key Life

    Required. Select how the phase 2 key life is measured: Seconds, KBytes, or Both. The phase 2 SA is renegotiated when the limit is reached.

    • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
    • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
    • If Both is selected, type the number of seconds and the number of KB.

    DHCP-IPsec

    Optional. The default is deselected.

    Auto Keep Alive

    Optional. Enable Autokey Keep Alive to renegotiate the phase 2 SA even when there is no traffic. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down, and a new SA is not generated until traffic arrives. With Autokey Keep Alive selected, a new SA is negotiated regardless of traffic, so the tunnel stays up. The default is deselected.

    Quick Mode Selector

    Local Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Remote Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Local Port

    Enter the number of the local port. The default is 0, which matches any port. The maximum value is 65535.

    Remote Port

    Enter the number of the remote port. The default is 0, which matches any port. The maximum value is 65535.

    Protocol

    Enter the IP protocol number. The default is 0, which matches any protocol. The maximum value is 255.

  4. Click Save.
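The two procedures above define a set of form limits (name lengths, the 6- and 16-character pre-shared key thresholds, the supported DH groups and the single-group rule in aggressive mode, the key life ranges, the port and protocol ranges) that are easy to get wrong by hand. The following is an added example, not FortiPortal or Fortinet code: it checks a phase 1 and a phase 2 submission against those rules, flags weak choices (short PSK, DH groups 1, 2 and 5), and renders the FortiOS `config vpn ipsec phase1-interface` / `phase2-interface` settings the fields correspond to. The dictionary keys (`remote_gateway`, `keylife_type`, `peer_option`, and so on) are this example's own naming of the form fields, the sample submissions are constructed, and the rendered CLI illustrates the field-to-setting mapping rather than the exact configuration FortiPortal pushes through FortiManager.

```python
"""Check IPsec phase 1 / phase 2 form values against the limits in the tables above
and render the equivalent FortiOS CLI.  Added example, not FortiPortal or Fortinet
code: the rules are the form guidelines, the keywords are FortiOS `config vpn ipsec
phase1-interface` / `phase2-interface` settings, and the samples are constructed."""
import ipaddress

DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, 32}
WEAK_DH = {1, 2, 5}  # 768/1024/1536-bit MODP; flagged here as policy, not a form rule
GW_TYPE = {"static": "static", "dialup": "dynamic", "ddns": "ddns"}  # form -> `set type`


def check_phase1(p1):
    """Return the reasons the phase 1 form would be rejected or is weak ([] = fine)."""
    errs = []
    if not 1 <= len(p1["name"]) <= 15:
        errs.append("name must be 1-15 characters")
    if p1["remote_gateway"] == "static":
        try:
            ipaddress.IPv4Address(p1.get("ip", ""))
        except ValueError:
            errs.append("static remote gateway needs a valid IPv4 address")
    if p1["auth"] == "psk":
        psk = p1.get("psk", "")
        if len(psk) < 6 or not all(32 <= ord(c) < 127 for c in psk):
            errs.append("pre-shared key needs at least 6 printable characters")
        elif len(psk) < 16:  # aggressive mode exposes the PSK hash to offline guessing
            errs.append("pre-shared key shorter than the recommended 16 characters")
    elif not p1.get("certificate"):
        errs.append("signature authentication needs a certificate")
    if p1.get("peer_option") == "one" and not p1.get("peer_id"):
        errs.append("peer option 'one' needs a peer id")
    return errs


def check_phase2(p1, p2):
    """Return the reasons the phase 2 form would be rejected or is weak ([] = fine)."""
    errs = []
    if not 1 <= len(p2["name"]) <= 35:
        errs.append("tunnel name must be 1-35 characters")
    groups = set(p2["dhgrp"])
    if not groups or not groups <= DH_GROUPS:
        errs.append("select at least one supported DH group")
    if p1["mode"] == "aggressive" and p1["remote_gateway"] != "dialup" and len(groups) > 1:
        errs.append("aggressive mode with a static or DDNS gateway allows one DH group only")
    if groups & WEAK_DH:
        errs.append(f"weak DH groups {sorted(groups & WEAK_DH)}; prefer 14 or higher")
    kt = p2["keylife_type"]  # seconds | kbytes | both, as in the form
    for unit, lo, hi in (("seconds", 120, 172800), ("kbytes", 5120, 4294967295)):
        if kt in (unit, "both") and not lo <= p2.get(unit, 0) <= hi:
            errs.append(f"key life {unit} must be {lo}-{hi}")
    for side in ("local", "remote"):
        try:
            ipaddress.IPv4Network(p2[f"{side}_subnet"], strict=False)
        except ValueError:
            errs.append(f"{side} address is not a valid IPv4 subnet")
    for key, hi in (("local_port", 65535), ("remote_port", 65535), ("protocol", 255)):
        if not 0 <= p2.get(key, 0) <= hi:
            errs.append(f"{key} must be 0-{hi} (0 = any)")
    return errs


def block(table, name, settings):  # FortiOS `config ... edit ... next / end` wrapper
    return [f"config vpn ipsec {table}", f'    edit "{name}"', *(f"        {s}" for s in settings), "    next", "end"]


def render_cli(p1, p2):
    """Render the FortiOS CLI the two forms map to; the PSK value is never printed."""
    kt = {"seconds": "seconds", "kbytes": "kbs", "both": "both"}[p2["keylife_type"]]
    src, dst = (ipaddress.IPv4Network(p2[k], strict=False) for k in ("local_subnet", "remote_subnet"))
    s1 = [f'set interface "{p1["interface"]}"', f"set type {GW_TYPE[p1['remote_gateway']]}",
          f"set mode {p1['mode']}", f"set authmethod {p1['auth']}",
          f"set proposal {' '.join(p1['proposal'])}"]
    if p1["remote_gateway"] == "static":
        s1.append(f"set remote-gw {p1['ip']}")
    if p1.get("peer_option") == "one":
        s1 += ["set peertype one", f'set peerid "{p1["peer_id"]}"']
    s1.append("set psksecret <set-out-of-band>" if p1["auth"] == "psk"
              else f'set certificate "{p1["certificate"]}"')
    s2 = [f'set phase1name "{p1["name"]}"', f"set dhgrp {' '.join(map(str, sorted(p2['dhgrp'])))}",
          f"set keylife-type {kt}"]
    s2 += [f"set keylife{u} {p2[k]}" for u, k in (("seconds", "seconds"), ("kbs", "kbytes")) if kt in (u, "both")]
    if p2.get("keepalive"):  # the Auto Keep Alive checkbox
        s2.append("set keepalive enable")
    s2 += [f"set src-subnet {src.network_address} {src.netmask}",
           f"set dst-subnet {dst.network_address} {dst.netmask}",
           f"set src-port {p2.get('local_port', 0)}", f"set dst-port {p2.get('remote_port', 0)}",
           f"set protocol {p2.get('protocol', 0)}"]
    return "\n".join(block("phase1-interface", p1["name"], s1) + block("phase2-interface", p2["name"], s2))


# Constructed sample submissions: a weak one beside a hardened one.
WEAK_P1 = dict(name="branch1", interface="wan1", remote_gateway="static", ip="203.0.113.10",
               mode="aggressive", auth="psk", psk="secret1", proposal=["aes128-sha1"])
WEAK_P2 = dict(name="branch1-p2", dhgrp=[2, 5], keylife_type="seconds", seconds=43200,
               local_subnet="10.0.0.0/24", remote_subnet="10.1.0.0/24")
GOOD_P1 = dict(WEAK_P1, mode="main", auth="signature", certificate="branch1-cert",
               peer_option="one", peer_id="branch1.example", proposal=["aes256-sha256"])
GOOD_P2 = dict(WEAK_P2, dhgrp=[14, 19], keepalive=True)
```

Running `check_phase1(WEAK_P1) + check_phase2(WEAK_P1, WEAK_P2)` returns three findings (short PSK, two DH groups in aggressive mode with a static gateway, weak DH groups), while the hardened pair returns none; `render_cli(GOOD_P1, GOOD_P2)` prints the resulting phase 1 and phase 2 blocks. The PSK is deliberately never written into the rendered text, since the `psksecret` value belongs in the device, not in a generated file.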
