Fortinet FortiGate-200A Operating Instructions

VPN: Phase 1
FortiGate-300A Administration Guide 01-28006-0092-20041105, page 251
Configuring XAuth
XAuth authenticates users in a separate exchange held between Phases 1 and 2.
Encryption
The FortiGate unit supports the following encryption methods:
DES
3DES
AES128
AES192
AES256
Authentication
The FortiGate unit supports the following authentication methods:
MD5
SHA1
DH Group
Select one or more Diffie-Hellman groups from DH groups 1, 2, and 5.
When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
When the VPN peers employ main mode, you can select multiple DH groups.
Keylife
The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The Phase 1 proposal keylife can be from 120 to 172,800 seconds.
Local ID
If you are using peer IDs for authentication, enter the peer ID that the 
FortiGate unit will use to authenticate itself to remote VPN peers.
If you are using certificates for authentication, enter the distinguished name 
(DN) of the local certificate. 
XAuth
You can configure the FortiGate unit as an Extended Authentication (XAuth) 
client or an XAuth server. For more information, see 
Nat-traversal
Enable this option if you expect the IPSec VPN traffic to go through a gateway 
that performs NAT. If no NAT device is detected, enabling NAT traversal has 
no effect. Both ends of the VPN must have the same NAT traversal setting. If 
you enable NAT traversal you can set the keepalive frequency. NAT traversal 
is enabled by default.
Keepalive Frequency
If NAT Traversal is selected, enter the Keepalive Frequency in seconds.
The keepalive frequency specifies how frequently empty UDP packets are 
sent through the NAT device to ensure that the NAT mapping does not change 
until the IKE and IPSec keylife expires. 
The keepalive frequency can be from 0 to 900 seconds.
Dead Peer Detection
Enable this option to clean up dead VPN connections and establish new VPN connections. You can specify additional Dead Peer Detection (DPD) settings such as long idle, short idle, retry count and retry interval through the CLI. See .
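The DH group, keylife, NAT traversal and keepalive settings above each carry a constraint (a value range, or a limit on how many DH groups may be selected for a given IKE mode and role). The following script, added here as an example and not FortiGate code or the FortiGate CLI, checks a Phase 1 proposal against those constraints before it is committed, and separately flags algorithm choices that are accepted by the unit but are weak by today's standards (DES, 3DES, MD5, DH groups 1 and 2). The proposal dictionary layout, the role names ("static", "dialup-server", "dialup-client") and the function names are this example's own assumptions; the two sample proposals are constructed, not taken from any device.

```python
"""Check an IKE Phase 1 proposal against the value ranges and DH-group rules
described in the Phase 1 settings table.

Added example: not FortiGate code and not the FortiGate CLI. The proposal
dictionary layout, the role names and the function names are assumptions
made here so the documented rules can be exercised offline.
"""

ENCRYPTION_METHODS = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION_METHODS = {"MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}
KEYLIFE_RANGE = (120, 172_800)   # seconds, Phase 1 proposal keylife
KEEPALIVE_RANGE = (0, 900)       # seconds, NAT-traversal keepalive

# Allowed number of selected DH groups per (IKE mode, role): (min, max),
# with max None meaning "no upper limit" (main mode).
DH_GROUP_COUNT = {
    ("main", "static"): (1, None),
    ("main", "dialup-server"): (1, None),
    ("main", "dialup-client"): (1, None),
    ("aggressive", "static"): (1, 1),         # single matching group
    ("aggressive", "dialup-server"): (1, 3),  # up to three groups
    ("aggressive", "dialup-client"): (1, 1),  # one group for the dialup user
}

# Choices the unit accepts but a reviewer should flag; stronger options exist
# in the same lists (AES, SHA1, DH group 5).
WEAK_CHOICES = {
    "encryption": {"DES": "56-bit key, brute-forceable",
                   "3DES": "deprecated by NIST; prefer AES"},
    "authentication": {"MD5": "deprecated hash; prefer SHA1"},
    "dhgrp": {1: "768-bit MODP, too small",
              2: "1024-bit MODP; prefer group 5"},
}


def _in_range(value, bounds):
    low, high = bounds
    return low <= value <= high


def validate_phase1(proposal):
    """Return rule violations; an empty list means the proposal is consistent
    with the documented ranges and DH-group limits."""
    errors = []
    enc = proposal.get("encryption")
    if enc not in ENCRYPTION_METHODS:
        errors.append(f"unsupported encryption {enc!r}")
    auth = proposal.get("authentication")
    if auth not in AUTHENTICATION_METHODS:
        errors.append(f"unsupported authentication {auth!r}")

    groups = list(proposal.get("dhgrp", []))
    for g in groups:
        if g not in DH_GROUPS:
            errors.append(f"unsupported DH group {g}")
    key = (proposal.get("mode"), proposal.get("role"))
    if key not in DH_GROUP_COUNT:
        errors.append(f"unknown mode/role combination {key}")
    else:
        low, high = DH_GROUP_COUNT[key]
        if len(groups) < low or (high is not None and len(groups) > high):
            limit = "any number of" if high is None else f"{low}-{high}"
            errors.append(f"{key[0]} mode as {key[1]} allows {limit} "
                          f"DH group(s), got {len(groups)}")

    keylife = proposal.get("keylife", 0)
    if not _in_range(keylife, KEYLIFE_RANGE):
        errors.append(f"keylife {keylife}s outside {KEYLIFE_RANGE}")

    # Keepalive only applies when NAT traversal is enabled (the default).
    if proposal.get("nattraversal", True):
        keepalive = proposal.get("keepalive", 0)
        if not _in_range(keepalive, KEEPALIVE_RANGE):
            errors.append(f"keepalive {keepalive}s outside {KEEPALIVE_RANGE}")
    return errors


def weak_settings(proposal):
    """Return warnings for algorithm choices that are valid but weak."""
    warnings = []
    for field in ("encryption", "authentication"):
        reason = WEAK_CHOICES[field].get(proposal.get(field))
        if reason:
            warnings.append(f"{field} {proposal[field]}: {reason}")
    for g in proposal.get("dhgrp", []):
        reason = WEAK_CHOICES["dhgrp"].get(g)
        if reason:
            warnings.append(f"DH group {g}: {reason}")
    return warnings


# Constructed sample proposals (not taken from any real device).
GOOD = {"mode": "main", "role": "static", "encryption": "AES256",
        "authentication": "SHA1", "dhgrp": [5, 2], "keylife": 28800,
        "nattraversal": True, "keepalive": 10}
BAD = {"mode": "aggressive", "role": "dialup-client", "encryption": "DES",
       "authentication": "MD5", "dhgrp": [1, 2], "keylife": 60,
       "nattraversal": True, "keepalive": 1000}

if __name__ == "__main__":
    for name, prop in (("good", GOOD), ("bad", BAD)):
        print(name, "errors:", validate_phase1(prop))
        print(name, "warnings:", weak_settings(prop))
```

Run against the two samples, the good proposal produces no errors and a single warning (DH group 2 is selected alongside group 5), while the bad proposal fails on three rules (two DH groups for an aggressive-mode dialup client, a 60-second keylife, a 1000-second keepalive) and draws four weak-algorithm warnings.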
XAuth: Enable as Client
Username
Enter the user name the local VPN peer uses to authenticate itself to the 
remote VPN peer. 
Password
Enter the password the local VPN peer uses to authenticate itself to the 
remote VPN peer.