IKE settings
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates.
The following table provides the XML tags for IKE settings, as well as the descriptions and default values where applicable.
XML tag | Description | Default value
---|---|---
<version> | Determine IKE version. FortiClient 6.0.10 supports IKE v1 and IKE v2. Enter | 1
<prompt_certificate> | Prompt for certificate on connect. Boolean value: |
<implied_SPDO> | Configure what ports allow traffic. When this setting is Boolean value: |
<implied_SPDO_timeout> | When FortiClient blocks all outbound non-IKE packets when To avoid this deadlock, set When |
<server> | |
<authentication_method> | Authentication method. Select one of the following: |
<auth_data> elements | |
<preshared_key> | Encrypted value of the preshared key. |
<certificate> | Use the |
<mode> | Connection mode. |
<dhgroup> | A list of possible Diffie-Hellman (DH) protocol groups, separated by semicolons. |
<key_life> | Phase 2 key expiry duration, in seconds. | 28800
<localid> | Enter the peer ID configured in the FortiGate Phase 1 configuration. If Accept any peer ID has been configured, leave this field blank. |
 | Enter the FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for a successful IPsec VPN connection. |
<nat_traversal> | Enable or disable NAT traversal. Boolean value: |
<mode_config> | Enable or disable mode configuration. Boolean value: |
<enable_local_lan> | Enable or disable local LAN. When the Boolean value is set to Boolean value: | 0
<block_outside_dns> | When this setting is When this setting is Boolean value: | 0
<nat_alive_freq> | NAT alive frequency. |
<dpd> | Enable or disable Dead Peer Detection (DPD). Boolean value: | 1
<dpd_retry_count> | Number of times to send unacknowledged DPD messages before declaring the peer dead. | 3
<dpd_retry_interval> | Duration of DPD idle periods, in seconds. | 5
<enable_ike_fragmentation> | Support fragmented IKE packets. | 0
<run_fcauth_system> | When this setting is Boolean value: | 0
<xauth_timeout> | Configure the IKE Extended Authentication (xAuth) timeout in seconds. Default value is two minutes (120 seconds) if not configured. Enter a value between 120 and 300 seconds. | 120
 | elements | |
<enabled> | Select to use IKE Extended Authentication (xAuth). Boolean value: |
<prompt_username> | Request a username. Boolean value: |
<username> | Enter the encrypted or non-encrypted user name on the IPsec server. |
 | Enter the encrypted or non-encrypted password. |
<attempts_allowed> | Maximum number of failed login attempts allowed. |
<use_otp> | Use One Time Password (OTP). When this setting is Boolean value: |
 | elements | |
<proposal> | Encryption and authentication types to use, separated by a pipe (\|). Example: <proposal>3DES\|MD5</proposal>. Multiple elements accepted. First setting, encryption type: DES, 3DES, AES128, AES192, AES256. Second setting, authentication type: MD5, SHA1, SHA256, SHA384, SHA512. |
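As an added example that is not part of this FortiClient documentation, the following Python checker parses a constructed IKE settings fragment, validates each <proposal> value against the encryption and authentication lists in the table, flags legacy algorithms, and checks <xauth_timeout> against the documented 120 to 300 second range. The <ike> root element, the <proposals> wrapper and the set of algorithms treated as weak are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Allowed values, taken from the <proposal> row of the table above.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
# Legacy algorithms to flag; this is a local review policy, not a FortiClient rule.
WEAK = {"DES", "3DES", "MD5", "SHA1"}

# Constructed sample fragment. The <ike> root and <proposals> wrapper are assumptions.
SAMPLE = """<ike>
  <version>1</version>
  <key_life>28800</key_life>
  <dpd>1</dpd>
  <dpd_retry_count>3</dpd_retry_count>
  <dpd_retry_interval>5</dpd_retry_interval>
  <xauth_timeout>90</xauth_timeout>
  <proposals>
    <proposal>AES256|SHA256</proposal>
    <proposal>3DES|MD5</proposal>
  </proposals>
</ike>"""

def parse_proposal(text):
    """Split 'ENC|AUTH' and check both halves against the documented lists."""
    parts = text.strip().split("|")
    if len(parts) != 2:
        raise ValueError(f"proposal must be ENC|AUTH, got {text!r}")
    enc, auth = parts
    if enc not in ENCRYPTION:
        raise ValueError(f"unknown encryption type {enc!r}")
    if auth not in AUTHENTICATION:
        raise ValueError(f"unknown authentication type {auth!r}")
    return enc, auth

def lint_ike(xml_text):
    """Return findings (strings) for an IKE settings fragment; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("proposal"):
        enc, auth = parse_proposal(elem.text or "")
        weak = sorted(WEAK & {enc, auth})
        if weak:
            findings.append(f"weak proposal {elem.text.strip()}: {weak}")
    timeout = root.findtext("xauth_timeout")
    if timeout is not None and not 120 <= int(timeout) <= 300:
        findings.append(f"xauth_timeout {timeout} outside documented range 120-300")
    return findings
```

Running `lint_ike(SAMPLE)` reports the 3DES|MD5 proposal and the out-of-range timeout, while the AES256|SHA256 proposal passes.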