Version:


Table of Contents

7.0.0
Download PDF
Copy Link

Creating an IPsec VPN connection

To create a new IPsec VPN connection:
  1. Create the new IPsec VPN connection:
    1. Select New VPN from the toolbar at the bottom of the page.

    2. Enter a name for the new VPN connection, select IPsec VPN under VPN Type, then select Create.

      The IPsec VPN settings page displays.

  2. Select Server settings > Network settings > FortiGate. Enter the server IP address or domain name, then select OK.

  3. Configure authentication settings:
    1. Under Authentication settings, select Authorization method, and select Pre-Shared Key or X.509 Certificate.

    2. If desired, select Pre-shared Key to enter the pre-shared key value.

      The simplest way to authenticate with the FortiGate unit is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth).

      The pre-shared key must contain at least six characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

      The pre-shared key configured on the client must match the pre-shared key configured on the FortiGate. Contact your network administrator for the key.

    3. Select Local ID, enter the local ID, and select OK.

    4. For X.509 certificate select Certificate, then browse for the certificate file on your device.

      To authenticate with the FortiGate unit using digital certificates, you must have the required certificates installed on the Android device (peer) and the FortiGate unit (server).

      Contact your network administrator for the correct X.509 certificate file.
    5. Select IKE mode, and select Aggressive Mode or Main Mode (ID protection).

      In Aggressive Mode, the phase 1 parameters are exchanged in a single message with unencrypted authentication information.

      In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

      The IKE Mode selected on the client must match the mode selected on the server. Contact your network administrator for the correct setting.
  4. Select Go Back to return to the IPsec VPN settings page.
  5. Select IPsec phase 1 settings to view or edit the phase 1 proposal encryption and authentication settings. You can choose to use the default settings.

    Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. You can select any of the following symmetric-key algorithms:

    • DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
    • AES128: A 128-bit block algorithm that uses a 128-bit key.

    You can select one of the following message digests to check the authenticity of messages during phase 1 negotiations:

    • MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    • SHA-1: Secure Hash Algorithm 1, which produces a 160-bit message digest.

    Select one or more Diffie-Hellman (DH) groups from DH group 1, 2, 5, and 14. When using aggressive mode, DH groups cannot be negotiated.

    Contact your network administrator for the correct phase 1 encryption and authentication algorithms, and DH group.

     

  6. Select Go Back to return to the IPsec VPN settings page.
  7. Select IPsec XAuth settings to view or edit the XAuth and user settings. XAuth is enabled by default. Select Username to enter the FortiGate IPsec username. Select Password to enter the password value. To use XAuth, you must first configure the user’s credentials on your FortiGate, and external RADIUS or LDAP server.

    Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS and LDAP to authenticate dialup clients.

  8. Select Go Back to return to the IPsec VPN settings page.
  9. Select IPsec phase 2 settings to view or edit the phase 2 encryption and authentication settings. You can choose to use the default settings.

    Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. You can select any of the following symmetric-key algorithms:

    • DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
    • AES128: A 128-bit block algorithm that uses a 128-bit key.

    You can select one of the following message digests to check the authenticity of messages during phase 1 negotiations:

    • MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    • SHA-1: Secure Hash Algorithm 1, which produces a 160-bit message digest.

    Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14. When using aggressive mode, DH groups cannot be negotiated.

    Contact your network administrator for the correct phase 2 encryption and authentication algorithms and DH group.

Creating an IPsec VPN connection

To create a new IPsec VPN connection:
  1. Create the new IPsec VPN connection:
    1. Select New VPN from the toolbar at the bottom of the page.

    2. Enter a name for the new VPN connection, select IPsec VPN under VPN Type, then select Create.

      The IPsec VPN settings page displays.

  2. Select Server settings > Network settings > FortiGate. Enter the server IP address or domain name, then select OK.

  3. Configure authentication settings:
    1. Under Authentication settings, select Authorization method, and select Pre-Shared Key or X.509 Certificate.

    2. If desired, select Pre-shared Key to enter the pre-shared key value.

      The simplest way to authenticate with the FortiGate unit is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth).

      The pre-shared key must contain at least six characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

      The pre-shared key configured on the client must match the pre-shared key configured on the FortiGate. Contact your network administrator for the key.

    3. Select Local ID, enter the local ID, and select OK.

    4. For X.509 certificate select Certificate, then browse for the certificate file on your device.

      To authenticate with the FortiGate unit using digital certificates, you must have the required certificates installed on the Android device (peer) and the FortiGate unit (server).

      Contact your network administrator for the correct X.509 certificate file.
    5. Select IKE mode, and select Aggressive Mode or Main Mode (ID protection).

      In Aggressive Mode, the phase 1 parameters are exchanged in a single message with unencrypted authentication information.

      In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

      The IKE Mode selected on the client must match the mode selected on the server. Contact your network administrator for the correct setting.
  4. Select Go Back to return to the IPsec VPN settings page.
  5. Select IPsec phase 1 settings to view or edit the phase 1 proposal encryption and authentication settings. You can choose to use the default settings.

    Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. You can select any of the following symmetric-key algorithms:

    • DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
    • AES128: A 128-bit block algorithm that uses a 128-bit key.

    You can select one of the following message digests to check the authenticity of messages during phase 1 negotiations:

    • MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    • SHA-1: Secure Hash Algorithm 1, which produces a 160-bit message digest.

    Select one or more Diffie-Hellman (DH) groups from DH group 1, 2, 5, and 14. When using aggressive mode, DH groups cannot be negotiated.

    Contact your network administrator for the correct phase 1 encryption and authentication algorithms, and DH group.

     

  6. Select Go Back to return to the IPsec VPN settings page.
  7. Select IPsec XAuth settings to view or edit the XAuth and user settings. XAuth is enabled by default. Select Username to enter the FortiGate IPsec username. Select Password to enter the password value. To use XAuth, you must first configure the user’s credentials on your FortiGate, and external RADIUS or LDAP server.

    Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS and LDAP to authenticate dialup clients.

  8. Select Go Back to return to the IPsec VPN settings page.
  9. Select IPsec phase 2 settings to view or edit the phase 2 encryption and authentication settings. You can choose to use the default settings.

    Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. You can select any of the following symmetric-key algorithms:

    • DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
    • AES128: A 128-bit block algorithm that uses a 128-bit key.

    You can select one of the following message digests to check the authenticity of messages during phase 1 negotiations:

    • MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    • SHA-1: Secure Hash Algorithm 1, which produces a 160-bit message digest.

    Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14. When using aggressive mode, DH groups cannot be negotiated.

    Contact your network administrator for the correct phase 2 encryption and authentication algorithms and DH group.