Fortinet black logo

Handbook

Phase 1 configuration

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:649957
Download PDF

Phase 1 configuration

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

If you want to control how the IKE negotiation is processed when there is no traffic, as well as the length of time the FortiGate unit waits for negotiations to occur, you can use the negotiation-timeout and auto-negotiate commands in the CLI.

For more information, refer to Autokey Keep Alive and Auto-negotiate.

Name

Type a name for the Phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.

For a tunnel mode VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.

Remote Gateway

Select the category of the remote connection:

Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.

IP Address

If you selected Static IP Address, enter the IP address of the remote peer.

Dynamic DNS

If you selected Dynamic DNS, enter the domain name of the remote peer.

Local Interface

This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.

By default, the local VPN gateway IP address is the IP address of the interface that you selected.

Mode

Main mode — the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
Aggressive mode — the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase1 configuration for the interface IP address.

When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one Phase 1 configuration for the interface IP address and these Phase 1 configurations use different proposals.

Authentication Method

Select Preshared Key or RSA Signature.

Pre-shared Key

If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same key at the remote peer or client.

The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

Certificate Name

If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.

Peer Options

Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.

Any peer ID

Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.

You can use this option with RSA Signature authentication. But, for highest security, configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.

This peer ID

This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer’s administrator has configured.

If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the Advanced Phase 1 configuration.

If the remote peer is a FortiClient user, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.

In circumstances where multiple remote dialup VPN tunnels exist, each tunnel must have a peer ID set.

Peer ID from dialup group

Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre‑shared keys only) through the same VPN tunnel.

You must create a dialup user group for authentication purposes. Select the group from the list next to the Peer ID from dialup group option.

You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup Phase 1 configuration for this interface IP address.

Phase 1 advanced configuration settings

You can use the following advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also use the following advanced parameters to ensure the smooth operation of Phase 1 negotiations.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

caution icon

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, set the Local ID to the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

In FortiOS 5.4 and later releases, an exact match is required to optimize the IKE gateway search utilizing binary trees. However, it is also possible to have partial matching of 'user.peer:cn' to match peers to gateways by performing a secondary match. When IKE receives IDi of type ASN1.DN, the first search is done with the whole DN string. If none is found, IKE will extract just the CN attribute value and perform a second search.

VXLAN over IPsec

Packets with VXLAN header are encapsulated within IPsec tunnel mode.

To configure VXLAN over IPsec - CLI:

config vpn ipsec phase1-interface/phase1

edit ipsec

set interface <name>

set encapsulation vxlan/gre

set encapsulation-address ike/ipv4/ipv6

set encap-local-gw4 xxx.xxx.xxx.xxx

set encap-remote-gw xxx.xxx.xxx.xxx

next

end

IPsec tunnel idle timer

You can define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.

To configure IPsec tunnel idle timeout - CLI:

config vpn ipsec phase1-interface

edit p1

set idle-timeout [enable | disable]

set idle-timeoutinterval <integer> //IPsec tunnel idle timeout in minutes (10 - 43200).

end

end

IPv6 Version

Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses.

Local Gateway IP

Specify an IP address for the local end of the VPN tunnel. Select one of the following:

Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.
Specify — Enter a secondary address of the interface selected in the Phase 1 Local Interface field.

You cannot configure Interface mode in a transparent mode VDOM.

Phase 1 Proposal

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Select one of the following symmetric-key encryption algorithms:

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
ChaCha20/Poly1305— A 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

You can select either of the following message digests to check the authenticity of messages during an encrypted session:

MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1 - a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Diffie-Hellman Group

Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. At least one of the Diffie-Hellman Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.

Keylife

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.

Local ID

If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the Phase 1 exchange.

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this Fortinet dialup client), set Mode to Aggressive.

Note that this Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.

XAuth

This option supports the authentication of dialup clients. It is available for IKE v1 only.

Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, enter the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit.

You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server.

Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Username

Enter the user name that is used for authentication.

Password

Enter the password that is used for authentication.

NAT Traversal

Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Additionally, you can force IPsec to use NAT traversal. If NAT is set to Forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency

If you enabled NAT-traversal, enter a keepalive frequency setting.

Dead Peer Detection

Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.

With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval.

IKEv1 fragmentation

UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

FortiOS will fragment a packet on sending if, and only if, all the following are true:

  • Phase 1 contains "set fragmentation enable".
  • The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
  • The packet is being re-transmitted.

By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have "set fragmentation disable" added in order to preserve the existing behaviour of not supporting fragmentation.

Enabling or disabling IKE fragmentation - CLI

config vpn ipsec phase1-interface

edit 1

set fragmentation [enable | disable]

next

end

IKEv2 fragmentation

With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

config vpn ipsec phase1-interface

edit ike

set ike-version 2

set fragmentation [enable|disable]

set fragmentation-mtu [500-16000]

next

end

Phase 2 configuration

After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

Name

Type a name to identify the Phase 2 configuration.

Phase 1

Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.

Advanced

Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings.

Phase 2 advanced configuration settings

In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.

You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.

Phase 2 Proposal

Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

Initially there are two proposals. Add and Delete icons are next to the second Authentication field.

It is invalid to set both Encryption and Authentication to NULL.

Encryption

Select a symmetric-key algorithms:

NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
ChaCha20/Poly1305— A 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

Authentication

You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL — Do not use a message digest.
MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1 - a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Enable replay detection

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS)

Perfect forward secrecy (PFS) improves security by forcing a new Diffie‑Hellman exchange whenever keylife expires.

Diffie-Hellman Group

Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.

Keylife

Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed.

Autokey Keep Alive

Select the check box if you want the tunnel to remain active when no data is being processed.

Auto-negotiate

Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

DHCP-IPsec

Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.

You also need configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.

If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration.

If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

Quick Mode Selector

Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.

If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.

Source address

If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.

If the FortiGate unit is a dialup client, source address must refer to the private network behind the Fortinet dialup client.

Source port

Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address

Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port

Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.

Protocol

Enter the IP protocol number of the service. To specify all services, enter 0.

FortiClient VPN

Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.

When configuring a FortiClient VPN connection, the settings for Phase 1 and Phase 2 settings are automatically configured by the FortiGate unit. They are set to:

  • Remote Gateway — Dialup User
  • Mode — Aggressive
  • Default settings for Phase 1 and 2 Proposals
  • XAUTH Enable as Server (Auto)
  • IKE mode-config will be enabled
  • Peer Option — “Any peer ID”

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name

Enter a name for the FortiClient VPN.

Local Outgoing Interface

Select the local outgoing interface for the VPN.

Authentication Method

Select the type of authentication used when logging in to the VPN.

Preshared Key

If Pre-shared Key was selected in Authentication Method, enter the pre-shared key in the field provided.

User Group

Select a user group. You can also create a user group from the drop-down list by selecting Create New.

Address Range Start IP

Enter the start IP address for the DHCP address range for the client.

Address Range End IP

Enter the end IP address for the address range.

Subnet Mask

Enter the subnet mask.

Enable IPv4 Split Tunnel

Enabled by default, this option enables the FortiClient user to use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Disable this option to have all traffic sent through the VPN tunnel.

Accessible Networks

Select from a list of internal networks that the FortiClient user can access.

Client Options

These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

Save Password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

Auto Connect - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

Always Up (Keep Alive) - When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Endpoint Registration

When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. A registration key is defined by going to System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server

Select which DNS server to use for this VPN:

Use System DNS — Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option.
Specify — Specify the IP address of a different DNS server.

Phase 1 configuration

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

If you want to control how the IKE negotiation is processed when there is no traffic, as well as the length of time the FortiGate unit waits for negotiations to occur, you can use the negotiation-timeout and auto-negotiate commands in the CLI.

For more information, refer to Autokey Keep Alive and Auto-negotiate.

Name

Type a name for the Phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.

For a tunnel mode VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.

Remote Gateway

Select the category of the remote connection:

Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.

IP Address

If you selected Static IP Address, enter the IP address of the remote peer.

Dynamic DNS

If you selected Dynamic DNS, enter the domain name of the remote peer.

Local Interface

This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.

By default, the local VPN gateway IP address is the IP address of the interface that you selected.

Mode

Main mode — the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
Aggressive mode — the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase1 configuration for the interface IP address.

When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one Phase 1 configuration for the interface IP address and these Phase 1 configurations use different proposals.

Authentication Method

Select Preshared Key or RSA Signature.

Pre-shared Key

If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same key at the remote peer or client.

The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

Certificate Name

If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.

Peer Options

Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.

Any peer ID

Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.

You can use this option with RSA Signature authentication. But, for highest security, configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.

This peer ID

This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer’s administrator has configured.

If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the Advanced Phase 1 configuration.

If the remote peer is a FortiClient user, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.

In circumstances where multiple remote dialup VPN tunnels exist, each tunnel must have a peer ID set.

Peer ID from dialup group

Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre‑shared keys only) through the same VPN tunnel.

You must create a dialup user group for authentication purposes. Select the group from the list next to the Peer ID from dialup group option.

You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup Phase 1 configuration for this interface IP address.

Phase 1 advanced configuration settings

You can use the following advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also use the following advanced parameters to ensure the smooth operation of Phase 1 negotiations.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

caution icon

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, set the Local ID to the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

In FortiOS 5.4 and later releases, an exact match is required to optimize the IKE gateway search utilizing binary trees. However, it is also possible to have partial matching of 'user.peer:cn' to match peers to gateways by performing a secondary match. When IKE receives IDi of type ASN1.DN, the first search is done with the whole DN string. If none is found, IKE will extract just the CN attribute value and perform a second search.

VXLAN over IPsec

Packets with VXLAN header are encapsulated within IPsec tunnel mode.

To configure VXLAN over IPsec - CLI:

config vpn ipsec phase1-interface/phase1

edit ipsec

set interface <name>

set encapsulation vxlan/gre

set encapsulation-address ike/ipv4/ipv6

set encap-local-gw4 xxx.xxx.xxx.xxx

set encap-remote-gw xxx.xxx.xxx.xxx

next

end

IPsec tunnel idle timer

You can define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.

To configure IPsec tunnel idle timeout - CLI:

config vpn ipsec phase1-interface

edit p1

set idle-timeout [enable | disable]

set idle-timeoutinterval <integer> //IPsec tunnel idle timeout in minutes (10 - 43200).

end

end

IPv6 Version

Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses.

Local Gateway IP

Specify an IP address for the local end of the VPN tunnel. Select one of the following:

Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.
Specify — Enter a secondary address of the interface selected in the Phase 1 Local Interface field.

You cannot configure Interface mode in a transparent mode VDOM.

Phase 1 Proposal

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Select one of the following symmetric-key encryption algorithms:

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
ChaCha20/Poly1305— A 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

You can select either of the following message digests to check the authenticity of messages during an encrypted session:

MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1 - a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Diffie-Hellman Group

Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. At least one of the Diffie-Hellman Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.

Keylife

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.

Local ID

If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the Phase 1 exchange.

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this Fortinet dialup client), set Mode to Aggressive.

Note that this Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.

XAuth

This option supports the authentication of dialup clients. It is available for IKE v1 only.

Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, enter the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit.

You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server.

Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Username

Enter the user name that is used for authentication.

Password

Enter the password that is used for authentication.

NAT Traversal

Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Additionally, you can force IPsec to use NAT traversal. If NAT is set to Forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency

If you enabled NAT-traversal, enter a keepalive frequency setting.

Dead Peer Detection

Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.

With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval.

IKEv1 fragmentation

UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

FortiOS will fragment a packet on sending if, and only if, all the following are true:

  • Phase 1 contains "set fragmentation enable".
  • The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
  • The packet is being re-transmitted.

By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have "set fragmentation disable" added in order to preserve the existing behaviour of not supporting fragmentation.

Enabling or disabling IKE fragmentation - CLI

config vpn ipsec phase1-interface

edit 1

set fragmentation [enable | disable]

next

end

IKEv2 fragmentation

With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

config vpn ipsec phase1-interface

edit ike

set ike-version 2

set fragmentation [enable|disable]

set fragmentation-mtu [500-16000]

next

end

Phase 2 configuration

After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

Name

Type a name to identify the Phase 2 configuration.

Phase 1

Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.

Advanced

Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings.

Phase 2 advanced configuration settings

In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.

You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.

Phase 2 Proposal

Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

Initially there are two proposals. Add and Delete icons are next to the second Authentication field.

It is invalid to set both Encryption and Authentication to NULL.

Encryption

Select a symmetric-key algorithms:

NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
ChaCha20/Poly1305— A 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

Authentication

You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL — Do not use a message digest.
MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1 - a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Enable replay detection

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS)

Perfect forward secrecy (PFS) improves security by forcing a new Diffie‑Hellman exchange whenever keylife expires.

Diffie-Hellman Group

Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.

Keylife

Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed.

Autokey Keep Alive

Select the check box if you want the tunnel to remain active when no data is being processed.

Auto-negotiate

Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

DHCP-IPsec

Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.

You also need configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.

If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration.

If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

Quick Mode Selector

Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.

If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.

Source address

If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.

If the FortiGate unit is a dialup client, source address must refer to the private network behind the Fortinet dialup client.

Source port

Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address

Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port

Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.

Protocol

Enter the IP protocol number of the service. To specify all services, enter 0.

FortiClient VPN

Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.

When configuring a FortiClient VPN connection, the settings for Phase 1 and Phase 2 settings are automatically configured by the FortiGate unit. They are set to:

  • Remote Gateway — Dialup User
  • Mode — Aggressive
  • Default settings for Phase 1 and 2 Proposals
  • XAUTH Enable as Server (Auto)
  • IKE mode-config will be enabled
  • Peer Option — “Any peer ID”

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name

Enter a name for the FortiClient VPN.

Local Outgoing Interface

Select the local outgoing interface for the VPN.

Authentication Method

Select the type of authentication used when logging in to the VPN.

Preshared Key

If Pre-shared Key was selected in Authentication Method, enter the pre-shared key in the field provided.

User Group

Select a user group. You can also create a user group from the drop-down list by selecting Create New.

Address Range Start IP

Enter the start IP address for the DHCP address range for the client.

Address Range End IP

Enter the end IP address for the address range.

Subnet Mask

Enter the subnet mask.

Enable IPv4 Split Tunnel

Enabled by default, this option enables the FortiClient user to use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Disable this option to have all traffic sent through the VPN tunnel.

Accessible Networks

Select from a list of internal networks that the FortiClient user can access.

Client Options

These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

Save Password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

Auto Connect - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

Always Up (Keep Alive) - When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Endpoint Registration

When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. A registration key is defined by going to System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server

Select which DNS server to use for this VPN:

Use System DNS — Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option.
Specify — Specify the IP address of a different DNS server.