Phase 1 configuration
To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.
The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.
If you want to control how the IKE negotiation is processed when there is no traffic, as well as the length of time the FortiGate unit waits for negotiations to occur, you can use the negotiation-timeout and auto-negotiate commands in the CLI.
For more information, refer to Autokey Keep Alive and Auto-negotiate.
Name: Type a name for the Phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
Remote Gateway: Select the category of the remote connection:
IP Address: If you selected Static IP Address, enter the IP address of the remote peer.
Dynamic DNS: If you selected Dynamic DNS, enter the domain name of the remote peer.
Local Interface: This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.
Mode: Main mode — the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
Authentication Method: Select Preshared Key or RSA Signature.
Pre-shared Key: If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same key at the remote peer or client.
Certificate Name: If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.
Peer Options: Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Any peer ID: Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.
This peer ID: This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer's administrator has configured.
Peer ID from dialup group: Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.
Phase 1 advanced configuration settings
You can use the following advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also use the following advanced parameters to ensure the smooth operation of Phase 1 negotiations.
These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).
If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, set the Local ID to the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. In FortiOS 5.4 and later releases, an exact match is required to optimize the IKE gateway search utilizing binary trees. However, it is also possible to have partial matching of 'user.peer:cn' to match peers to gateways by performing a secondary match. When IKE receives IDi of type ASN1.DN, the first search is done with the whole DN string. If none is found, IKE will extract just the CN attribute value and perform a second search.
VXLAN over IPsec: Packets with a VXLAN header are encapsulated within IPsec tunnel mode. To configure VXLAN over IPsec - CLI:
config vpn ipsec phase1-interface/phase1
edit ipsec
set interface <name>
set encapsulation vxlan/gre
set encapsulation-address ike/ipv4/ipv6
set encap-local-gw4 xxx.xxx.xxx.xxx
set encap-remote-gw xxx.xxx.xxx.xxx
next
end
IPsec tunnel idle timer: You can define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed. To configure IPsec tunnel idle timeout - CLI:
config vpn ipsec phase1-interface
edit p1
set idle-timeout [enable | disable]
set idle-timeoutinterval <integer>   // IPsec tunnel idle timeout in minutes (10 - 43200)
next
end
IPv6 Version: Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses.
Local Gateway IP: Specify an IP address for the local end of the VPN tunnel. Select one of the following:
Phase 1 Proposal: Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
Authentication: You can select either of the following message digests to check the authenticity of messages during an encrypted session:
Diffie-Hellman Group: Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. At least one of the Diffie-Hellman Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
Keylife: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the Phase 1 exchange.
XAuth: This option supports the authentication of dialup clients. It is available for IKE v1 only.
Username: Enter the user name that is used for authentication.
Password: Enter the password that is used for authentication.
NAT Traversal: Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Keepalive Frequency: If you enabled NAT-traversal, enter a keepalive frequency setting.
Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.
IKEv1 fragmentation
UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.
For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.
FortiOS will fragment a packet on sending if, and only if, all the following are true:
- Phase 1 contains "set fragmentation enable".
- The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
- The packet is being re-transmitted.
By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have "set fragmentation disable" added in order to preserve the existing behaviour of not supporting fragmentation.
Enabling or disabling IKE fragmentation - CLI
config vpn ipsec phase1-interface
edit 1
set fragmentation [enable | disable]
next
end
IKEv2 fragmentation
With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.
CLI syntax
config vpn ipsec phase1-interface
edit ike
set ike-version 2
set fragmentation [enable|disable]
set fragmentation-mtu [500-16000]
next
end
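The following added example (not FortiOS code) models the two behaviours described in the IKEv1 and IKEv2 fragmentation sections: the three-condition IKEv1 rule, and IKEv2 preemptive fragmentation in which the unencrypted payloads are split first and each fragment is then protected on its own. The HMAC tag stands in for real IKE encryption and authentication, and the 8-byte fragment header, the key and the payload are constructed for the example.

```python
import hashlib
import hmac

MIN_MTU = {4: 576, 6: 1280}   # minimum MTUs named on the page for IKEv1
TAG_LEN = 32   # stand-in integrity tag (HMAC-SHA256), not real IKE crypto
HDR_LEN = 8    # assumed per-fragment header: fragment number + total count

def ikev1_should_fragment(enabled: bool, packet_len: int,
                          ip_version: int, retransmit: bool) -> bool:
    """IKEv1 sends fragments only when all three page conditions hold."""
    return enabled and packet_len > MIN_MTU[ip_version] and retransmit

def protect(data: bytes, key: bytes) -> bytes:
    """Per-fragment protection stand-in: data followed by an HMAC tag."""
    return data + hmac.new(key, data, hashlib.sha256).digest()

def ikev2_fragments(plaintext: bytes, frag_mtu: int, key: bytes) -> list:
    """Preemptive IKEv2 fragmentation: split the unencrypted payloads so that
    every protected fragment fits frag_mtu, then protect each one separately."""
    room = frag_mtu - HDR_LEN - TAG_LEN
    if room <= 0:
        raise ValueError("fragmentation-mtu too small for header and tag")
    chunks = [plaintext[i:i + room] for i in range(0, len(plaintext), room)] or [b""]
    total = len(chunks)
    out = []
    for num, chunk in enumerate(chunks, start=1):
        header = num.to_bytes(4, "big") + total.to_bytes(4, "big")
        # The header is authenticated with the chunk so the receiver can
        # detect a reordered, duplicated or missing fragment before reassembly.
        out.append(protect(header + chunk, key))
    return out

def reassemble(fragments: list, key: bytes) -> bytes:
    """Verify every fragment's tag, check the numbering, rebuild the plaintext."""
    pieces = {}
    total = None
    for frag in fragments:
        body, tag = frag[:-TAG_LEN], frag[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            raise ValueError("fragment failed authentication")
        num = int.from_bytes(body[:4], "big")
        total = int.from_bytes(body[4:8], "big")
        pieces[num] = body[8:]
    if total is None or set(pieces) != set(range(1, total + 1)):
        raise ValueError("missing fragment")
    return b"".join(pieces[n] for n in range(1, total + 1))
```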
Phase 2 configuration
After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.
The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.
These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).
Name: Type a name to identify the Phase 2 configuration.
Phase 1: Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Advanced: Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings.
Phase 2 advanced configuration settings
In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.
Phase 2 Proposal: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
Encryption: Select a symmetric-key algorithm:
Authentication: You can select either of the following message digests to check the authenticity of messages during an encrypted session:
Enable replay detection: Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS): Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
Diffie-Hellman Group: Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.
Keylife: Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed.
Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
DHCP-IPsec: Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.
Quick Mode Selector: Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
Source address: If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example,
Source port: Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type
Destination address: Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example,
Destination port: Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter
Protocol: Enter the IP protocol number of the service. To specify all services, enter
FortiClient VPN
Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.
When configuring a FortiClient VPN connection, the Phase 1 and Phase 2 settings are configured automatically by the FortiGate unit. They are set to:
- Remote Gateway — Dialup User
- Mode — Aggressive
- Default settings for Phase 1 and 2 Proposals
- XAUTH Enable as Server (Auto)
- IKE mode-config will be enabled
- Peer Option — “Any peer ID”
The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.
Name: Enter a name for the FortiClient VPN.
Local Outgoing Interface: Select the local outgoing interface for the VPN.
Authentication Method: Select the type of authentication used when logging in to the VPN.
Preshared Key: If Pre-shared Key was selected in Authentication Method, enter the pre-shared key in the field provided.
User Group: Select a user group. You can also create a user group from the drop-down list by selecting Create New.
Address Range Start IP: Enter the start IP address for the DHCP address range for the client.
Address Range End IP: Enter the end IP address for the address range.
Subnet Mask: Enter the subnet mask.
Enable IPv4 Split Tunnel: Enabled by default, this option lets the FortiClient user use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Disable this option to have all traffic sent through the VPN tunnel.
Accessible Networks: Select from a list of internal networks that the FortiClient user can access.
Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When an option is enabled, a check box for it appears on the VPN login screen in FortiClient; that check box is not enabled by default.
Endpoint Registration: When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. A registration key is defined by going to System > Advanced.
DNS Server: Select which DNS server to use for this VPN: