Fortinet black logo

Handbook

Tunnel requests for peer authentication

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:462547
Download PDF

Tunnel requests for peer authentication

When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer server-side FortiGate unit, the tunnel request includes the following information:

  • the client-side local host ID
  • the name of an authentication group, if included in the rule that initiates the tunnel
  • if an authentication group is used, the authentication method it specifies: pre-shared key or certificate
  • the type of tunnel (secure or not).

For information about configuring the local host ID, peers and authentication groups, see Tunnel requests for peer authentication and Tunnel requests for peer authentication .

The authentication group is optional unless the tunnel is a secure tunnel. For more information, see Tunnel requests for peer authentication .

If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:

  • The server-side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
  • If a match is found, the server-side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
  • If the authentication methods match, the server-side FortiGate unit tests the peer acceptance settings in its copy of the authentication group.
  • If the setting is Accept Any Peer, the authentication is successful.
  • If the setting is Specify Peer, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the peer name in the server-side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
  • If the setting is Accept Defined Peers, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the server-side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the tunnel request does not include an authentication group, authentication will be based on the client-side local host ID in the tunnel request. The server-side FortiGate unit searches its peer list to match the client-side local host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the server-side FortiGate unit successfully authenticates the tunnel request, the server-side FortiGate unit sends back a tunnel setup response message. This message includes the server-side local host ID and the authentication group that matches the one in the tunnel request.

The client-side FortiGate unit then performs the same authentication procedure as the server-side FortiGate unit did. If both sides succeed, tunnel setup continues.

Tunnel requests for peer authentication

When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer server-side FortiGate unit, the tunnel request includes the following information:

  • the client-side local host ID
  • the name of an authentication group, if included in the rule that initiates the tunnel
  • if an authentication group is used, the authentication method it specifies: pre-shared key or certificate
  • the type of tunnel (secure or not).

For information about configuring the local host ID, peers and authentication groups, see Tunnel requests for peer authentication and Tunnel requests for peer authentication .

The authentication group is optional unless the tunnel is a secure tunnel. For more information, see Tunnel requests for peer authentication .

If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:

  • The server-side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
  • If a match is found, the server-side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
  • If the authentication methods match, the server-side FortiGate unit tests the peer acceptance settings in its copy of the authentication group.
  • If the setting is Accept Any Peer, the authentication is successful.
  • If the setting is Specify Peer, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the peer name in the server-side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
  • If the setting is Accept Defined Peers, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the server-side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the tunnel request does not include an authentication group, authentication will be based on the client-side local host ID in the tunnel request. The server-side FortiGate unit searches its peer list to match the client-side local host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the server-side FortiGate unit successfully authenticates the tunnel request, the server-side FortiGate unit sends back a tunnel setup response message. This message includes the server-side local host ID and the authentication group that matches the one in the tunnel request.

The client-side FortiGate unit then performs the same authentication procedure as the server-side FortiGate unit did. If both sides succeed, tunnel setup continues.