Phase 2 configuration

After phase 1 negotiations end successfully, phase 2 begins. In Phase 2, the VPN peer or client and the FortiGate exchange keys again to establish a secure communication channel. The phase 2 proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of security associations (SAs). The keys are generated automatically using a Diffie-Hellman algorithm.

The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.

Some settings can be configured in the CLI. The following options are available in the VPN Creation Wizard after the tunnel is created:

New Phase 2

Name

Phase 2 definition name.

Local Address

A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. Add a specific address or range to allow traffic from and to only this local address.

See Quick mode selectors.

Remote Address

Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer. A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

See Quick mode selectors.

Advanced

Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. To establish a VPN connection, at least one of the proposals specified must match the configuration on the remote peer.

Encryption

The following symmetric-key encryption algorithms are available:

  • NULL: do not use an encryption algorithm.
  • DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  • 3DES: triple-DES; plain text is encrypted three times by three keys.
  • AES128: Advanced Encryption Standard, a 128-bit block algorithm that uses a 128-bit key.
  • AES128GCM: AES in Galois/Counter Mode, a 128-bit block algorithm that uses a 128-bit key. Only available for IKEv2.
  • AES192: a 128-bit block algorithm that uses a 192-bit key.
  • AES256: a 128-bit block algorithm that uses a 256-bit key.
  • AES256GCM: AES in Galois/Counter Mode, a 128-bit block algorithm that uses a 256-bit key. Only available for IKEv2.
  • CHACHA20POLY1305: a 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

See ChaCha20 and Poly1305 AEAD cipher, AES-GCM for IKEv2 phase 1, and HMAC settings.

Authentication

The following message digests that check the message authenticity during an encrypted session are available:

  • NULL: do not use a message digest.
  • MD5: message digest 5.
  • SHA1: secure hash algorithm 1; a 160-bit message digest.
  • SHA256: a 256-bit message digest.
  • SHA384: a 384-bit message digest.
  • SHA512: a 512-bit message digest.

See also HMAC settings.

Enable Replay Detection

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Replay detection allows the FortiGate to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate discards them.

Note that 64-bit extended sequence numbers (as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2) are supported for IPsec when replay detection is enabled.

Enable Perfect Forward Secrecy (PFS)

Perfect forward secrecy (PFS) improves security by forcing a new Diffie‑Hellman exchange whenever keylife expires.

Diffie-Hellman Group

Asymmetric key algorithms used for public key cryptography.

Select one or more from groups 1, 2, 5, and 14 through 32. At least one of the Diffie-Hellman (DH) group settings on the remote peer or client must match one of the selections on the FortiGate. If no DH group matches, the negotiation fails.
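
Added example (not FortiGate's code) that models the two matching rules described under Advanced and Diffie-Hellman Group: at least one phase 2 proposal, and with PFS enabled at least one DH group, must be shared with the remote peer; it then audits the negotiated result from a defender's point of view. The function names, the constructed peer lists, and the modelling of AEAD ciphers as carrying no separate authentication algorithm are assumptions, not FortiGate behaviour.

```python
# Added example (not FortiGate code): models how the phase 2 proposal list and the
# DH group list are matched against a remote peer, then audits the negotiated SA.
IKEV2_ONLY = {"AES128GCM", "AES256GCM", "CHACHA20POLY1305"}  # AEAD ciphers: IKEv2 only
WEAK_ENC = {"NULL", "DES", "3DES"}
WEAK_AUTH = {"NULL", "MD5", "SHA1"}
WEAK_DH = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP groups


def select_proposal(local, remote, ike_version):
    """First local (encryption, authentication) pair the peer also offers, or None.
    AEAD ciphers carry authentication=None (modelling assumption) and need IKEv2."""
    remote_set = set(remote)
    for prop in local:
        if prop[0] in IKEV2_ONLY and ike_version != 2:
            continue  # IKEv1 cannot negotiate GCM or ChaCha20-Poly1305 proposals
        if prop in remote_set:
            return prop
    return None  # no overlap: phase 2 negotiation fails


def select_dh_group(local_groups, remote_groups, pfs):
    """With PFS enabled, the first local group the peer also offers is used;
    no shared group means the negotiation fails. Without PFS no group is needed."""
    if not pfs:
        return None
    remote_set = set(remote_groups)
    return next((g for g in local_groups if g in remote_set), None)


def audit(proposal, dh_group, pfs):
    """Defender's checklist: list findings about the negotiated phase 2 SA."""
    if proposal is None:
        return ["no matching phase 2 proposal: tunnel will not come up"]
    enc, auth = proposal
    findings = []
    if enc in WEAK_ENC:
        findings.append(f"weak or absent encryption: {enc}")
    if auth in WEAK_AUTH:
        findings.append(f"weak or absent integrity algorithm: {auth}")
    if not pfs:
        findings.append("PFS disabled: rekeyed SAs derive from phase 1 keying material")
    elif dh_group is None:
        findings.append("PFS enabled but no common DH group: negotiation fails")
    elif dh_group in WEAK_DH:
        findings.append(f"DH group {dh_group} is below current strength recommendations")
    return findings
```

Constructed sample: a FortiGate offering `[("AES256GCM", None), ("AES256", "SHA256"), ("3DES", "MD5")]` to an IKEv1 peer that offers `[("3DES", "MD5"), ("AES256", "SHA256")]` settles on AES256/SHA256, because the GCM entry is skipped under IKEv1 and AES256/SHA256 is the next local preference the peer also lists.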

Local Port

Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, select All, or enter 0.

Remote Port

Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, select All, or enter 0.

Protocol

Enter the IP protocol number of the service. To specify all services, select All, or enter 0.

Auto-negotiate

Select this option for the tunnel to be automatically renegotiated when it expires. See Auto-negotiate.

Autokey Keep Alive

Select this option for the tunnel to remain active when no data is being processed.