Phase 2 configuration

Phase 2 definition name.

A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. Add a specific address or range to allow traffic from and to only this local address.

See Quick mode selectors.

Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer. A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

See Quick mode selectors.

Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. To establish a VPN connection, at least one of the proposals specified must match the configuration on the remote peer.

The following symmetric-key encryption algorithms are available:

• NULL: do not use an encryption algorithm.
• DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
• 3DES: triple-DES; plain text is encrypted three times by three keys.
• AES128: Advanced Encryption Standard, a 128-bit block algorithm that uses a 128-bit key.
• AES128GCM: AES in Galois/Counter Mode, a 128-bit block algorithm that uses a 128-bit key. Only available for IKEv2.
• AES192: a 128-bit block algorithm that uses a 192-bit key.
• AES256: a 128-bit block algorithm that uses a 256-bit key.
• AES256GCM: AES in Galois/Counter Mode, a 128-bit block algorithm that uses a 256-bit key. Only available for IKEv2.
• CHACHA20POLY1305: a 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2.

See ChaCha20 and Poly1305 AEAD cipher, AES-GCM for IKEv2 phase 1, and HMAC settings.

The following message digests that check the message authenticity during an encrypted session are available:

• NULL: do not use a message digest.
• MD5: message digest 5.
• SHA1: secure hash algorithm 1; a 160-bit message digest.
• SHA256: a 256-bit message digest.
• SHA384: a 384-bit message digest.
• SHA512: a 512-bit message digest.

See also HMAC settings.

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Replay detection allows the FortiGate to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate discards them.

Note that 64-bit extended sequence numbers (as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2) are supported for IPsec when replay detection is enabled.

Perfect forward secrecy (PFS) improves security by forcing a new Diffie‑Hellman exchange whenever keylife expires.

Asymmetric key algorithms used for public key cryptography.

Select one or more from groups 1, 2, 5, and 14 through 32. At least one of the Diffie-Hellman Groups (DH) settings on the remote peer or client must match one the selections on the FortiGate. Failure to match one or more DH groups will result in failed negotiations.

Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, select All, or enter 0.

Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, select All, or enter 0.

Enter the IP protocol number of the service. To specify all services, select All, or enter 0.

Select this option for the tunnel to be automatically renegotiated when the it expires. See Auto-negotiate.

Select this option for the tunnel to remain active when no data is being processed.