Phase 1 configuration
Phase 1 configuration primarily defines the parameters used in IKE (Internet Key Exchange) negotiation between the ends of the IPsec tunnel. The local end is the FortiGate interface that initiates the IKE negotiations. The remote end is the remote gateway that responds and exchanges messages with the initiator. Hence, they are sometimes referred to as the initiator and responder. The purpose of phase 1 is to secure a tunnel with one bi-directional IKE SA (security association) for negotiating IKE phase 2 parameters.
The auto-negotiate and negotiation-timeout commands control how the IKE negotiation is processed when there is no traffic, and the length of time that the FortiGate waits for negotiations to occur.
IPsec tunnels can be configured in the GUI using the VPN Creation Wizard. Go to VPN > IPsec Wizard. The wizard includes several templates (site-to-site, hub and spoke, remote access), but a custom tunnel can be configured with the following settings:
| Setting | Description |
| --- | --- |
| Name | Phase 1 definition name. The maximum length is 15 characters for an interface mode VPN and 35 characters for a policy-based VPN. For a policy-based VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate also uses the name for the virtual IPsec interface that it creates automatically. |
| Network | |
| IP Version | Protocol, either IPv4 or IPv6. |
| Remote Gateway | Category of the remote connection: |
| IP Address | The IP address of the remote peer. This option is only available when the Remote Gateway is Static IP Address. |
| Dynamic DNS | The domain name of the remote peer. This option is only available when the Remote Gateway is Dynamic DNS. |
| Interface | The interface through which remote peers or dialup clients connect to the FortiGate. This option is only available in NAT mode. |
| Local Gateway | IP address for the local end of the VPN tunnel (Primary IP is used by default): Interface mode cannot be configured in a transparent mode VDOM. |
| Mode Config | This option is only available when the Remote Gateway is Dialup User. Configure the client IP address range, subnet mask/prefix length, DNS server, and split tunnel capability to automate remote client addressing. |
| NAT Traversal | This option is only available when the Remote Gateway is Static IP Address or Dynamic DNS. ESP (encapsulating security payload), the protocol that encrypts data in the VPN session, is carried directly over IP as protocol 50. ESP has no port numbers, so when it traverses a NAT device the packets of different sessions cannot be demultiplexed. Enabling NAT traversal encapsulates the ESP packet inside a UDP packet, which gives it a unique source port that the NAT device can use to map the packets to the correct session. |
| Keepalive Frequency | Keepalive frequency setting. This option is only available when NAT Traversal is set to Enable or Forced. The NAT device between the VPN peers may remove the session when the VPN connection remains idle for too long. The value is the interval, in seconds, at which periodic keepalive packets are sent to maintain the connection. The keepalive interval must be smaller than the session lifetime value used by the NAT device. The keepalive packet is a 138-byte ISAKMP exchange. |
| Dead Peer Detection | Reestablishes VPN tunnels on idle connections and cleans up dead IKE peers if required. This feature minimizes the traffic required to check whether a VPN peer is available or unavailable (dead). The available options are: Notifications are received whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes. |
| Forward Error Correction | Enable on both ends of the tunnel to correct errors in data transmission by sending redundant data across the VPN. |
| Device creation | Advanced option. When enabled, a dynamic interface (network device) is created for each dialup tunnel. |
| Aggregate member | Advanced option. When enabled, the tunnel can be used as an aggregate member candidate. |
A |
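To make the NAT Traversal and Keepalive rows concrete, the following is an added example (not Fortinet code and not part of this page) that classifies the payloads a NAT device or packet capture sees on UDP port 4500 after NAT traversal is enabled, using the RFC 3948 framing rules: a 1-byte NAT keepalive, IKE behind a 4-byte non-ESP marker, or UDP-encapsulated ESP. The sample datagrams and the session_key helper are constructed for this example.

```python
"""Demultiplex UDP/4500 (NAT-T) payloads per RFC 3948 framing.

Added example, not Fortinet code. Shows why UDP encapsulation makes ESP
demultiplexable: each datagram carries a UDP source port, and the first
bytes of the payload identify ESP, IKE (after the non-ESP marker) or a
NAT keepalive. Sample datagrams below are constructed, not captured.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: prefixes IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: single octet, nothing inside
IKE_HDR = struct.Struct("!QQBBBBII")  # ISAKMP header, 28 bytes (RFC 7296 s.3.1)
ESP_HDR = struct.Struct("!II")        # ESP: SPI, then sequence number


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries. ESP SPI 0 is reserved precisely
    so that real ESP can never be confused with the all-zero non-ESP marker."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HDR.size:
            return {"kind": "ike", "error": "truncated header"}
        ispi, rspi, _nxt, ver, exch, _flags, msg_id, length = IKE_HDR.unpack(ike[:IKE_HDR.size])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "version": (ver >> 4, ver & 0x0F), "exchange_type": exch,
                "message_id": msg_id, "length": length}
    if len(payload) < ESP_HDR.size:
        return {"kind": "esp", "error": "truncated header"}
    spi, seq = ESP_HDR.unpack(payload[:ESP_HDR.size])
    return {"kind": "esp", "spi": spi, "seq": seq}


def session_key(src_port: int, payload: bytes) -> tuple:
    """Hypothetical NAT-table key: the UDP source port added by NAT-T plus the
    inner identifier (ESP SPI or IKE initiator SPI). Raw IP-protocol-50 ESP
    has no port, which is what stops a NAT device from keying sessions."""
    info = classify_nat_t_payload(payload)
    return (src_port, info["kind"], info.get("spi", info.get("initiator_spi")))


# Constructed sample datagrams as (UDP source port, payload).
SAMPLE_KEEPALIVE = (4500, NAT_KEEPALIVE)
# IKEv2 IKE_SA_INIT request: version 2.0, exchange type 34, initiator flag set,
# next payload 33 (SA), message ID 0, length 28 (header only, for illustration).
SAMPLE_IKE = (4500, NON_ESP_MARKER + IKE_HDR.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28))
SAMPLE_ESP = (45001, ESP_HDR.pack(0xC0FFEE01, 7) + b"\x00" * 16)
```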