Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiPortal 5.3.6 User Guide
    5.3.6
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0

    Configuring VPNs

    Configuring VPNs

    Use the VPN area to configure IPSec phase 1 and phase 2. You must have at least one IPSec phase-1 configuration and at least one IPSec phase-2 configuration.

    In this area, the following actions are available:

    • Show x Entries—use the drop-down menu to set the number of entries to display
    • Search—enter text to search for in the table
    • Create New—configure the IPSec phase 1 or the IPSec phase 2
    • Edit—change an existing IPSec phase-1 or IPSec phase-2 configuration
    • Delete—delete an IPSec phase-1 or IPSec phase-2 configuration

    Creating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields and select Save. See IPSec phase-1 fields and IPSec phase-2 fields.
    4. Select Save.

    Updating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Edit.
    3. Update the values that have changed.
    4. Select Save.

    Deleting an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Delete.

    IPSec phase-1 fields

    The Create New IPSec Phase1 and Edit IPSec Phase1 forms contain the following fields:

    Settings

    Guidelines

    Gateway Name

    Required. Type a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

    Comments

    Type an optional description. The value is a string with a maximum of 255 characters.

    Remote Gateway

    Required. Select Static IP Address, Dialup user, or Dynamic DNS.

    IP Address

    Required if you select Static IP Address. Type the IPv4 address.

    Dynamic DNS

    Required if you select Dynamic DNS. Type the fully qualified domain name.

    Local Interface

    Required. Select an interface from the drop-down list or select any.

    Mode

    Required. Select Main or Aggressive for the phase-1 mode.

    Authentication Method

    Required. Select Pre-shared Key or Signature for the authentication method.

    Pre-shared Key

    If Pre-shared Key is selected, this field is required. Type a string for the pre-shared key. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

    User Group

    If Pre-shared Key is selected, this field is available but optional. Enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers.

    Certificate Name

    If Signature is selected, this field is available but optional. Select a certificate from the drop-down list.

    Peer Options

    If Signature is selected, this field is available but optional. Select Any peer id or One peer id.

    peer id

    If One peer id is selected, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

    Advanced...(XAUTH, NAT-traversal, DPD)

    Local Gateway IP

    Select Specify or Main Interface IP. If you select Specify, type the IPv4 address in the field.

    P1 Proposal

    Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

    Diffie-Hellman Groups

    Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172800 seconds. The default is 86400.

    Local ID

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID uniquely identifies one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. Type a string with a maximum of 63 characters.

    XAuth

    Select Disable or Client for the XAUTH type. The default is Disable.

    NAT-traversal

    Select Disable, Enable, or Forced. The default is Enable.

    Keep Alive Frequency

    If NAT traversal is enabled or forced, type a keep-alive frequency setting (10-900 seconds). The default is 10. The value range is 10-900.

    Dead Peer Detection

    Select Disable, On Idle, or On Demand.

    IPSec phase-2 fields

    The Create New IPSec Phase2 and Edit IPSec Phase2 forms contain the following fields:

    Settings

    Guidelines

    Tunnel Name

    Required. Type a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

    Phase 1

    Required. Select an IPSec Phase-1 configuration.

    Advanced

    P2 Proposal

    Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

    Replay Detection

    Select to enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. The default is selected.

    Perfect forward secrecy (PFS)

    Select to enable or disable perfect forward secrecy (PFS). Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the key life expires. The default is selected.

    Diffie-Hellman Groups

    Required. Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Required. Select the PFS key life. Select Seconds, KBytes, or Both.

    • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
    • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
    • If Both is selected, type the number of seconds and the number of KB.

    Auto Keep Alive

    Optional. Select to enable or disable autokey keep alive. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. The default is deselected.

    DHCP-IPsec

    Optional. The default is deselected.

    Quick Mode Selector

    Local Address

    Select Subnet, IP Range, IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Remote Address

    Select Subnet, IP Range, IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Local Port

    Enter the number of the local port. The default is 0 The maximum value is 65535.

    Remote Port

    Enter the number of the remote port. The default is 0 The maximum value is 65535.

    Protocol

    Enter the protocol number. The default is 0 The maximum value is 255.
    Previous
    Next

    Configuring VPNs

    Configuring VPNs

    Use the VPN area to configure IPSec phase 1 and phase 2. You must have at least one IPSec phase-1 configuration and at least one IPSec phase-2 configuration.

    In this area, the following actions are available:

    • Show x Entries—use the drop-down menu to set the number of entries to display
    • Search—enter text to search for in the table
    • Create New—configure the IPSec phase 1 or the IPSec phase 2
    • Edit—change an existing IPSec phase-1 or IPSec phase-2 configuration
    • Delete—delete an IPSec phase-1 or IPSec phase-2 configuration

    Creating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Create New. If the table is blank, right-click under the column headings and select Create New.
    3. Enter values in the relevant fields and select Save. See IPSec phase-1 fields and IPSec phase-2 fields.
    4. Select Save.

    Updating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Edit.
    3. Update the values that have changed.
    4. Select Save.

    Deleting an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN tree.
    2. Right-click a configuration and select Delete.

    IPSec phase-1 fields

    The Create New IPSec Phase1 and Edit IPSec Phase1 forms contain the following fields:

    Settings

    Guidelines

    Gateway Name

    Required. Type a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

    Comments

    Type an optional description. The value is a string with a maximum of 255 characters.

    Remote Gateway

    Required. Select Static IP Address, Dialup user, or Dynamic DNS.

    IP Address

    Required if you select Static IP Address. Type the IPv4 address.

    Dynamic DNS

    Required if you select Dynamic DNS. Type the fully qualified domain name.

    Local Interface

    Required. Select an interface from the drop-down list or select any.

    Mode

    Required. Select Main or Aggressive for the phase-1 mode.

    Authentication Method

    Required. Select Pre-shared Key or Signature for the authentication method.

    Pre-shared Key

    If Pre-shared Key is selected, this field is required. Type a string for the pre-shared key. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

    User Group

    If Pre-shared Key is selected, this field is available but optional. Enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers.

    Certificate Name

    If Signature is selected, this field is available but optional. Select a certificate from the drop-down list.

    Peer Options

    If Signature is selected, this field is available but optional. Select Any peer id or One peer id.

    peer id

    If One peer id is selected, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

    Advanced...(XAUTH, NAT-traversal, DPD)

    Local Gateway IP

    Select Specify or Main Interface IP. If you select Specify, type the IPv4 address in the field.

    P1 Proposal

    Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

    Diffie-Hellman Groups

    Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172800 seconds. The default is 86400.

    Local ID

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID uniquely identifies one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. Type a string with a maximum of 63 characters.

    XAuth

    Select Disable or Client for the XAUTH type. The default is Disable.

    NAT-traversal

    Select Disable, Enable, or Forced. The default is Enable.

    Keep Alive Frequency

    If NAT traversal is enabled or forced, type a keep-alive frequency setting (10-900 seconds). The default is 10. The value range is 10-900.

    Dead Peer Detection

    Select Disable, On Idle, or On Demand.

    IPSec phase-2 fields

    The Create New IPSec Phase2 and Edit IPSec Phase2 forms contain the following fields:

    Settings

    Guidelines

    Tunnel Name

    Required. Type a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

    Phase 1

    Required. Select an IPSec Phase-1 configuration.

    Advanced

    P2 Proposal

    Select the encryption and authentication algorithms. You can select more than one. Use the arrows to move the algorithms from Available Encryption-Authentication Pair box to the Selected Encryption-Authentication Pair box.

    Replay Detection

    Select to enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. The default is selected.

    Perfect forward secrecy (PFS)

    Select to enable or disable perfect forward secrecy (PFS). Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the key life expires. The default is selected.

    Diffie-Hellman Groups

    Required. Select one or more of the following Diffie-Hellman (DH) groups: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Required. Select the PFS key life. Select Seconds, KBytes, or Both.

    • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
    • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
    • If Both is selected, type the number of seconds and the number of KB.

    Auto Keep Alive

    Optional. Select to enable or disable autokey keep alive. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. The default is deselected.

    DHCP-IPsec

    Optional. The default is deselected.

    Quick Mode Selector

    Local Address

    Select Subnet, IP Range, IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Remote Address

    Select Subnet, IP Range, IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Local Port

    Enter the number of the local port. The default is 0 The maximum value is 65535.

    Remote Port

    Enter the number of the remote port. The default is 0 The maximum value is 65535.

    Protocol

    Enter the protocol number. The default is 0 The maximum value is 255.
    Previous
    Next