Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiPortal 7.0.1 User Guide
    7.0.1
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0

    VPN

    VPN

    The VPN dropdown menu on the Security > Network tab displays a list of configurations for Internet Protocol Security (IPsec) Phase 1 and Phase 2.

    Use the VPN dropdown menu to configure VPNs.

    Configuring VPNs

    Use the VPN dropdown to configure IPSec phase 1 and phase 2.

    You must have at least one IPSec phase-1 configuration and at least one IPSec phase-2 configuration.

    When creating a new IPSec interface, FortiPortal now checks whether the normalization interface exists or not using the IPSec interface name:

    • If the interface exists, FortiPortal creates a dynamic mapping for the targeted firewall device/VDOM.

    • Otherwise, FortiPortal creates both the normalization interface and the dynamic mapping.

    When deleting an IPSec interface, FortiPortal removes the dynamic mapping from the normalization interface.

    Creating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select Create.
    3. Enter values in the relevant fields and select Save. See IPSec phase-1 fields and IPSec phase-2 fields.
    4. Select Save.

    Updating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select a configuration and then select Edit.
    3. Update the values that have changed.
    4. Select Save.

    Deleting an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select configurations and then select Delete.

    IPSec phase-1 fields

    The Create IPSec Phase1 and Edit IPSec Phase1 dialogs contain the following fields:

    Settings

    Guidelines

    Name

    Required. Type a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

    Comments

    Type an optional description. The value is a string with a maximum of 255 characters.

    Remote Gateway

    Required. Select Static IP Address, Dialup user, or Dynamic DNS.

    IP Address

    Required if you select Static IP Address as the Remote Gateway. Type the IPv4 address.

    Dynamic DNS

    Optional if you select Dynamic DNS as the Remote Gateway. Type the fully qualified domain name.

    Local Interface

    Required. Select an interface from the dropdown or select any.

    Mode

    Required. Select Main or Aggressive for the phase-1 mode.

    Authentication Method

    Required. Select Pre-shared Key or Signature for the authentication method.

    Pre-shared Key

    If Pre-shared Key is selected as the Authentication Method, this field is required. Type a string for the pre-shared key. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

    Certificate Name

    If Signature is selected as the Authentication Method, this field is required. Select a certificate from the dropdown.

    Peer Options

    If the Mode is Aggressive, or Signature is selected as the Authentication Method, this field is available but optional. Select Any peer id, One peer id, Peer certificate, or Peer certificate group.

    Peer id

    If One peer id is selected in Peer Options, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

    Peer Certificate

    If Peer certificate is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate.

    Peer Certificate Group

    If Peer certificate group is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate group.

    Advanced...(XAUTH, NAT-traversal, DPD)

    P1 Proposal

    Select the encryption and authentication algorithms. You can select more than one from the dropdown.

    IPSec phase-2 fields

    The Create IPSec Phase2 and Edit IPSec Phase2 dialogs contain the following fields:

    Settings

    Guidelines

    Tunnel Name

    Required. Type a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

    Phase 1

    Required. Select an IPSec Phase-1 configuration.

    Advanced

    Diffie-Hellman Groups

    Required. Select one or more of the following Diffie-Hellman (DH) groups: 1,2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, and 32. At least one of the DH group settings on the remote peer or client must match one the selections on the firewall unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Required. Select the PFS key life. Select Seconds, KBytes, or Both.

    • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
    • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
    • If Both is selected, type the number of seconds and the number of KB.

    DHCP-IPsec

    Optional. The default is deselected.

    Auto Keep Alive

    Optional. Select to enable or disable autokey keep alive. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. The default is deselected.

    Quick Mode Selector

    Local Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Remote Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Local Port

    Enter the number of the local port. The default is 0 The maximum value is 65535.

    Remote Port

    Enter the number of the remote port. The default is 0 The maximum value is 65535.

    Protocol

    Enter the protocol number. The default is 0 The maximum value is 255.
    Previous
    Next

    VPN

    VPN

    The VPN dropdown menu on the Security > Network tab displays a list of configurations for Internet Protocol Security (IPsec) Phase 1 and Phase 2.

    Use the VPN dropdown menu to configure VPNs.

    Configuring VPNs

    Use the VPN dropdown to configure IPSec phase 1 and phase 2.

    You must have at least one IPSec phase-1 configuration and at least one IPSec phase-2 configuration.

    When creating a new IPSec interface, FortiPortal now checks whether the normalization interface exists or not using the IPSec interface name:

    • If the interface exists, FortiPortal creates a dynamic mapping for the targeted firewall device/VDOM.

    • Otherwise, FortiPortal creates both the normalization interface and the dynamic mapping.

    When deleting an IPSec interface, FortiPortal removes the dynamic mapping from the normalization interface.

    Creating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select Create.
    3. Enter values in the relevant fields and select Save. See IPSec phase-1 fields and IPSec phase-2 fields.
    4. Select Save.

    Updating an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select a configuration and then select Edit.
    3. Update the values that have changed.
    4. Select Save.

    Deleting an IPSec phase-1 or phase-2 configuration

    1. Select IPSec Phase 1 or IPSec Phase 2 from the VPN dropdown menu.
    2. Select configurations and then select Delete.

    IPSec phase-1 fields

    The Create IPSec Phase1 and Edit IPSec Phase1 dialogs contain the following fields:

    Settings

    Guidelines

    Name

    Required. Type a name for this Phase-1 configuration. The value is a string with a maximum of 15 characters.

    Comments

    Type an optional description. The value is a string with a maximum of 255 characters.

    Remote Gateway

    Required. Select Static IP Address, Dialup user, or Dynamic DNS.

    IP Address

    Required if you select Static IP Address as the Remote Gateway. Type the IPv4 address.

    Dynamic DNS

    Optional if you select Dynamic DNS as the Remote Gateway. Type the fully qualified domain name.

    Local Interface

    Required. Select an interface from the dropdown or select any.

    Mode

    Required. Select Main or Aggressive for the phase-1 mode.

    Authentication Method

    Required. Select Pre-shared Key or Signature for the authentication method.

    Pre-shared Key

    If Pre-shared Key is selected as the Authentication Method, this field is required. Type a string for the pre-shared key. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

    Certificate Name

    If Signature is selected as the Authentication Method, this field is required. Select a certificate from the dropdown.

    Peer Options

    If the Mode is Aggressive, or Signature is selected as the Authentication Method, this field is available but optional. Select Any peer id, One peer id, Peer certificate, or Peer certificate group.

    Peer id

    If One peer id is selected in Peer Options, this field is required. Enter the peer ID to uniquely identify one end of a VPN tunnel, enabling a more secure connection. If you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. The value is a string with a maximum of 255 characters.

    Peer Certificate

    If Peer certificate is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate.

    Peer Certificate Group

    If Peer certificate group is selected in Peer Options, this field is available but optional. From the dropdown, select a peer certificate group.

    Advanced...(XAUTH, NAT-traversal, DPD)

    P1 Proposal

    Select the encryption and authentication algorithms. You can select more than one from the dropdown.

    IPSec phase-2 fields

    The Create IPSec Phase2 and Edit IPSec Phase2 dialogs contain the following fields:

    Settings

    Guidelines

    Tunnel Name

    Required. Type a name for this Phase-2 configuration. The value is a string with a maximum of 35 characters.

    Phase 1

    Required. Select an IPSec Phase-1 configuration.

    Advanced

    Diffie-Hellman Groups

    Required. Select one or more of the following Diffie-Hellman (DH) groups: 1,2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31, and 32. At least one of the DH group settings on the remote peer or client must match one the selections on the firewall unit. Failure to match one or more DH groups will result in failed negotiations. Only one DH group is allowed for static and dynamic DNS gateways in aggressive mode. By default, 5 and 14 are selected.

    Key Life

    Required. Select the PFS key life. Select Seconds, KBytes, or Both.

    • If Seconds is selected, type the number of seconds. The default is 43200. The value range is 120-172800.
    • If KBytes is selected, type the number of KB. The default is 5120. The value range is 5120-4294967295.
    • If Both is selected, type the number of seconds and the number of KB.

    DHCP-IPsec

    Optional. The default is deselected.

    Auto Keep Alive

    Optional. Select to enable or disable autokey keep alive. The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, the SA expires and the VPN tunnel goes down. A new SA will not be generated until there is traffic. The Autokey Keep Alive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up. The default is deselected.

    Quick Mode Selector

    Local Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Remote Address

    Select Subnet, IP Range, Static IP Address, or Named Address.

    • If Subnet is selected, enter an IP address and netmask.
    • If IP Range is selected, enter the first IP address and the last IP address in the range.
    • If Static IP Address is selected, enter an IPv4 address.
    • If Named Address is selected, select from the drop-down list.

    Local Port

    Enter the number of the local port. The default is 0 The maximum value is 65535.

    Remote Port

    Enter the number of the remote port. The default is 0 The maximum value is 65535.

    Protocol

    Enter the protocol number. The default is 0 The maximum value is 255.
    Previous
    Next