Fortinet white logo
Fortinet white logo

Administration Guide

Edit an IPsec tunnel

Edit an IPsec tunnel

Select an IPsec tunnel and then click Edit to open the Edit VPN Tunnel page.

Configure the following settings in the Edit VPN Tunnel page. After each editing a section, select the checkmark icon to save your changes. After you make all of your changes, click OK.

Name

The name of the IPsec tunnel cannot be changed.

Comments

An optional description of the IPsec tunnel.

Network

Select Edit to make changes.

IP Version

This option is set to IPv4.

Remote Gateway

This option is set to Static IP Address for a remote peer that has a static IP address.

IP Address

Enter the IP address of the remote peer.

Interface

Select the name of the interface through which remote peers connect to the FortiProxy unit.

Local Gateway

Enable this option to configure a local gateway and then select Primary IP, Secondary IP, or Specify. Enter or select the IP address.

NAT Traversal

Select Enable if a NAT device exists between the local FortiProxy unit. and the VPN peer or client. The local FortiProxy unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. Additionally, you can force IPsec to use NAT traversal.

If this option is set to Forced, the FortiProxy unit uses a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency

If you selected Enable or Forced for the NAT traversal, enter a keep-alive frequency.

Forward Error Correction

Select Egress or Ingress.

Add route

Select Enabled if you want to add a route.

Auto discovery sender

Select Enabled to automatically discover the sender.

Auto discover receiver

Select Enabled to automatically discover the receiver.

Authentication

Select Edit to make changes.

Method

Select Pre-shared Key or Signature:

  • Pre-shared Key—A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.

  • Signature—Use one or more certificates for authentication.

Pre-shared Key

If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client.

The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

Certificate Name

If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.

Version

IKE version 1 is selected by default.

Mode

Select Aggressive or Main (ID protection):

  • Main (ID protection)—The Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

  • Aggressive—The Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

Phase 1 Proposal

Select Edit to make changes.

Select Add to get another row of Encryption and Authentication options.

Encryption

Select DES, 3DES, AES128, AES192, AES256 to use as the encryption algorithm.

Authentication

Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.

Diffie-Hellman Groups

Select one or more Diffie-Hellman (DH) asymmetric key algorithms for public key cryptography.

Key Lifetime (seconds)

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key lifetime can be from 120 to 172,800 seconds.

Local ID

A Local ID is an alphanumeric value.

XAUTH

Select Edit to make changes.

Type

Select Client to require an additional user name and password for authentication.

Username

If you selected Client, enter a user name for authentication.

Password

If you selected Client, enter a password for authentication.

Phase 2 Selectors

Select Add to enter new phase-2 information.

Name

Enter the Phase-2 name.

Comments

An optional description of the VPN tunnel.

Local Address

Select Subnet, IP Range, IP Address, Named Address,IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.

Remote Address

Select Subnet, IP Range, IP Address, Named Address,IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.

Phase 2 Proposal

Select Add to get another row of Encryption and Authentication options.

Encryption

Select DES, 3DES, AES128, AES128GCM, AES192, AES256 or CHACHA20POLY1305 to use as the encryption algorithm.

Authentication

Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.

Enable Replay Detection

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable Perfect Forward Secrecy (PFS)

Enable for PFS.

Local Port

Select All or enter the local port number.

Remote Port

Select All or enter the remote port number.

Protocol

Select All or enter the protocol number.

Auto-negotiate

Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

Autokey Keep Alive

Select the check box if you want the tunnel to remain active when no data is being processed.

Key Lifetime

Select the method for determining when the Phase 2 key expires: Seconds, Kilobytes, or Both. If you select Both, the key expires when either the time has passed or the number of kilobytes have been processed.

Seconds

If you selected Seconds or Both for the key lifetime, enter the number of seconds.

Kilobytes

If you selected Kilobytes or Both for the key lifetime, enter the number of kilobytes.

Edit an IPsec tunnel

Edit an IPsec tunnel

Select an IPsec tunnel and then click Edit to open the Edit VPN Tunnel page.

Configure the following settings in the Edit VPN Tunnel page. After each editing a section, select the checkmark icon to save your changes. After you make all of your changes, click OK.

Name

The name of the IPsec tunnel cannot be changed.

Comments

An optional description of the IPsec tunnel.

Network

Select Edit to make changes.

IP Version

This option is set to IPv4.

Remote Gateway

This option is set to Static IP Address for a remote peer that has a static IP address.

IP Address

Enter the IP address of the remote peer.

Interface

Select the name of the interface through which remote peers connect to the FortiProxy unit.

Local Gateway

Enable this option to configure a local gateway and then select Primary IP, Secondary IP, or Specify. Enter or select the IP address.

NAT Traversal

Select Enable if a NAT device exists between the local FortiProxy unit. and the VPN peer or client. The local FortiProxy unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. Additionally, you can force IPsec to use NAT traversal.

If this option is set to Forced, the FortiProxy unit uses a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency

If you selected Enable or Forced for the NAT traversal, enter a keep-alive frequency.

Forward Error Correction

Select Egress or Ingress.

Add route

Select Enabled if you want to add a route.

Auto discovery sender

Select Enabled to automatically discover the sender.

Auto discover receiver

Select Enabled to automatically discover the receiver.

Authentication

Select Edit to make changes.

Method

Select Pre-shared Key or Signature:

  • Pre-shared Key—A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.

  • Signature—Use one or more certificates for authentication.

Pre-shared Key

If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client.

The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

Certificate Name

If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.

Version

IKE version 1 is selected by default.

Mode

Select Aggressive or Main (ID protection):

  • Main (ID protection)—The Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

  • Aggressive—The Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

Phase 1 Proposal

Select Edit to make changes.

Select Add to get another row of Encryption and Authentication options.

Encryption

Select DES, 3DES, AES128, AES192, AES256 to use as the encryption algorithm.

Authentication

Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.

Diffie-Hellman Groups

Select one or more Diffie-Hellman (DH) asymmetric key algorithms for public key cryptography.

Key Lifetime (seconds)

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key lifetime can be from 120 to 172,800 seconds.

Local ID

A Local ID is an alphanumeric value.

XAUTH

Select Edit to make changes.

Type

Select Client to require an additional user name and password for authentication.

Username

If you selected Client, enter a user name for authentication.

Password

If you selected Client, enter a password for authentication.

Phase 2 Selectors

Select Add to enter new phase-2 information.

Name

Enter the Phase-2 name.

Comments

An optional description of the VPN tunnel.

Local Address

Select Subnet, IP Range, IP Address, Named Address,IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.

Remote Address

Select Subnet, IP Range, IP Address, Named Address,IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.

Phase 2 Proposal

Select Add to get another row of Encryption and Authentication options.

Encryption

Select DES, 3DES, AES128, AES128GCM, AES192, AES256 or CHACHA20POLY1305 to use as the encryption algorithm.

Authentication

Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.

Enable Replay Detection

Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable Perfect Forward Secrecy (PFS)

Enable for PFS.

Local Port

Select All or enter the local port number.

Remote Port

Select All or enter the remote port number.

Protocol

Select All or enter the protocol number.

Auto-negotiate

Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

Autokey Keep Alive

Select the check box if you want the tunnel to remain active when no data is being processed.

Key Lifetime

Select the method for determining when the Phase 2 key expires: Seconds, Kilobytes, or Both. If you select Both, the key expires when either the time has passed or the number of kilobytes have been processed.

Seconds

If you selected Seconds or Both for the key lifetime, enter the number of seconds.

Kilobytes

If you selected Kilobytes or Both for the key lifetime, enter the number of kilobytes.