FortiOS 6 – IPSEC Phase 1 parameters

Authenticating the FortiGate unit

The FortiGate unit can authenticate itself to remote peers or dialup clients using either a pre-shared key or an RSA Signature (certificate).

Authenticating the FortiGate unit with digital certificates

To authenticate the FortiGate unit using digital certificates, you must have the required certificates installed on the remote peer and on the FortiGate unit. The signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer. If you use certificates to authenticate the FortiGate unit, you can also require the remote peers or dialup clients to authenticate using certificates.

For more information about obtaining and installing certificates, see the FortiOS User Authentication guide.

Authenticating the FortiGate unit using digital certificates

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):

Authenticating the FortiGate unit

Name Enter a name that reflects the origination of the remote connection. For interface mode, the name can be up to 15 characters long.
Remote Gateway Select the nature of the remote connection.

Each option changes the available fields you must configure. For more information, see Authenticating the FortiGate unit on page 49.

Local Interface Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 49. The local interface is typically the WAN1 port.
Mode Select a mode. It is easier to use Aggressive mode.

In Main mode, parameters are exchanged in multiple encrypted rounds.

In Aggressive mode, parameters are exchanged in a single unencrypted message.

Aggressive mode must be used when the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).

For more information, see Authenticating the FortiGate unit on page 49.

Authentication Method Select Signature.
Certificate Name Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.

You must obtain and load the required server certificate before this selection. See the FortiOS User Authentication guide. If you have not loaded any certificates, use the certificate named Fortinet_Factory.

Peer Options Peer options define the authentication requirements for remote peers or dialup clients. They are not for your FortiGate unit itself.

See Authenticating the FortiGate unit on page 49.

Advanced You can use the default settings for most Phase 1 configurations. Changes are required only if your network requires them. These settings includes IKE version, DNS server, P1 proposal encryption and authentication settings, and XAuth settings. See Authenticating the FortiGate unit on page 49.
  1. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters in the Advanced section. See Authenticating the FortiGate unit on page 49.
  2. Select OK.

the FortiGate unit

Authenticating the FortiGate unit with a pre-shared key

The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.

If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see Authenticating the FortiGate unit on page 49.

The pre-shared key must contain at least 6 printable characters and best practices dictate that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.

Authenticating the FortiGate unit with a pre-shared key

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):
Name Enter a name that reflects the origination of the remote connection.
Remote Gateway Select the nature of the remote connection. For more information, see Authenticating the FortiGate unit on page 49.
Local Interface Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 49. The local interface is typically the WAN1 port.
Mode Select Main or Aggressive mode.

In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

In Aggressive mode, the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address.

For more information, see Authenticating the FortiGate unit on page 49.

Authentication Method Select Pre-shared Key.

 

Pre-shared Key Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer options Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of

peer IDs, but not client certificates. For more information, see Authenticating the FortiGate unit on page 49.

Advanced You can retain the default settings unless changes are needed to meet your specific requirements. See Authenticating the FortiGate unit on page 49.
  1. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See Authenticating the FortiGate unit on page 49.
  2. Select OK.
This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.