FortiGate Installation and Configuration Guide

ManualsBrandsFortinet ManualsNetwork CardFortiGate 50A

181

182

183

184

185

186

187

188

189

190

186 Fortinet Inc.

AutoIKE IPSec VPNs IPSec VPN

4 Optionally, configure NAT Traversal.

5 Optionally, configure Dead Peer Detection.

Use these settings to monitor the status of the connection between VPN peers. DPD

allows dead connections to be cleaned up and new VPN tunnels established. DPD is

not supported by all vendors.

6 Select OK to save the phase 1 parameters.

XAuth: Enable as a Server

Encryption

method

Select the encryption method used between the XAuth client, the FortiGate

unit and the authentication server.

PAP— Password Authentication Protocol.

CHAP—Challenge-Handshake Authentication Protocol.

MIXED—Select MIXED to use PAP between the XAuth client and the

FortiGate unit, and CHAP between the FortiGate unit and the

authentication server.

Use CHAP whenever possible. Use PAP if the authentication server does

not support CHAP. (Use PAP with all implementations of LDAP and some

implementations of Microsoft RADIUS). Use MIXED if the authentication

server supports CHAP but the XAuth client does not. (Use MIXED with the

Fortinet Remote VPN Client.).

Usergroup Select a group of users to be authenticated by XAuth. The individual users

within the group can be authenticated locally or by one or more LDAP or

RADIUS servers.

The user group must be added to the FortiGate configuration before it can

be selected here.

Enable Select Enable if you expect the IPSec VPN traffic to go through a gateway

that performs NAT. If no NAT device is detected, enabling NAT traversal

has no effect. Both ends of the VPN (both VPN peers) must have the same

NAT traversal setting.

Keepalive

Frequency

If you enable NAT-traversal, you can change the number of seconds in the

Keepalive Frequency field. This number specifies, in seconds, how

frequently empty UDP packets are sent through the NAT device to ensure

that the NAT mapping does not change until P1 and P2 keylife expires. The

keepalive frequency can be from 0 to 900 seconds.

Enable Select Enable to enable DPD between the local and remote peers.

Short Idle Set the time, in seconds, that a link must remain unused before the local

VPN peer considers it to be idle. After this period of time expires, whenever

the local peer sends traffic to the remote VPN peer it also sends a DPD

probe to determine the status of the link. To control the length of time that

the FortiGate unit takes to detect a dead peer with DPD probes, configure

the Retry Count and the Retry Interval.

Retry Count Set the number of times that the local VPN peer retries the DPD probe

before it considers the channel to be dead and tears down the security

association (SA). To avoid false negatives because of congestion or other

transient failures, set the retry count to a sufficiently high value for your

network.

Retry Interval Set the time, in seconds, that the local VPN peer unit waits between

retrying DPD probes.

Long Idle Set the time, in seconds, that a link must remain unused before the local

VPN peer pro-actively probes its state. After this period of time expires, the

local peer sends a DPD probe to determine the status of the link even if

there is no traffic between the local peer and the remote peer.