Phase 2 configuration
After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.
The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.
These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).
Name: Type a name to identify the Phase 2 configuration.
Phase 1: Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration on page 1611. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Advanced: Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings below.
Phase 2 advanced configuration settings
In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.
Phase 2 Proposal: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the second Authentication field.
It is invalid to set both Encryption and Authentication to NULL.
Encryption: Select a symmetric-key algorithm:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES; plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
Authentication: You can select one of the following message digests to check the authenticity of messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5.
SHA1 — Secure Hash Algorithm 1, a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.
Enable replay detection: Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. Select this option to have the FortiGate unit detect and discard such replayed packets.
Enable perfect forward secrecy (PFS): Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the keylife expires.
Diffie-Hellman Group: Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.
Keylife: Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed, whichever comes first.
Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
DHCP-IPsec: Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.
You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration on page 1611.
If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.
Quick Mode Selector: Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.
Source address: If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, the source address must refer to the private network behind the Fortinet dialup client.
Source port: Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.
Destination address: Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port: Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.
Protocol: Enter the IP protocol number of the service. To specify all services, enter 0.
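Since these settings are mainly configured in the CLI, the following shows the Phase 2 settings from the tables above as a FortiGate CLI configuration. This is an added example written for this page, not text from Fortinet's documentation: the Phase 1 and Phase 2 names (p1-branch, p2-branch, p1-dialup, p2-dialup), the firewall address object lan-subnet, and the subnets are assumed values, and the lines beginning with # are explanatory comments rather than commands to type. The first entry is a site-to-site Phase 2 with the advanced options set; the second is a dialup Phase 2 using DHCP over IPsec and the CLI-only firewall-address selectors mentioned above.

```fortios
# Site-to-site Phase 2, bound to an existing Phase 1 named "p1-branch" (assumed name).
config vpn ipsec phase2-interface
    edit "p2-branch"
        set phase1name "p1-branch"
        # Up to three proposals, listed in preference order; the remote peer
        # must accept at least one. A NULL/NULL proposal is rejected by the unit.
        set proposal aes256-sha1 aes128-sha1
        # Advanced settings: replay detection, PFS with DH group 14 (must match
        # the peer), keylife by both time and volume (whichever expires first).
        set replay enable
        set pfs enable
        set dhgrp 14
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 5120
        # Keep the SA up when idle and renegotiate it automatically on expiry.
        set keepalive enable
        set auto-negotiate enable
        # Quick mode selectors: local network behind this unit, remote network
        # behind the peer. Port 0 and protocol 0 mean all ports / all services.
        set src-subnet 172.16.5.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
        set src-port 0
        set dst-port 0
        set protocol 0
    next
end

# Dialup Phase 2, bound to a dialup Phase 1 named "p1-dialup" (assumed name).
config vpn ipsec phase2-interface
    edit "p2-dialup"
        set phase1name "p1-dialup"
        set proposal aes256-sha1
        set replay enable
        set pfs enable
        set dhgrp 14
        # DHCP over IPsec: addresses are handed to clients by the DHCP server
        # or relay configured separately on the private interface.
        set dhcp-ipsec enable
        # Selectors by firewall address object (CLI only). The local side is the
        # address object "lan-subnet" (assumed); the remote side is "all",
        # equivalent to the 0.0.0.0/0 default for a dialup server.
        set src-addr-type name
        set src-name "lan-subnet"
        set dst-addr-type name
        set dst-name "all"
    next
end
```

After applying a configuration like this, a mismatch between the proposals or the DH group on the two peers shows up as a failed Phase 2 negotiation, so the proposal list and dhgrp value are the first things to compare against the remote end when a tunnel negotiates Phase 1 but never comes up.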