Uses UDP port 500 (and UDP port 4500 when crossing NAT)
Negotiates a tunnel’s private keys, authentication, and encryption
One lPsec SA is used per traffic direction.
Phases:
Phase1
Phase2

Phase 1 negotiation modes

Phase 2 negotiation mode

takes place when each endpoint of the tunnel—the initiator and the responder—connects and begins to set up the VPN.

Key agreement method:
Independently calculate a private key using only public keys

Each FortiGate uses a shared secret key plus a nonce to calculate keys for the following:
Symmetric encryption algorithms (such as 3DES, AES)
Symmetric authentication (HMACs)

Negotiates two unidirectional SAs for ESP (called lPsec SAS)
Protected by phase IKE SA
When SAs are about to expire, it renegotiates
Optionally, if Perfect Forward Secrecy is set to Enabled, FortiGate uses Diffie-Hellman to generate new keys each time phase 2 expires.
Each phase 1 can have multiple phase 2s.
High security subnets can have stronger ESP.

Also, if you set ____________ to Enable, each time phase 2 expires, FortiGate will use Diffie-Hellman to recalculate new secret keys. In this way, new keys are not derived from older keys, making it much harder for an attacker to crack the tunnel.

If multiple phase 2 exist, FortiGate directs traffic to the correct phase 2.
Allows granular security settings for each LAN.
If traffic does not match an lPsec SA selector, it is dropped.
ln point-to-pointVPNs, selectors must match.
- The source on one FortiGate is the destination setting on the other.

Select which SA to apply using:
Destination and source IP subnet(s)
Protocol number
Source port and destination port

In aggressive mode, how many packets are exchanged to establish phase 1 of the lPsec tunnel?

Which statement about quick mode selectors is true?

Settings need in Dialup VPN between two fortigates

Dialup IPsec is also known as

IKE mode configuration automatically configures network settings?