FortiGate
Jonathan_Body_FTNT
Article Id 198709

Description
The IKE Configuration Method (mode-cfg) is a new feature in FortiOS 4.0 MR1 Patch 1 that lets two IKE peers exchange configuration attributes (a virtual IP address, netmask, DNS servers, and the networks reachable through the tunnel) inside the transaction exchange protected by the phase 1 (ISAKMP) SA, so the attributes are never sent in the clear. This article describes the feature and the scenarios in which it can be used.
Scope
All FortiGate units running FortiOS 4.1.1 (4.0 MR1 Patch 1).
Solution

This new feature can only be configured for interface-mode (route-based) IPsec phase 1 definitions, and only from the FortiGate CLI. Phase 2 parameters can be configured from either the GUI or the CLI.

Once the mode-cfg phase 1 settings have been entered on the CLI, the GUI displays them automatically.

Note: IPv4 range exclusions, IPv6, and split tunneling are all supported by this feature.

1. FortiGate-to-FortiGate or FortiGate-to-third-party IKE peer connections
mode-cfg can be set up in the following two networking roles when building an IKE/IPsec connection between two FortiGates, or between a FortiGate and a third-party IKE peer that supports mode-cfg:

mode-cfg server = the side whose phase 1 is of type dynamic (dialup); it assigns the configuration to the peer.
mode-cfg client = the side whose phase 1 is static, reaching the remote gateway through DDNS; it requests the configuration and applies what the server returns.
2. IPsec dialer => FortiGate
The FortiGate assigns a virtual IP (VIP) address to the dialer.

The FortiGate pushes either a default route (all of the dialer's traffic enters the tunnel) or the remote networks reachable through the tunnel (split tunneling).
DHCP over IPsec can also be used. When an IPsec dialer initiates an IKE connection with DHCP over IPsec, the expected sequence of events is:
1) Main or Aggressive Mode negotiation, initiated by the client
2) Quick Mode negotiation for the DHCP traffic, initiated by the client
3) DHCP lease obtained by the client (ESP traffic exchange)
4) Deletion of that IPsec SA, initiated by the client
5) Quick Mode negotiation for the data traffic, initiated by the client
For a standard IKE connection using mode-cfg without DHCP over IPsec, the sequence is shorter because the address and routes arrive in the mode-cfg transaction instead of a separate DHCP exchange over ESP:
1) Main or Aggressive Mode negotiation, initiated by the client
2) mode-cfg transaction (Request/Reply), initiated by the client
3) Quick Mode negotiation for the data traffic, initiated by the client
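As an added example (not part of the original article, and not Fortinet reference configuration), the following CLI fragments pair a mode-cfg server on a hub FortiGate with a mode-cfg client on a spoke FortiGate reached through DDNS, covering the server and client roles from section 1 and the VIP, DNS and route push from section 2. The interface names, addresses, pool range, peer IDs, hostname and pre-shared key are assumed placeholders; the `#` lines are annotations for the reader, not CLI input; and the phase1-interface keywords follow the FortiOS 4.x CLI reference, so verify each against the exact build in use before applying.

```text
# Added example, not from the original article. Placeholders: wan1, 192.168.10.0/24,
# 10.10.10.1-50, hub.example.net, spoke1 and the PSK. Verify keyword names against
# the CLI reference for your FortiOS build.

### Hub: mode-cfg server. "type dynamic" makes this the dialup side that hands out
### configuration; the ipv4-* values are what the server returns in the mode-cfg Reply.
config firewall address
    edit "hub-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "modecfg-srv"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "spoke1"               # accept only this peer ID, not any dialer
        set proposal aes128-sha1
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1      # VIP pool handed to clients
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 192.168.10.53
        set ipv4-split-include "hub-lan"  # push only hub-lan (split tunnel); omit to push a default route
        set psksecret <strong-random-psk>
    next
end
config vpn ipsec phase2-interface
    edit "modecfg-srv-p2"
        set phase1name "modecfg-srv"
        set proposal aes128-sha1
        set dhcp-ipsec disable            # "enable" selects the DHCP-over-IPsec sequence instead
    next
end

### Spoke: mode-cfg client. A ddns (or static) phase 1 with mode-cfg enabled sends the
### Request after phase 1 completes and applies the Reply before starting Quick Mode.
config vpn ipsec phase1-interface
    edit "modecfg-cli"
        set type ddns
        set remotegw-ddns "hub.example.net"
        set interface "wan1"
        set mode aggressive
        set localid "spoke1"              # must match the peerid expected by the hub
        set proposal aes128-sha1
        set dhgrp 14
        set mode-cfg enable
        set psksecret <strong-random-psk>
    next
end
config vpn ipsec phase2-interface
    edit "modecfg-cli-p2"
        set phase1name "modecfg-cli"
        set proposal aes128-sha1
        set auto-negotiate enable         # bring the tunnel up without waiting for traffic
    next
end
```

Two checks worth making on such a setup. First, with aggressive mode and a pre-shared key, the phase 1 exchange lets a passive observer capture material usable for an offline attack on the PSK, so use a long random secret or switch to certificate authentication (`set authmethod signature`); restricting the hub to a known peer ID, as above, also keeps arbitrary dialers from obtaining a VIP and pushed routes. Second, the mode-cfg Request/Reply from the second sequence in section 2 can be watched on the hub with `diagnose debug application ike -1` followed by `diagnose debug enable`, which is the quickest way to confirm the transaction is happening between phase 1 and Quick Mode and to see which address and networks the client was actually given.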
