Description
This article explains the use of auto-negotiate and keepalive options under IPsec VPN phase2 settings.
Scope
FortiGate.
Solution
Autokey Keep Alive: Enable this option to keep the tunnel active when no data is being processed.
The phase 2 SA has a fixed lifetime. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption.
If there is no traffic, however, the SA expires (by default) and phase 2 goes down.
A new SA is not negotiated until there is traffic again.
The Autokey Keep Alive option ensures that a new phase 2 SA is negotiated before the old one expires, even if there is no traffic, so that the VPN tunnel stays up and the remote side can send into it at any time.
Auto-negotiate: Enable this option to bring the tunnel up automatically and to renegotiate it whenever it expires or goes down.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.
Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel.
Auto-negotiate initiates the phase-2 SA negotiation automatically, repeating every five seconds until the SA is established.
Automatically establishing the SA can be important for a dial-up peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dial-up peer.
Otherwise, the VPN tunnel does not exist until the dial-up peer initiates traffic.
To configure auto-negotiate:
Policy-based IPsec VPN.
config vpn ipsec phase2
    edit <phase2_name>
        set auto-negotiate enable
        set keepalive enable
    next
end
Route-based IPsec VPN.
config vpn ipsec phase2-interface
    edit <phase2_name>
        set auto-negotiate enable
        set keepalive enable
    next
end
To configure via GUI:
Auto-negotiate and Autokey Keep Alive are both disabled by default on the FortiGate.
Enabling auto-negotiate implicitly enables keepalive as well: a phase 2 that is negotiated without traffic is also rekeyed without traffic, so there is no need to set keepalive separately once auto-negotiate is enabled. Keepalive can still be enabled on its own, in which case the tunnel stays up once established but the initial negotiation still waits for traffic.
Note:
Auto-negotiate cannot be enabled on the dial-up server side of a dial-up IPsec VPN (the FortiGate whose phase 1 has a dynamic remote gateway), because that end does not know the peer's address and therefore cannot initiate the negotiation. Configure auto-negotiate on the dial-up peer instead, as described above, so that the tunnel is already up when the server end needs to send traffic to it.
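The following script is an added example and not part of the original article or of any Fortinet tool. It audits a FortiGate configuration backup (the same config vpn ipsec phase2 / phase2-interface syntax shown above) and reports which phase 2 selectors will only be negotiated on demand, i.e. those without auto-negotiate. It also derives the effective SA behaviour from the two flags, applying the rule stated above that auto-negotiate implicitly enables keepalive. The configuration text embedded in the script is constructed sample data; the phase 2 names, phase 1 names and subnets in it are assumptions for illustration only.

```python
"""Audit FortiGate phase 2 entries for auto-negotiate / keepalive settings.

Added example (not Fortinet code). Works on the text of a FortiOS config
backup: it walks the two phase 2 tables and reads the two flags that the
article discusses. Everything else in the config is ignored.
"""

# Constructed sample config (assumed names and subnets, not from the article).
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set auto-negotiate enable
        set keepalive enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    edit "to-dc-p2"
        set phase1name "to-dc"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.3.0.0 255.255.0.0
    next
    edit "to-lab-p2"
        set phase1name "to-lab"
        set keepalive enable
    next
end
config vpn ipsec phase2
    edit "legacy-p2"
        set phase1name "legacy"
        set auto-negotiate enable
    next
end
"""

# The two tables the article covers: policy-based and route-based phase 2.
PHASE2_TABLES = ("vpn ipsec phase2", "vpn ipsec phase2-interface")
FLAGS = ("auto-negotiate", "keepalive")


def parse_phase2(config_text):
    """Return {phase2_name: {"table": <table>, "auto-negotiate": bool, "keepalive": bool}}.

    Flags that are absent from an entry are reported as False, matching the
    FortiOS default described in the article (both disabled by default).
    """
    entries = {}
    table = None      # phase 2 table we are currently inside, if any
    depth = 0         # nesting level of config ... end blocks
    current = None    # dict for the entry currently being edited
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:
                name = line[len("config "):].strip()
                table = name if name in PHASE2_TABLES else None
            depth += 1
        elif line == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                table, current = None, None
        elif table is None or depth != 1:
            continue  # not inside a phase 2 table at top level
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            current = {"table": table, "auto-negotiate": False, "keepalive": False}
            entries[name] = current
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split()
            if len(parts) == 3 and parts[1] in FLAGS:
                current[parts[1]] = (parts[2] == "enable")
    return entries


def effective_behaviour(entry):
    """Describe the SA lifecycle implied by the two flags, per the article."""
    auto = entry["auto-negotiate"]
    keepalive = entry["keepalive"] or auto   # auto-negotiate implies keepalive
    if auto:
        return "initiates and rekeys without traffic"
    if keepalive:
        return "rekeys without traffic, but initial SA needs traffic"
    return "on-demand: SA only after traffic, expires when idle"


def audit(config_text):
    """Names of phase 2 entries that will not be brought up automatically."""
    entries = parse_phase2(config_text)
    return sorted(name for name, e in entries.items() if not e["auto-negotiate"])


if __name__ == "__main__":
    for name, entry in parse_phase2(SAMPLE_CONFIG).items():
        print(f"{name:15} {entry['table']:28} {effective_behaviour(entry)}")
    print("needs auto-negotiate:", audit(SAMPLE_CONFIG))
```

Run it against a real backup by reading the file into parse_phase2(); entries listed by audit() are the ones a remote site cannot reach until something on this side sends traffic, which is usually what is behind "the tunnel only comes up when I ping from the FortiGate".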
Related document:
Copyright 2024 Fortinet, Inc. All Rights Reserved.