Description
Can be used on any FortiGate model running FortiOS 3.0MR2 or newer. This article explains the difference between the IPSec VPN phase 2 auto-negotiate and keepalive options, and why you probably want to use both of them.
Auto-negotiate
What is auto-negotiate?
An IPSec VPN creates an encrypted security association (SA) between two peers. This is done in two phases. By default, the phase 2 SA is not negotiated until a peer attempts to send data. When enabled, auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.
When to use auto-negotiate
You might want to enable auto-negotiate if one end of the VPN is a dialup peer. In this configuration, only the dialup peer can bring up the tunnel, because the other peer cannot know the dialup peer’s gateway address. Enabling auto-negotiate at the dialup peer ensures that the VPN tunnel is available for users at the other peer to initiate traffic.
The auto-negotiate feature will detect if the tunnel ever goes down, and will try to re-establish the SA. However, the keepalive feature is a better way to keep your VPN up.
To enable auto-negotiate
The auto-negotiate feature is available only through the Command Line Interface (CLI). Use the following commands to enable it.
config vpn ipsec phase2
    edit <phase2_name>
        set auto-negotiate enable
end
Keepalive
What is Keepalive?
The phase 2 security association (SA) has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA with no interruption. If there is no traffic, the SA expires and the VPN tunnel goes down.
The Keepalive option ensures that a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up.
To enable Keepalive – Web-based manager
- Go to VPN > IPSEC > Auto Key (IKE).
- Select the Edit icon for your phase 2 configuration.
- Select Advanced.
- Select Autokey Keep Alive.
- Select OK.
To enable Keepalive – CLI
config vpn ipsec phase2
    edit <phase2_name>
        set keepalive enable
end
Can I use both Auto-negotiate and Keepalive?
Yes. Auto-negotiate and Keepalive work very well together. Auto-negotiate starts your VPN and Keepalive makes sure it stays up.
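As an added example (not part of the Fortinet KB article), the following Python script parses a FortiOS configuration export and reports every phase 2 entry on which auto-negotiate or keepalive is not enabled, which is a quick way to confirm that a fleet of tunnels actually has both options set as recommended above. The sample configuration embedded in the script is constructed for illustration; the script assumes the usual `config`/`edit`/`set`/`next`/`end` layout of FortiOS `show` output, where settings left at their default (both options default to disable) are omitted, and it also covers the `vpn ipsec phase2-interface` section, which takes the same two options.

```python
from typing import Dict, List, Tuple

# Constructed sample of a FortiOS configuration export (illustration only).
# "site-b-p2" has both options, "dialup-p2" only auto-negotiate, "branch-p2" neither.
SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit "site-b-p2"
        set phase1name "site-b"
        set auto-negotiate enable
        set keepalive enable
    next
    edit "dialup-p2"
        set phase1name "dialup"
        set auto-negotiate enable
    next
    edit "branch-p2"
        set phase1name "branch"
    next
end
"""

# Sections whose entries carry the auto-negotiate / keepalive options.
PHASE2_SECTIONS = ("vpn ipsec phase2", "vpn ipsec phase2-interface")
REQUIRED_OPTIONS = ("auto-negotiate", "keepalive")


def parse_phase2(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {phase2_name: {setting: value}} for every entry in the phase 2 sections.

    Only 'set' lines directly inside an 'edit' block are recorded; any nested
    'config' block inside an entry is skipped by tracking its depth.
    """
    entries: Dict[str, Dict[str, str]] = {}
    section = None   # phase 2 section we are currently inside, if any
    depth = 0        # nesting of 'config' blocks relative to that section
    current = None   # name of the 'edit' entry being read

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            name = line[len("config "):].strip()
            if section is None and name in PHASE2_SECTIONS:
                section = name
            elif section is not None:
                depth += 1
        elif section is None:
            continue
        elif line == "end":
            if depth == 0:
                section = None
                current = None
            else:
                depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            entries[current] = {}
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries


def audit_phase2(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (phase2_name, missing_options) for entries lacking either option.

    An option absent from the export is treated as disabled, matching FortiOS
    behaviour of omitting default values from 'show' output.
    """
    findings = []
    for name, settings in entries.items():
        missing = [opt for opt in REQUIRED_OPTIONS if settings.get(opt) != "enable"]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_phase2(parse_phase2(SAMPLE_CONFIG)):
        print(f"{name}: not enabled -> {', '.join(missing)}")
```

To run it against a real device, replace `SAMPLE_CONFIG` with the text of `show vpn ipsec phase2` (or the whole backup file); tunnels listed by the audit are the ones that will only come up on demand and will drop when the SA expires without traffic.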
Source: kb.fortinet.com