We had to set one of these up today and it was a bit odd.
The easiest way is to say what settings worked :-)
Stick with SHA and 3DES. Group2 for DH, supposedly 14 will work but it didn't for us.
Use proxies, this was our final stumbling block. ISA wanted proxies in phase 2 or came up with INVALID-ID-INFORMATION in the Fortigate debugs.
Otherwise it's defaults for times, DPD etc.
Edit later:
ISA summarises multiple networks rather than creating a second phase 2. dumb..
ie we had 10.0.1.0/24 at the remote site and 10.0.2.0/24 at the head office end. They want to add 10.0.3.0/24 so debugging (you can't set this or see it in ISA by the looks of it) the HO end proxy goes from 10.0.2.0/24 to 10.0.0.0/16. So what happens when you add a second network to the remote office end?
No comments:
Post a Comment