This IPsec Phase 1 configuration defines a dynamic VPN tunnel that can accept connections from multiple peers. The settings chosen here suggest a configuration optimized for networks with intermittent traffic patterns while ensuring resources are used efficiently.
Key configurations and their impact:
set type dynamic - This allows multiple peers to establish connections dynamically without needing predefined IP addresses.
set ike-version 2 - Uses IKEv2, which is more efficient and supports features like EAP authentication and reduced rekeying overhead.
set dpd on-idle - Dead Peer Detection (DPD) is triggered only when the tunnel is idle, reducing unnecessary keep-alive packets and improving resource utilization. set add-route enable FortiGate automatically adds the route to the routing table when the tunnel is established, ensuring connectivity when needed. set proposal aes128-sha256 aes256-sha256 Uses strong encryption and hashing algorithms, ensuring a secure connection.
set keylife 28800 Sets a longer key lifetime (8 hours), reducing the frequency of rekeying, which is beneficial for stable connections.
Because DPD is set to on-idle, the tunnel will not constantly send keep-alive messages but will still ensure connectivity when traffic is detected. This makes the configuration ideal for networks with regular but non-continuous traffic, balancing security and resource efficiency.