
nse4_fgt-72 Exam - Question 65


Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.

Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

Correct Answer: BCD

To bring phase 1 up, the administrator should ensure the IKE modes match on both FortiGate devices. On HQ-FortiGate, changing the IKE mode to Main (ID protection) will align with the Remote-FortiGate, which is also set to Main. Additionally, while the Remote-FortiGate already matches the network diagram with port1, the discrepancy lies in the Diffie-Hellman settings. Disabling Diffie-Hellman group 2 on HQ-FortiGate ensures the Phase 1 proposal settings match. Making these adjustments should resolve the phase 1 connectivity issue.

Discussion

5 comments
e359166 Options: BD
Jul 24, 2023

FortiGate Security 7.2 study guide, page 250: In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main and aggressive mode. The settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel. Note: on the network diagram, port 2 is used on the remote FortiGate, so the answer is B & D.

cyberfriends
Aug 15, 2023

It is page 250 for Infrastructure study guide 7.2

raydel92 Options: BD
Sep 13, 2023

B. On HQ-FortiGate, set IKE mode to Main (ID protection). D. On Remote-FortiGate, set port2 as Interface. "In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel." Reference and download study guide: https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html

Takumi Options: BD
Jul 16, 2023

The answers are B and D

Jumpy007 Options: BD
Sep 16, 2023

FortiGate Infrastructure 7.2 study guide page 250 last paragraph.

Mocix
Mar 7, 2024

Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.

AMK2ENG Options: BD
Dec 22, 2023

B. On HQ-FortiGate, set IKE mode to Main (ID protection). D. On Remote-FortiGate, set port2 as Interface.