D is correct. FortiGate_Infrastructure_6.4 page 231 "Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic.

B. Life-span of SA is often shorter than the data tranfer session, as a result multiple Phase2 SAs are negotiated. When there's zero data transfer, Phase 2 SA doesn't get negotiated and existing one expires, bringing the tunnel down. When data transfer resumes, first the peers negotiate a new SA. In short Phase 1 is to authenticate and protect Peering, Phase 2 is for data Transfer.

• B. FortiGate automatically negotiates a new security association after the existing security association expires

According to the referenced KB article, it would have to be B ...

B is the correct answer. you are all confusing auto-keepalive with auto-negotiate

B and D are both correct, Fortigate Infrastructure page 222 7.0

The Answer is B. The key point in the question is "auto-negotiate" Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires. By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536?externalID=12069

I think C is very generic, IPsec tunnel consist of 2 phases and 2 SA. Yes it brings the tunnel up but this is happening because it is auto negotiating the 2nd SA if there's no traffic passing through the tunnel and the 2nd is expired. So I stick with B.

It is D

Acredito que a questão está deixando margem a dúvidas e, neste sentido, a mais correta é a D. Na B tem documentação informando que é depois de expirado o SA, já outra cita que antes de expirar o SA faz a negociação. Na D, fiz um teste usando dois FortiGate-VM sem hosts atrás (ou seja, sem tráfego), interligado através de um router. Ao desconectar a interface do router, após aproximadamente 60 segundos o túnel cai. Conectando novamente a interface o túnel não sobe (lembrem que não tem hosts atrás dos FGT gerando tráfego). Ao habilitar Auto-negotiate, quando reconecto a interface do router o túnel sobe. Isso levar ao texto da letra D, por tanto neste cenário duvidoso me parece a mais certa.

I believe the answer is B: https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/604285/phase-2-configuration#auto By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user. If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established. Automatically establishing the SA can be important for a dialup peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.

B - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536 If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.

Answer is D

D correct

D is correct

D is correct

It is B. https://kb.fortinet.com/kb/documentLink.do?externalID=12069 Auto-negotiate. By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. --> This means that when the IPSEC SA expires, the phase2 remains down "UNTIL" new interesting traffic triggers the negotiation for new IPSEC SA. But, if you enable "Auto-negotiate", as soon as the IPSEC SA expires, the "Auto-negotiate" feature will negotiate new one and start using it. So, this process will bring up the tunnel again, even if there is no interesting traffic.