What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
A. FortiGate automatically negotiates different local and remote addresses with the remote peer.
B. FortiGate automatically negotiates a new security association after the existing security association expires.
C. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Answer: D

Explanation:

When IPsec SAs expire, FortiGate must negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors and installs new ones. If IPsec SA renegotiation takes too long, FortiGate may drop interesting traffic because no active SA exists. To prevent this, you can enable auto-negotiate. When you do, FortiGate not only negotiates new SAs before the current SAs expire, but also starts using the new SAs right away, which prevents traffic disruption during SA renegotiation. Enabling auto-negotiate also implicitly enables auto keep-alive, so FortiGate brings the tunnel up automatically and keeps it up even when there is no traffic. Answer B is a little tricky: auto-negotiate negotiates the new SA before the existing SA expires, not after it has expired.
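As an added illustration (not part of the original question or of Fortinet's documentation), this is what the phase 2 selector looks like on the FortiGate CLI with auto-negotiate enabled. The tunnel name "to_HQ", the phase 2 name, the proposal and the subnets are assumed values; the setting that answers the question is `set auto-negotiate enable`.

```fortios
# Added example, assumed names and subnets. The factory default for
# auto-negotiate and keepalive on a phase 2 selector is "disable".
config vpn ipsec phase2-interface
    edit "to_HQ_p2"
        set phase1name "to_HQ"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylife-type seconds
        set keylifeseconds 3600
        # Negotiate the replacement SA before the current one expires and
        # switch to it immediately; this also implicitly enables keepalive.
        set auto-negotiate enable
        # Redundant once auto-negotiate is on, shown here so the effect is explicit:
        # the tunnel is brought up and kept up without waiting for interesting traffic.
        set keepalive enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
```

To confirm the behaviour, run `get vpn ipsec tunnel summary` and `diagnose vpn tunnel list name to_HQ` before sending any traffic across the tunnel: with auto-negotiate enabled the tunnel is already up and the selector already has SAs installed, whereas with the default setting the tunnel stays down until interesting traffic arrives. Because this side initiates and maintains the tunnel, enable it on the peer that can reach the other peer's address (for example the dialup or spoke side), not on a hub that cannot initiate to dynamic peers.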
