Internet Protocol security (IPsec) provides the following:
Confidentiality – data encryption
Integrity
Authentication
IPsec uses multiple technologies and protocols that work together.
The Authentication Header (AH) protocol provides integrity checking but does not provide data encryption.
FortiGate does not use AH.
FortiGate uses the Encapsulating Security Payload (ESP) protocol to encapsulate packets sent over the encrypted VPN tunnel.
Encapsulation
Transport mode – An ESP header is inserted after the original IP header. Only the payload is protected; the original IP header is not.
Tunnel mode – The entire original packet, including its IP header, is encapsulated inside an ESP header and a new outer IP header is added. The entire original packet is protected.
Negotiation
Internet Key Exchange (IKE) handles authentication of the peers.
Uses a handshake process to exchange keys.
Establishes an IPsec VPN tunnel.
Uses the default ports: UDP 500, and UDP 4500 when traversing NAT.
Handles the key exchange, authentication and data encryption parameters of the VPN tunnel.
IKE establishes a phase 1 tunnel, then a phase 2 tunnel within the phase 1.
IKE v1 (legacy)
Exchange modes:
Main – Exchanges 9 messages (6 for phase 1 and 3 for phase 2) – more secure
Aggressive – Exchanges 6 messages (3 for phase 1 and 3 for phase 2) – less secure
Authentication: Symmetric – both peers must use the same method, such as Pre-Shared Key (PSK), certificate signature or Extended Authentication (XAuth).
Supports NAT-T as an extension.
Unreliable, as messages are not acknowledged when received.
IKE v2 (newer)
Uses a single exchange procedure with 4 messages.
Authentication: Asymmetric – each peer can use a different method; supports PSK, certificate signature and EAP.
Natively supports NAT-T.
Provides reliability by acknowledging messages when they are received.
Remote access – Allows remote user to securely connect to the corporate network.
Site to Site – Allows two sites to establish a secure connection between each other over the internet. Common topologies: peer to peer, hub and spoke, and Full/partial mesh.
ADVPN (Auto Discovery VPN) is a Fortinet technology that dynamically sets up on-demand VPN tunnels between sites when needed.
Can provide a full mesh topology.
Works better with dynamic routing than with static routing.
Go to VPN > IPsec Wizard.
Select the template type: Site to Site, Hub and Spoke, Remote Access or Custom.
This wizard can also be used to configure a FortiClient VPN.
Templates can be found at: VPN > IPsec Tunnel Template.
Phase 1
Performs authentication between the peers.
Handles the negotiation of the IKE SA.
Uses Diffie-Hellman to exchange the secret keys between the peers.
Phase 2
Negotiates the two IPsec SAs (one for each direction); the messages are protected by the phase 1 IKE SA.
Each phase 1 can have multiple phase 2 tunnels.
Whenever the IPsec SAs are about to expire, phase 2 renegotiates them.
Route-based
Uses a virtual interface for each VPN
Provides redundancy
Supports dynamic routing, L2TP-over-IPsec and GRE-over-IPsec.
Policy-based
Legacy method that matches VPN traffic based on the firewall policy; not recommended.
Firewall policies
Create two firewall policies to allow incoming and outgoing traffic over the VPN tunnel.
If no policy references the tunnel, the IPsec tunnel will not come up.
Go to Policy & Objects > Firewall Policy.
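The route-based site-to-site setup described above (phase 1, phase 2, a static route pointing at the virtual interface, and the two firewall policies) written out as FortiOS CLI. This is an added example, not configuration from the original notes or from Fortinet; the tunnel name to_branch, the interfaces port1/port2, the subnets 10.1.0.0/16 and 10.2.0.0/16, the peer address 203.0.113.2 and the PSK are all assumed values.

```fortios
# Added example: route-based IPsec tunnel on the HQ FortiGate.
# Assumed: HQ LAN 10.1.0.0/16 behind port2, WAN on port1,
# branch peer 203.0.113.2 with LAN 10.2.0.0/16. All names are made up.

# Phase 1: peer authentication (PSK here) and the IKE SA.
config vpn ipsec phase1-interface
    edit "to_branch"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 203.0.113.2
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2: the IPsec SAs that carry the data; PFS forces a fresh DH
# exchange on every phase 2 rekey.
config vpn ipsec phase2-interface
    edit "to_branch_p2"
        set phase1name "to_branch"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Route-based: traffic enters the tunnel because a route points at the
# virtual interface. The blackhole route (distance 254) drops branch
# traffic if the tunnel is down instead of sending it out unencrypted.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to_branch"
    next
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end

config firewall address
    edit "HQ_LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "BRANCH_LAN"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# Two policies, outbound into the tunnel and inbound from it. Without a
# policy that references the IPsec interface the tunnel does not come up.
config firewall policy
    edit 0
        set name "HQ_to_Branch"
        set srcintf "port2"
        set dstintf "to_branch"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Branch_to_HQ"
        set srcintf "to_branch"
        set dstintf "port2"
        set srcaddr "BRANCH_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The branch side needs the mirror image: its own phase 1 pointing at the HQ WAN address with the same PSK, proposal and DH group, a phase 2 with the subnets swapped, a route to 10.1.0.0/16 over its tunnel interface, and the two policies. Keeping service "ALL" is fine for a first test; narrow it to the services the sites actually need once the tunnel is up.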
Redundant VPN
Commonly used so that, if the primary VPN is down, the FortiGate can redirect traffic through the backup/secondary VPN tunnel.
Partially redundant – one FortiGate device has two connections on the same port.
Fully redundant – one FortiGate device has two connections on separate physical ports.
To configure a redundant VPN:
Create one phase 1 tunnel for each path and enable DPD on both ends of the VPN tunnel.
Create one phase 2 definition for each phase 1 tunnel.
Create a static route for each path/direction.
Create firewall policies for each IPsec interface.
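The four steps above as FortiOS CLI, adding a backup path to a primary tunnel. This is an added example, not from the original notes or from Fortinet. It assumes a primary tunnel named to_branch already exists with DPD enabled and a static route to 10.2.0.0/16 at the default distance of 10, a second WAN on port3, a second branch address 198.51.100.2, and the address objects HQ_LAN and BRANCH_LAN; all of these are made-up values.

```fortios
# Added example: backup path for an existing primary tunnel "to_branch".
# Assumed: second WAN on port3, branch's second WAN address 198.51.100.2,
# LAN 10.1.0.0/16 on port2, address objects HQ_LAN and BRANCH_LAN.

# Step 1: one phase 1 per path, DPD on both ends. The retry values
# decide how quickly a dead peer is declared, and therefore how fast
# the primary interface goes down and failover happens.
config vpn ipsec phase1-interface
    edit "to_branch_backup"
        set interface "port3"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set remote-gw 198.51.100.2
        set psksecret "replace-with-a-different-long-random-psk"
    next
end

# Step 2: one phase 2 per phase 1, same subnets as the primary.
config vpn ipsec phase2-interface
    edit "to_branch_backup_p2"
        set phase1name "to_branch_backup"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Step 3: a static route per path. The backup route has a higher
# distance than the primary (default 10), so it is only installed
# once DPD has brought the "to_branch" interface down.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to_branch_backup"
        set distance 20
    next
end

# Step 4: firewall policies for the backup IPsec interface too.
config firewall policy
    edit 0
        set name "HQ_to_Branch_backup"
        set srcintf "port2"
        set dstintf "to_branch_backup"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Branch_to_HQ_backup"
        set srcintf "to_branch_backup"
        set dstintf "port2"
        set srcaddr "BRANCH_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Failover only works if DPD is enabled on both peers: it is the DPD timeout that tears down the IKE SA and brings the tunnel interface down, which withdraws the primary route and lets the distance-20 route take over. Without DPD the primary interface stays up after the peer dies and traffic keeps going into a dead tunnel.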
Monitoring
Go to Dashboard > Network > IPsec.
Here you can check the tunnel status and statistics.
You can bring the VPN tunnel up or down.
Troubleshooting
Phase 1
Check tunnel status – Go to Dashboard > Network > IPsec
Check the default gateway – Go to Dashboard > Network > Static & Dynamic Routing
Phase 2
Check phase 2 status – Go to Dashboard > Network > IPsec
Check default gateway – Go to Dashboard > Routing (Static & Dynamic Routing)
Check VPN event logs – Go to Log & Report > System Events > VPN Events
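CLI counterparts to the GUI checks above, covering phase 1, phase 2, routing and IKE packet flow. This is an added example, not from the original notes or from Fortinet; the tunnel name to_branch, WAN interface port1, peer 203.0.113.2 and branch address 10.2.0.1 are assumed values.

```fortios
# Added example: CLI checks for an IPsec tunnel.
# Assumed: tunnel "to_branch" on port1 to peer 203.0.113.2, branch LAN 10.2.0.0/16.

# Phase 1: is the IKE SA established with the expected peer?
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name to_branch

# Phase 2: are the IPsec SAs installed, and do both directions count bytes?
# A tunnel that is "up" but only counts outgoing bytes usually has a
# routing or policy problem on the far side.
diagnose vpn tunnel list name to_branch

# Routing: route to the peer (default gateway) and route into the tunnel.
get router info routing-table all
get router info routing-table details 10.2.0.1

# Packet flow: are IKE (UDP 500) and NAT-T (UDP 4500) packets leaving
# and arriving on the WAN interface? Verbosity 4, stop after 10 packets.
diagnose sniffer packet port1 'host 203.0.113.2 and (udp port 500 or udp port 4500)' 4 10

# IKE negotiation debug: enable, reproduce, then always disable and reset,
# otherwise the debug output keeps running and loads the CPU.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# ... bring the tunnel up or wait for a rekey, read the output ...
diagnose debug disable
diagnose debug reset
```

Read the IKE debug output for proposal mismatches (encryption, integrity or DH group differing between peers), PSK mismatches (authentication failing after IKE_SA_INIT succeeds) and selector mismatches (phase 1 up, phase 2 failing because the subnets on the two sides do not match).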