7 April 2014
IPSec VPN
Module Overview
IPSec VPN Overview and Terminology
Internet Key Exchange
IKE Phase 1
IKE Phase 2
Diffie-Hellman
Quick Mode Selectors
Policy-based VPN
Route-based VPN
Configuring Point-to-point VPNs
VPN Monitor
Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify and compare route-based and policy-based VPNs
Deploy a site-to-site VPN between two FortiGate devices
Monitor VPN connections
IPSec VPN
Suite of protocols for securing IP communications by authenticating and/or encrypting packets
[Diagram: the three IPSec services across a private network: Data Confidentiality (data is confidential), Data Integrity (data has integrity), Authentication (sender is authenticated)]
IPSec VPN can protect upper layer protocols (such as TCP), but the complexity, overhead and bandwidth required for the exchange are increased
Diffie-Hellman
Diffie-Hellman is a key-agreement protocol that allows a pair of peers to communicate over an insecure channel and independently calculate a shared secret key, exchanging only public values
The shared secret key is then used to derive keys for symmetric encryption algorithms (such as 3DES, AES) and symmetric authentication (HMACs)
With Perfect Forward Secrecy (PFS) a new shared secret key is recalculated each time the phase 2 session key expires
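The exchange described above, written out as an added example (this is not code from the training module or from Fortinet): each peer keeps a private exponent, sends only g^private mod p, and both arrive at the same secret, which is then expanded into separate encryption and HMAC keys. Every value is constructed for the demo: p = 1019 and g = 4 form a tiny safe-prime group chosen so the numbers stay readable (real IKE uses groups such as the 2048-bit MODP group 14 of RFC 3526), and the HMAC-based key derivation is a simplified stand-in for IKE's SKEYID construction, not the exact IKE formula. The PFS helper shows what the rekey buys: a fresh exchange per phase 2 key life, so later keys are not derivable from earlier ones.

```python
"""Diffie-Hellman key agreement and PFS rekeying (added example, not from the module).

Constructed values: p = 1019 and g = 4 are a toy safe-prime group; real IKE uses
groups such as the 2048-bit MODP group 14 of RFC 3526.  derive_keys() is a
simplified HMAC-based stand-in for IKE's SKEYID derivation, not the IKE formula.
"""
import hashlib
import hmac
import secrets

P = 1019           # constructed toy safe prime: p = 2q + 1 with q = 509 prime
Q = (P - 1) // 2   # order of the subgroup that G generates
G = 4              # a quadratic residue mod P, so it generates the order-Q subgroup


def is_prime(n: int) -> bool:
    """Trial division: adequate for the toy modulus, useless for real DH sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_group(p: int, g: int) -> bool:
    """True if (p, g) is a safe-prime group and g generates the order-q subgroup."""
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1


def random_exponent(q: int = Q) -> int:
    """Private exponent in [1, q-1] from the OS CSPRNG."""
    return secrets.randbelow(q - 1) + 1


def public_value(private: int, p: int = P, g: int = G) -> int:
    """The value a peer sends in the clear: g^private mod p."""
    return pow(g, private, p)


def shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """peer_public^private mod p.  Values outside (1, p-1) are rejected because
    0, 1 and p-1 would force the secret into a value an attacker already knows."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def exchange(priv_a: int, priv_b: int, p: int = P, g: int = G) -> tuple:
    """Run one exchange with the given private exponents and return the secret
    each side computed; a correct exchange yields two equal values."""
    pub_a = public_value(priv_a, p, g)   # only pub_a and pub_b cross the wire
    pub_b = public_value(priv_b, p, g)
    return shared_secret(priv_a, pub_b, p), shared_secret(priv_b, pub_a, p)


def derive_keys(secret: int, nonce_i: bytes, nonce_r: bytes, p: int = P) -> dict:
    """Expand the DH secret into an encryption key and an HMAC key (simplified)."""
    secret_bytes = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    return {
        "enc": hmac.new(skeyid, b"enc", hashlib.sha256).digest()[:16],  # AES-128 key
        "auth": hmac.new(skeyid, b"auth", hashlib.sha256).digest(),     # HMAC-SHA256 key
    }


def pfs_session_keys(nonce_i: bytes, nonce_r: bytes) -> dict:
    """One PFS-style phase 2 (re)key: fresh exponents, fresh exchange, fresh keys.
    Calling this again when the key life expires yields keys that cannot be
    derived from the previous ones, which is exactly what PFS provides."""
    s_a, s_b = exchange(random_exponent(), random_exponent())
    if s_a != s_b:
        raise RuntimeError("peers disagree on the shared secret")
    return derive_keys(s_a, nonce_i, nonce_r)


if __name__ == "__main__":
    print("group sanity check:", check_group(P, G))
    first = pfs_session_keys(b"ni-1", b"nr-1")
    second = pfs_session_keys(b"ni-2", b"nr-2")   # rekey after the phase 2 key life expires
    print("rekey changed the encryption key:", first["enc"] != second["enc"])
```

The peer-value check in shared_secret() is the part practitioners most often omit: without it a peer (or an on-path party) can send 1 or p-1 and collapse the secret to a known value, regardless of how strong the group is.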
Phase 1
IKE phase 1 performs the following:
Authenticates and protects the parties involved in the IPSec transaction
Can use pre-shared keys or digital certificates (RSA signature)
Phase 2
IKE phase 2 performs the following:
Negotiates IPSec SA parameters
Protected by existing IKE SA
Selectors support:
Destination and source IP addresses
Protocol number, and source and destination ports
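How those selector fields decide which phase 2 (IPSec SA) a packet belongs to, as an added example that is not part of the module: each selector carries the four fields the slide lists, a packet must match all of them, and a packet that matches no selector has no SA and cannot enter the tunnel. The selectors and packets are constructed for the demo, and the matcher does not reproduce a FortiGate's exact lookup order or its handling of overlapping selectors; the mirrored() helper shows why the remote peer's selector is the local one with both sides swapped.

```python
"""Quick mode selector matching (added example, not from the module).

Constructed data: the phase 2 selectors and packets below are invented for the
demo.  The matcher covers the fields the slide lists (source/destination
address, protocol number, source/destination port) and nothing more.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PROTO = 0            # protocol 0 means "any protocol" in the selector
ANY_PORT = (0, 65535)    # a full-range port tuple means "any port"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int           # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    sport: int = 0       # 0 for protocols without ports (e.g. ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    phase2: str          # name of the phase 2 (IPSec SA) this selector belongs to
    src: str             # local subnet, CIDR
    dst: str             # remote subnet, CIDR
    proto: int = ANY_PROTO
    sport: Tuple[int, int] = ANY_PORT
    dport: Tuple[int, int] = ANY_PORT

    def matches(self, pkt: Packet) -> bool:
        """Every listed field must match; a wildcard field always matches."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != ANY_PROTO and pkt.proto != self.proto:
            return False
        if not self.sport[0] <= pkt.sport <= self.sport[1]:
            return False
        if not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        return True

    def mirrored(self) -> "Selector":
        """The selector the remote peer needs for the same traffic: its local
        side is our remote side, so addresses and ports swap."""
        return Selector(self.phase2, self.dst, self.src, self.proto,
                        self.dport, self.sport)


def select_phase2(pkt: Packet, selectors: List[Selector]) -> Optional[str]:
    """Return the phase 2 whose selector matches, or None when no IPSec SA
    covers the packet (it then cannot be sent through the tunnel)."""
    for sel in selectors:
        if sel.matches(pkt):
            return sel.phase2
    return None


# Constructed example: a narrow DNS-only phase 2 plus a site-to-site phase 2.
SELECTORS = [
    Selector("to_branch_dns", "10.1.0.0/16", "10.3.0.53/32", proto=17, dport=(53, 53)),
    Selector("to_branch_lan", "10.1.0.0/16", "10.2.0.0/16"),
]


if __name__ == "__main__":
    for pkt in (Packet("10.1.5.5", "10.2.0.9", 6, 51000, 443),
                Packet("10.1.5.5", "10.3.0.53", 17, 51000, 53),
                Packet("10.1.5.5", "10.3.0.53", 6, 51000, 80),
                Packet("192.168.1.1", "10.2.0.1", 1)):
        print(pkt, "->", select_phase2(pkt, SELECTORS))
    remote_side = [s.mirrored() for s in SELECTORS]
    print("reply matches on the remote peer:",
          select_phase2(Packet("10.3.0.53", "10.1.5.5", 17, 53, 51000), remote_side))
```

The third packet is the case to keep in mind when a tunnel "is up but traffic does not pass": it reaches the right host but on a protocol the only matching selector does not cover, so no SA is chosen and nothing is encrypted.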
One firewall policy (with the action ACCEPT) is usually required per direction
Policy-based vs. route-based VPN

Feature                              Policy-based   Route-based
FortiGate operation modes supported
L2TP-over-IPSec                      Yes            No
GRE-over-IPSec                       No             Yes
Routing protocols                    No             Yes
Number of policies per VPN
Configuration
Step 1: Configure the phase 1
Step 2: Configure one or more phase 2s
Step 3: Create the firewall policies
Step 4: Route the traffic to the IPSec interface (only for route-based VPNs)
[Screenshot: IPSec interface]
[Screenshot: VPN Monitor, showing the phase 1 name and the key life remaining time]
Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN
[Screenshot: VPN Monitor columns: Local Quick Mode Selector, Status, Remote Quick Mode Selector]