
IPSec VPN

7 April 2014


2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-06-50005-E-20140120

Module Overview
IPSec VPN Overview and Terminology
Internet Key Exchange
IKE Phase 1
IKE Phase 2
Diffie-Hellman
Quick Mode Selectors
Policy-based VPN
Route-based VPN
Configuring Point-to-point VPNs
VPN Monitor


Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify and compare route-based and policy-based VPNs
Deploy a site-to-site VPN between two FortiGate devices
Monitor VPN connections

Virtual Private Networks (VPN)


A virtual private network (VPN) allows users to remotely access network resources as if they were physically connected to the local network
Used when private data must be transmitted across a public network
Is an encrypted point-to-point connection, so traffic intercepted in transit cannot be read or altered by unauthorized parties
Uses authentication methods to ensure that only authorized users and devices can access the private network


IPSec VPN
Suite of protocols for securing IP communications by authenticating and/or encrypting packets
Solves requirements for:
    Data Confidentiality: data is encrypted, so it stays confidential while crossing the public network
    Data Integrity: data cannot be modified in transit without being detected
    Authentication: the sender is authenticated
[Diagram: IPSec tunnel across a public network between two private networks]

IPSec VPN Overview

IPSec VPN operates at the network layer (layer 3)
    Encryption occurs transparently to the upper layers
    IP packets are encapsulated within IPSec packets
    Applications do not need to be designed to use IPSec
IPSec VPN protects all upper-layer protocols (such as TCP) without any change to them, at the cost of added complexity, per-packet header overhead and the bandwidth consumed by the encapsulation and key exchange


Diffie-Hellman
Diffie-Hellman is a key-agreement protocol that allows a pair of peers communicating over an insecure channel to independently calculate the same shared secret while exchanging only public values; an eavesdropper who sees those public values cannot derive the secret
The shared secret is then used to derive the keys for the symmetric encryption algorithms (such as 3DES, AES) and symmetric authentication (HMACs)
The strength of the exchange depends on the DH group (modulus size) negotiated; larger groups cost more CPU but are harder to break
With Perfect Forward Secrecy (PFS) a fresh Diffie-Hellman exchange is performed, and a new shared secret calculated, each time the phase 2 session key expires, so the compromise of one session key does not expose traffic protected by earlier or later keys

Internet Key Exchange

Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations (SAs)
    SAs are the basis for building security functions into IPSec
    An SA protects traffic in one direction only, so normal two-way traffic is secured by a pair of SAs
    IPSec administrators decide the encryption and authentication algorithms that can be used in the exchange
IKE uses two distinct phases:
    Phase 1
    Phase 2


Phase 1
IKE phase 1 performs the following:
    Authenticates the parties involved in the IPSec transaction and protects the exchange
        Can use pre-shared keys or digital certificates (RSA signature)
    Negotiates a matching IKE SA policy (encryption, hash, DH group, lifetime) between the peers to protect the exchange
    Performs a Diffie-Hellman exchange
        The keys derived from this exchange are used to protect phase 2
    Sets up a secure channel to negotiate phase 2 parameters
Two possible modes:
    Main mode: 6 packets are exchanged; the peer identities are sent encrypted
    Aggressive mode: 3 packets are exchanged; the identities travel in the clear and, with pre-shared keys, the authentication hash can be captured and attacked offline, so prefer main mode (or aggressive mode with certificates) wherever the peer allows it

Phase 2
IKE phase 2 performs the following:
    Negotiates the IPSec SA parameters (encryption and authentication algorithms, key lifetime, selectors)
        Protected by the existing IKE SA
    Renegotiates the IPSec SAs regularly (when the key life expires) to limit the amount of traffic protected by any one key
    Optionally, an additional Diffie-Hellman exchange may be performed (Perfect Forward Secrecy)
There can be more than one phase 2 per phase 1
One mode:
    Quick mode


Quick Mode Selectors

Are used to identify and direct traffic to the appropriate phase 2 in cases where multiple phase 2s exist
Allow SAs with different granularities (one phase 2 per subnet pair, per host pair or per service)
Similar to firewall policies:
    VPN traffic that does not match the selectors is dropped
Selectors support:
    Destination and source IP addresses
    Protocol number, and source and destination ports
In point-to-point VPNs, the selector configuration at both ends must mirror each other:
    The source at one end must be the destination at the other end
    Mismatched selectors are a common reason a phase 2 fails to come up

Types of FortiGate VPN configurations

Route-based (also known as interface-based):
    Creates a virtual IPSec network interface:
        Traffic crossing the tunnel must be routed to the virtual IPSec interface
    One firewall policy (with the action ACCEPT) is usually required per direction
Policy-based (also known as tunnel-based):
    One firewall policy (with the action IPSEC) is required to allow connections bidirectionally
    Hidden in the GUI by default. It can be enabled with the command:
        config system global
            set gui-policy-based-ipsec enable
        end


Policy-based Versus Route-based

Feature                              Policy-based                          Route-based
-----------------------------------  ------------------------------------  ------------------------------------
FortiGate operation modes supported  NAT and transparent modes             Only NAT mode
L2TP-over-IPSec                      Yes                                   No
GRE-over-IPSec                       No                                    Yes
Routing protocols                    No                                    Yes
Number of policies per VPN           One policy controls connections       A separate policy is required for
                                     in both directions                    connections in each direction

Generally speaking, route-based VPNs offer more control and flexibility
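The firewall policy in its policy-based form, as an added example in FortiOS 5.x CLI (this is not configuration from the Fortinet deck; the tunnel name ToBranch, the interface names internal and wan1, the address objects HQ_LAN and Branch_LAN and the subnets are all assumed for illustration). It assumes a phase 1 named ToBranch and its phase 2 were created in the non-interface tables (config vpn ipsec phase1 and config vpn ipsec phase2), so no virtual IPSec interface exists and the policy's destination interface is the physical WAN port:

```text
# Added example: policy-based VPN firewall policy (FortiOS 5.x CLI), not from the original deck.
# Assumed names: tunnel ToBranch, interfaces internal/wan1, address objects HQ_LAN and Branch_LAN.
config firewall address
    edit "HQ_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Branch_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# One policy with action IPSEC covers both directions: vpntunnel names the phase 1,
# inbound/outbound decide whether the remote side, the local side or both may
# initiate traffic, and dstintf is the physical WAN port because no IPsec interface exists.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN"
        set action ipsec
        set vpntunnel "ToBranch"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
```

Because this single policy is the only control on what enters the tunnel, keep srcaddr and dstaddr to the exact subnets the tunnel is meant to carry; the Quick Mode selectors negotiated for the phase 2 must agree with these addresses and with the mirror-image policy on the peer.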

Configuration
Step 1: Configure the phase 1
Step 2: Configure one or more phase 2s
Step 3: Create the firewall policies
Step 4: Route the traffic to the IPSec interface (only for route-based VPNs)


Step 1: Defining Phase 1 Parameters

[Screenshot of the phase 1 configuration page. Callout: enable the IPSec interface mode option to select route-based VPN; disable it to select policy-based VPN]

Step 2: Defining Phase 2 Parameters

[Screenshot of the phase 2 configuration page]


Step 3: Firewall Policy for Policy-based VPN

[Screenshot of the firewall policy page with the action IPSEC]

Step 3: Firewall Policy for Route-based VPN

[Screenshot of the firewall policy page. Callout: the name of the IPSec interface matches the name of the phase 1]


Step 4: Routing the Traffic (only for Route-based VPN)

[Screenshot of the static route page. Callouts: the destination is the IP address (subnet) at the remote site; the device is the IPSec interface]

IPSec VPN Monitor

Monitor activity on IPSec VPN tunnels
Stop and start tunnels
Display address, proxy IDs, timeout information
Green arrow indicates that the negotiations were successful and the tunnel is UP
Red arrow means the tunnel is DOWN or not in use


IPSec VPN Monitor Example

[Screenshot of the IPSec Monitor. Callouts: Phase 1 name, Status, Local Quick Mode Selector, Remote Quick Mode Selector, Key life remaining time]

Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN


Classroom Lab Topology

[Diagram of the classroom lab topology]
