FG-74

The document provides a detailed overview of Fortigate IPsec configuration, focusing on the phases of establishing a secure VPN connection. It explains the workings of Phase 2, including the negotiation of security parameters, phase 2 selectors, proposals, and the importance of encryption domains. Additionally, it discusses the management of IPsec Security Associations (SAs), including their expiration and auto-negotiation to maintain traffic flow.

Uploaded by

mek otmane
FortiGate Firewall

Fortigate Firewall
IPsec
 Fortigate IPsec Configuration
 IPsec Custom – Site to Site

VPN > Custom


 Phase 2—How it Works

 After phase 1 has established a secure channel to exchange data, phase 2 begins.

 Phase 2 negotiates security parameters for two IPsec SAs over the secure channel established during phase 1. ESP uses IPsec SAs to encrypt and decrypt the traffic exchanged between sites.

 Each phase 1 can have multiple phase 2s. When would this happen? For example, you may want to use different encryption keys for each subnet whose traffic is crossing the tunnel. How does FortiGate select which phase 2 to use? By checking which phase 2 selector (or quick mode selector) matches the traffic.
 Phase 2—Phase 2 Selectors

 In phase 2, you must define the encryption domain (or interesting traffic) of your IPsec tunnel. The encryption domain refers to the traffic that you want to protect with IPsec, and it is determined by your phase 2 selector configuration.

 You can configure multiple selectors to have more granular control over traffic. When you configure a phase 2 selector, you specify the encryption domain by indicating the following network parameters:
• Local Address and Remote Address: as seen in the example shown on this slide, you can define IPv4 or IPv6 addresses using different address scopes. When selecting Named Address or Named IPv6 Address, FortiGate allows you to select an IPv4 or IPv6 firewall address object, respectively, configured in the system.
• Protocol: is in the Advanced section, and is set to All by default.
• Local Port and Remote Port: are also shown in the Advanced section, and are set to All by default. This applies only to port-based traffic such as TCP or UDP.

 Note that after the traffic is accepted by a firewall policy, it is dropped before entering the IPsec tunnel if it does not match any of the phase 2 selectors configured. For this reason, it is usually more intuitive to filter traffic with firewall policies. So, if you don’t want to use phase 2 selector filtering, you can just create one phase 2 selector with both the local and remote addresses set to any subnet, like in the example shown on this slide, and then use firewall policies to control which traffic is accepted on the IPsec tunnel.


 Phase 2—Phase 2 Proposal

 For every phase 2 selector, you need to configure one or more phase 2 proposals. A phase 2 proposal defines the algorithms supported by the peer for encrypting and decrypting the data over the tunnel. You can configure multiple proposals to offer more options to the remote peer when negotiating the IPsec SAs.

 Like in phase 1, you need to select a combination of encryption and authentication algorithms. Some algorithms are considered more secure than others, so make sure to select the algorithms that conform with your security policy. However, note that the selection of the algorithms has a direct impact on FortiGate IPsec performance. For example, 3DES is known to be a much more resource-intensive encryption algorithm than DES and AES, which means that your IPsec throughput could be negatively impacted if you select 3DES as the encryption algorithm. Also, note that if you select NULL as the encryption algorithm, traffic is not encrypted.



 When configuring the phase 2 proposal, you can select Enable Replay Detection to detect replay attacks on ESP packets. Note that this is a local setting and, therefore, it is not included as part of the proposals presented to the peer during phase 2 negotiation.

 Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

 Replay detection allows the FortiGate to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate discards them.

 Also, if you enable Perfect Forward Secrecy, FortiGate uses DH to enhance security during the negotiation of IPsec SAs.

 IPsec SAs are periodically renegotiated to improve security, but when does that happen? It depends on the key lifetime settings configured on the phase 2 proposal.

 The expiration of an IPsec SA is determined by the lifetime type and threshold configured. By default, Key Lifetime is set to Seconds (time-based). This means that when the SA duration reaches the number of seconds set as Seconds, the SA is considered expired. You can also set the key lifetime to Kilobytes (volume-based), upon which the SA expires after the amount of traffic encrypted and decrypted using that SA reaches the threshold set. Alternatively, you can select Both as the key lifetime type, upon which FortiGate tracks both the duration of the SA and the amount of traffic. Then, when either of the two thresholds is reached, the SA is considered expired.

 When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors and installs new ones. If IPsec SA renegotiation takes too much time, FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation.

 Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keepalive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled.
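The following FortiOS CLI script is an added example, not part of the original slides, collecting the phase 2 proposal settings covered on the preceding slides (proposals, replay detection, PFS, key lifetime type and thresholds, Auto-negotiate and Autokey Keep Alive) in one phase 2. The phase 1 named "ToSiteB" is assumed to exist already; the selector subnets and the lifetime values 43200 seconds and 5120000 KB are constructed placeholders to be replaced by the values your security policy requires.

```text
# Added example (not from the original slides). "ToSiteB" is assumed to be
# an existing phase 1; the lifetime values are constructed placeholders.
config vpn ipsec phase2-interface
    edit "ToSiteB_all"
        set phase1name "ToSiteB"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0

        # Proposals: several encryption/authentication combinations may be
        # offered; the peer picks one of them. NULL (no encryption) and
        # DES/3DES (weak, and 3DES is resource-intensive) are left out.
        set proposal aes256-sha256 aes128-sha256 aes256gcm

        # Replay detection is a local setting: it is enforced on received ESP
        # packets and is not part of the proposal sent to the peer.
        set replay enable

        # Perfect Forward Secrecy: a new DH exchange (group 14 here) for every
        # IPsec SA negotiation, so a compromised key does not expose past SAs.
        set pfs enable
        set dhgrp 14

        # Key lifetime. "seconds" is the default (time-based), "kbs" is
        # volume-based, "both" expires the SA when EITHER threshold is hit.
        set keylife-type both
        set keylifeseconds 43200
        set keylifekbs 5120000

        # Auto-negotiate: rekey before the current SAs expire, switch to the
        # new SAs immediately, and bring the tunnel up with no interesting
        # traffic. Enabling it implicitly enables keepalive as well; keepalive
        # alone only keeps an already-established tunnel up.
        set auto-negotiate enable
        set keepalive enable
    next
end

# Checks after applying the configuration:
#   get vpn ipsec tunnel summary
#   diagnose vpn tunnel list name ToSiteB
# The second command shows the SAs installed for the selector, so a rekey
# can be confirmed by watching the SPIs change before the lifetime elapses.
```

Because both peers must agree on the proposal and on PFS (and on the DH group if PFS is enabled), a mismatch on those lines shows up as a phase 2 negotiation failure; the lifetime, replay and auto-negotiate settings are local and can differ between the two ends without breaking the tunnel.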
THANKS!
KEEP IN TOUCH

Saeed Abd Elhalim (mindsetsacademy)

www.linkedin.com/in/saeedabdelhalimhamada

[email protected]

www.youtube.com/c/mindsets1