IPsec VPN (5.6.1)

New IPsec VPN features added to FortiOS 5.6.1.

Support for Brainpool curves specified in RFC 6954 for IKE (412795)

Added support for Brainpool curves specified in RFC 6954 (originally RFC 5639) for IKE. Four new values are added for VPN phase1 and phase2 DH groups. The allocated transform IDs are 27, 28, 29, 30:

  • 27 – Brainpool 224-Bit Curve
  • 28 – Brainpool 256-Bit Curve
  • 29 – Brainpool 384-Bit Curve
  • 30 – Brainpool 512-Bit Curve

Syntax

config vpn ipsec phase1/phase1-interface
    edit <name>
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
    next
end

config vpn ipsec phase2/phase2-interface
    edit <name>
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
    next
end

Removed “exchange-interface-ip” option from “vpn ipsec phase1” (411981)

The exchange-interface-ip command only works for interface-based IPsec VPN (vpn ipsec phase1-interface), so it has been removed from policy-based IPsec VPN (vpn ipsec phase1).

IKEv2 ancillary RADIUS group authentication (406497)

This feature extracts the IDi information from the IKEv2 AUTH exchange and sends it to a RADIUS server, along with a fixed password configurable via the CLI, to perform an additional group authentication step before the tunnel is established. The RADIUS server may return framed-IP-address, framed-ip-netmask, and dns-server attributes, which are then applied to the tunnel.

It should be noted that, unlike XAuth or EAP, this feature does not perform individual user authentication; it treats all users on the gateway as a single group and authenticates that group with RADIUS using a fixed password. This feature also works with RADIUS accounting, including the phase1 acct-verify option.

Syntax

config vpn ipsec phase1-interface
    edit <name>
        set mode-cfg enable
        set type dynamic
        set ike-version 2
        set group-authentication {enable | disable}
        set group-authentication-secret <password>
    next
end
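The RADIUS leg of this group-authentication step, as an added Python example that is not FortiOS code: the gateway puts the IDi from the IKE_AUTH exchange into User-Name and the fixed group secret into User-Password (hidden as RFC 2865 section 5.2 describes), and the server answers with Framed-IP-Address and Framed-IP-Netmask. The server policy shown (accept any IDi that presents the group secret and hand out the next pool address), the shared secret and the pool values are constructed assumptions; the code demonstrates why the page calls this group rather than per-user authentication, since the server never checks the IDi, only the shared password.

```python
"""Added example: RADIUS Access-Request/Access-Accept exchange for IKEv2 group
authentication, modelled on RFC 2865. Not Fortinet's implementation."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 1, 2, 8, 9


def _encode_attrs(pairs):
    # Each attribute is Type(1) Length(1, includes these 2 bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def _hide_password(secret, req_auth, password):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR block i with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def _reveal_password(secret, req_auth, hidden):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding removal; a secret ending in NUL would be truncated


def build_access_request(shared_secret, ident, idi, group_secret):
    """Gateway side: IDi becomes User-Name, the fixed group secret becomes
    User-Password. Returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = _encode_attrs([
        (USER_NAME, idi.encode()),
        (USER_PASSWORD, _hide_password(shared_secret, req_auth, group_secret.encode())),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def radius_server(shared_secret, group_secret, pool, request):
    """Server side (hypothetical policy): any IDi presenting the group secret is
    accepted and gets the next (ip, netmask) from `pool`; the IDi is never checked."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = _decode_attrs(request[20:length])
    password = _reveal_password(shared_secret, req_auth, attrs.get(USER_PASSWORD, b""))
    if code != ACCESS_REQUEST or not hmac.compare_digest(password, group_secret.encode()) or not pool:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    else:
        ip, mask = pool.pop(0)
        reply_code = ACCESS_ACCEPT
        reply_attrs = _encode_attrs([(FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
                                     (FRAMED_IP_NETMASK, socket.inet_aton(mask))])
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + shared_secret).digest()
    return header + resp_auth + reply_attrs


def read_reply(shared_secret, req_auth, reply):
    """Gateway side: verify the Response Authenticator before applying any
    returned attributes. Returns (ip, netmask), or None on Access-Reject."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + req_auth + attrs + shared_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply forged or wrong shared secret")
    if code != ACCESS_ACCEPT:
        return None
    parsed = _decode_attrs(attrs)
    return socket.inet_ntoa(parsed[FRAMED_IP_ADDRESS]), socket.inet_ntoa(parsed[FRAMED_IP_NETMASK])


def group_authenticate(idi, sent_secret, shared_secret, expected_secret, pool):
    """One full round trip for the IKEv2 peer identified by `idi`."""
    request, req_auth = build_access_request(shared_secret, 1, idi, sent_secret)
    reply = radius_server(shared_secret, expected_secret, pool, request)
    return read_reply(shared_secret, req_auth, reply)


if __name__ == "__main__":
    pool = [("10.10.10.5", "255.255.255.0"), ("10.10.10.6", "255.255.255.0")]  # constructed
    print(group_authenticate("alice@example.com", "grp-secret", b"radius-shared", "grp-secret", pool))
    print(group_authenticate("bob@example.com", "wrong-secret", b"radius-shared", "grp-secret", pool))
```

The Response Authenticator check in read_reply is the part worth keeping: the Framed-IP attributes are applied to the tunnel, so the gateway should only trust them from a reply that authenticates under the RADIUS shared secret.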

IPsec mode-cfg can assign IPs from firewall address and sharing IP pools (393331)

This feature adds the ability for users to configure assign-IPs from firewall addresses/groups.

Previously, different policies accessing the same network needed to ensure that non-overlapping IP-ranges were assigned to policies to avoid the same IP address being assigned to multiple clients. With this feature, the address name is used to identify an IP pool and different policies can refer to the same IP pool to check for available IPs, thus simplifying the task of avoiding IP conflicts.

Syntax

config vpn ipsec phase1-interface
    edit <name>
        set mode-cfg enable
        set type dynamic
        set assign-ip-from {range | dhcp | name}
        set ipv4-name <name>
        set ipv6-name <name>
    next
end

Improve interface-based dynamic IPsec up/down time (379937)

This feature makes it possible to use a single interface for all instances that spawn via a given phase1. Instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

A new CLI option net-device is added in the phase1-interface command sets. The default is disable so that the new feature kicks in for all the new configurations. An upgrade feature will add a set net-device enable for all the existing configurations so that they will keep the old behavior.

Under the new single-interface scheme, instead of relying on routing to guide traffic to the specific instance, all traffic will flow to the specific device and IPsec will need to take care of locating the correct instance for outbound traffic. For this purpose, another new CLI option tunnel-search is created. The option is only available when the above net-device option is set to disable.

There are two options for tunnel-search, corresponding to the two ways to select the tunnel for outbound traffic. One is selectors, meaning the peer is selected using the IPsec selectors (proxy-ids). The other is nexthop, where all the peers use the same default selectors (0/0) and a routing protocol such as BGP, OSPF or RIPng resolves the routing. The default for tunnel-search is selectors.

Syntax

config vpn ipsec phase1-interface
    edit <name>
        set net-device {enable | disable}
        set tunnel-search {selectors | nexthop}
    next
end
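The two tunnel-search modes described above, as an added Python example that is not FortiOS code: with selectors, the outbound packet's destination is matched against each dialup instance's proxy-ids (longest match), which fails when every instance carries the default 0/0 selector; with nexthop, a route learned over the tunnel names the peer's tunnel address, and that address picks the instance. The TunnelInstance structure, the spoke names, addresses and routes are constructed for illustration, and only destination selectors are modelled.

```python
"""Added example: selecting the IPsec instance for outbound traffic in the two
tunnel-search modes (selectors vs nexthop). Hypothetical model, not FortiOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelInstance:
    name: str
    peer_tunnel_ip: str        # the dynamic peer's tunnel-interface address (e.g. its BGP neighbour address)
    remote_selectors: list     # phase2 proxy-ids: destination networks as CIDR strings


def select_by_selectors(instances, dst_ip):
    """tunnel-search selectors: pick the instance whose proxy-id best matches the destination.
    Raises LookupError when several instances tie, which is what happens with all-0/0 selectors."""
    dst = ipaddress.ip_address(dst_ip)
    matches = []
    for inst in instances:
        for sel in inst.remote_selectors:
            net = ipaddress.ip_network(sel)
            if dst in net:
                matches.append((net.prefixlen, inst.name))
    if not matches:
        return None
    best = max(matches)[0]
    winners = sorted({name for plen, name in matches if plen == best})
    if len(winners) > 1:
        raise LookupError(f"ambiguous selectors: {winners} all match {dst_ip} with /{best}")
    return winners[0]


def select_by_nexthop(instances, routes, dst_ip):
    """tunnel-search nexthop: resolve the destination through the routing table (longest prefix),
    then map the route's nexthop to the instance whose peer owns that tunnel address.
    routes: list of (cidr, nexthop_ip) learned from BGP/OSPF/RIPng over the tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(cidr).prefixlen, nexthop)
                  for cidr, nexthop in routes if dst in ipaddress.ip_network(cidr)]
    if not candidates:
        return None
    nexthop = max(candidates)[1]
    for inst in instances:
        if inst.peer_tunnel_ip == nexthop:
            return inst.name
    return None


# Constructed sample: two dialup spokes behind one phase1-interface.
SELECTOR_SPOKES = [
    TunnelInstance("spoke1", "10.255.0.1", ["10.1.0.0/16"]),
    TunnelInstance("spoke2", "10.255.0.2", ["10.2.0.0/16"]),
]
ANY_SPOKES = [  # same spokes with default 0/0 selectors, as in nexthop mode
    TunnelInstance("spoke1", "10.255.0.1", ["0.0.0.0/0"]),
    TunnelInstance("spoke2", "10.255.0.2", ["0.0.0.0/0"]),
]
ROUTES = [("10.1.0.0/16", "10.255.0.1"), ("10.2.0.0/16", "10.255.0.2")]  # e.g. learned via BGP

if __name__ == "__main__":
    print(select_by_selectors(SELECTOR_SPOKES, "10.1.2.3"))
    print(select_by_nexthop(ANY_SPOKES, ROUTES, "10.2.0.9"))
    try:
        select_by_selectors(ANY_SPOKES, "10.1.2.3")
    except LookupError as err:
        print("selectors mode cannot decide:", err)
```

The LookupError path is the point of the second mode: once every peer advertises 0/0, proxy-ids carry no information about which spoke owns a destination, so the routing protocol's nexthop has to carry it instead.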

Hide psksecret option when peertype is dialup (415480)

In aggressive mode and IKEv2, when peertype is dialup, the pre-shared key is per user. There is no need to configure the psksecret in the phase1 setup. Previously, if it was left unconfigured, the CLI would output a psksecret error and fail to create the phase1 profile.

To prevent the psksecret length check from running on the configuration end, the psksecret option is now hidden. Prior to Mantis 397712, the length check passed because it was incorrectly checking the length of the encrypted password, which is always 204 characters long.

The peertype dialup option is removed for main mode.

New enforce-ipsec option added to L2TP config (423988)

A new enforce-ipsec option is added in L2TP configuration to force the FortiGate L2TP server to accept only IPsec encrypted connections.

Syntax

config vpn l2tp
    set eip 50.0.0.100
    set sip 50.0.0.1
    set status enable
    set enforce-ipsec-interface {disable | enable}    (default = disable)
    set usrgrp <group_name>
end
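A configuration audit that covers two of the settings on this page, as an added Python example that is not Fortinet code: it parses FortiOS-style config/edit/set/next/end blocks, maps phase1/phase2 dhgrp values to their IKE transform names (including the Brainpool groups 27 to 30 from the first section), flags MODP groups below 2048 bits, and reports an enabled L2TP server that does not set enforce-ipsec-interface, since it would then accept unencrypted L2TP sessions. The sample configuration, the entry names and the addresses are constructed; the weak-group threshold is the example's own choice.

```python
"""Added example: audit FortiOS IPsec/L2TP configuration text for DH group
strength and L2TP IPsec enforcement. Parser and policy are this example's own."""
import shlex

# IKE DH group transform IDs. 27-30 are the Brainpool curves added in 5.6.1 (RFC 6954).
DH_GROUPS = {
    1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP",
    14: "2048-bit MODP", 15: "3072-bit MODP", 16: "4096-bit MODP",
    17: "6144-bit MODP", 18: "8192-bit MODP",
    19: "256-bit random ECP", 20: "384-bit random ECP", 21: "521-bit random ECP",
    27: "Brainpool 224-bit curve", 28: "Brainpool 256-bit curve",
    29: "Brainpool 384-bit curve", 30: "Brainpool 512-bit curve",
}
WEAK_DH = {1, 2, 5}  # MODP groups below 2048 bits (audit policy chosen for this example)
PHASE_PATHS = ("vpn ipsec phase1", "vpn ipsec phase1-interface",
               "vpn ipsec phase2", "vpn ipsec phase2-interface")


def parse_fortios_config(text):
    """Minimal parser for 'config ... / edit ... / set ... / next / end' blocks.
    Returns {config_path: {entry_name: {option: [values]}}}; blocks without
    'edit' entries (such as 'config vpn l2tp') are stored under the key None."""
    tree, stack = {}, []  # stack holds [path, current_entry] lists
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            path = " ".join(tokens[1:])
            tree.setdefault(path, {})
            stack.append([path, None])
        elif keyword == "edit":
            stack[-1][1] = tokens[1]
            tree[stack[-1][0]].setdefault(tokens[1], {})
        elif keyword == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif keyword == "next":
            stack[-1][1] = None
        elif keyword == "end":
            stack.pop()
    return tree


def dhgrp_names(values):
    """Map configured dhgrp values to their transform names."""
    return [DH_GROUPS.get(int(v), f"unknown transform ID {v}") for v in values]


def audit(config):
    findings = []
    for path in PHASE_PATHS:
        for name, opts in config.get(path, {}).items():
            for value in opts.get("dhgrp", []):
                gid = int(value)
                if gid in WEAK_DH:
                    findings.append(f"{path} '{name}': dhgrp {gid} ({DH_GROUPS[gid]}) is below 2048-bit MODP")
                elif gid not in DH_GROUPS:
                    findings.append(f"{path} '{name}': dhgrp {gid} is not a known transform ID")
    l2tp = config.get("vpn l2tp", {}).get(None, {})
    if l2tp.get("status") == ["enable"] and l2tp.get("enforce-ipsec-interface", ["disable"]) != ["enable"]:
        findings.append("vpn l2tp: server enabled without enforce-ipsec-interface, "
                        "so unencrypted L2TP sessions are accepted")
    return findings


# Constructed sample configuration (names and addresses are made up).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "hub-brainpool"
        set ike-version 2
        set dhgrp 28 30
    next
    edit "legacy-branch"
        set dhgrp 14 5
    next
end
config vpn ipsec phase2-interface
    edit "hub-brainpool"
        set phase1name "hub-brainpool"
        set dhgrp 28
    next
end
config vpn l2tp
    set eip 50.0.0.100
    set sip 50.0.0.1
    set status enable
    set enforce-ipsec-interface disable
    set usrgrp "l2tp-users"
end
"""

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print(dhgrp_names(cfg["vpn ipsec phase1-interface"]["hub-brainpool"]["dhgrp"]))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Run it against a `show vpn ipsec phase1-interface` / `show vpn l2tp` export to get the same two findings the constructed sample produces: the 1536-bit group on the legacy tunnel and the L2TP server that still accepts non-IPsec connections.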

IPsec VPN Wizard improvements (368069)

Previously, when using the wan-load-balance (WLB) feature and configuring an IPsec tunnel with the wizard, the ‘incoming interface’ list did not contain the wan-load-balance or the wan2 interface. Disabling WLB permitted the configuration. The solution in 5.6.1 is as follows:

  • (368069) The IPsec VPN wizard now allows users to select members of virtual-wan-link (VWL) as the IPsec phase1-interface. Before saving, if the phase1 interface is a VWL member, the wizard automatically sets the virtual-wan-link as the destination interface in the L2TP policy.
  • (246552) List VPN tunnels for VWL members if VWL is set as the destination interface in policy-based IPsec VPN.

IPsec manual key support removed from GUI (436041)

The majority of customers are not using policy-based IPsec today, and beyond that, very few are using manual key VPN. As a result, the IPsec manual key feature is removed from the GUI; the feature store option is removed as well.

Added GUI support for local-gw when configuring custom IPsec tunnels (423786)

Previously, the local-gw option was not available on the GUI when configuring a custom IPsec tunnel. This feature adds the local-gw setting to the IPsec VPN Edit dialog. The user is able to choose the primary or secondary IP address from the currently selected interface, or specify an IP address manually. Both local-gw and local-gw6 are supported.

Moved the dn-format CLI option from phase1 config to vdom settings (435542)

The previous fix for dn-format didn’t take into account that, at the time isakmp_set_peer_identifier is used, there is no connection yet and the gateway hasn’t been matched, so the gateway can’t be used to determine the dn-format configuration setting.

The solution was to move the dn-format CLI option from phase1 config to vdom settings. It is renamed to ike-dn-format.

FGT IKE incorrect NAT detection causes ADVPN hub behind VIP to not generate shortcuts (416786)

When ADVPN NAT support was added, only spokes behind NAT were considered. No thought was given to a hub behind a VIP, or to the problems caused by the way FortiOS clients behind NAT enable NAT-T even when it is not required.

The solution in 5.6.1 is as follows:

  • Moved shortcut determination out of the kernel and up to IKE. The shortcut message now contains the ID of both tunnels so that IKE can check the NAT condition of both.
  • Added IKE debug to cover sending the initial shortcut query. The lack of this previously meant it could be awkward to determine if the offer had been converted into a query correctly.
  • Added “nat:” output in diag vpn ike gateway list output to indicate whether this device or the peer is behind NAT.
  • Tweaked the diag vpn tunnel list output so that the auto-discovery information now includes symbolic as well as numeric values, which makes it easier to see what type of auto-discovery was enabled.
This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
