IPsec VPN concepts

3 Replies

Encryption

Encryption mathematically transforms data to appear as meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to recover the original plaintext from the ciphertext.

The process by which the plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of converted plaintext to ciphertext, or vice-versa. IPsec uses symmetrical algorithms, in which the same key is used to both encrypt and decrypt the data. The security of an encryption algorithm is determined by the length of the key that it uses. FortiGate IPsec VPNs offer the following encryption algorithms, in descending order of security:

Encryption Description
ChaCha20/Poly1305 A combination of the ChaCha20 symmetric cipher and Poly1305-AES, a variant of the AES 128-bit block algorithm that uses a 128-bit key and an 128-bit nonce.
AES-GCM Galois/Counter Mode (GCM), a block cipher mode of operation providing both confidentiality and data origin authentication.
AES256 A 128-bit block algorithm that uses a 256-bit key.
AES192 A 128-bit block algorithm that uses a 192-bit key.
AES128 A 128-bit block algorithm that uses a 128-bit key.

 

Encryption Description
3DES Triple-DES, in which plain text is DES-encrypted three times by three keys.
DES Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key

The default encryption algorithms provided on FortiGate units make recovery of encrypted data almost impossible without the proper encryption keys.

There is a human factor in the security of encryption. The key must be kept secret, known only to the sender and receiver of the messages. Also, the key must not be something that unauthorized parties might easily guess, such as the sender’s name, birthday or simple sequence such as 123456.

Pages: 1 2 3 4 5 6 7
This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “IPsec VPN concepts

  1. Nick

    Hi Mike,

    Have a quick question and it would be great if you could point me in the right direction.

    We have a Fortinet 60E appliance and are looking to set up 2 VPNs as follows.

    VPN1
    Allows access to servers A, B and C (all on 192.168.1.0/24)

    VPN2
    Allow access to server D (also on 192.168.1.0/24) only. Users on this tunnel should not have access to servers A, B or C.

    We have a single WAN Internet connection coming in on the WAN1 port.

    Is this possible to setup?

    Any help would be greatly appreciated. If you already have a cheat sheet or video available, that would be great.

    Thanks,

    Nick

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.