IPsec VPN concepts

3 Replies

Diffie-Hellman groups

FortiOS IPsec VPN supports the following Diffie-Hellman (DH) asymmetric key algorithms for public key cryptography.

DH Group Description
1 More Modular Exponential (MODP) DH Group with a 768-bit modulus
2 MODP with a 1024-bit modulus
5 MODP with a 1536-bit modulus
14 MODP with a 2048-bit modulus
15 MODP with a 3027-bit modulus
16 MODP with a 4096-bit modulus
17 MODP with a 6144-bit modulus
18 MODP with a 8192-bit modulus
19 256-bit random elliptic curve group
20 384-bit random elliptic curve group
21 521-bit random elliptic curve group
27 Brainpool 224-bit elliptic curve group
28 Brainpool 256-bit elliptic curve group
29 Brainpool 384-bit elliptic curve group
30 Brainpool 512-bit elliptic curve group
31 Curve25519 128-bit elliptic curve group

 

* When using aggressive mode, DH groups cannot be negotiated.

By default, DH group 14 is selected, to provide sufficient protection for stronger cipher suites that include AES and SHA2. If you select multiple DH groups, the order they appear in the configuration is the order in which they are negotiates.

If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.

When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or dialup client must be identical to one of the selections on the FortiGate unit.

If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or dialup client must be identical to the selections on the FortiGate unit.

Pages: 1 2 3 4 5 6 7
This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “IPsec VPN concepts

  1. Nick

    Hi Mike,

    Have a quick question and it would be great if you could point me in the right direction.

    We have a Fortinet 60E appliance and are looking to set up 2 VPNs as follows.

    VPN1
    Allows access to servers A, B and C (all on 192.168.1.0/24)

    VPN2
    Allow access to server D (also on 192.168.1.0/24) only. Users on this tunnel should not have access to servers A, B or C.

    We have a single WAN Internet connection coming in on the WAN1 port.

    Is this possible to setup?

    Any help would be greatly appreciated. If you already have a cheat sheet or video available, that would be great.

    Thanks,

    Nick

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.