IPsec overheads
The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as shown by diag vpn tunnel list. Subtracting these from the usual Ethernet MTU of 1500 bytes shows that the FortiGate reserves 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1. Packets that still fit the tunnel MTU after encapsulation are never fragmented after encryption, which is the reason the reservation is made up front.
During encryption, AES and DES/3DES operate on fixed-size blocks (16 bytes for AES, 8 bytes for DES and 3DES). ESP pads the payload so that the data to be encrypted, including the two-byte ESP trailer, is a multiple of the block size, and the packet also carries an IV of one block. The HMAC-MD5 and HMAC-SHA-1 integrity algorithms likewise work on fixed internal blocks and append a truncated integrity check value (12 bytes) to each packet. The larger block and IV are why AES costs more overhead per packet than 3DES.
The following table gives the maximum per-packet overhead for each IPsec transform set:

IPsec Transform Set                                             | IPsec Overhead (Max. bytes)
----------------------------------------------------------------|----------------------------
ESP-AES (256, 192, or 128) with ESP-SHA-HMAC or ESP-MD5-HMAC    | 88
ESP-AES (256, 192, or 128) only, no integrity algorithm         | 61
ESP-3DES or ESP-DES only, no integrity algorithm                | 45
ESP-DES or ESP-3DES with ESP-SHA-HMAC or ESP-MD5-HMAC           | 64
ESP-Null with ESP-SHA-HMAC or ESP-MD5-HMAC                      | 45
AH-SHA-HMAC or AH-MD5-HMAC                                      | 44
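The per-packet figures above follow from the ESP and AH packet layouts. The Python below is an added example, not Fortinet's code, and computes the worst-case overhead from the RFC 4303 (ESP) and RFC 4302 (AH) layouts: a 20-byte outer IPv4 header (tunnel mode, no IP options), the 8-byte ESP header, the cipher IV, padding up to the cipher block size, the 2-byte ESP trailer, a 12-byte truncated HMAC ICV, and optionally the 8-byte UDP header that NAT traversal adds. It also finds the largest inner packet that still fits a 1500-byte link, which is the tightest tunnel MTU that avoids post-encryption fragmentation. The strict worst case it returns for AES-CBC with HMAC-SHA1-96 is 73 bytes and for 3DES 57 bytes; the FortiGate tunnel MTUs quoted above reserve 88 and 64 bytes, which is more headroom than that worst case and therefore safe, whereas reserving less than the worst case would fragment some packets. The cipher and integrity names are this example's own labels.

```python
"""Per-packet IPsec overhead from the RFC 4303 (ESP) and RFC 4302 (AH) layouts.

Added example, not Fortinet code. Assumes tunnel mode over IPv4 with a
20-byte outer header (no IP options) and 96-bit truncated HMAC ICVs.
"""

IPV4_HEADER = 20   # outer IPv4 header added in tunnel mode (no options)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1); the padding itself is separate
AH_HEADER = 12     # next header, payload length, reserved, SPI, sequence number
NAT_T_UDP = 8      # extra UDP header when NAT traversal encapsulation is in use

# cipher label (this example's naming) -> (padding block size, IV length), in bytes
CIPHERS = {
    "aes-cbc":  (16, 16),
    "3des-cbc": (8, 8),
    "des-cbc":  (8, 8),
    "null":     (4, 0),   # ESP-NULL still pads so the trailer ends on a 4-byte boundary
}

# integrity label -> ICV length; HMAC-SHA1-96 and HMAC-MD5-96 truncate to 12 bytes
INTEGRITY = {"none": 0, "hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_padding(payload_len: int, cipher: str) -> int:
    """Padding bytes needed so payload + padding + trailer is a block multiple."""
    block, _ = CIPHERS[cipher]
    return (-(payload_len + ESP_TRAILER)) % block


def esp_overhead(payload_len: int, cipher: str, integ: str = "none", nat_t: bool = False) -> int:
    """Bytes added to an inner IP packet of payload_len bytes by tunnel-mode ESP."""
    _, iv_len = CIPHERS[cipher]
    total = (IPV4_HEADER + ESP_HEADER + iv_len
             + esp_padding(payload_len, cipher) + ESP_TRAILER + INTEGRITY[integ])
    return total + (NAT_T_UDP if nat_t else 0)


def esp_worst_case(cipher: str, integ: str = "none", nat_t: bool = False) -> int:
    """Maximum overhead over all payload lengths (reached when padding is block-1 bytes)."""
    block, _ = CIPHERS[cipher]
    return max(esp_overhead(n, cipher, integ, nat_t) for n in range(block))


def ah_overhead(integ: str = "hmac-sha1-96") -> int:
    """Tunnel-mode AH adds a fixed header plus the ICV; no padding, no IV."""
    return IPV4_HEADER + AH_HEADER + INTEGRITY[integ]


def max_inner_packet(physical_mtu: int, cipher: str, integ: str = "none", nat_t: bool = False) -> int:
    """Largest inner IP packet that still fits the physical MTU after encapsulation,
    i.e. the tightest tunnel MTU that never causes post-encryption fragmentation."""
    return max(n for n in range(physical_mtu + 1)
               if n + esp_overhead(n, cipher, integ, nat_t) <= physical_mtu)


if __name__ == "__main__":
    for cipher, integ in (("aes-cbc", "hmac-sha1-96"), ("3des-cbc", "hmac-sha1-96"),
                          ("aes-cbc", "none"), ("null", "hmac-sha1-96")):
        print(f"{cipher:9s} {integ:13s} worst case {esp_worst_case(cipher, integ):3d} B, "
              f"largest inner packet on a 1500 MTU link: {max_inner_packet(1500, cipher, integ)}")
    print(f"AH hmac-sha1-96 overhead: {ah_overhead()} B")
```

Running it shows that a 1412-byte inner packet under AES-CBC/HMAC-SHA1-96 and a 1436-byte inner packet under 3DES/HMAC-SHA1-96 both stay within 1500 bytes after encapsulation, so the FortiGate defaults leave a margin; pass nat_t=True to see the 8 extra bytes that NAT traversal costs.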
Authentication
Encrypting traffic protects nothing unless each gateway can also verify who it is talking to, so a VPN must ensure that only authorized peers can reach the private network. You must use either a preshared key configured on both VPN gateways or RSA X.509 certificates. The examples in this guide use only preshared key authentication. Refer to the Fortinet Knowledge Base for articles on RSA X.509 certificates.
Phase 1 and Phase 2 settings
Preshared keys
A preshared key must contain at least six random alphanumeric characters. Treat that as a floor rather than a target: with IKEv1 aggressive mode the hash derived from the key crosses the wire unencrypted and can be guessed offline, so a long random secret is the practical minimum. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add it to their VPN client configuration.
Although it looks like a password, the preshared key, also known as a shared secret, is never sent by either gateway. Each end feeds the key into the calculations that derive the IKE keying material and the authentication hashes. If the keys do not match, the two ends derive different keying material, the Phase 1 authentication hashes fail to verify, and tunnel negotiation stops before any user data is exchanged.
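To make concrete how a key that is never transmitted still authenticates both ends, here is an added Python model of IKEv1 preshared-key authentication following RFC 2409 section 5.4, where SKEYID = prf(pre-shared-key, Ni_b | Nr_b) and HASH_I / HASH_R prove possession of that SKEYID. It is illustrative code, not FortiOS or any IKE implementation's source; the cookies, nonces, Diffie-Hellman values and ID payloads are constructed sample bytes, shortened from their real sizes, and the function and key names are this example's own. The last function shows the flip side of the six-character minimum: in aggressive mode HASH_R is sent unencrypted, so anyone who observed the exchange can test candidate keys offline.

```python
"""IKEv1 pre-shared-key authentication modelled on RFC 2409 section 5.4.

Added example, not FortiOS code. Shows that only values derived from the PSK
cross the wire and that a mismatch fails Phase 1. All wire values are
constructed sample data, not a real capture.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for HASH = SHA-1 is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the only place the PSK is used."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, w: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, w["g_xi"] + w["g_xr"] + w["cky_i"] + w["cky_r"] + w["sai_b"] + w["idii_b"])


def hash_r(skeyid: bytes, w: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, w["g_xr"] + w["g_xi"] + w["cky_r"] + w["cky_i"] + w["sai_b"] + w["idir_b"])


def sample_wire(seed: bytes = b"constructed-sample") -> dict:
    """Deterministic stand-ins for the public Phase 1 values (constructed, not captured).
    Real DH public values are 128 bytes or more; shortened here for readability."""
    def h(tag: bytes) -> bytes:
        return hashlib.sha256(seed + tag).digest()
    return {
        "cky_i": h(b"cky_i")[:8],                                   # initiator cookie
        "cky_r": h(b"cky_r")[:8],                                   # responder cookie
        "ni_b":  h(b"ni")[:16],                                     # initiator nonce body
        "nr_b":  h(b"nr")[:16],                                     # responder nonce body
        "g_xi":  h(b"g_xi"),                                        # initiator DH public value
        "g_xr":  h(b"g_xr"),                                        # responder DH public value
        "sai_b": bytes.fromhex("0000000100000001"),                 # constructed SA payload body
        "idii_b": b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]),      # ID_IPV4_ADDR 192.0.2.1
        "idir_b": b"\x01\x00\x00\x00" + bytes([198, 51, 100, 1]),   # ID_IPV4_ADDR 198.51.100.1
    }


def phase1_psk_auth(initiator_psk: bytes, responder_psk: bytes, w: dict):
    """Each side derives SKEYID from *its own* PSK plus the public nonces, then checks
    the hash the peer sent. Returns (initiator_accepts, responder_accepts)."""
    sk_i = skeyid_psk(initiator_psk, w["ni_b"], w["nr_b"])
    sk_r = skeyid_psk(responder_psk, w["ni_b"], w["nr_b"])
    sent_hash_i = hash_i(sk_i, w)   # initiator -> responder
    sent_hash_r = hash_r(sk_r, w)   # responder -> initiator
    responder_accepts = hmac.compare_digest(sent_hash_i, hash_i(sk_r, w))
    initiator_accepts = hmac.compare_digest(sent_hash_r, hash_r(sk_i, w))
    return initiator_accepts, responder_accepts


def psk_appears_on_wire(psk: bytes, w: dict, hashes) -> bool:
    """True only if the raw PSK bytes are visible in anything that was transmitted."""
    transmitted = b"".join(w.values()) + b"".join(hashes)
    return psk in transmitted


def guess_psk_from_aggressive_mode(observed_hash_r: bytes, w: dict, candidates):
    """In aggressive mode HASH_R is sent in the clear, so an observer can test guesses
    offline; returns the first candidate that reproduces it, or None."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(skeyid_psk(cand, w["ni_b"], w["nr_b"]), w), observed_hash_r):
            return cand
    return None
```

Run phase1_psk_auth with matching keys and with keys that differ by one character to see both ends accept or both reject; psk_appears_on_wire returns False for everything that was transmitted, and guess_psk_from_aggressive_mode recovers a short key from a small candidate list without ever contacting the gateway.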
Additional authentication
To increase security, you can require additional means of authentication from users, such as:
- An identifier, called a peer ID or a local ID.
- Extended authentication (XAUTH), which imposes an additional user name/password requirement.
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID of a peer is called a Peer ID.
In FortiOS 5.2, new authentication methods have been implemented for IKE: ECDSA-256, ECDSA-384, and ECDSA-521. However, AES-XCBC is not supported.
Full CA chain checking
A new option, enabled by default, fails certificate verification if any CA in the trust chain is missing from the CA store. When it is disabled, having only the issuing sub-CA in the store is enough to pass verification, so the chain is not checked back to a trusted root. Leave it enabled unless you deliberately trust a sub-CA on its own.
Syntax
config vpn certificate setting
    set check-ca-chain {enable | disable}
end
Hi Mike,
Have a quick question and it would be great if you could point me in the right direction.
We have a Fortinet 60E appliance and are looking to set up 2 VPNs as follows.
VPN1
Allows access to servers A, B and C (all on 192.168.1.0/24)
VPN2
Allows access to server D (also on 192.168.1.0/24) only. Users on this tunnel should not have access to servers A, B or C.
We have a single WAN Internet connection coming in on the WAN1 port.
Is this possible to set up?
Any help would be greatly appreciated. If you already have a cheat sheet or video available, that would be great.
Thanks,
Nick
Are end users using dial-up IPsec, or is this site-to-site?
Dial-up IPsec.