IKEv1 fragmentation
UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.
For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.
FortiOS will fragment a packet on sending if, and only if, all the following are true:
- Phase 1 contains “set fragmentation enable”.
- The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
- The packet is being re-transmitted.
By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have “set fragmentation disable” added in order to preserve the existing behaviour of not supporting fragmentation.
Enabling or disabling IKE fragmentation – CLI
config vpn ipsec phase1-interface
    edit 1
        set fragmentation [enable | disable]
    next
end
IKEv2 fragmentation
With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.
CLI syntax
config vpn ipsec phase1-interface
    edit ike
        set ike-version 2
        set fragmentation [enable|disable]
        set fragmentation-mtu [500-16000]
    next
end
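The two behaviours described above, the IKEv1 three-condition test and the IKEv2 requirement that every fragment be protected and verified on its own, are modelled in the following added Python example. It is illustrative code written for this page, not FortiOS or Fortinet code, and it does not reproduce the real RFC 7383 Encrypted Fragment payload: a constructed 4-byte header (fragment number, total fragments) and HMAC-SHA256 over a constructed key stand in for the negotiated IKE SA encryption and integrity transform, and the threshold parameter mirrors the fragmentation-mtu range 500-16000 from the CLI syntax. The sample message and key are constructed.

```python
"""Added example (not FortiOS code): IKEv1 fragmentation rule and an
IKEv2-shaped per-fragment protection / reassembly, after RFC 7383."""
import hashlib
import hmac
import struct

TAG_LEN = 32                        # HMAC-SHA256 output size
FRAG_HEADER = struct.Struct("!HH")  # constructed header: fragment number, total fragments


def should_fragment_ikev1(fragmentation_enabled, packet_len, ipv6, is_retransmit):
    """IKEv1 rule from the page: fragment only when all three conditions hold."""
    min_mtu = 1280 if ipv6 else 576
    return bool(fragmentation_enabled and packet_len > min_mtu and is_retransmit)


def fragment_ikev2(plaintext, key, fragmentation_mtu):
    """Split plaintext so that each protected fragment fits fragmentation_mtu.

    Every fragment gets its own integrity tag (HMAC stands in for the IKE SA
    AEAD), which is why fragmentation must start from the plaintext payloads
    and cannot be applied to an already-protected message.
    """
    if not 500 <= fragmentation_mtu <= 16000:
        raise ValueError("fragmentation-mtu must be within 500-16000")
    chunk = fragmentation_mtu - FRAG_HEADER.size - TAG_LEN
    pieces = [plaintext[i:i + chunk] for i in range(0, len(plaintext), chunk)] or [b""]
    total = len(pieces)
    if total > 0xFFFF:
        raise ValueError("too many fragments for a 16-bit counter")
    fragments = []
    for number, piece in enumerate(pieces, start=1):
        header = FRAG_HEADER.pack(number, total)
        tag = hmac.new(key, header + piece, hashlib.sha256).digest()
        fragments.append(header + piece + tag)
    return fragments


def reassemble_ikev2(fragments, key):
    """Verify each fragment independently, then reassemble in sequence order.

    Rejects truncated or forged fragments, conflicting duplicates and
    inconsistent totals; if any fragment is missing the message is not
    accepted (the peer retransmits).
    """
    seen = {}
    total = None
    for frag in fragments:
        if len(frag) < FRAG_HEADER.size + TAG_LEN:
            raise ValueError("truncated fragment")
        header = frag[:FRAG_HEADER.size]
        body = frag[FRAG_HEADER.size:-TAG_LEN]
        tag = frag[-TAG_LEN:]
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("fragment failed integrity check")
        number, frag_total = FRAG_HEADER.unpack(header)
        if total is None:
            total = frag_total
        elif frag_total != total:
            raise ValueError("inconsistent total fragment count")
        if not 1 <= number <= total:
            raise ValueError("fragment number out of range")
        if number in seen and seen[number] != body:
            raise ValueError("conflicting duplicate fragment")
        seen[number] = body
    if total is None or len(seen) != total:
        raise ValueError("missing fragments")
    return b"".join(seen[i] for i in range(1, total + 1))


if __name__ == "__main__":
    key = b"constructed-ike-sa-key"          # constructed sample key
    message = bytes(range(256)) * 10         # constructed 2560-byte IKE payload
    frags = fragment_ikev2(message, key, 600)
    print(len(frags), "fragments; reassembled OK:",
          reassemble_ikev2(frags, key) == message)
```

Because each tag covers one fragment, a sender that first transmitted the message whole would have to retain the cleartext payloads to fragment it on retry; fragmenting preemptively once the payload exceeds the configured threshold, as the text describes, avoids that.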
Phase 2 configuration
After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.
The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.
These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).
Name | Type a name to identify the Phase 2 configuration. |
Phase 1 | Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration on page 32. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured. |
Advanced | Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings below. |
Phase 2 advanced configuration settings
In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.
Phase 2 Proposal | Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the second Authentication field. It is invalid to set both Encryption and Authentication to NULL. |
Encryption | Select a symmetric-key algorithm:
- NULL — Do not use an encryption algorithm.
- DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
- 3DES — Triple-DES; plain text is encrypted three times by three keys.
- AES128 — A 128-bit block algorithm that uses a 128-bit key.
- AES192 — A 128-bit block algorithm that uses a 192-bit key.
- AES256 — A 128-bit block algorithm that uses a 256-bit key.
- ChaCha20/Poly1305 — A 128-bit block algorithm that uses a 128-bit key and a symmetric cipher. Only available for IKEv2. |
Authentication | Select one of the following message digests to check the authenticity of messages during an encrypted session:
- NULL — Do not use a message digest.
- MD5 — Message Digest 5.
- SHA1 — Secure Hash Algorithm 1, a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination. |
Enable replay detection | Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. |
Enable perfect forward secrecy (PFS) | Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires. |
Diffie-Hellman Group | Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses. |
Keylife | Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. |
Autokey Keep Alive | Select the check box if you want the tunnel to remain active when no data is being processed. |
Auto-negotiate | Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires. |
DHCP-IPsec | Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.
You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately. If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration on page 32. If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients. |
Quick Mode Selector | Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. |
Source address | If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, the source address must refer to the private network behind the Fortinet dialup client. |
Source port | Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0. |
Destination address | Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer. |
Destination port | Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0. |
Protocol | Enter the IP protocol number of the service. To specify all services, enter 0. |
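The Quick Mode Selector, Source address, Destination address, port and Protocol rows above list several address notations and the convention that 0 means “all”. The following added Python example (written for this page, not FortiOS code) parses every address form the table shows, including a dotted netmask, a last-octet range in brackets and an explicit first-last range, and then tests whether a flow falls inside a selector. The parser goes slightly beyond the table in that it also accepts a bare host address as a /32. The selector values, ports and flows in the test are constructed samples, and the selector representation (a pair of IPv4 addresses per side) is this example's own choice, not how the FortiGate stores selectors.

```python
"""Added example (not FortiOS code): parse Phase 2 selector address forms
from the page and match a flow against a selector. 0 for a port or the
protocol means "all", as the table states."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed pattern for the "192.168.10.[80-100]" last-octet range form.
_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_selector_address(text):
    """Return (first, last) IPv4Address pair covered by the selector text.

    Accepts a.b.c.d/prefix, a.b.c.d/dotted-mask, a.b.c.[lo-hi],
    a.b.c.d-a.b.c.e, 0.0.0.0/0 for all addresses, and a bare a.b.c.d (as /32).
    """
    text = text.strip().replace(" ", "")        # tolerate "192.168.10. [80-100]"
    m = _LAST_OCTET_RANGE.match(text)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad last-octet range: %s" % text)
        return (ipaddress.IPv4Address("%s.%d" % (base, lo)),
                ipaddress.IPv4Address("%s.%d" % (base, hi)))
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range start after range end: %s" % text)
        return (lo, hi)
    if "/" not in text:
        text += "/32"                           # bare host address
    # strict=False lets a host address with a mask (172.16.5.1/24) through,
    # normalising it to its network.
    net = ipaddress.IPv4Network(text, strict=False)
    return (net.network_address, net.broadcast_address)


@dataclass(frozen=True)
class Phase2Selector:
    src: tuple          # (first, last) IPv4Address
    dst: tuple
    src_port: int = 0   # 0 = all ports
    dst_port: int = 0
    protocol: int = 0   # 0 = all services


def make_selector(src, dst, src_port=0, dst_port=0, protocol=0):
    """Build a selector, enforcing the ranges the table gives (ports 0-65535)."""
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range 0-65535: %d" % port)
    if not 0 <= protocol <= 255:
        raise ValueError("IP protocol number out of range 0-255: %d" % protocol)
    return Phase2Selector(parse_selector_address(src), parse_selector_address(dst),
                          src_port, dst_port, protocol)


def flow_matches(sel, src_ip, dst_ip, src_port=0, dst_port=0, protocol=0):
    """True if the 5-tuple lies inside the selector; 0 in the selector means any."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    return (sel.src[0] <= s <= sel.src[1]
            and sel.dst[0] <= d <= sel.dst[1]
            and sel.src_port in (0, src_port)
            and sel.dst_port in (0, dst_port)
            and sel.protocol in (0, protocol))


if __name__ == "__main__":
    # Constructed selector: subnet behind the local peer to a host range, HTTPS only.
    sel = make_selector("172.16.5.0/255.255.255.0", "192.168.10.[80-100]",
                        src_port=0, dst_port=443, protocol=6)
    print(flow_matches(sel, "172.16.5.77", "192.168.10.90", 51000, 443, 6))
```

The check makes the table's caveat concrete: with 0.0.0.0/0 on both sides (the default for a dialup server) every flow matches, so overlapping private networks on different tunnels can only be told apart by narrowing the selectors.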
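The Enable replay detection row above defines a replay attack but not how a receiver recognises one. As an added example that is not FortiOS code, the following Python implements the sliding-window check that ESP receivers use, modelled on the algorithm in RFC 4303 Appendix A: a bitmap tracks which recent sequence numbers have already been accepted, anything older than the window is dropped, and a repeated number inside the window is rejected as a replay. The window size, the sample sequence of numbers and the class name are this example's own choices.

```python
"""Added example (not FortiOS code): ESP-style anti-replay sliding window
after RFC 4303 Appendix A."""


class AntiReplayWindow:
    """Track accepted ESP sequence numbers for one SA and reject replays.

    Call check_and_update() only after the packet's integrity check has
    passed; updating the window from an unauthenticated packet would let a
    forged high sequence number slide genuine traffic out of the window.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must be at least 32 entries")
        self.size = size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence (highest - i) already accepted
        self.dropped = 0     # count of replayed / too-old packets, for monitoring

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, False if replayed or too old."""
        if seq == 0:
            self.dropped += 1            # sequence number 0 is never valid
            return False
        if seq > self.highest:
            # Advance the window; bit 0 now represents seq itself.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.dropped += 1            # older than the window: drop
            return False
        if self.bitmap & (1 << offset):
            self.dropped += 1            # already accepted: replay
            return False
        self.bitmap |= 1 << offset       # late but fresh (reordered) packet
        return True


def filter_replays(seqs, size=64):
    """Return the sequence numbers a receiver with this window would accept."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]


if __name__ == "__main__":
    # Constructed trace: in-order traffic, a duplicate, reordering, an old replay.
    trace = [1, 2, 3, 2, 5, 4, 1, 70, 3]
    print(filter_replays(trace))   # 2, 1 and the late 3 are dropped
```

Reordered packets that still fall inside the window (the 4 arriving after the 5 above) are accepted, which is why the window exists at all; a strict "next number only" rule would drop legitimate traffic on any path that reorders packets.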