Category Archives: FortiOS 6.2

SSL VPN split tunnel for remote user

This topic provides a sample configuration in which remote users access the corporate network through an SSL VPN in tunnel mode using FortiClient, while their Internet traffic goes out through the local gateway instead of the SSL VPN tunnel (split tunneling).

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example uses static addressing; DHCP or PPPoE mode can also be used. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel-mode-only portal my-split-tunnel-portal. Enable Split Tunneling.
    2. Select the Routing Address (the internal subnet address). Only traffic to this address is routed through the tunnel.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set the default portal tunnel-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup, mapping it to portal my-split-tunnel-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn split tunnel access.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the Source to all and the group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and the protected subnet. Port1 connects to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure user and user group. The group member must be the local user created above (sslvpnuser1).

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "my-split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

  4. Configure SSL VPN settings. The listening port is set to 10443 to match the GUI steps and the FortiClient settings below.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-split-tunnel-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy that allows remote users to reach the internal network. No policy exists in the reverse direction (port1 to ssl.root), so traffic initiated from the internal network toward remote clients is dropped.

config firewall policy
    edit 1
        set name "sslvpn split tunnel access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection.
  4. Set VPN Type to SSL VPN.
  5. Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  6. Select Customize Port and set it to 10443.
  7. Save your settings.
  8. Use the credentials you've set up to connect to the SSL VPN tunnel.
  9. After connecting, traffic to 192.168.1.0 goes through the tunnel. All other traffic goes through the local gateway.
  10. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  11. On the FortiGate, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN full tunnel for remote user

This topic provides a sample configuration in which remote users access both the corporate network and the Internet through an SSL VPN in tunnel mode using FortiClient (full tunnel: all traffic goes through the VPN).

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example uses static addressing; DHCP or PPPoE mode can also be used. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
  2. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel-mode-only portal my-full-tunnel-portal. Disable Split Tunneling.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set the default portal tunnel-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup, mapping it to portal my-full-tunnel-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn full tunnel access.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the Source to all and the group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and the protected subnet. Port1 connects to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

  2. Configure user and user group. The group member must be the local user created above (sslvpnuser1).

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

  4. Configure SSL VPN settings. The listening port is set to 10443 to match the GUI steps and the FortiClient settings below.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-full-tunnel-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy that allows remote users to reach the internal network and the Internet. No policy exists in the reverse direction (port1 to ssl.root), so traffic initiated from the internal network toward remote clients is dropped.

config firewall policy
    edit 1
        set name "sslvpn full tunnel access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection.
  4. Set VPN Type to SSL VPN, and set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  5. Select Customize Port and set it to 10443.
  6. Save your settings.
  7. Use the credentials you've set up to connect to the SSL VPN tunnel.
  8. After connecting, all traffic except traffic to the client's local subnet goes through the tunnel to the FortiGate.
  9. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  10. On the FortiGate, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN web mode for remote user

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by web mode using a web browser.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example uses static addressing; DHCP or PPPoE mode can also be used. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a web-mode-only portal my-web-portal.
    2. Set Predefined Bookmarks for the Windows server to type RDP.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set the default portal web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup, mapping it to portal my-web-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn web mode access.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the Source to all and the group to sslvpngroup.
    6. In this example, the destination is the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and the protected subnet. Port1 connects to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure user and user group. The group member must be the local user created above (sslvpnuser1).

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure the SSL VPN web portal and predefine an RDP bookmark for the Windows server.

config vpn ssl web portal
    edit "my-web-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows Server"
                        set apptype rdp
                        set host "192.168.1.114"
                        set port 3389
                        set logon-user "your-windows-server-user-name"
                        set logon-password your-windows-server-password
                    next
                end
            next
        end
    next
end

  4. Configure SSL VPN settings. The listening port is set to 10443 to match the GUI steps and the portal URL below.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-web-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy that allows remote users to reach the internal network. No policy exists in the reverse direction (port1 to ssl.root), so traffic initiated from the internal network toward remote clients is dropped.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results:

  1. Open a browser and log in to the portal at https://172.20.120.123:10443 using the credentials you've set up.
  2. In the portal, select the predefined bookmark to begin an RDP session.
  3. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  4. On the FortiGate, go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entry.
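The three SSL VPN examples above share one CLI shape (config / edit / set / next / end) and two mistakes that are easy to make in it: a group member that does not match any defined local user, and an ssl.root policy whose destination is wider than what split tunneling actually routes into the tunnel. The following Python checker is an added example written for this page, not Fortinet code; the sample configuration is constructed from the examples above with both mistakes left in so the checks have something to find.

```python
"""Parse FortiOS-style CLI text and run least-privilege checks on an SSL VPN
setup. Hypothetical checker written for this page, not a Fortinet tool."""
import shlex
from typing import Any, Dict, List

# Constructed sample modelled on the CLI examples above. It keeps two defects
# worth catching: the group member does not match the defined local user, and
# the ssl.root policy destination is "all" although split tunneling only
# routes 192.168.1.0 into the tunnel.
SAMPLE_CONFIG = """
config user local
    edit "sslvpnuser1"
        set type password
    next
end
config user group
    edit "sslvpngroup"
        set member "vpnuser1"
    next
end
config vpn ssl web portal
    edit "my-split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
    next
end
config firewall policy
    edit 1
        set name "sslvpn split tunnel access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """'config a b' opens a table keyed "a b", 'edit k' an entry keyed k,
    'set k v1 v2' stores ["v1", "v2"], 'next'/'end' close the current level."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours double-quoted values
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}")
            stack.pop()
        else:
            raise ValueError(f"unsupported command: {raw.strip()}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def check_sslvpn(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for the SSL VPN objects in a parsed config."""
    findings: List[str] = []
    local_users = cfg.get("user local", {})
    for gname, group in cfg.get("user group", {}).items():
        for member in group.get("member", []):
            if member not in local_users:
                findings.append(f"group {gname}: member {member!r} is not a defined local user")
    # Destinations that split-tunnel portals actually route into the tunnel.
    routed = {addr for portal in cfg.get("vpn ssl web portal", {}).values()
              if portal.get("split-tunneling") == ["enable"]
              for addr in portal.get("split-tunneling-routing-address", [])}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("srcintf") != ["ssl.root"]:
            continue                      # not an SSL VPN policy
        if not pol.get("groups") and not pol.get("users"):
            findings.append(f"policy {pid}: ssl.root policy has no user or group restriction")
        dst = set(pol.get("dstaddr", []))
        if routed and ("all" in dst or not dst <= routed):
            findings.append(f"policy {pid}: dstaddr {sorted(dst)} is wider than the "
                            f"split-tunnel routing address {sorted(routed)}")
    return findings
```

Run check_sslvpn(parse_fortios(text)) over a configuration exported from the FortiGate; an empty list means the SSL VPN objects passed all three checks.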

Policy-based IPsec tunnel

This recipe provides an example configuration of a policy-based IPsec tunnel. It uses site-to-site VPNs between two branches and HQ, with HQ acting as the IPsec concentrator.

The following shows the network topology for this example:

To configure a policy-based IPsec tunnel using the GUI:

  1. Configure the IPsec VPN at HQ:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 15.1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 13.1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
  2. Configure the IPsec concentrator at HQ:
    1. Go to VPN > IPsec Concentrator and enter a name, in this example, branch.
    2. Add to_branch1 and to_branch2 as Members.
    3. Click OK.
  3. Configure the HQ firewall policy:
    1. Choose the Incoming Interface, in this example, port10.
    2. Choose the Outgoing Interface, in this example, port9.
    3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
    4. Select the VPN Tunnel, in this example, to_branch1 (and to_branch2 in the policy for the second branch).
    5. In this example, turn on Allow traffic to be initiated from the remote site.
    6. Click OK.
  4. Configure the IPsec VPN at branch 1:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 22.1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.
  5. Configure the IPsec VPN at branch 2:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 22.1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key and the Pre-shared Key is sample. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.

To configure a policy-based IPsec tunnel using the CLI:

  1. Configure the HQ WAN interface and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the HQ IPsec phase1 and phase2:

config vpn ipsec phase1
    edit "to_branch1"
        set interface "port9"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 15.1.1.2
        set psksecret sample
    next
    edit "to_branch2"
        set interface "port9"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 13.1.1.2
        set psksecret sample
    next
end
config vpn ipsec phase2
    edit "to_branch1"
        set phase1name "to_branch1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
    edit "to_branch2"
        set phase1name "to_branch2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  3. Configure the HQ firewall policy:

config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "10.1.100.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_branch1"
    next
    edit 2
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "192.168.4.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_branch2"
    next
end

  4. Configure the HQ concentrator:

config vpn ipsec concentrator
    edit "branch"
        set member "to_branch1" "to_branch2"
    next
end

  5. Configure the branch WAN interface and static route.

Branch1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 15.1.1.1
        set device "wan1"
    next
end

Branch2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 13.1.1.1
        set device "wan1"
    next
end

  6. Configure the branch IPsec phase1 and phase2.

Branch1:

config vpn ipsec phase1
    edit "to_HQ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end
config vpn ipsec phase2
    edit "to_HQ"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

Branch2:

config vpn ipsec phase1
    edit "to_HQ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end
config vpn ipsec phase2
    edit "to_HQ"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  7. Configure the branch firewall policy.

Branch1:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "10.1.100.0"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_HQ"
    next
end

Branch2:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "192.168.4.0"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_HQ"
    next
end

  8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
  enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
  npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
------------------------------------------------------
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
  enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0

  9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:

list all ipsec concentrator in vd 0

name=branch              ref=3          tuns=2 flags=0
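The tunnel listing above is what an operator reads to confirm that both branches are up; on a concentrator with many tunnels that reading is better automated. The following Python helper is an added example written for this page, not Fortinet code: it parses the name, peer, stat and dec/enc lines of the diagnose vpn tunnel list output and reports tunnels with no traffic in either direction (to_branch2 in the listing above) or with deprecated or legacy algorithms in the negotiated SA. The sample output is constructed from the listing above, shortened, with key material replaced by "..." since the checks never need it.

```python
"""Parse 'diagnose vpn tunnel list' output and flag tunnels that carry no
traffic or use weak algorithms. Hypothetical helper, not a Fortinet tool."""
import re
from typing import Any, Dict, List

# Constructed sample, adapted from the listing above and shortened; the key
# material is replaced with "..." because the checks never need it.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048
  dec: spi=ca646442 esp=aes key=16 ... ah=sha1 key=20 ...
  enc: spi=747c10c4 esp=aes key=16 ... ah=sha1 key=20 ...
  npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3
------------------------------------------------------
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048
  dec: spi=ca646441 esp=aes key=16 ... ah=sha1 key=20 ...
  enc: spi=f9cffb61 esp=aes key=16 ... ah=sha1 key=20 ...
  npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4
"""

HEADER = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
STAT = re.compile(r"^stat: rxp=(\d+) txp=(\d+) rxb=(\d+) txb=(\d+)")
SA_LINE = re.compile(r"^\s*(dec|enc): spi=(\w+) esp=(\S+) .*?ah=(\S+)")

DEPRECATED_ESP = {"null", "des", "3des"}   # no or obsolete confidentiality
LEGACY_AH = {"null", "md5", "sha1"}        # integrity algorithms to phase out


def parse_tunnel_list(text: str) -> List[Dict[str, Any]]:
    """Split the listing into one record per tunnel (a record starts at 'name=')."""
    tunnels: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            tunnels.append({"name": m.group(1), "local": m.group(2),
                            "remote": m.group(3), "sa": {}})
            continue
        if not tunnels:
            continue                        # banner and separator lines
        cur = tunnels[-1]
        m = STAT.match(line)
        if m:
            cur.update(rxp=int(m.group(1)), txp=int(m.group(2)),
                       rxb=int(m.group(3)), txb=int(m.group(4)))
            continue
        m = SA_LINE.match(line)
        if m:
            cur["sa"][m.group(1)] = {"spi": m.group(2), "esp": m.group(3), "ah": m.group(4)}
    return tunnels


def audit_tunnels(text: str) -> Dict[str, List[str]]:
    """Return {tunnel name: [issues]} for every tunnel in the listing."""
    report: Dict[str, List[str]] = {}
    for t in parse_tunnel_list(text):
        issues: List[str] = []
        if not t["sa"]:
            issues.append("no security association: phase 2 not established")
        if t.get("rxp", 0) == 0 and t.get("txp", 0) == 0:
            issues.append("no packets in either direction: tunnel idle or down")
        for direction, sa in t["sa"].items():
            if sa["esp"] in DEPRECATED_ESP:
                issues.append(f"{direction}: deprecated ESP cipher {sa['esp']}")
            if sa["ah"] in LEGACY_AH:
                issues.append(f"{direction}: legacy integrity algorithm {sa['ah']}")
        report[t["name"]] = issues
    return report
```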

 

IPSEC IKEv2 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption (integrity only, no confidentiality), IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AESGCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU; CP9 supports AESGCM offloading. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512

IPSEC IKEv2 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with three key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes128gcm-prfsha1
  • aes128gcm-prfsha256
  • aes128gcm-prfsha384
  • aes128gcm-prfsha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512
  • aes256gcm-prfsha1
  • aes256gcm-prfsha256
  • aes256gcm-prfsha384
  • aes256gcm-prfsha512

The ARIA algorithm is based on AES, with three key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

For the chacha20poly1305 encryption algorithm, FortiGate supports:

  • chacha20poly1305-prfsha1
  • chacha20poly1305-prfsha256
  • chacha20poly1305-prfsha384
  • chacha20poly1305-prfsha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of cryptographic algorithms: AES encryption with an integrity check value (ICV) in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to the NPU. CP9 supports Suite-B offloading; otherwise packets are encrypted and decrypted in software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256

IPSEC IKEv1 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption (integrity only, no confidentiality), IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AESGCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512

IPSEC Encryption algorithms

IKEv1 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with three key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

The ARIA algorithm is based on AES, with three key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of cryptographic algorithms: AES encryption with an integrity check value (ICV) in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to the NPU. CP9 supports Suite-B offloading; otherwise packets are encrypted and decrypted in software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256
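The proposal tokens listed in the four sections above all follow one naming pattern: a cipher, then a hash (phase 2 and IKEv1 phase 1) or a PRF (IKEv2 phase 1 AEAD ciphers), with the AEAD ciphers and Suite-B carrying their own integrity. The following Python helper is an added example written for this page, not Fortinet code: it breaks a set proposal value into those parts, flags the entries the tables above still list but that a reviewer would question (null or DES/3DES ciphers, null integrity, MD5/SHA1), and reports the offload class using the phase-2 tables above as the rule (AES-CBC/DES/3DES/null to NPU/CP, AES-GCM and Suite-B to CP9 only, chacha20poly1305/ARIA/SEED in software); the IKEv1 phase-2 table says AESGCM gets no offload at all, so that mapping is an assumption taken from the IKEv2 and Suite-B statements.

```python
"""Classify FortiOS IPsec proposal tokens (the values of 'set proposal ...')
by cipher, integrity/PRF, offload class and known weaknesses.
Hypothetical helper written for this page; the offload mapping follows the
phase-2 tables above and is an assumption for IKEv1 phase 2."""
from typing import Dict, List

DEPRECATED_CIPHERS = {"null", "des", "3des"}
LEGACY_HASHES = {"md5", "sha1"}
AEAD_CIPHERS = {"aes128gcm", "aes256gcm", "chacha20poly1305",
                "suite-b-gcm-128", "suite-b-gcm-256"}


def offload_class(cipher: str) -> str:
    """Where the tables above say this cipher can be accelerated."""
    if cipher.startswith(("aria", "seed", "chacha")):
        return "software only"
    if cipher.endswith("gcm") or cipher.startswith("suite-b"):
        return "CP9 only"
    return "NPU/CP"


def assess_proposal(token: str) -> Dict[str, object]:
    """Split one token such as 'aes128-sha256', 'aes256gcm-prfsha384' or
    'suite-b-gcm-128' into its parts and list its weaknesses."""
    if token.startswith("suite-b-"):
        cipher, auth = token, ""          # Suite-B names contain dashes
    else:
        cipher, _, auth = token.partition("-")
    aead = cipher in AEAD_CIPHERS
    prf = auth.startswith("prf")          # IKEv2 phase-1 AEAD entries carry a PRF
    hash_name = auth[3:] if prf else auth
    weak: List[str] = []
    if cipher in DEPRECATED_CIPHERS:
        weak.append(f"cipher {cipher} is deprecated or provides no confidentiality")
    if not aead and hash_name in ("", "null"):
        weak.append("no integrity protection")
    if hash_name in LEGACY_HASHES:
        weak.append(f"{'prf' if prf else 'integrity'} {hash_name} is legacy")
    return {
        "token": token,
        "cipher": cipher,
        "aead": aead,
        "integrity": hash_name or ("aead" if aead else "none"),
        "weak": weak,
        "offload": offload_class(cipher),
    }


def assess_proposal_list(proposal: str) -> List[Dict[str, object]]:
    """Assess a whole 'set proposal' value; the order is the peer's preference order."""
    return [assess_proposal(token) for token in proposal.split()]


def weak_tokens(proposal: str) -> List[str]:
    """Tokens in a proposal list that carry at least one weakness."""
    return [str(r["token"]) for r in assess_proposal_list(proposal) if r["weak"]]
```

Running weak_tokens over the phase-2 default above reports aes128-sha1 and aes256-sha1, the two entries a peer may still select because they are listed first.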