IPSec Dynamic DNS configuration

Dynamic DNS configuration

This section describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a domain name and a dynamic IP address.

The following topics are included in this section:

Dynamic DNS over VPN concepts

DDNS topology

Configuration overview

Dynamic DNS over VPN concepts

A typical computer has a static IP address and one or more DNS servers to resolve fully qualified domain names (FQDN) into IP addresses. A domain name assigned to this computer is resolved by any DNS server having an entry for the domain name and its static IP address. The IP address never changes or changes only rarely so the DNS server can reliably say it has the correct address for that domain all the time.

Dynamic DNS (DDNS)

It is different when a computer has a dynamic IP address, such as an IP address assigned dynamically by a DHCP server, and a domain name. Computers that want to contact this computer do not know what its current IP address is. To solve this problem there are dynamic DNS (DDNS) servers. These are public servers that store a DNS entry for your computer that includes its current IP address and associated domain name. These entries are kept up to date by your computer sending its current IP address to the DDNS  server to ensure its entry is always up to date. When other computers want to contact your domain, their DNS gets your IP address from your DDNS server. To use DDNS servers, you must subscribe to them and usually pay for their services.

When configuring DDNS on your FortiGate unit, go to Network > DNS and enable Enable FortiGuard DDNS. Then select the interface with the dynamic connection, which DDNS server you have an account with, your domain name, and account information. If your DDNS server is not on the list, there is a generic option where you can provide your DDNS server information.

Routing

When an interface has some form of changing IP address (DDNS, PPPoE, or DHCP assigned address), routing needs special attention. The standard static route cannot handle the changing IP address. The solution is to use the dynamic-gateway command in the CLI. Say for example you already have four static routes, and you have a PPPoE connection over the wan2 interface and you want to use that as your default route.

The route is configured on the dynamic address VPN peer trying to access the static address FortiGate unit.

Configuring dynamic gateway routing – CLI

config router static edit 5 set dst 0.0.0.0 0.0.0.0 set dynamic-gateway enable set device wan2

Dynamic DNS over VPN concepts

next

end

 

For more information on DDNS, see the System Administration handbook chapter.

DDNS over VPN

IPsec VPN expects an IP address for each end of the VPN tunnel. All configuration and communication with that tunnel depends on the IP addresses as reference points. However, when the interface the tunnel is on has DDNS enabled there is no set IP address. The remote end of the VPN tunnel now needs another way to reference your end of the VPN tunnel. This is accomplished using Local ID.

A FortiGate unit that has a domain name and a dynamic IP address can initiate VPN connections anytime. The remote peer can reply to the local FortiGate unit using the source IP address that was sent in the packet header because it is current. Without doing a DNS lookup first, the remote peer runs the risk of the dynamic IP changing before it attempts to connect. To avoid this, the remote peer must perform a DNS lookup for the domain name of to be sure of the dynamic IP address before initiating the connection.

Remote Gateway

When configuring the Phase 1 entry for a VPN tunnel, the Remote Gateway determines the addressing method the remote end of the tunnel uses as one of Static IP Address, Dialup User, or Dynamic DNS. There are different fields for each option.

When you select the Dynamic DNS VPN type there is a related field called Dynamic DNS. The Dynamic DNS field is asking for the FQDN of the remote end of the tunnel. It uses this information to look up the IP address of the remote end of the tunnel through the DDNS server associated with that domain name.

Local ID (peer ID)

The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel. This enables a more secure connection. Also if you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. When you configure it on your end, it is your Local ID. When the remote end connects to you, they see it as your peer ID.

If you are debugging a VPN connection, the Local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.

Configuring your Local ID
  1. Go to VPN > IPsec Wizard and create the new custom tunnel or go to VPN > IPsec Tunnels and edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert To Custom Tunnel button).
  3. In the Phase 1 Proposal section, enter your Local ID.
  4. Select OK.

The default configuration is to accept all local IDs (peer IDs). If you have Local ID set, the remote end of the tunnel must be configured to accept your local ID.

DDNS topology

Accepting a specific Peer ID
  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit Authentication (if it is not available, you may need to click the Convert To Custom Tunnel button).
  3. Set Mode to Aggressive.
  4. For Peer Options, select This peer ID. This option becomes visible only when Aggressive mode is selected.
  5. In the Peer ID field, enter the string the other end of the tunnel used for its local ID.
  6. Configure the rest of the Phase 1 entry as required.
  7. Select OK.

Route-based or policy-based VPN

VPN over dynamic DNS can be configured with either route-based or policy-based VPN settings. Both are valid, but have differences in configuration. Choose the best method based on your requirements. For more information on route-based and policy-based, see IPsec VPN overview on page 33.

Route-based VPN configuration requires two security policies to be configured (one for each direction of traffic) to permit traffic over the VPN virtual interface, and you must also add a static route entry for that VPN interface or the VPN traffic will not reach its destination. See Dynamic DNS configuration on page 117 and Dynamic DNS configuration on page 117.

Policy-based VPN configuration uses more complex and often more IPsec security policies, but does not require a static route entry. It has the benefit of being able to configure multiple policies for handling multiple protocols in different ways, such as more scanning of less secure protocols or guaranteeing a minimum bandwidth for protocols such as VoIP. See Dynamic DNS configuration on page 117 and Dynamic DNS configuration on page 117.

DDNS topology

In this scenario, two branch offices each have a FortiGate unit and are connected in a gateway-to-gateway VPN configuration. One FortiGate unit has a domain name (example.com) with a dynamic IP address. See branch_ 2 in the figure below.

Whenever the branch_2 unit connects to the Internet (and possibly also at predefined intervals set by the ISP), the ISP may assign a different IP address to the FortiGate unit. The unit has its domain name registered with a dynamic DNS service. The branch_2 unit checks in with the DDNS server on a regular basis, and that server provides the DNS information for the domain name, updating the IP address from time to time. Remote peers have to locate the branch_2 FortiGate unit through a DNS lookup each time to ensure the address they get is current and correct.

 

Example dynamic DNS configuration

When a remote peer (such as the branch_1 FortiGate unit above) initiates a connection to example.com, the local DNS server looks up and returns the IP address that matches the domain name example.com. The remote peer uses the retrieved IP address to establish a VPN connection with the branch_2 FortiGate unit.

Assumptions

  • You have administrator access to both FortiGate units.
  • Both FortiGate units have interfaces named wan1 and internal. (If not, you can use the alias feature to assign these labels as “nicknames” to other interfaces to follow this example.)
  • Both FortiGate units have the most recent firmware installed, have been configured for their networks, and are currently passing normal network traffic.
  • The branch_2 FortiGate unit has its wan1 interface defined as a dynamic DNS interface with the domain name of com.
  • A basic gateway-to-gateway configuration is in place (see Gateway-to-gateway configurations on page 1) except one of the FortiGate units has a static domain name and a dynamic IP address instead of a static IP address.
  • The FortiGate unit with the domain name is subscribed to one of the supported dynamic DNS services. Contact one of the services to set up an account. For more information and instructions about how to configure the FortiGate unit to push its dynamic IP address to a dynamic DNS server, see the System Administration handbook chapter.

Configuration overview

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed:

  • Configure the branch_2 FortiGate unit with the dynamic IP address. This unit uses a Local ID string instead of an IP address to identify itself to the remote peer. See Configuring the dynamically-addressed VPN peer below, which is made up of configuring branch_2’s VPN tunnel settings and security policies.
  • Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must first retrieve the IP address for the domain from the dynamic DNS service. See Configuring the fixed-address VPN peer, which is made up of configuring branch_1’s VPN tunnel settings and security policies.

Configuring the dynamically-addressed VPN peer

It is assumed that this FortiGate unit (branch_2) has already had its public facing interface, for example the wan1, configured with the proper dynamic DNS configuration.

Configuring branch_2, the dynamic address side

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 52. During this procedure you need to choose if you will be using route-based or policy-based VPNs.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
  3. Enter the following information:
Remote Gateway Select Static IP Address.

The remote peer this FortiGate is connecting to has a static IP public address.

If the remote interface is PPPoE do not select Retrieve default gateway from server.

IP Address Enter 172.16.20.1, the IP address of the public interface to the remote peer.
Interface Select the Internet-facing interface wan1 (selected by default).
NAT Traversal Select Enable (selected by default).
Keepalive Frequency Enter a keepalive frequency (In seconds; set to 10 by default).
Dead Peer Detection Select a dead peer detection option. On Idle will attempt to reestablish VPN tunnels when a connection becomes idle (the idle interval is not a negotiated value).

Use of periodic dead peer detection incurs extra overhead. When communicating to large numbers of IKE peers, you should consider using On Demand. (set to On Demand by default).

  1. Edit Authentication and complete the following:
Mode Select Aggressive.
  1. Edit Phase 1 Proposal and complete the following:
Local ID Enter example.com.

A character string used by the branch_2 FortiGate unit to identify itself to the remote peer.

This value must be identical to the value in the This peer ID field of the Phase 1 remote gateway configuration on the branch_1 remote peer. See Configuration overview on page 120.

  1. Open the Phase 2 Selectors

Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For details on Phase 2, see Phase 2 parameters on page 72.

  1. Enter the following information and select OK.
Name Automatically entered as the name of the VPN tunnel.
Phase 1 Select branch_2.

The name of the Phase 1 configuration that you defined earlier.

Define security policies to permit communications between the private networks through the VPN tunnel. Routebased and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

After defining the two address ranges, select one of Creating branch_2 route-ased security policies on page 123 or Creating branch_2 policy-based security policies on page 125 to configure the appropriate VPN policies.

Define VPN connection names for the address ranges of the private networks. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining VPN security policies on page 1.

Define an address name for the IP address and netmask of the private network behind the local FortiGate unit.

  1. Go to Policy & Objects > Addresses.
  2. Select Create New.
  3. Enter the following information, and select OK.
Name Enter branch_2_internal. Enter a meaningful name.
Type Select IP/Netmask.
Subnet / IP Range Enter 10.10.10.0/24.

Include the netmask or specify a specific range.

Interface Select internal. The interface that will be handling the traffic from the internal network.

Define an address name for the IP address and netmask of the private network behind the remote peer.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter branch_1_internal. A meaningful name for the private network at the remote end of the VPN tunnel.
Type Select IP/Netmask.
Subnet / IP Range Enter 192.168.1.0/24.

Include the netmask. Optionally you can specify a range

Interface Select any.

The interface that will be handling the remote VPN traffic on this FortiGate unit. If you are unsure, or multiple interfaces may be handling this traffic use any.

Creating branch_2 route-ased security policies

Define ACCEPT security policies to permit communication between the branch_2 and branch_1 private networks. Once the route-based policy is configured a routing entry must be configured to route traffic over the VPN interface.

Define a policy to permit the branch_2 local FortiGate unit to initiate a VPN session with the branch_1 VPN peer.

  1. Go to Policy & Objects > IPv4 Policy and select Create New. 2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal.

The interface that connects to the private network behind this FortiGate unit.

Outgoing Interface Select branch_2. The VPN Tunnel (IPsec Interface).
Source Select branch_2_internal.

Select the address name for the private network behind this FortiGate unit.

Destination Address Select branch_1_internal.

The address name the private network behind the remote peer.

Action Select ACCEPT.
NAT Disable NAT.
Comments Route-based: Initiate a branch_2 to branch_1 VPN tunnel.

Define a policy to permit the branch_1 remote VPN peer to initiate VPN sessions.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select branch_2. The VPN Tunnel (IPsec Interface).
Outgoing Interface Select internal. The interface connecting the private network behind this FortiGate unit.
Source Select branch_1_internal. The address name for the private network behind the remote peer.
Destination Address Select branch_2_internal. The address name for the private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable NAT.
Comments Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel.
  1. Optionally configure any other security policy settings you require such as UTM or traffic shaping for this policy.
  2. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.
Creating routing entry for VPN interface – CLI

config router static edit 5 set dst 0.0.0.0 0.0.0.0

set dynamic-dateway enable set device wan1

next

end

This routing entry must be added in the CLI because the dynamic-gateway option is not available in the webbased manager.

Creating branch_2 policy-based security policies

Define an IPsec policy to permit VPN sessions between the private networks. Define an IPsec policy to permit the VPN sessions between the local branch_2 unit and the remote branch_1 unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New. 2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal. The interface connecting the private network behind this FortiGate unit.
Outgoing Interface Select wan1. The FortiGate unit’s public interface.
Source Select branch_2_internal. The address name for the private network behind this local FortiGate unit.
Destination Address Select branch_1_internal. The address name for the private network behind branch_1, the remote peer.
Action Select IPsec. Under VPN Tunnel, select branch_2 from the drop-down list. The name of the Phase 1 tunnel. Select Allow traffic to be initiated from the remote site.
Comments Policy-based: allows traffic in either direction to initiate the VPN tunnel.
  1. Optionally configure any other security policy settings you require such as UTM or traffic shaping for this policy.
  2. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.

Configuring the fixed-address VPN peer

The fixed-address VPN peer, branch_1, needs to retrieve the IP address from the dynamic DNS service to initiate communication with the dynamically-addressed peer, branch_2. It also depends on the peer ID (local ID) to initiate the VPN tunnel with branch_2.

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. For more information, see Phase 1 parameters on page 52.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit Network (if it is not available, you may need to click the Convert to Custom Tunnel button). Enter the following information and select OK.
Remote Gateway Select Dynamic DNS. The remote peer this FortiGate is connecting to has a dynamic IP address.
Dynamic DNS Type the fully qualified domain name of the remote peer (for example, example.com).
Interface Select wan1. The public facing interface on the fixed-address FortiGate unit.
Mode Config Select Aggressive.
Peer Options Select This peer ID, and enter example.com. This option only appears when the mode is set to Aggressive. The identifier of the FortiGate unit with the dynamic address.
  1. Edit Authentication, enter the following information and select OK.
Peer Options Select This peer ID, and enter example.com. This option only appears when the authentication method is set to Signature. The identifier of the FortiGate unit with the dynamic address.
  1. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 72. Enter these settings in particular:
Name Enter branch_1_p2. A name to identify this Phase 2 configuration.
Phase 1 Select branch_1.

The name of the Phase 1 configuration that you defined for the remote peer. You can select the name of the remote gateway from the Dynamic DNS part of the list.

The branch_1 FortiGate unit has a fixed IP address and will be connecting to the branch_2 FortiGate unit that has a dynamic IP address and a domain name of example.com. Remember if you are using route-based security policies that you must add a route for the VPN traffic.

Defining address ranges for branch_1 security policies

As with branch_2 previously, branch_1 needs address ranges defined as well. See Defining policy addresses on page 1.

  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Enter the following information, and select OK.
Name Enter branch_2_internal. A meaningful name for the private network behind the branch_2 FortiGate unit.
Type Select IP/Netmask.
Subnet / IP Range Enter 10.10.10.0/24. Include the netmask or specify a specific range.
Interface Select internal. This is the interface on this FortiGate unit that will be handling with this traffic.
  1. Define an address name for the IP address and netmask of the private network behind the remote peer. Create another address. Enter the following information, and select OK.
Name Enter branch_1_internal. A meaningful name for the private network behind the branch_1 peer.
Type Select IP/Netmask.
Subnet / IP Range Enter 192.168.1.0/24. Include the netmask or specify a specific range.
Interface Select any. The interface on this FortiGate unit that will be handling with this traffic. If you are unsure, or multiple interfaces may be handling this traffic use any.

Creating branch_1 route-based security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses. See Defining VPN security policies on page 1.

  1. Go to Policy & Objects > IPv4 Policy and select Create New. 2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal. The interface that connects to the private network behind the branch_1 FortiGate unit.
Outgoing Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Source Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Destination Address Select branch_2_internal. The address name that you defined for the private network behind the branch_2 peer.
Action Select ACCEPT.
NAT Disable NAT.
Comments Internal -> branch2

To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Outgoing Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Source Select branch_2_internal. The address name that you defined for the private network behind the branch_2 remote peer.
Destination Address Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable NAT.
Comments branch_2 -> Internal

Creating branch_1 policy-based security policies

A policy-based security policy allows you the flexibility to allow inbound or outbound traffic or both through this single policy.

This policy-based IPsec VPN security policy allows both inbound and outbound traffic

  1. Go to Policy & Objects > IPv4 Policy and select Create New. 2. Enter the following information, and select OK.
Incoming Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Outgoing Interface Select wan1. The FortiGate unit’s public interface.
Source Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Destination Address Select branch_2_internal. The address name that you defined for the private network behind the remote peer.
Action Select IPsec. Under VPN Tunnel, select branch_1 from the drop-down list. The name of the Phase 1 tunnel. Select Allow traffic to be initiated from the remote site.
  1. Place this security policy in the policy list above any other policies having similar source and destination addresses.

Results

Once both ends are configured, you can test the VPN tunnel.

To test the VPN initiated by branch_2

  1. On branch_2, go to Monitor > IPsec Monitor.

All IPsec VPN tunnels will be listed on this page, no matter if they are connected or disconnected.

  1. Select the tunnel listed for branch_2, and select the status column for that entry.

The status will say Bring Up and remote port, incoming and outgoing data will all be zero. This indicates an inactive tunnel. When you right-click and select Bring Up, the FortiGate will try to set up a VPN session over this tunnel. If it is successful, Bring Up will change to Active, and the arrow icon will change to a green up arrow icon.

  1. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting:

To test the VPN initiated by branch_1

  1. On branch_1, go to Monitor > IPsec Monitor.
  2. Select the tunnel listed for branch_1, and select the status column.

The difference between branch_2 and branch_1 at this point is that the tunnel entry for branch-1 will not have a remote gateway IP address. It will be resolved when the VPN tunnel is started.

  1. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting.

Some troubleshooting ideas include:

  • If there was no entry for the tunnel on the monitor page, check the Auto Key (IKE) page to verify the Phase 1 and Phase 2 entries exist.
  • Check the security policy or policies, and ensure there is an outgoing policy as a minimum.
  • Check that you entered a local ID in the Phase 1 configuration, and that branch_1 has the same local ID. l Ensure the local DNS server has an up-to-date DNS entry for exmaple.com.

For more information, see Troubleshooting on page 1.

 

IPSec Hub-and-spoke configurations

Hub-and-spoke configurations

This section describes how to set up hub-and-spoke IPsec VPNs. The following topics are included in this section:

Configuration overview

Configure the hub

Configure the spokes

Dynamic spokes configuration example

Configuration overview

In a hub-and-spoke configuration, VPN connections radiate from a central FortiGate unit (the hub) to a number of remote peers (the spokes). Traffic can pass between private networks behind the hub and private networks behind the remote peers. Traffic can also pass between remote peer private networks through the hub.

Example hub-and-spoke configuration

The actual implementation varies in complexity depending on:

 

Configuration overview

  • Whether the spokes are statically or dynamically addressed
  • The addressing scheme of the protected subnets
  • How peers are authenticated

This guide discusses the issues involved in configuring a hub-and-spoke VPN and provides some basic configuration examples.

Hub-and-spoke infrastructure requirements

  • The FortiGate hub must be operating in NAT mode and have a static public IP address.
  • Spokes may have static IP addresses, dynamic IP addresses (see FortiGate dialup-client configurations on page 1), or static domain names and dynamic IP addresses (see Dynamic DNS configuration on page 1).

Spoke gateway addressing

The public IP address of the spoke is the VPN remote gateway as seen from the hub. Statically addressed spokes each require a separate VPN Phase 1 configuration on the hub. When there are many spokes, this becomes rather cumbersome.

Using dynamic addressing for spokes simplifies the VPN configuration because then the hub requires only a single Phase 1 configuration with “dialup user” as the remote gateway. You can use this configuration even if the remote peers have static IP addresses. A remote peer can establish a VPN connection regardless of its IP address if its traffic selectors match and it can authenticate to the hub. See Configuration overview on page 100 for an example of this configuration.

Protected networks addressing

The addresses of the protected networks are needed to configure destination selectors and sometimes for security policies and static routes. The larger the number of spokes, the more addresses there are to manage. You can

  • Assign spoke subnets as part of a larger subnet, usually on a new network or
  • Create address groups that contain all of the needed addresses

Using aggregated subnets

If you are creating a new network, where subnet IP addresses are not already assigned, you can simplify the VPN configuration by assigning spoke subnets that are part of a large subnet.

Aggregated subnets

All spokes use the large subnet address, 10.1.0.0/16 for example, as:

  • The IPsec destination selector
  • The destination of the security policy from the private subnet to the VPN (required for policy-based VPN, optional for route-based VPN)
  • The destination of the static route to the VPN (route-based)

Each spoke uses the address of its own protected subnet as the IPsec source selector and as the source address in its VPN security policy. The remote gateway is the public IP address of the hub FortiGate unit.

Using an address group

If you want to create a hub-and-spoke VPN between existing private networks, the subnet addressing usually does not fit the aggregated subnet model discussed earlier. All of the spokes and the hub will need to include the addresses of all the protected networks in their configuration.

On FortiGate units, you can define a named firewall address for each of the remote protected networks and add these addresses to a firewall address group. For a policy-based VPN, you can then use this address group as the destination of the VPN security policy.

For a route-based VPN, the destination of the VPN security policy can be set to All. You need to specify appropriate routes for each of the remote subnets.

Authentication

Authentication is by a common pre-shared key or by certificates. For simplicity, the examples in this chapter assume that all spokes use the same pre-shared key.

Configure the hub

At the FortiGate unit that acts as the hub, you need to:

hub

  • Configure the VPN to each spoke
  • Configure communication between spokes

You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define security policies or group the IPsec interfaces into a zone.

Define the hub-spoke VPNs

Perform these steps at the FortiGate unit that will act as the hub. Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Configuring the VPN hub

  1. At the hub, define the Phase 1 configuration for each spoke. See Phase 1 parameters on page 52. Enter these settings in particular:
Name Enter a name to identify the VPN in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway The remote gateway is the other end of the VPN tunnel. There are three options:

Static IP Address  — Enter the spoke’s public IP Address. You will need to create a Phase 1 configuration for each spoke. Either the hub or the spoke can establish the VPN connection.

Dialup User — No additional information is needed. The hub accepts connections from peers with appropriate encryption and authentication settings. Only one Phase 1 configuration is needed for multiple dialup spokes. Only the spoke can establish the VPN tunnel.

Dynamic DNS — If the spoke subscribes to a dynamic DNS service, enter the spoke’s Dynamic DNS domain name. Either the hub or the spoke can establish the VPN connection. For more information, see Dynamic DNS configuration on page 1.

Local Interface Select the FortiGate interface that connects to the remote gateway. This is usually the FortiGate unit’s public interface.
  1. Define the Phase 2 parameters needed to create a VPN tunnel with each spoke. See Phase 2 parameters on page
  2. 72. Enter these settings in particular:
Name Enter a name to identify this spoke Phase 2 configuration.
Phase 1 Select the name of the Phase 1 configuration that you defined for this spoke.

IPsec VPN in ADVPN hub-and-spoke

IPsec VPN traffic is allowed through a tunnel between an ADVPN hub-and-spoke.

CLI Syntax:

config vpn ipsec phase1-interface edit “int-fgtb” … set auto-discovery-sender [enable | disable] set auto-discovery-receiver [enable | disable] set auto-discovery-forwarder [enable | disable] …

next

end

config vpn ipsec phase2-interface edit “int-fgtb” …

set auto-discovery-sender phase1 [enable | disable] …

next

end

Define the hub-spoke security policies

  1. Define a name for the address of the private network behind the hub. For more information, see Defining policy addresses on page 1.
  2. Define names for the addresses or address ranges of the private networks behind the spokes. For more information, see Defining policy addresses on page 1.
  3. Define the VPN concentrator. See To define the VPN concentrator on page 105.
  4. Define security policies to permit communication between the hub and the spokes. For more information, see Defining VPN security policies on page 1.

Route-based VPN security policies

Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction.

Adding policies
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:
Incoming Interface Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
Outgoing Interface Select the hub’s interface to the internal (private) network.
Destination Address Select the source address that you defined in Step 1.
Action Select ACCEPT.
Enable NAT Enable.

 

hub

Incoming Interface Select the VPN Tunnel (IPsec Interface) you configured inStep 1.
Source Address Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
Outgoing Interface Select the source address that you defined in Step 1.
Destination Address Select the hub’s interface to the internal (private) network.
Action Select ACCEPT.
Enable NAT Enable.

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the hub and the spoke.

Adding policies
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter these settings in particular:
Incoming Interface Select the hub’s interface to the internal (private) network.
Source Address Select the source address that you defined in Step 1.
Outgoing Interface Select the hub’s public network interface.
Destination Address Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
VPN Tunnel Select Use Existing and select the name of the Phase 1 configuration that you created for the spoke in Step 1.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

In the policy list, arrange the policies in the following order:

l IPsec policies that control traffic between the hub and the spokes first  l The default security policy last

Configuring communication between spokes (policy-based VPN)

For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.

To define the VPN concentrator

  1. At the hub, go to VPN > IPsec Concentrator and select Create New.
  2. In the Concentrator Name field, type a name to identify the concentrator.
  3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.
  4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
  5. Select OK.

Configuring communication between spokes (route-based VPN)

For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:

  • Put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
  • Put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy
  • Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.

Using a zone as a concentrator

A simple way to provide communication among all of the spokes is to create a zone and allow intra-zone communication. You cannot apply UTM features using this method.

  1. Go to Network > Interfaces.
  2. Select the down-arrow on the Create New button and select Zone.
  3. In the Zone Name field, enter a name, such as Our_VPN_zone.
  4. Clear Block intra-zone traffic.
  5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
  6. Select OK.

Using a zone with a policy as a concentrator

If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply UTM features with just one security policy.

Creating a zone for the VPN
  1. Go to Network > Interfaces.
  2. Select the down-arrow on the Create New button and select Zone.
  3. In the Zone Name field, enter a name, such as Our_VPN_zone.
  4. Select Block intra-zone traffic.
  5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
  6. Select OK.
Creating a security policy for the zone
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the settings: and select OK.
Incoming Interface Select the zone you created for your VPN.

spokes

Source Address Select All.
Outgoing Interface Select the zone you created for your VPN.
Destination Address Select All.
Action Select ACCEPT.
Enable NAT Enable.

Using security policies as a concentrator

To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. Others are similar.

  1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see Defining policy addresses on page 1.
  2. Go to Policy & Objects > IPv4 Policy and select Create New.
  3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  4. Enter the settings and select OK.
Incoming Interface Select the IPsec interface that connects to Spoke 1.
Source Address Select the address of the private network behind Spoke 1.
Outgoing Interface Select the IPsec interface that connects to Spoke 2.
Destination Address Select the address of the private network behind Spoke 2.
Action Select ACCEPT.
Enable NAT Enable.

Configure the spokes

Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Perform these steps at each FortiGate unit that will act as a spoke.

Creating the Phase 1 and phase_2 configurations

  1. At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub. See Phase 1 parameters on page 52. Enter these settings:
Remote Gateway Select Static IP Address.
IP Address Type the IP address of the interface that connects to the hub.

 

Configure the spokes

  1. Create the Phase 2 tunnel definition. See Phase 2 parameters on page 72. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.

Configuring security policies for hub-to-spoke communication

  1. Create an address for this spoke. See Defining policy addresses on page 1. Enter the IP address and netmask of the private network behind the spoke.
  2. Create an address to represent the hub. See Defining policy addresses on page 1. Enter the IP address and netmask of the private network behind the hub.
  3. Define the security policy to enable communication with the hub.

Route-based VPN security policy

Define two security policies to permit communications to and from the hub.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings:
Incoming Interface Select the virtual IPsec interface you created.
Source Address Select the hub address you defined in Step 1.
Outgoing Interface Select the spoke’s interface to the internal (private) network.
Destination Address Select the spoke addresses you defined in Step 2.
Action Select ACCEPT.
Enable NAT Enable

 

Incoming Interface Select the spoke’s interface to the internal (private) network.
Source Address Select the spoke address you defined in Step 1.
Outgoing Interface Select the virtual IPsec interface you created.
Destination Address Select the hub destination addresses you defined in Step 2.
Action Select ACCEPT.
Enable NAT Enable

Policy-based VPN security policy

Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies on page 1.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter these settings in particular:

spokes

Incoming Interface Select the spoke’s interface to the internal (private) network.
Source Address Select the spoke address you defined in Step 1.
Outgoing Interface Select the spoke’s interface to the external (public) network.
Destination Address Select the hub address you defined in Step 2.
VPN Tunnel Select Use Existing and select the name of the Phase 1 configuration you defined.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Configuring security policies for spoke-to-spoke communication

Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.

  1. Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
  2. Define the security policy to enable communication between this spoke and the spokes in the address group you created.

Policy-based VPN security policy

Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies on page 1. Enter these settings in particular:

Route-based VPN security policy

Define two security policies to permit communications to and from the other spokes.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address. Enter these settings in particular:
Incoming Interface Select the virtual IPsec interface you created.
Source Address Select the spoke address group you defined in Step “Configure the spokes ” on page 107.
Outgoing Interface Select the spoke’s interface to the internal (private) network.
Destination Address Select this spoke’s address name.
Action Select ACCEPT.
Enable NAT Enable
  1. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:
Incoming Interface Select the spoke’s interface to the internal (private) network.
Source Address Select this spoke’s address name.
Outgoing Interface Select the virtual IPsec interface you created.
Destination Address Select the spoke address group you defined in Step 1.
Action Select ACCEPT.
Enable NAT Enable

Policy-based VPN security policy

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following:
Incoming Interface Select this spoke’s internal (private) network interface.
Source Address Select this spoke’s source address.
Outgoing Interface Select the spoke’s interface to the external (public) network.
Destination Address Select the spoke address group you defined in Step 1.
VPN Tunnel Select Use Existing and select the name of the Phase 1 configuration you defined.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Place this policy or policies in the policy list above any other policies having similar source and destination addresses.

Dynamic spokes configuration example

This example demonstrates how to set up a basic route-based hub-and-spoke IPsec VPN that uses preshared keys to authenticate VPN peers.

 

Example hub-and-spoke configuration

In the example configuration, the protected networks 10.1.0.0/24, 10.1.1.0/24 and 10.1.2.0/24 are all part of the larger subnet 10.1.0.0/16. The steps for setting up the example hub-and-spoke configuration create a VPN among Site 1, Site 2, and the HR Network.

The spokes are dialup. Their addresses are not part of the configuration on the hub, so only one spoke definition is required no matter the number of spokes. For simplicity, only two spokes are shown.

In an ADVPN topology, any two pair of peers can create a shortcut, as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages  use TLV encoding.  Because of this, this feature is not compatible with any previous ADVPN builds.

Configure the hub (FortiGate_1)

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate spokes and establish secure connections.

For the purposes of this example, one preshared key will be used to authenticate all of the spokes. Each key must contain at least 6 printable characters and best practices dictates that it only be known by network administrators. For optimum protection against currently known attacks, each key must consist of a minimum of 16 randomly chosen alphanumeric characters.

Define the IPsec configuration

  1. At FortiGate_1, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

Define the Phase 1 parameters that the hub will use to establish a secure connection to the spokes.

Name Enter a name (for example, toSpokes).
Remote Gateway Dialup user
Local Interface External
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Any peer ID

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end points of the VPN tunnels.

  1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  2. Enter the following information, and select OK:
Name Enter a name for the Phase 2 definition (for example, toSpokes_ph2).
Phase 1 Select the Phase 1 configuration that you defined previously (for example, toSpokes).

Define the security policies

security policies control all IP traffic passing between a source address and a destination address. For a routebased VPN, the policies are simpler than for a policy-based VPN. Instead of an IPSEC policy, you use an ACCEPT policy with the virtual IPsec interface as the external interface.

Before you define security policies, you must first define firewall addresses to use in those policies. You need addresses for:

  • The HR network behind FortiGate_1
  • The aggregate subnet address for the protected networks
Defining the IP address of the HR network behind FortiGate_1
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Name Enter an address name (for example, HR_Network).
Type Subnet
Subnet/IP Range Enter the IP address of the HR network behind FortiGate_1 (for example, 10.1.0.0/24).
Specifying the IP address the aggregate protected subnet
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Address Name Enter an address name (for example, Spoke_net).
Type Subnet
Subnet/IP Range Enter the IP address of the aggregate protected network, 10.1.0.0/16
Defining the security policy for traffic from the hub to the spokes  1. Go to Policy & Objects > IPv4 Policy and select Create New,
  1. Leave the Policy Type as Firewall and leave the Policy Subtype as Address. 3. Enter the following information, and select OK:
Incoming Interface Select the interface to the HR network, port 1.
Source Address Select HR_Network.
Outgoing Interface Select the virtual IPsec interface that connects to the spokes, toSpokes.
Destination Address Select Spoke_net.
Action Select ACCEPT.

Place the policy in the policy list above any other policies having similar source and destination addresses.

Configure communication between spokes

Spokes communicate with each other through the hub. You need to configure the hub to allow this

communication. An easy way to do this is to create a zone containing the virtual IPsec interfaces even if there is only one, and create a zone-to-zone security policy.

  1. Go to Network > Interfaces.
  2. Select the down-arrow on the Create New button and select Zone.
  3. In the Zone Name field, enter a name, such as Our_VPN_zone.
  4. Select Block intra-zone traffic.

You could enable intra-zone traffic and then you would not need to create a security policy. But, you would not be able to apply UTM features.

  1. In Interface Members, select the virtual IPsec interface, toSpokes.
  2. Select OK.
Creating a security policy for the zone
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings:
Incoming Interface Select Our_VPN_zone.
Source Address Select All.
Outgoing Interface Select Our_VPN_zone.
Destination Address Select All.
Action Select ACCEPT.
Enable NAT Enable.
  1. Select OK.

Configure the spokes

In this example, all spokes have nearly identical configuration, requiring the following:

  • Phase 1 authentication parameters to initiate a connection with the hub.
  • Phase 2 tunnel creation parameters to establish a VPN tunnel with the hub.
  • A source address that represents the network behind the spoke. This is the only part of the configuration that is different for each spoke.
  • A destination address that represents the aggregate protected network.
  • A security policy to ena.ble communications between the spoke and the aggregate protected network Define the IPsec configuration

At each spoke, create the following configuration.

  1. At the spoke, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button). Enter the following information:
Name Type a name, for example, toHub.
Remote Gateway Select Static IP Address.
IP Address Enter 172.16.10.1.
Local Interface Select Port2.
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration
Peer Options Select Any peer ID.
  1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  2. Enter the following information and select OK:
Name Enter a name for the tunnel, for example, toHub_ph2.
Phase 1 Select the name of the Phase 1 configuration that you defined previously, for example, toHub.
Advanced Select to show the following Quick Mode Selector settings.
Source Enter the address of the protected network at this spoke.

For spoke_1, this is 10.1.1.0/24.

For spoke_2, this is 10.1.2.0/24.

Destination Enter the aggregate protected subnet address, 10.1.0.0/16.

Define the security policies

You need to define firewall addresses for the spokes and the aggregate protected network and then create a security policy to enable communication between them.

Defining the IP address of the network behind the spoke
  1. Go to Policy & Objects > Addresses.
  2. Select Create New and enter the following information:
Address Name Enter an address name, for example LocalNet.
Type Subnet
Subnet/IP Range Enter the IP address of the private network behind the spoke.

For spoke_1, this is 10.1.1.0/24.

For spoke_2, this is 10.1.2.0/24.

Specifying the IP address of the aggregate protected network
  1. Go to Policy & Objects > Addresses.
  2. Select Create New and enter the following information:
Address Name Enter an address name, for example,  Spoke_net.
Type Subnet
Subnet/IP Range Enter the IP address of the aggregate protected network, 10.1.0.0/16.
Defining the security policy
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following information:
Incoming Interface Select the virtual IPsec interface, toHub.
Source Address Select the aggregate protected network address Spoke_net.
Outgoing Interface Select the interface to the internal (private) network, port1.
Destination Address Select the address for this spoke’s protected network LocalNet.
Action Select ACCEPT.
  1. Select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address. Enter the following information, and select OK:
Incoming Interface Select the interface to the internal private network, port1.
Source Address Select the address for this spoke’s protected network, LocalNet.
Outgoing Interface Select the virtual IPsec interface, toHub.
Destination Address Select the aggregate protected network address, Spoke_net.
Action Select ACCEPT.

Place these policies in the policy list above any other policies having similar source and destination addresses.

 

IPSec Gateway-to-gateway

Gateway-to-gateway

This section explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN.

The following topics are included in this section:

Configuration overview

Gateway-to-gateway configuration

How to work with overlapping subnets Testing

Configuration overview

In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Example gateway-to-gateway configuration

In some cases, computers on the private network behind one VPN peer may (by co-incidence) have IP addresses that are already used by computers on the network behind the other VPN peer. In this type of situation

(ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent. To resolve issues related to ambiguous routing, see Configuration overview on page 84.

Configuration overview

In other cases, computers on the private network behind one VPN peer may obtain IP addresses from a local DHCP server. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and/or IP-address overlap issues may arise. For a discussion of the related issues, see FortiGate dialup-client configurations  on page 1.

Configuration overview

You can set up a fully meshed or partially meshed configuration (see below).

Fully meshed configuration

In a fully meshed network, all VPN peers are connected to each other, with one hop between peers. This topology is the most fault-tolerant: if one peer goes down, the rest of the network is not affected. This topology is difficult to scale because it requires connections between all peers. In addition, unnecessary communication can occur between peers. Best practices dictates a hub-and-spoke configuration instead (see Hub-and-spoke configurations on page 1).

 

Partially meshed configuration

A partially meshed network is similar to a fully meshed network, but instead of having tunnels between all peers, tunnels are only configured between peers that communicate with each other regularly.

Gateway-to-gateway configuration

The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed by both FortiGate units:

  • Define the Phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
  • Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
  • Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.

Gateway-to-gateway configuration

Configuring Phase 1 and Phase 2 for both peers

This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units. Before you define the Phase 1 parameters, you need to:

  • Reserve a name for the remote gateway.
  • Obtain the IP address of the public interface to the remote peer. l Reserve a unique value for the preshared key.

The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must have a minimum of 16 randomly chosen alphanumeric characters.

At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See IPsec VPN in the web-based manager on page 38.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button). Enter the following information, and select OK.
Name Enter peer_1.

A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway Select Static IP Address.
IP Address Enter 172.20.0.2 when configuring FortiGate_1.

Enter 172.18.0.2 when configuring FortiGate_2. The IP address of the remote peer public interface.

Local Interface Select wan1.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See IPsec VPN in the web-based manager on page 38.

  1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  2. Enter a Name of peer_1_p2.
  3. Select peer_1 from the Phase 1 drop-down menu.

Creating security policies

Security policies control all IP traffic passing between a source address and a destination address.

An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.

Before you define security policies, you must first specify the IP source and destination addresses. In a gatewayto-gateway configuration:

  • The IP source address corresponds to the private network behind the local FortiGate unit. l The IP destination address refers to the private network behind the remote VPN peer.

When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.

The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:

  • Define the Phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
  • Define the Phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
  • Create the security policy and define the scope of permitted services between the IP source and destination addresses.

When creating security policies it is good practice to include a comment describing what the policy does.

Creating firewall addresses

Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks.

To define the IP address of the network behind FortiGate_1
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of Finance_network. Select a Type of Subnet.
  3. Enter the Subnet of 21.101.0/24.
  4. Select OK.
To specify the address of the network behind FortiGate_2
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of HR_network.
  3. Select a Type of Subnet.
  4. Enter the Subnet/IP Range of 31.101.0/24. 5. Select OK.

Creating route-based VPN security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses.

To create route-based VPN security policies  1. Go to Policy & Objects > IPv4 Policy and select Create New
  1. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

Gateway-to-gateway configuration

  1. Enter the following, and select OK.
Incoming Interface Select internal.

The interface that connects to the private network behind this FortiGate unit.

Source Address Select Finance_network when configuring FortiGate_1.

Select HR_network when configuring FortiGate_2.

The address name for the private network behind this FortiGate unit.

Outgoing Interface Select peer_1.

The VPN Tunnel (IPsec Interface) you configured earlier.

Destination Address Select HR_network when configuring FortiGate_1.

Select Finance_network when configuring FortiGate_2.

The address name that you defined for the private network behind the remote peer.

Action Select ACCEPT.
Enable NAT Disable.
Comments Allow Internal to remote VPN network traffic.
  1. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
  2. Select Create New to create another policy for the other direction.
  3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  4. Enter the following information, and select OK.
Incoming Interface Select peer_1.

The VPN Tunnel (IPsec Interface) you configured.

Source Address Select HR_network when configuring FortiGate_1.

Select Finance_Network when configuring FortiGate_2.

The address name defined for the private network behind the remote peer.

Outgoing Interface Select internal.

The interface that connects to the private network behind this FortiGate unit.

Destination Address Select Finance_Network when configuring FortiGate_1.

Select HR_network when configuring FortiGate_2.

The address name defined for the private network behind this FortiGate unit.

Action Select ACCEPT.
Enable NAT Disable.
Comments Allow remote VPN network traffic to Internal.
  1. Configure any additional features such as UTM or traffic shaping you may want. (optional).

All network traffic must have a static route to direct its traffic to the proper destination. Without a route, traffic will not flow even if the security policies are configured properly. You may need to create a static route entry for both directions of VPN traffic if your security policies allow bi-directional tunnel initiation.

To configure the route for a route-based VPN:

  1. On FortiGate_2, go to Network > Static Routes and select Create New.
  2. Enter the following information, and then select OK:
Destination IP / Mask 10.21.101.0/24
Device FGT2_to_FGT1_Tunnel
Gateway Leave as default: 0.0.0.0.
Distance (Advanced) Leave this at its default.

If there are other routes on this FortiGate unit, you may need to set the distance on this route so the VPN traffic will use it as the default route. However, this normally happens by default because this route is typically a better match than the generic default route.

Creating policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Complete the following:
Incoming Interface Select internal.

The interface that connects to the private network behind this FortiGate unit.

 

Source Address Select Finance_network when configuring FortiGate_1.

Select HR_network when configuring FortiGate_2.

The address name defined for the private network behind this FortiGate unit.

Outgoing Interface Select wan1.

The FortiGate unit’s public interface.

Destination Address Select HR_network when configuring FortiGate_1.

Select Finance_network when configuring FortiGate_2.

VPN Tunnel Select Use Existing and select peer_1 from the VPN Tunnel drop-down list.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Comments Bidirectional policy-based VPN policy.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

How to work with overlapping subnets

A site-to-site VPN configuration sometimes has the problem that the private subnet addresses at each end are the same. You can resolve this problem by remapping the private addresses using virtual IP addresses (VIP).

VIPs allow computers on those overlapping private subnets to each have another set of IP addresses that can be used without confusion. The FortiGate unit maps the VIP addresses to the original addresses. This means if PC1 starts a session with PC2 at 10.31.101.10, FortiGate_2 directs that session to 10.11.101.10 — the actual IP address of PC2.The figure below demonstrates this — Finance network VIP is 10.21.101.0/24 and the HR network is 10.31.101.0/24.

How to work with overlapping subnets

Overlapped subnets example

Solution for route-based VPN

You need to:

  • Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
  • Configure virtual IP (VIP) mapping:
  • the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
  • the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2 l Configure an outgoing security policy with ordinary source NAT on both FortiGates.
  • Configure an incoming security policy with the VIP as the destination on both FortiGates.
  • Configure a route to the remote private network over the IPsec interface on both FortiGates.

To configure VIP mapping on both FortiGates

  1. Go to Policy & Objects > Virtual IPs and create a new Virtual IP.
  2. Enter the following information, and select OK:
Name Enter a name, for example, my_vip.
External Interface Select FGT1_to_FGT2. The IPsec interface.
VIP Type Depending on both FortiGates, select one of the following options:

l    IPv4: If both FortiGates use IPv4 (Static NAT).

l    IPv6: If both FortiGates use IPv6 (Static NAT).

l    NAT46: Maps the IPv4 address into an IPv6 prefix.

l    NAT64: Maps the IPv6 address into an IPv4 prefix.

External IP Address/Range For the External IP Address field enter:

10.21.101.1  when configuring FortiGate_1, or

10.31.101.1  when configuring FortiGate_2.

Mapped IP Address/Range For the Mapped IP Address enter 10.11.101.1.

For the Range enter 10.11.101.254.

Port Forwarding Disable
  1. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the outbound security policy on both FortiGates

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
Incoming Interface Select Port 1.
Outgoing Interface Select FGT1_to_FGT2.

The IPsec interface.

Source Select all.
Destination Address Select all.
Action Select ACCEPT
NAT Enable NAT.
  1. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the inbound security policy on both FortiGates

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and then select OK:
Incoming Interface Select FGT1_to_FGT2.

How to work with overlapping subnets

Outgoing Interface Select Port 1.

The IPsec interface.

Source Select all.
Destination Address Select my-vip.
Action Select ACCEPT
NAT Disable NAT.
  1. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the static route for both FortiGates

  1. Go to Network > Static Routes and create a new Route (or IPv6 Route as necessary).
  2. Enter the following information, and then select OK:
Destination Enter a subnet of 10.31.101.0/24 when configuring FortiGate_1. Enter a subnet of 10.21.101.0/24 when configuring FortiGate_2.
Device Select FGT1_to_FGT2.
Gateway Leave as default: 0.0.0.0.
Administrative Distance Leave at default (10).

If you have advanced routing on your network, you may have to change this value.

Advanced Options If you have advanced routing on your network, enable Advanced Options and enter a Priority.

Solution for policy-based VPN

As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address. PC1 communicates with PC2 using IP address 10.31.101.10, and PC2 communicates with PC1 using IP address 10.21.101.10.

In this solution however, outbound NAT is used to translate the source address of packets from the

10.11.101.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply. Inbound packets from the remote end have their destination addresses translated back to the 10.11.101.0/24 network.

For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using destination address 10.21.101.10, with the PC2 source address translated to 10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have the same IP address.

You need to:

  • Configure IPsec Phase 1 as you usually would for a policy-based VPN. l Configure IPsec Phase 2 with the use-natip disable CLI option.  l Define a firewall address for the local private network, 10.11.101.0/24.
  • Define a firewall address for the remote private network:
  • Define a firewall address for 10.31.101.0/24 on FortiGate_1
  • Define a firewall address for 10.21.101.0/24 on FortiGate_2
  • Configure an outgoing IPsec security policy with outbound NAT to map 10.11.101.0/24 source addresses:
  • To the 10.21.101.0/24 network on FortiGate_1
  • To the 10.31.101.0/24 network on FortiGate_2

To configure IPsec Phase 2 – CLI

config vpn ipsec phase2 edit “FGT1_FGT2_p2” set keepalive enable set pfs enable set phase1name FGT1_to_FGT2 set proposal 3des-sha1 3des-md5 set replay enable set use-natip disable

end

In this example, your Phase 1 definition is named FGT1_to_FGT2. use-natip is set to disable, so you can specify the source selector using the src-addr-type, src-start-ip / src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0.

The pfs keyword ensures that perfect forward secrecy (PFS) is used. This ensures that each Phase 2 key created is unrelated to any other keys in use.

To define the local private network firewall address

  1. Go to Policy & Objects > Addresses and create a new Address. 2. Enter the following information and select OK.
Category Set to Address.
Name Enter vpn-local. A meaningful name for the local private network.
Type Set to IP/Netmask.
Subnet / IP Range 10.11.101.0 255.255.255.0
Interface Set to any.

To define the remote private network firewall address

  1. Go to Policy & Objects > Addresses and create a new Address.
  2. Enter the following information, and select OK:
Category Set to Address.

Testing

Name Enter vpn-remote. A meaningful name for the remote private network.
Type Set to IP/Netmask.
Subnet / IP Range 10.31.101.0 255.255.255.0 on FortiGate_1.

10.21.101.0 255.255.255.0 on FortiGate_2.

Interface Any

To configure the IPsec security policy

In the CLI on FortiGate_1, enter the commands:

config firewall policy edit 1 set srcintf “port1” set dstintf “port2” set srcaddr “vpn-local” set dstaddr “vpn-remote” set action ipsec set schedule “always” set service “ANY” set inbound enable set outbound enable set vpntunnel “FGT1_to_FGT2” set natoutbound enable

set natip 10.31.101.0 255.255.255.0

end

Optionally, you can set everything except natip in the web-based manager and then use the CLI to set natip.

Enter the same commands on FortiGate_2, but set natip be 10.21.101.0 255.255.255.0.

Testing

The best testing is to look at the packets both as the VPN tunnel is negotiated, and when the tunnel is up.

Determining what the other end of the VPN tunnel is proposing

  1. Start a terminal program such as PuTTY and set it to log all output.

When necessary refer to the logs to locate information when output is verbose.

  1. Logon to the FortiGate unit using a super_admin account.
  2. Enter the following CLI commands.
  3. Display all the possible IKE error types and the number of times they have occurred:

 

diag vpn ike errors

 

  1. Check for existing debug sessions:

 

diag debug info

 

 

Testing

If a debug session is running, to halt it enter:

diag debug disable

 

  1. Confirm your proposal settings:

 

diag vpn ike config list

 

  1. If your proposal settings do not match what you expect, make a change to it and save it to force an update in memory. If that fixes the problem, stop here.
  2. List the current vpn filter:

 

diag vpn ike filter

 

  1. If all fields are set to any, there are no filters set and all VPN IKE packets will be displayed in the debug output. If your system has only a few VPNs, skip setting the filter.

If your system has many VPN connections this will result in very verbose output and make it very difficult to locate the correct connection attempt.

  1. Set the VPN filter to display only information from the destination IP address for example 10.10.10.10:

 

diag vpn ike log-filter dst-addr4 10.10.10.10

To add more filter options, enter them one per line as above. Other filter options are:

clear erase the current filter
dst-addr6 the IPv6 destination address range to filter by
dst-port the destination port range to filter by
interface interface that IKE connection is negotiated over
list display the current filter
name the phase1 name to filter by
negate negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port the source port range to filter by
vd index of virtual domain. 0 matches all
  1. Start debugging:

diag debug app ike 255 diag debug enable

 

  1. Have the remote end attempt a VPN connection.

If the remote end attempts the connection they become the initiator. This situation makes it easier to debug VPN tunnels because then you have the remote information and all of your local information. by initiate the connection, Testing

you will not see the other end’s information.

  1. If possible go to the web-based manager on your FortiGate unit, go to the VPN monitor and try to bring the tunnel up.
  2. Stop the debug output:

 

diag debug disable

 

  1. Go back through the output to determine what proposal information the initiator is using, and how it is different from your VPN P1 proposal settings.

Things to look for in the debug output of attempted VPN connections are shown below.

Important terms to look for in VPN debug output

initiator Starts the VPN attempt, in the above procedure that is the remote end
responder Answers the initiator’s request
local ID In aggressive mode, this is not encrypted
error no SA proposal chosen There was no proposal match — there was no encryption-authentication pair in common, usually occurs after a long list of proposal attempts
R U THERE and R U THERE ack dead peer detection (dpd), also known as dead gateway detection — after three failed attempts to contact the remote end it will be declared dead, no farther attempts will be made to contact it
negotiation result lists the proposal settings that were agreed on
SA_life_soft and SA_life_ hard negotiating a new key, and the key life
R U THERE If you see this, it means Phase 1 was successful
tunnel up the negotiation was successful, the VPN tunnel is operational

Defining VPN security policies

Defining VPN security policies

This section explains how to specify the source and destination IP addresses of traffic transmitted through an IPsec VPN, and how to define appropriate security policies.

The following topics are included in this section:

Defining policy addresses

Defining security policies for policy-based and route-based VPNs

Defining policy addresses

A VPN tunnel has two end points. These end points may be VPN peers such as two FortiGate gateways. Encrypted packets are transmitted between the end points. At each end of the VPN tunnel, a VPN peer intercepts encrypted packets, decrypts the packets, and forwards the decrypted IP packets to the intended destination.

You need to define firewall addresses for the private networks behind each peer. You will use these addresses as the source or destination address depending on the security policy.

policy addresses

Example topology for the following policies

In general:

  • In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need to define a policy address for the private IP address of the network behind the remote VPN peer (for example,

192.168.10.0/255.255.255.0 or 192.168.10.0/24).

  • In a peer-to-peer configuration, you need to define a policy address for the private IP address of a server or host behind the remote VPN peer (for example, 16.5.1/255.255.255.255 or 172.16.5.1/32 or 172.16.5.1).

For a FortiGate dialup server in a dialup-client or Internet-browsing configuration:

  • If you are not using VIP addresses, or if the FortiGate dialup server assigns VIP addresses to FortiClient dialup clients through FortiGate DHCP relay, select the predefined destination address “all” in the security policy to refer to the dialup clients.
  • If you assign VIP addresses to FortiClient dialup clients manually, you need to define a policy address for the VIP address assigned to the dialup client (for example, 254.254.1/32), or a subnet address from which the VIP addresses are assigned (for example, 10.254.254.0/24 or 10.254.254.0/255.255.255.0).
  • For a FortiGate dialup client in a dialup-client or Internet-browsing configuration, you need to define a policy address for the private IP address of a host, server, or network behind the FortiGate dialup server.

VPN security policies                                  Defining security policies for policy-based and route-based VPNs

Defining a security IP address

  1. Go to Policy & Objects > Addresses and select Create New.
  2. In the Name field, type a descriptive name that represents the network, server(s), or host(s).
  3. In Type, select Subnet.
  4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask.

For a subnet you could use the format 172.16.5.0/24 or its equivalent 172.16.5.0/255.255.255.0. For a server or host it would likely be 172.16.5.1/32. Alternately you can use an IP address range such as

192.168.10.[80-100] or 192.168.10.80-192.168.10.100.

  1. Select OK.

Defining security policies for policy-based and route-based VPNs

Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to particular traffic by specifying source address and destination addresses. Then only traffic from those addresses will be allowed.

Policy-based and route-based VPNs require different security policies.

  • A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions.
  • A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPsec interface (Phase 1 configuration) of the VPN. The IPsec interface is the destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be configured for each direction of each VPN interface.

There are examples of security policies for both policy-based and route-based VPNs throughout this guide. See Route-based or policy-based VPN on page 119.

If the security policy, which grants the VPN Connection is limited to certain services,

DHCP must be included, otherwise the client won’t be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server, because the DHCP Request (coming out of the tunnel) will be blocked.

Policy-based VPN

An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases, a single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Be aware of the following considerations below before creating an IPsec security policy.

Allow traffic to be initiated from the remote site

Security policies specify which IP addresses can initiate a tunnel. By default, traffic from the local private network initiates the tunnel. When the Allow traffic to be initiated form the remote site option is selected, traffic from a dialup client, or a computer on a remote network, initiates the tunnel. Both can be enabled at the same time for bi-directional initiation of the tunnel.

security policies for policy-based and route-based VPNs

Outbound and inbound NAT

When a FortiGate unit operates in NAT mode, you can also enable inbound or outbound NAT. Outbound NAT may be performed on outbound encrypted packets or IP packets in order to change their source address before they are sent through the tunnel. Inbound NAT is performed to intercept and decrypt emerging IP packets from the tunnel.

By default, these options are not selected in security policies and can only be set through the CLI. For more information on this, see the “config firewall” chapter of the FortiGate CLI Reference.

Source and destination addresses

Most security policies control outbound IP traffic. A VPN outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the security policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel.

Enabling other policy features

You can fine-tune a policy for services such as HTTP, FTP, and POP3, enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, email services, and optionally allow connections according to a predefined schedule.

As an option, differentiated services (diffserv or DSCP) for the security policy can be enabled through the CLI. For more information on this feature, see the Traffic Shaping handbook chapter,  or the “firewall” chapter of the FortiGate CLI Reference.

Before you begin

Before you define the IPsec policy, you must:

  • Define the IP source and destination addresses. See Defining policy addresses on page 78.
  • Specify the Phase 1 authentication parameters. See Phase 1 parameters on page 52.
  • Specify the Phase 2 parameters. See Phase 2 parameters on page 72.
Defining an IPsec security policy
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and set the following options:
Name Enter a name for the security policy.
Incoming Interface Select the local interface to the internal (private) network.
Outgoing Interface Select the local interface to the external (public) network.
Source Select the name that corresponds to the local network, server(s), or host(s) from which IP packets may originate.

VPN security policies                                  Defining security policies for policy-based and route-based VPNs

Destination Address Select the name that corresponds to the remote network, server(s), or host (s) to which IP packets may be delivered.
Schedule Keep the default setting (always) unless changes are needed to meet specific requirements.
Service Keep the default setting (ANY) unless changes are needed to meet your specific requirements.
Action For the purpose of this configuration, set Action to IPsec. Doing this will close Firewall / Network Options and open VPN Tunnel options. Select the VPN tunnel of your choice, and select Allow traffic to be initiated from the remote site, which will allow traffic from the remote network to initiate the tunnel.
  1. You may enable UTM features, and/or event logging, or select advanced settings to authenticate a user group, or shape traffic. For more information, see the Firewall handbook chapter.
  2. Select OK.
  3. Place the policy in the policy list above any other policies having similar source and destination addresses.

Defining multiple IPsec policies for the same tunnel

You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access to more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec policy for each network. Multiple policies may be required to configure redundant connections to a remote destination or control access to different services at different times.

To ensure a secure connection, the FortiGate unit must evaluate policies with Action set to IPsec  before

ACCEPT and DENY. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec policies to the top of the list, and be sure to  reorder your multiple IPsec policies that apply to the tunnel so that specific constraints can be evaluated before general constraints.

Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the policies specify similar source and destination addresses, but have different settings for the same service. When policies overlap in this manner, the system may apply the wrong IPsec policy or the tunnel may fail.

For example, if you create two equivalent IPsec policies for two different tunnels, it does not matter which one comes first in the list of IPsec policies — the system will select the correct policy based on the specified source and destination addresses. If you create two different IPsec policies for the same tunnel (that is, the two policies treat traffic differently depending on the nature of the connection request), you might have to reorder the IPsec policies to ensure that the system selects the correct IPsec policy.

Route-based VPN

When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec security policies.

security policies for policy-based and route-based VPNs

Defining security policies for a route-based VPN

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and define an ACCEPT security policy to permit communication between the local private network and the private network behind the remote peer. Enter these settings in particular:
Name Enter a name for the security policy.
Incoming Interface Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface Select the IPsec Interface you configured.
Source Select the address name that you defined for the private network behind this FortiGate unit.
Destination Address Select the address name that you defined for the private network behind the remote peer.
Action Select ACCEPT.
NAT Disable NAT.

To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

  1. Select Create New and enter these settings in particular:
Name Enter a name for the security policy.
Incoming Interface Select the IPsec Interface you configured.
Outgoing Interface Select the interface that connects to the private network behind this FortiGate unit.
Source Select the address name that you defined for the private network behind the remote peer.
Destination Address Select the address name that you defined for the private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable NAT.

 

IPSec Phase 2 parameters

Phase 2 parameters

This section describes the Phase 2 parameters that are required to establish communication through a VPN. The following topics are included in this section:

Phase 2 settings

Configuring the Phase 2 parameters

Phase 2 settings

After IPsec VPN Phase 1 negotiations complete successfully, Phase 2 negotiation begins. Phase 2 parameters define the algorithms that the FortiGate unit can use to encrypt and transfer data for the remainder of the session. The basic Phase 2 settings associate IPsec Phase 2 parameters with a Phase 1 configuration.

When defining Phase 2 parameters, you can choose any set of Phase 1 parameters to set up a secure connection and authenticate the remote peer.

For more information on Phase 2 settings in the web-based manager, see IPsec VPN in the web-based manager on page 38.

The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys.

Phase 2 Proposals

In Phase 2, the VPN peer or client and the FortiGate unit exchange keys again to establish a secure communication channel. The Phase 2 Proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). The keys are generated automatically using a Diffie-Hellman algorithm.

Replay Detection

IPsec tunnels can be vulnerable to replay attacks. Replay Detection enables the FortiGate unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate unit discards them.

IKE/IPsec Extended Sequence Number (ESN) support

64-bit Extended Sequence numbers (as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2.) are supported for IPsec when Replay Detection is enabled.

Perfect Forward Secrecy (PFS)

By default, Phase 2 keys are derived from the session key created in Phase 1. Perfect Forward Secrecy (PFS) forces a new Diffie-Hellman exchange when the tunnel starts and whenever the Phase 2 keylife expires, causing a new key to be generated each time. This exchange ensures that the keys created in Phase 2 are unrelated to the Phase 1 keys or any other keys generated automatically in Phase 2.

Phase 2 settings

Keylife

The Keylife setting sets a limit on the length of time that a Phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the Phase 2 key expires, a new key is generated without interrupting service.

Quick mode selectors

Quick mode selectors determine which IP addresses can perform IKE negotiations to establish a tunnel. By only allowing authorized IP addresses access to the VPN tunnel, the network is more secure.

The default settings are as broad as possible: any IP address or configured address object, using any protocol, on any port.

While the drop down menus for specifying an address also show address groups, the use of address groups may not be supported on a remote endpoint device that is not a FortiGate.

The address groups are at the bottom of the list to make it easy to distinguish between addresses and address groups.

When configuring Quick Mode selector Source address and Destination address, valid options include IPv4 and IPv6 single addresses, IPv4 subnet, or IPv6 subnet. For more information on IPv6 IPsec VPN, see Overview of IPv6 IPsec support on page 1.

There are some configurations that require specific selectors:

  • The VPN peer is a third-party device that uses specific phase2 selectors.
  • The FortiGate unit connects as a dialup client to another FortiGate unit, in which case (usually) you must specify a source IP address, IP address range, or subnet. However, this is not required if you are using dynamic routing and mode-cfg.

With FortiOS VPNs, your network has multiple layers of security, with quick mode selectors being an important line of defence.

  • Routes guide traffic from one IP address to another.
  • Phase 1 and Phase 2 connection settings ensure there is a valid remote end point for the VPN tunnel that agrees on the encryption and parameters.
  • Quick mode selectors allow IKE negotiations only for allowed peers. l Security policies control which IP addresses can connect to the VPN.
  • Security policies also control what protocols are allowed over the VPN along with any bandwidth limiting.

FortiOS is limited with IKEv2 selector matching. When using IKEv2 with a named traffic selector, no more than 32 subnets per traffic selector are added, since FortiOS doesn’t fully implement the IKEv2 selector matching rules.

The workaround is to use multiple Phase 2s. If the configuration is FGT <-> FGT, then the better alternative is to just use 0.0.0.0 <-> 0.0.0.0 and use the firewall policy for enforcement.

Phase 2 parameters                                                                                          Configuring the

Using the add-route option

Consider using the add-route option to add a route to a peer destination selector. Phase 2 includes the option of allowing the add-route to automatically match the settings in Phase 1. For more information, refer to Phase 1 parameters on page 52.

Syntax

Phase 2

config vpn ipsec {phase2 | phase2-interface} edit <name> set add-route {phase1 | enable | disable}

end

end

Configuring the Phase 2 parameters

If you are creating a hub-and-spoke configuration or an Internet-browsing configuration, you may have already started defining some of the required Phase 2 parameters. If so, edit the existing definition to complete the configuration.

Specifying the Phase 2 parameters

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Enter a Name for the Phase 2 configuration, and select a Phase 1 configuration from the drop-down list.
  4. Select Advanced.
  5. Include the appropriate entries as follows:
Phase 2 Proposal Select the encryption and authentication algorithms that will be used to change data into encrypted code.

Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.

It is invalid to set both Encryption and Authentication to null.

Configuring the Phase 2 parameters

Encryption Select a symmetric-key algorithms:

NULL — Do not use an encryption algorithm.

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

3DES — Triple-DES; plain text is encrypted three times by three keys.

AES128 — A 128-bit block algorithm that uses a 128-bit key.

AES192 — A 128-bit block algorithm that uses a 192-bit key.

AES256 — A 128-bit block algorithm that uses a 256-bit key.

Authentication You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL — Do not use a message digest.

MD5 — Message Digest 5.

SHA1 — Secure Hash Algorithm 1 – a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

For information regarding NP accelerated offloading of IPsec VPN authentication algorithms, please refer to the Hardware Acceleration handbook chapter.

Enable replay detection Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS) Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
Diffie-Hellman Group Select one Diffie-Hellman group (1, 2, 5, 14 through 21, or 27 through 30). The remote peer or dialup client must be configured to use the same group.
Keylife Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive Enable the option if you want the tunnel to remain active when no data is being processed.
Auto-negotiate Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

Phase 2 parameters                                                                                          Configuring the

DHCP-IPsec Select Enable if the FortiGate unit acts as a dialup server and FortiGate DHCP server or relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP server or relay parameters must be configured separately.

If the FortiGate unit acts as a dialup server and the FortiClient dialup client VIP addresses match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.

This is available only for Phase 2 configurations associated with a dialup Phase 1 configuration. It works only on policy-based VPNs.

Autokey Keep Alive

The Phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, however, the SA expires (by default) and the VPN tunnel goes down. A new SA will not be generated until there is traffic.

The Autokey Keep Alive option ensures that a new Phase 2 SA is negotiated, even if there is no traffic, so that the VPN tunnel stays up.

Auto-negotiate

By default, the Phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.

If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Autonegotiate initiates the Phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.

Automatically establishing the SA can be important for a dialup peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.

The auto-negotiate feature is available through the Command Line Interface (CLI) via the following commands:

config vpn ipsec phase2 edit <phase2_name> set auto-negotiate enable

end

Installing dynamic selectors via auto-negotiate

The IPsec SA connect message generated is used to install dynamic selectors. These selectors can now be installed via the auto-negotiate mechanism. When phase 2 has auto-negotiate enabled, and phase 1 has meshselector-type set to subnet, a new dynamic selector will be installed for each combination of source and destination subnets. Each dynamic selector will inherit the auto-negotiate option from the template selector and begin SA negotiation. Phase 2 selector sources from dial-up clients will all establish SAs without traffic being initiated from the client subnets to the hub.

Configuring the Phase 2 parameters

DHCP-IPsec

Select this option if the FortiGate unit assigns VIP addresses to FortiClient dialup clients through a DHCP server or relay. This option is available only if the Remote Gateway in the Phase 1 configuration is set to Dialup User and it works only on policy-based VPNs.

With the DHCP-IPsec option, the FortiGate dialup server acts as a proxy for FortiClient dialup clients that have VIP addresses on the subnet of the private network behind the FortiGate unit. In this case, the FortiGate dialup server acts as a proxy on the local private network for the FortiClient dialup client. When a host on the network behind the dialup server issues an ARP request that corresponds to the device MAC address of the FortiClient host (when a remote server sends an ARP to the local FortiClient dialup client), the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel.

This feature prevents the VIP address assigned to the FortiClient dialup client from causing possible arp broadcast problems — the normal and VIP addresses can confuse some network switches by two addresses having the same MAC address.

 

IPSec Phase 1 parameters

Phase 1 parameters

This chapter provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The Phase 1 parameters identify the remote peer or clients and supports authentication through preshared keys or digital certificates. You can increase access security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes.

For more information on Phase 1 parameters in the web-based manager, see IPsec VPN in the web-based manager on page 38.

The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys.

The following topics are included in this section:

Overview

Defining the tunnel ends

Choosing Main mode or Aggressive mode

Choosing the IKE version

Authenticating the FortiGate unit

Authenticating remote peers and clients

Defining IKE negotiation parameters

Using XAuth authentication

Dynamic IPsec route control

Overview

To configure IPsec Phase 1 settings, go to VPN > IPsec Tunnels and edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

IPsec Phase 1 settings define:

  • The remote and local ends of the IPsec tunnel
  • If Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
  • If a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
  • If the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
  • The IKE negotiation proposals for encryption and authentication
  • Optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.

For all the Phase 1 web-based manager fields, see IPsec VPN in the web-based manager on page 38.

 

Defining the tunnel ends

If you want to control how IKE is negotiated when there is no traffic, as well as the length of time the unit waits for negotiations to occur, use the negotiation-timeout and auto-negotiate commands in the CLI.

Defining the tunnel ends

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

The remote gateway can be:

  • A static IP address
  • A domain name with a dynamic IP address
  • A dialup client

A statically addressed remote gateway is the simplest to configure. You specify the IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer has a domain name and subscribes to a dynamic DNS service, you need to specify only the domain name. The FortiGate unit performs a DNS query to determine the appropriate IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer is a dialup client, only the dialup client can bring up the tunnel. The IP address of the client is not known until it connects to the FortiGate unit. This configuration is a typical way to provide a VPN for client PCs running VPN client software such as the FortiClient Endpoint Security application.

The local end of the VPN tunnel, the Local Interface, is the FortiGate interface that sends and receives the IPsec packets. This is usually the public interface of the FortiGate unit that is connected to the Internet (typically the WAN1 port). Packets from this interface pass to the private network through a security policy.

By default, the local VPN gateway is the IP address of the selected Local Interface. If you are configuring an interface mode VPN, you can optionally use a secondary IP address of the Local Interface as the local gateway.

Choosing Main mode or Aggressive mode

The FortiGate unit and the remote peer or dialup client exchange Phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations.

  • In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information
  • In Aggressive mode, the Phase 1 parameters are exchanged in a single message with unencrypted authentication information.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier local ID. Aggressive mode might not be as secure as Main mode, but the advantage to Aggressive mode is that it Choosing the IKE version

is faster than Main mode (since fewer packets are exchanged). Aggressive mode is typically used for remote access VPNs. But you would also use aggressive mode if one or both peers have dynamic external IP addresses. Descriptions of the peer options in this guide indicate whether Main or Aggressive mode is required.

Choosing the IKE version

If you create a route-based VPN, you have the option of selecting IKE version 2. Otherwise, IKE version 1 is used. IKEv2, defined in RFC 4306, simplifies the negotiation process that creates the security association (SA). If you select IKEv2:

  • There is no choice in Phase 1 of Aggressive or Main mode. l FortiOS does not support Peer Options or Local ID.
  • Extended Authentication (XAUTH) is not available. l You can select only one Diffie-Hellman Group.  l You can utilize EAP and MOBIKE.

Repeated authentication in IKEv2

This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key). This solution is in response to RFC 4478. As described by the IETF, “the purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer”.

Syntax

config vpn ipsec phase1-interface edit p1 set reauth [enable | disable]

next

end

IKEv2 cookie notification for IKE_SA_INIT

IKEv2 offers an optional exchange within IKE_SA_INIT (the initial exchange between peers when establishing a secure tunnel) as a result of an inherent vulnerability in IPsec implementations, as described in RFC 5996.

Two expected attacks against IKE are state and CPU exhaustion, where the target is flooded with session initiation requests from forged IP addresses. These attacks can be made less effective if a responder uses minimal CPU and commits no state to an SA until it knows the initiator can receive packets at the address from which it claims to be sending them.

If the IKE_SA_INIT response includes the cookie notification, the initiator MUST then retry the IKE_SA_INIT request, and include the cookie notification containing the received data as the first payload, and all other payloads unchanged.

Upon detecting that the number of half-open IKEv2 SAs is above the threshold value, the VPN dialup server requires all future SA_INIT requests to include a valid cookie notification payload that the server sends back, in order to preserve CPU and memory resources.

the FortiGate unit

For most devices, the threshold value is set to 500, half of the maximum 1,000 connections.

This feature is enabled by default in FortiOS 5.4.

IKEv2 Quick Crash Detection

There is support for IKEv2 Quick Crash Detection (QCD) as described in RFC 6290.

RFC 6290 describes a method in which an IKE peer can quickly detect that the gateway peer that it has and established an IKE session with has rebooted, crashed, or otherwise lost IKE state. When the gateway receives IKE messages or ESP packets with unknown IKE or IPsec SPIs, the IKEv2 protocol allows the gateway to send the peer an unprotected IKE message containing INVALID_IKE_SPI or INVALID_SPI notification payloads.

RFC 6290 introduces the concept of a QCD token, which is generated from the IKE SPIs and a private QCD secret, and exchanged between peers during the protected IKE AUTH exchange.

Adding Quick Crash Detection – CLI Syntax

config system settings set ike-quick-crash-detect [enable | disable]

end

IKEv1 Quick Crash Detection

Based on the IKEv2 QCD feature described above, IKEv1 QCD is implemented using a new IKE vendor ID,

“Fortinet Quick Crash Detection”, and so both endpoints must be FortiGate devices. The QCD token is sent in the Phase 1 exchange and must be encrypted, so this is only implemented for IKEv1 in Main mode (Aggressive mode is not supported as there is no available AUTH message in which to include the token).

Otherwise, the feature works the same as in IKEv2 (RFC 6290).

Authenticating the FortiGate unit

The FortiGate unit can authenticate itself to remote peers or dialup clients using either a pre-shared key or an RSA Signature (certificate).

Authenticating the FortiGate unit with digital certificates

To authenticate the FortiGate unit using digital certificates, you must have the required certificates installed on the remote peer and on the FortiGate unit. The signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer. If you use certificates to authenticate the FortiGate unit, you can also require the remote peers or dialup clients to authenticate using certificates.

For more information about obtaining and installing certificates, see the FortiOS User Authentication guide.

Authenticating the FortiGate unit using digital certificates

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):

Authenticating the FortiGate unit

Name Enter a name that reflects the origination of the remote connection. For interface mode, the name can be up to 15 characters long.
Remote Gateway Select the nature of the remote connection.

Each option changes the available fields you must configure. For more information, see Authenticating the FortiGate unit on page 55.

Local Interface Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 55. The local interface is typically the WAN1 port.
Mode Select a mode. It is easier to use Aggressive mode.

In Main mode, parameters are exchanged in multiple encrypted rounds.

In Aggressive mode, parameters are exchanged in a single unencrypted message.

Aggressive mode must be used when the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).

For more information, see Authenticating the FortiGate unit on page 55.

Authentication Method Select Signature.
Certificate Name Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.

You must obtain and load the required server certificate before this selection. See the FortiOS User Authentication guide. If you have not loaded any certificates, use the certificate named Fortinet_Factory.

Peer Options Peer options define the authentication requirements for remote peers or dialup clients. They are not for your FortiGate unit itself.

See Authenticating the FortiGate unit on page 55.

Advanced You can use the default settings for most Phase 1 configurations. Changes are required only if your network requires them. These settings includes IKE version, DNS server, P1 proposal encryption and authentication settings, and XAuth settings. See Authenticating the FortiGate unit on page 55.
  1. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters in the Advanced section. See Authenticating the FortiGate unit on page 55. Select OK.

the FortiGate unit

Authenticating the FortiGate unit with a pre-shared key

The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared

key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.

If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see Authenticating the FortiGate unit on page 55.

The pre-shared key must contain at least 6 printable characters and best practices dictate that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.

Authenticating the FortiGate unit with a pre-shared key

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):
Name Enter a name that reflects the origination of the remote connection.
Remote Gateway Select the nature of the remote connection. For more information, see Authenticating the FortiGate unit on page 55.
Local Interface Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 55. The local interface is typically the WAN1 port.
Mode Select Main or Aggressive mode.

In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

In Aggressive mode, the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address.

For more information, see Authenticating the FortiGate unit on page 55.

Authentication Method Select Pre-shared Key.

 

Pre-shared Key Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer options Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of

peer IDs, but not client certificates. For more information, see Authenticating the FortiGate unit on page 55.

Advanced You can retain the default settings unless changes are needed to meet your specific requirements. See Authenticating the FortiGate unit on page 55.
  1. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See Authenticating the FortiGate unit on page 55.
  2. Select OK.

Authenticating remote peers and clients

Certificates or pre-shared keys restrict who can access the VPN tunnel, but they do not identify or authenticate the remote peers or dialup clients. You have the following options for authentication:

Methods of authenticating remote VPN peers

Certificates or Pre-shared key Local ID User account pre-shared keys Reference
Certificates See Enabling VPN access for specific certificate holders  on page 59.
Either X See Enabling VPN access by peer identifier on page 61.
Pre-shared key X See Enabling VPN access with user accounts and pre-shared keys on page 62.
Pre-shared key X X See Enabling VPN access with user accounts and pre-shared keys on page 62.

remote peers and clients

Repeated Authentication in Internet Key Exchange (IKEv2) Protocol

This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. This solution is intended to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer.

CLI Syntax:

config vpn ipsec phase1-interface edit p1 set reauth [enable | disable]

next

end

 

disable: Disable IKE SA re-authentication. enable: Enable IKE SA re-authentication.

Enabling VPN access for specific certificate holders

When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the Distinguished Name (DN) of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.

Before you begin

The following procedures assume that you already have an existing Phase 1 configuration (see Authenticating remote peers and clients on page 58). Follow the procedures below to add certificate-based authentication parameters to the existing configuration.

Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If you are using the FortiClient application as a dialup client, refer to FortiClient online help for information about how to view the certificate DN. To view the certificate DN of a FortiGate unit, see Viewing server  certificate information and obtaining the local DN  on page 60.

Use the config user peer CLI command to load the DN value into the FortiGate configuration. For example, if a remote VPN peer uses server certificates issued by your own organization, you would enter information similar to the following:

config user peer edit DN_FG1000 set cn 192.168.2.160 set cn-type ipv4

end

The value that you specify to identify the entry (for example, DN_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager.

If the remote VPN peer has a CA-issued certificate to support a higher level of credibility, you would enter information similar to the following in the CLI:

config user peer edit CA_FG1000 set ca CA_Cert_1 set subject FG1000_at_site1

end

The value that you specify to identify the entry (for example, CA_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager. For more information about these CLI commands, see the “user” chapter of the FortiGate CLI Reference.

A group of certificate holders can be created based on existing user accounts for dialup clients. To create the user accounts for dialup clients, see the “User” chapter of the FortiGate Administration Guide. To create the certificate group afterward, use the config user peergrp CLI command. See the “user” chapter of the FortiGate CLI Reference.

Viewing server  certificate information and obtaining the local DN
  1. Go to System > Certificates.
  2. Note the CN value in the Subject field (for example, CN = 172.16.10.125, CN = info@fortinet.com, or CN = www.example.com).
Viewing CA root certificate information and obtaining the CA certificate name
  1. Go to System > Certificates > CA Certificates.
  2. Note the value in the Name column (for example, CA_Cert_1).

Configuring certificate authentication for a VPN

With peer certificates loaded, peer users and peer groups defined, you can configure your VPN to authenticate users by certificate.

Enabling access for a specific certificate holder or a group of certificate holders
  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. From the Authentication Method list, select RSA Signature.
  4. From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client Under Peer Options, select one of these options:
    • To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 59.
    • To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 59.
  5. If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use.
  6. Select OK.

remote peers and clients

Enabling VPN access by peer identifier

Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you can require that remote peers or clients have a particular peer ID. This adds another piece of information that is required to gain access to the VPN. More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a preshared key and assume the same identifier.

A peer ID, also called local ID, can be up to 63 characters long containing standard regular expression characters. Local ID is set in phase1 Aggressive Mode configuration.

You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address.

Authenticating remote peers or dialup clients using one peer ID

  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Select Aggressive mode in any of the following cases:
    • The FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel
    • A FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service
    • FortiGate/FortiClient dialup clients sharing the same preshared key and local ID connect through the same VPN tunnel
  4. For the Peer Options, select This peer ID and type the identifier into the corresponding field.
  5. Select OK.

Assigning an identifier (local ID) to a FortiGate unit

Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Select Advanced.
  4. In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
  5. Set Mode to Aggressive if any of the following conditions apply:
    • The FortiGate unit is a dialup client that will use a unique ID to connect to a FortiGate dialup server through a dedicated tunnel.
    • The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service, and will use a unique ID to connect to the remote VPN peer through a dedicated tunnel.
    • The FortiGate unit is a dialup client that shares the specified ID with multiple dialup clients to connect to a FortiGate dialup server through the same tunnel.
  6. Select OK.

Configuring the FortiClient application

Follow this procedure to add a peer ID to an existing FortiClient configuration:

  1. Start the FortiClient application.
  2. Go to VPN > Connections, select the existing configuration.
  3. Select Advanced > Edit > Advanced.
  4. Under Policy, select Config.
  5. In the Local ID field, type the identifier that will be shared by all dialup clients. This value must match the This peer ID value that you specified previously in the Phase 1 gateway configuration on the FortiGate unit.
  6. Select OK to close all dialog boxes.
  7. Configure all dialup clients the same way using the same preshared key and local ID.

Enabling VPN access with user accounts and pre-shared keys

You can permit access only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit.

If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal connections based on peer IDs, you must enable the exchange of their identifiers when you define the Phase 1 parameters.

The following procedures assume that you already have an existing Phase 1 configuration (see Authenticating remote peers and clients on page 58). Follow the procedures below to add ID checking to the existing configuration.

Before you begin, you must obtain the identifier (local ID) of the remote peer or dialup client. If you are using the

FortiClient Endpoint Security application as a dialup client, refer to the Authenticating FortiClient Dialup Clients Technical Note to view or assign an identifier. To assign an identifier to a FortiGate dialup client or a FortiGate unit that has a dynamic IP address and subscribes to a dynamic DNS service, see Assigning an identifier (local ID) to a FortiGate unit  on page 61.

If required, a dialup user group can be created from existing user accounts for dialup clients. To create the user accounts and user groups, see the User Authentication handbook chapter.

The following procedure supports FortiGate/FortiClient dialup clients that use unique preshared keys and/or peer IDs. The client must have an account on the FortiGate unit and be a member of the dialup user group.

The dialup user group must be added to the FortiGate configuration before it can be selected. For more information, see the User Authentication handbook chapter.

The FortiGate dialup server compares the local ID that you specify at each dialup client to the FortiGate useraccount user name. The dialup-client preshared key is compared to a FortiGate user-account password.

Authenticating dialup clients using unique preshared keys and/or peer IDs

  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. If the clients have unique peer IDs, set Mode to Aggressive.
  4. Clear the Pre-shared Key

The user account password will be used as the preshared key.

  1. Select Peer ID from dialup group and then select the group name from the list of user groups. Select OK.

 

Follow this procedure to add a unique pre-shared key and unique peer ID to an existing FortiClient configuration.

Configuring FortiClient – pre-shared key and peer ID

  1. Start the FortiClient Endpoint Security application.
  2. Go to VPN > Connections, select the existing configuration. Select Advanced > Edit.
  3. In the Preshared Key field, type the FortiGate password that belongs to the dialup client (for example,

1234546).

The user account password will be used as the preshared key.  5. Select Advanced.

  1. Under Policy, select Config.
  2. In the Local ID field, type the FortiGate user name that you assigned previously to the dialup client (for example, FortiC1ient1).
  3. Select OK to close all dialog boxes.

Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.

Follow this procedure to add a unique pre-shared key to an existing FortiClient configuration.

Configuring FortiClient – preshared key only

  1. Start the FortiClient Endpoint Security application.
  2. Go to VPN > Connections, select the existing configuration Select Advanced > Edit.
  3. In the Preshared Key field, type the user name, followed by a “+” sign, followed by the password that you specified previously in the user account settings on the FortiGate unit (for example, FC2+1FG6LK) 5. Select OK to close all dialog boxes.

Configure all the FortiClient dialup clients this way using their unique peer ID and pre-shared key values.

Defining IKE negotiation parameters

In Phase 1, the two peers exchange keys to establish a secure communication channel between them. As part of the Phase 1 process, the two peers authenticate each other and negotiate a way to encrypt further communications for the duration of the session. For more information see Defining IKE negotiation parameters on page 63. The Phase 1 Proposal parameters select the encryption and authentication algorithms that are used to generate keys for protecting negotiations. The IKE negotiation parameters determine:

  • Which encryption algorithms may be applied for converting messages into a form that only the intended recipient can read
  • Which authentication hash may be used for creating a keyed hash from a preshared or private key
  • Which Diffie-Hellman group (DH Group) will be used to generate a secret session key

Phase 1 negotiations (in main mode or aggressive mode) begin as soon as a remote VPN peer or client attempts to establish a connection with the FortiGate unit. Initially, the remote peer or dialup client sends the FortiGate unit a list of potential cryptographic parameters along with a session ID. The FortiGate unit compares those parameters to its own list of advanced Phase 1 parameters and responds with its choice of matching parameters 63

Defining IKE negotiation

to use for authenticating and encrypting packets. The two peers handle the exchange of encryption keys between them, and authenticate the exchange through a preshared key or a digital signature.

Generating keys to authenticate an exchange

The FortiGate unit supports the generation of secret session keys automatically using a Diffie-Hellman algorithm. These algorithms are defined in RFC 2409. The Keylife setting in the Phase 1 Proposal area determines the amount of time before the Phase 1 key expires. Phase 1 negotiations are re-keyed automatically when there is an active security association. See Dead Peer Detection  on page 67.

You can enable or disable automatic re-keying between IKE peers through the phase1-rekey attribute of the config system global CLI command. For more information, see the “System” chapter of the FortiGate CLI Reference.

When in FIPS-CC mode, the FortiGate unit requires DH key exchange to use values at least 3072 bits long. However most browsers need the key size set to 1024. You can set the minimum size of the DH keys in the CLI.

config system global    set dh-params 3072 end

When you use a preshared key (shared secret) to set up two-party authentication, the remote VPN peer or client and the FortiGate unit must both be configured with the same preshared key. Each party uses a session key derived from the Diffie-Hellman exchange to create an authentication key, which is used to sign a known combination of inputs using an authentication algorithm (such as HMAC-MD5, HMAC-SHA-1, or HMAC-SHA256). Hash-based Message Authentication Code (HMAC) is a method for calculating an authentication code using a hash function plus a secret key, and is defined in RFC 2104. Each party signs a different combination of inputs and the other party verifies that the same result can be computed.

When you use preshared keys to authenticate VPN peers or clients, you must distribute matching information to all VPN peers and/or clients whenever the preshared key changes.

As an alternative, the remote peer or dialup client and FortiGate unit can exchange digital signatures to validate each other’s identity with respect to their public keys. In this case, the required digital certificates must be installed on the remote peer and on the FortiGate unit. By exchanging certificate DNs, the signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer.

The following procedure assumes that you already have a Phase 1 definition that describes how remote VPN peers and clients will be authenticated when they attempt to connect to a local FortiGate unit. For information about the Local ID and XAuth options, see Defining IKE negotiation parameters on page 63 and Defining IKE negotiation parameters on page 63. Follow this procedure to add IKE negotiation parameters to the existing definition.

Defining IKE negotiation parameters

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Select Phase 1 Proposal and include the appropriate entries as follows:
Phase 1 Proposal Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations.

Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.

It is invalid to set both Encryption and Authentication to null.

Encryption Select a symmetric-key algorithms:

NULL — Do not use an encryption algorithm.

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

3DES — Triple-DES; plain text is encrypted three times by three keys.

AES128 — A 128-bit block algorithm that uses a 128-bit key.

AES192 — A 128-bit block algorithm that uses a 192-bit key.

AES256 — A 128-bit block algorithm that uses a 256-bit key.

Authentication You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL — Do not use a message digest.

MD5 — Message Digest 5.

SHA1 — Secure Hash Algorithm 1 – a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

For information regarding NP accelerated offloading of IPsec VPN authentication algorithms, please refer to the Hardware Acceleration handbook chapter.

Defining IKE negotiation

Diffie-Hellman Group Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, 14 through 21, and 27 through 30. When using aggressive mode, DH groups cannot be negotiated. By default, DH group 14 is selected, to provide sufficient protection for stronger cipher suites that include AES and SHA2. If you select multiple DH groups, the order they appear in the configuration is the order in which they are negotiates.

If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.

When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or dialup client must be identical to one of the selections on the FortiGate unit.

If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or dialup client must be identical to the selections on the FortiGate unit.

Keylife Type the amount of time (in seconds) that will be allowed to pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.
Nat-traversal Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared). When in doubt, enable NAT-traversal. See NAT traversal  on page 66.
Keepalive Frequency If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds where the connection will be maintained with no activity. For additional security this value must be as low as possible. See NAT keepalive frequency  on page 67.
Dead Peer Detection Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. This feature minimizes the traffic required to check if a VPN peer is available or unavailable (dead). See Dead Peer Detection  on page 67.

NAT traversal

Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vise versa. When an IP packet passes through a NAT device, the source or destination address in the IP header is modified. FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.

NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number. As a result, the packets cannot be demultiplexed. To work around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT modifications. When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number. This extra encapsulation allows NAT devices to change the port number without modifying the IPsec packet directly.

To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT device exists between two FortiGate VPN peers or a FortiGate unit and a dialup client such as FortiClient. On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.

Additionally, you can force IPsec to use NAT traversal. If NAT is set to Forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

NAT keepalive frequency

When a NAT device performs network address translation on a flow of packets, the NAT device determines how long the new address will remain valid if the flow of traffic stops (for example, the connected VPN peer may be idle). The device may reclaim and reuse a NAT address when a connection remains idle for too long.

To work around this, when you enable NAT traversal specify how often the FortiGate unit sends periodic keepalive packets through the NAT device in order to ensure that the NAT address mapping does not change during the lifetime of a session. To be effective, the keepalive interval must be smaller than the session lifetime value used by the NAT device.

The keepalive packet is a 138-byte ISAKMP exchange.

Dead Peer Detection

Sometimes, due to routing issues or other difficulties, the communication link between a FortiGate unit and a

VPN peer or client may go down. Packets could be lost if the connection is left to time out on its own. The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and reestablish IKE negotiations automatically before a connection times out: the active Phase 1 security associations are caught and renegotiated (rekeyed) before the Phase 1 encryption key expires.

By default, Dead Peer Detection sends probe messages every five seconds by default (see dpdretryinterval in the FortiGate CLI Reference). If you are experiencing high network traffic, you can experiment with increasing the ping interval. However longer intervals will require more traffic to detect dead peers which will result in more traffic.

In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options. The config vpn ipsec phase1 CLI command supports additional options for specifying a retry count and a retry interval.

For more information about these commands and the related config router gwdetect CLI command, see the FortiGate CLI Reference.

For example, enter the following CLI commands to configure dead peer detection on the existing IPsec Phase 1 configuration called test to use 15 second intervals and to wait for 3 missed attempts before declaring the peer dead and taking action.

config vpn ipsec phase1-interface edit <value> set dpd [disable | on-idle | on-demand] set dpd-retryinveral 15 set dpd-retrycount 3

 

Using XAuth authentication

next

end

DPD Scalability

On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance/load of the daemon. For this reason, an option is available in the CLI to send DPD passively in a mode called “on-demand”.

  • When there is no traffic and the last DPD-ACK had been received, IKE will not send DPDs periodically.
  • IKE will only send out DPDs if there are outgoing packets to send but no inbound packets had since been received.
Syntax

Set DPD to on-demand to trigger DPD when IPsec traffic is sent but no reply is received from the peer.

config vpn ipsec phase1-interface edit <value> set dpd [disable | on-idle | on-demand]

next

end

Certificate key size control

Proxy will choose the same SSL key size as the HTTPS server. If the key size from the server is 512, the proxy will choose 1024. If the key size is bigger than 1024, the proxy will choose 2048.

As a result, the firewall ssl-ssh-profile commands certname-rsa, certname-dsa, and certname-ecdsa have been replaced with more specific key size control commands under vpn certificate setting.

CLI syntax

config vpn certificate setting set certname-rsa1024 <name> set certname-rsa2048 <name> set certname-dsa1024 <name> set certname-dsa2048 <name> set certname-ecdsa256 <name> set certname-ecdsa384 <name>

end

Using XAuth authentication

Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of Phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate unit to function either as an XAuth server or an XAuth client.If the server or client is Using XAuth authentication

attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

Using the FortiGate unit as an XAuth server

A FortiGate unit can act as an XAuth server for dialup clients. When the Phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed-IP-Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range. See Assigning VIPs by RADIUS user group on page 1.

The authentication protocol to use for XAuth depends on the capabilities of the authentication server and the XAuth client:

  • Select PAP Server whenever possible.
  • You must select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS.
  • Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allows multiple source interfaces to be defined in an IPsec/IKE policy

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server. For information about these topics, see the FortiGate User Authentication Guide.

Authenticating a dialup user group using XAuth settings

  1. At the FortiGate dialup server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Select Convert To Custom Tunnel.
  3. Edit XAUTH, select the Type setting, which determines the type of encryption method to use between the XAuth client, the FortiGate unit and the authentication server. Select one of the following options:
    • Disabled — Disables XAuth settings.
    • PAP Server — Password Authentication Protocol.
    • CHAP Server — Challenge-Handshake Authentication Protocol.
    • Auto Server — Use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
  4. From the User Group list, select the user group that needs to access the private network behind the FortiGate unit. The group must be added to the FortiGate configuration before it can be selected here. For multiple user groups to be defined in the IPsec/IKE policy, select Inherit from policy.
  5. Select OK.
  6. Create as many policies as needed, specifying Source User(s) and Destination Address.

For example, one policy could have user1 have access to test_local_subnet_1, while user2 has access to test_ local_subnet_2.

Dynamic IPsec route control

As of FortiOS 5.4.1, when XAuth settings are enabled, Inherit from policy is only available under PAP Server and CHAP Server, not Auto Server. Because of this, only one user group may be defined for Auto Server.

Using the FortiGate unit as an XAuth client

If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server, might require a username and password. You can configure the FortiGate unit as an XAuth client, with its own username and password, which it provides when challenged.

Configuring the FortiGate dialup client as an XAuth client

  1. At the FortiGate dialup client, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Under XAuth, select Enable as Client.
  4. In the Username field, type the FortiGate PAP, CHAP, RADIUS, or LDAP user name that the FortiGate XAuth server will compare to its records when the FortiGate XAuth client attempts to connect.
  5. In the Password field, type the password to associate with the user name.
  6. Select OK.

Dynamic IPsec route control

You can add a route to a peer destination selector by using the add-route option, which is available for all dynamic IPsec Phases 1 and 2, for both policy-based and route-based IPsec VPNs. This option was previously only available when mode-cfg was enabled in Phase 1.

The add-route option adds a route to the FortiGate unit’s routing information base when the dynamic tunnel is negotiated. You can use the distance and priority options to set the distance and priority of this route. If this results in a route with the lowest distance, it is added to the FortiGate unit’s forwarding information base.

You can also enable add-route in any policy-based or route-based Phase 2 configuration that is associated with a dynamic (dialup) Phase 1. In Phase 2, add-route can be enabled, disabled, or set to use the same route as Phase 1.

The add-route feature is enabled by default and is configured in the CLI.

Syntax

Phase 1

config vpn ipsec edit <name> set type dynamic

set add-route {enable | disable}

end

end

 

Phase 2

Dynamic IPsec route control

config vpn ipsec {phase2 | phase2-interface} edit <name> set add-route {phase1 | enable | disable}

end

end

Blocking IPsec SA Negotiation

For interface-based IPsec, IPsec SA negotiation blocking can only be removed if the peer offers a wildcard selector. If a wildcard selector is offered then the wildcard route will be added to the routing table with the distance/priority value configured in Phase 1 and, if that is the route with the lowest distance, it is installed into the forwarding information base.

In cases where this occurs, it is important to ensure that the distance value configured on Phase 1 is set appropriately.

 

FortiOS 5.4.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.6 build 1165:

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.6 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.6 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.6 supports the following models.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.6. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1165.

FGR-30D is released on build 7686.
FGR-35D is released on build 7686.
FGR-30D-A is released on build 7686.
FG-30E-MI is released on build 6406.
FG-30E-MN is released on build 6406.
FWF-30E-MI is released on build 6406.
FWF-30E-MN is released on build 6406.
FWF-50E-2R is released on build 7688.
FG-52E is released on build 6401.
FG-60E is released on build 6408.
FWF-60E is released on build 6408.
FG-61E is released on build 6408.
FWF-61E is released on build 6408.
FG-80E is released on build 6408.
FG-80E-POE is released on build 6408.
FG-81E is released on build 6408.
FG-81E-POE is released on build 6408.
FG-90E is released on build 6405.
FG-90E-POE is released on build 6405.
FG-91E is released on build 6405.
FWF-92D is released on build 7687.
FG-100E is released on build 6408.

 

What’s new in FortiOS 5.4.6                                                                                                                Introduction

FG-100EF is released on build 6408.
FG-101E is released on build 6408.
FG-140E is released on build 6408.
FG-140E-POE is released on build 6408.
FG-200E is released on build 6402.
FG-201E is released on build 6402.
FG-300E is released on build 4075.
FG-301E is released on build 4075.
FG-500E is released on build 4075.
FG-501E is released on build 4075.
FG-2000E is released on build 6403.
FG-2500E is released on build 6403.
FG-3960E is released on build 6404.
FG-3980E is released on build 6404.
FG-5001E is released on build 6400.
FG-VM64-AZURE is released on build 6399.
FG-VM64-AZUREONDEMAND is released on build 6399.

What’s new in FortiOS 5.4.6

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.6, see the What’s New forFortiOS 5.4.6 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate with an RSA 2048-bit key; and FortiOS supports DH group 14 for key-exchange.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D                                                                                                               Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

 

Special Notices                                                                                FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.6, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page                                                                                                                   Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

DLP, AV

In 5.2, Block page was sent to client with HTTP status code 200 by default. In 5.4 and later, Block page is sent to client with a clearer HTTP status code of 403 Forbidden.

Upgrade Information

Upgrading to FortiOS 5.4.6

FortiOS version 5.4.6 officially supports upgrading from version 5.4.4 and later, and 5.2.10 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                          Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.6, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

Upgrade Information                                                                                                             FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.6 support

The following table lists 5.4.6 product integration and support information:

Web Browsers l Microsoft Edge 38 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1 and later
FortiClient Android and FortiClient VPN Android l 5.4.0 and later

FortiOS 5.4.6

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0264 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Server Edition l Windows Server 2016 Datacenter l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

 

FortiOS 5.4.6 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.438
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for SSLVPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS by using this command: config vpn ssl web host-check-software

SSL VPN

Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-InternetSecurity-AV variable to set the following GUID for AVG Internet Security 2017:

4D41356F-32AD-7C42-C820-63775EE4F413

  1. Edit the AVG-Internet-Security-FW variable to set the following GUID: 757AB44A-78C2-7D1A-E37F-CA42A037B368

 

Resolved Issues

The following issues have been fixed in version 5.4.6. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
300206 Proxy-AV POP3 44k throughput test constantly has aborted transactions with low stress level.
442328 Replacement message image fails to load.
Bug ID Description
422755 memory_tension_drop increase even though memory usage is very low.

DNS Filter

Bug ID Description
402831 DNS Filter and Interface page botnet DB check should be updated.
420170 Skip the rating for Dynamic DNS update type queries.
422407 dnsproxy process runing high CPU causing degradation of DNS traffic.
438834 DNS Filter blocks access when rating error occurs, even with allow request on rating error enabled.

Firewall

Bug ID Description
403514 Broadcast packets are not forwarded through VIP.
415035 Policy64 with VIP64 assigns incorrect SNAT IP 0.0.0.0.
421381 IPsec traffic matching NAT64 policy dropped by NP IPSEC0_IQUEUE.
424558 Renaming onetime schedule causes policy activation.
435070 Full Cone NAT not working for WhatsApp Video and Voice Call.

FortiGate-60D

FortiGate-5001D

Bug ID Description
392883 SLBC slave blades with TP VDOMs cannot connect to FSSO Collector Agent.

FortiGate and FortiWifi E Series

Bug ID Description
413699 In some FortiGate and FortiWifi E series models, the default Inspection Mode is flow-based instead of proxy-based.

Affected models: FG-60E, FG-61E, FWF-60E, FWF-61E, FG-80E, FG-81E, FG-80E-POE, FG-81E-POE, FG-100E, FG-101E, FG-100EF, FG-140E, FG-140E-POE.

FortiSwitch

Bug ID Description
435219 cu_acd causing memory leak leading to conserve mode.

GUI

Bug ID Description
367394 Colors configured for firewall address objects are not visible in firewall policy list.
368070 Custom category is not referenced when used in a web filter profile.
372907 Reference page shows no matching entries found for VPN tunnel with special characters in tunnel name.
378575 Disabled local rating categories are incorrectly added into new web filter profiles.
392500 In the GUI Interface Bandwidth widget, the speed keep jumping from real value to 0 bps.
397233 GUI improve visibility of hardware acceleration features and memory usage.
406486 Permission denied error is shown when changing AntiVirus configuration even when AntiVirus privilege is set to Read-Write.
408577 Admin and FortiClient profile cannot be displayed when language is Japanese.
409100 Edit admin/user, enable FortiToken mobile, click send activation email before saving would send empty activation code.
411415 Update FortiOS API to remove IPS sessions in parallel with firewall sessions.
Bug ID Description
421263 Multiple wildcard login accounts gives wrong guest account provisioning when Post-login-banner is enabled.
439160 Address object references are not displayed.

HA

Bug ID Description
389861 SNMP query for fgHaStatsSyncStatus on slave unit reports master as unsynchronized- “0”.
392677 The HA widget shows the slave status as not synchronized when the status is synchronized.
412652 Unexpected behavior occurs when one cluster unit has a monitored port down and the other cluster unit has ping server issues.
421639 HA kernel routes are not flushed after failover, when cluster learns a high number of routes.
423144 Reliable syslog using dedicated HA management interface doesn’t work.
437390 HA failover triggered before pingserver-failover-threshold is reached.
438197 PPPoE connection is disrupted by HA failover/failback.
442085 After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number.
442663 No NTP sync and feature license invalid at backup device in FGSP cluster.

IPS

Bug ID Description
422666 New mechanism to load IPS/App rules into CMDB to avoid FortiGate bootup failure or lockup.
434478 Information incorrect in diag test app ipsmonitor 13.
439245 When the firewall policy was applied by FortiManager, a crash log of the IPS engine occurred.
445900 SSL negotiation not completed when IPS and SSL Inspection profiles are present.

IPsec VPN

Bug ID Description
396953 “Encapsulation GRE” (GRE over IPsec) does not allow self-originated traffic to enter the tunnel.
401847 Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D.
416102 Traffic over IPsec VPN getting dropped after 2 pings when it is getting offloaded to NPU.
416950 NP6 stop process traffic through IPsec tunnel.

Logging & Report

Bug ID Description
420147 Getting Errorconnecting to FortiCloud message when trying to access FortiCloud Reports in GUI.
445522 In Local report -Web Usage section, Top users by bandwidth seems to show the download as upload.

Router

Bug ID Description
424381 Random TCP sessions get stuck or time out.

Spam

Bug ID Description
410420 Spam emails are exempted if they are sent in one session.
416790 (no.x pattern matched) is not logged when bwl matches envelop MAIL FROM.

SSL VPN

Bug ID Description
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
380974 SSL VPN sometimes gets key conflict when loading system provided keys.
401807 SSL VPN web mode for VNC could not launch pop up menu with F8.
Bug ID Description
412456 SSL VPN realm should be kept in the idle timeout redirected URL.
412850 SSL VPN Portal redirect not working. Fails with a Javascript error.
421261 Access to web sites via Webbase SSL VPN returns empty page after browsing for some time.
448852 OTP for RSA Server are truncated if they are longer than eight digits.

System

Bug ID Description
383624 Sending multicast traffic across NP6 inter-VDOM link may cause interfaces to stop sending/receiving.
392436 Slow throughput using 10G interfaces.
392655 Conserve mode – 4096 SLAB leak suspected.
393006 NPU offloading causes issues with Arista.
397266 Disable unnecessary FGT queries and RSS feeds.
407383 LACP will not negotiate on 100D ports 15 and 16 using FG-TRAN-SX.
408977 802.1AX L4 algorithm and NP4 do not distribute UDP evenly on egress LAG bundle.
415555 IPv6 ipv6-neighbor-cache configuration doesn’t survive after a reboot or flush command.
415910 CPU cores utilization shows 0% while handling CPS.
416678 FG101E/100E has reports of firewall lockups in production.
420150 NTPv3 with authentication enabled fails with error receive: authentication failed.
421714 Merge kxp D state fix into 5.4.6.
423375 Some configurations are missing in the output of show full-configuration.
424213 Cluster Virtual MAC address changed to Physical port MAC address when Ports are assigned on MGMT-VDOM.
434480 Admin user session does not time out.
Bug ID Description
436211 Kernel conserve mode occurs due to memory leak.
437589 Slow throughput on 1000D between 10G and 1G interfaces.
437925 FWF-81CM dnsproxy daemon has high memory usage.
438088 U-Turn traffic in Transparent mode VDOM does not work anymore.
438205 Packets in reply direction get dropped if ingress interface is not the same as egress in original direction.
438405 HRX/PKTCHK Drops over NP6 with 1.5 Gbps.
439115 IP-to-IP-Tunnel does not forward packets after rebooting.
439469 Dropped packets only on the LACP Interface but not on the physicals that is part of the LAG.
439897 Virtual wire pair on asymmetric environment.
440412 Added SNMP trap for per-CPU usage.
440923 The FortiGate interface DHCP client does not work properly in some situations.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

Upgrade

Bug ID Description
404089 Uninterruptible upgrade failed because routes are not yet synced on new master.

User and FSSO

Bug ID Description
378085 User authentication timeout max. setting change.
378207 authd process running high CPU when only RSSO logging is configured.
412487 RSSO Endpoint Storage limits the number of characters to 48.
437204 authd sends malformed NTLM TYPE2 to browser and breaks NTLM authentication.
438758 A CRL update on the FortiGate does not trigger an auto-update to the FortiManager.

VM

Bug ID Description
424452 SNMP traps not being sent when interface is down.
441294 The network bandwidth show a zero value.

VoIP

Bug ID Description
423437 SIP ALG does not translate all MSRP SEND messages if more than one SEND message is contained within a single packet.

Web Filter

Bug ID Description
409110 Web page override login page loads slowly.
420967 Proxy AV + Proxy WF + SSL Certificate Inspection (Inspect All Ports) results in HTTPS traffic bypassing WiFi.
423020 Regex value changes in the URL filter.
435258 Send Fin/Ack to the client during HTTP POST request.
436354 Replace Message Group Web FilterBlock Override page not working.

WebProxy

Bug ID Description
415385 Explicit FTP proxy issue on zero file size transfers.
416208 WAD Dispatcher reached FD limit with large number of CLOSE_WAIT sockets, some workers entered “D” state.
417001 Explicit HTTP proxy drops HTTPS connections on WiFi rating failures.
417491 WAD crashed when handling FTP over HTTP traffic.
418193 Some HTTPS sites show Secure Connection Failed with flow-based web filter (static URL filter only) and SSL certificate inspection.
423077 WAD crashed after upgrading from 5.2.10 to 5.4.4 GA release.
Bug ID Description
434787 FortiGate deep inspection is causing nonconforming extension certificate error on MAC, Android, and Chromebook devices.
435283 block-page-status-code doesn’t work for HTTP status code of the DLP replacement message.

WiFi

Bug ID             Description
364688            Packet loss when offloading CAPWAP traffic.
434991            WTP tablesize limitation cause WTP entry to be lost after upgrade from 5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

437949 Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local].

Common Vulnerabilities and Exposures

Bug ID CVE references
405122 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-3732 l 2017-7055

Visit https://fortiguard.com/psirt for more information.

415416 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7733

Visit https://fortiguard.com/psirt for more information.

416322 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-2636

Visit https://fortiguard.com/psirt for more information.

422133 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-3555

Visit https://fortiguard.com/psirt for more information.

440744 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7739

Visit https://fortiguard.com/psirt for more information.

442365 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7738

Visit https://fortiguard.com/psirt for more information.

 

Bug ID CVE references
446892 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-13077 l 2017-13078 l 2017-13079 l 2017-13080 l 2017-13081 l 2017-13082

Visit https://fortiguard.com/psirt for more information.

449257 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-14182

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.6. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1 GE SFP transceivers.

FortiRugged-60D

Known

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.

Known Issues

Bug ID Description
372943 Explicit proxy policy may show a blank for default authentication method.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375369 May not be able to change IPsec manualkey config in GUI.
375383 The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.

Known

Bug ID Description
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
403146 Slow GUI Policy tab when there are more than 600 policies.
453751 In IE11, the Policy and Address page keeps reloading when there are many entries.
454259 The Policy list page does not display tooltips for policy comments.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

439923 IKE static tunnels using set peertype one may fail to negotiate.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.
404863 In SSL VPN Web Mode, clicking new bookmark gets error Internal: invalid parameter.

Known Issues

Bug ID Description
364280 ssh-dss may not work on FG-VM-LENC.

System

Bug ID Description
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
445383 Traffic cannot go through LACP static mode interface with NP6 offload enabled.

Upgrade

Bug ID Description
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

IPsec VPN in the web-based manager

IPsec VPN in the web-based manager

To configure an IPsec VPN, use the general procedure below. With these steps, your FortiGate unit will automatically generate unique IPsec encryption and authentication keys. If a remote VPN peer or client requires a specific IPsec encryption or authentication key, you must configure your FortiGate unit to use manual keys instead.

  1. Define Phase 1 parameters to authenticate remote peers and clients for a secure connection. See IPsec VPN in the web-based manager on page 38.
  2. Define Phase 2 parameters to create a VPN tunnel with a remote peer or dialup client. See IPsec VPN in the webbased manager on page 38.
  3. Create a security policy to permit communication between your private network and the VPN. Policy-based VPNs have an action of IPSEC, where for interface-based VPNs the security policy action is ACCEPT. See Defining VPN security policies on page 1.

The FortiGate unit implements the Encapsulated Security Payload (ESP) protocol. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. Interface mode, supported in NAT mode only, creates a virtual interface for the local end of a VPN tunnel.

This chapter contains the following sections:

Phase 1 configuration

Phase 2 configuration

Concentrator

IPsec Monitor

Phase 1 configuration

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

If you want to control how the IKE negotiation is processed when there is no traffic, as well as the length of time the FortiGate unit waits for negotiations to occur, you can use the negotiation-timeout and autonegotiate commands in the CLI.

For more information, refer to  Phase 2 parameters on page 72 and Phase 2 parameters on page 72.

 

Name Type a name for the Phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.

For a tunnel mode VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.

Remote Gateway Select the category of the remote connection:

Static IP Address — If the remote peer has a static IP address.

Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.

Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.

IP Address If you selected Static IP Address, enter the IP address of the remote peer.
Dynamic DNS If you selected Dynamic DNS, enter the domain name of the remote peer.
Local Interface This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.

By default, the local VPN gateway IP address is the IP address of the interface that you selected.

Mode Main mode — the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive mode — the Phase 1 parameters are exchanged in single message with authentication information that is not encrypted.

When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase1 configuration for the interface IP address.

When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one Phase 1 configuration for the interface IP address and these Phase 1 configurations use different proposals.

Authentication Method Select Preshared Key or RSA Signature.

 

Pre-shared Key If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same key at the remote peer or client.

The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

Certificate Name If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. For information about obtaining

and loading the required server certificate, see the FortiOS User Authentication guide.

Peer Options Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Any peer ID Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.

You can use this option with RSA Signature authentication. But, for highest security, configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.

This peer ID This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer’s administrator has configured.

If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the Advanced Phase 1 configuration.

If the remote peer is a FortiClient user, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.

In circumstances where multiple remote dialup VPN tunnels exist, each tunnel must have a peer ID set.

Peer ID from dialup group Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.

You must create a dialup user group for authentication purposes. Select the group from the list next to the Peer ID from dialup group option.

You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique preshared keys only, you can set Mode to Main if there is only one dialup Phase 1 configuration for this interface IP address.

Phase 1 advanced configuration settings

You can use the following advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also use the following advanced parameters to ensure the smooth operation of Phase 1 negotiations.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, set the Local ID to the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

Note that, since FortiOS 5.4, an exact match is required to optimize IKE’s gateway search utilizing binary trees. However, it is also possible to have partial matching of ‘user.peer:cn’ to match peers to gateways by performing a secondary match. When IKE receives IDi of type ASN1.DN, the first search is done with the whole DN string. If none is found, IKE will extract just the CN attribute value and perform a second search.

VXLAN over IPsec Packets with VXLAN header are encapsulated within IPsec tunnel mode.

To configure VXLAN over IPsec – CLI:

config vpn ipsec phase1-interface/phase1 edit ipsec set interface <name> set encapsulation vxlan/gre

set encapsulation-address ike/ipv4/ipv6 set encap-local-gw4 xxx.xxx.xxx.xxx  set encap-remote-gw xxx.xxx.xxx.xxx

next end

 

IPsec tunnel idle timer You can define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.

To configure IPsec tunnel idle timeout – CLI:

config vpn ipsec phase1-interface edit p1 set idle-timeout [enable | disable]

set idle-timeoutinterval <integer> //IPsec tunnel idle timeout in minutes (10 – 43200). end end

IPv6 Version Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses.
Local Gateway IP Specify an IP address for the local end of the VPN tunnel. Select one of the following:

Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.

Specify — Enter a secondary address of the interface selected in the Phase 1 Local Interface field.

You cannot configure Interface mode in a transparent mode VDOM.

Phase 1 Proposal Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Select one of the following symmetric-key encryption algorithms:

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

3DES — Triple-DES; plain text is encrypted three times by three keys.

AES128 — A 128-bit block algorithm that uses a 128-bit key.

AES192 — A 128-bit block algorithm that uses a 192-bit key.

AES256 — A 128-bit block algorithm that uses a 256-bit key.

 

  You can select either of the following message digests to check the authenticity of messages during an encrypted session:

MD5 — Message Digest 5.

SHA1 — Secure Hash Algorithm 1 – a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Diffie-Hellman Group Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. At least one of the Diffie-Hellman Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
Keylife Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the Phase 1 exchange.

If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this Fortinet dialup client), set Mode to Aggressive.

Note that this Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.

 

XAuth This option supports the authentication of dialup clients. It is available for IKE v1 only.

Disable — Select if you do not use XAuth.

Enable as Client — If the FortiGate unit is a dialup client, enter the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.

Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit.

You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server.

Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Username Enter the user name that is used for authentication.
Password Enter the password that is used for authentication.
NAT Traversal Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Additionally, you can force IPsec to use NAT traversal. If NAT is set to

Forced, the FortiGate will use a port value of zero when constructing the

NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency If you enabled NAT-traversal, enter a keepalive frequency setting.
Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.

With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-

interface (interface mode) CLI command to optionally specify a retry count and a retry interval.

 

IKEv1 fragmentation

UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

FortiOS will fragment a packet on sending if, and only if, all the following are true:

  • Phase 1 contains “set fragmentation enable”.
  • The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6). l The packet is being re-transmitted.

By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have have “set fragmentation disable” added in order to preserve the existing behaviour of not supporting fragmentation.

Enabling or disabling IKE fragmentation – CLI

config vpn ipsec phase1-interface edit 1 set fragmentation [enable | disable]

next

end

IKEv2 fragmentation

With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

config vpn ipsec phase1-interface edit ike set ike-version 2

set fragmentation [enable|disable] set fragmentation-mtu [500-16000]

next

end

Phase 2 configuration

After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.

2

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

Name Type a name to identify the Phase 2 configuration.
Phase 1 Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration on page 38. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Advanced Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings below.

Phase 2 advanced configuration settings

In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.

You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.

Phase 2 Proposal Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

Initially there are two proposals. Add and Delete icons are next to the second Authentication field.

It is invalid to set both Encryption and Authentication to NULL.

Encryption Select a symmetric-key algorithms:

NULL — Do not use an encryption algorithm.

DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

3DES — Triple-DES; plain text is encrypted three times by three keys.

AES128 — A 128-bit block algorithm that uses a 128-bit key.

AES192 — A 128-bit block algorithm that uses a 192-bit key.

AES256 — A 128-bit block algorithm that uses a 256-bit key.

 

Authentication You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL — Do not use a message digest.

MD5 — Message Digest 5.

SHA1 — Secure Hash Algorithm 1 – a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Enable replay detection Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS) Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
Diffie-Hellman Group Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.
Keylife Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed.
Autokey Keep Alive Select the check box if you want the tunnel to remain active when no data is being processed.
Auto-negotiate Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
DHCP-IPsec Provide IP addresses dynamically to VPN clients. This is available for

Phase 2 configurations associated with a dialup Phase 1 configuration.

You also need configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.

If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration on page 38.

If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

2

Quick Mode Selector Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.

If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.

Source address If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.

If the FortiGate unit is a dialup client, source address must refer to the private network behind the Fortinet dialup client.

Source port Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.
Destination address Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10. [80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.
Protocol Enter the IP protocol number of the service. To specify all services, enter 0.

FortiClient VPN

Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.

When configuring a FortiClient VPN connection, the settings for Phase 1 and Phase 2 settings are automatically configured by the FortiGate unit. They are set to:

  • Remote Gateway — Dialup User
  • Mode — Aggressive
  • Default settings for Phase 1 and 2 Proposals
  • XAUTH Enable as Server (Auto)
  • IKE mode-config will be enabled
  • Peer Option — “Any peer ID”

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name Enter a name for the FortiClient VPN.
Local Outgoing Interface Select the local outgoing interface for the VPN.
Authentication Method Select the type of authentication used when logging in to the VPN.
Preshared Key If Pre-shared Key was selected in Authentication Method, enter the pre-shared key in the field provided.
User Group Select a user group. You can also create a user group from the drop-down list by selecting Create New.
Address Range Start IP Enter the start IP address for the DHCP address range for the client.
Address Range End IP Enter the end IP address for the address range.
Subnet Mask Enter the subnet mask.
Enable IPv4 Split Tunnel Enabled by default, this option enables the FortiClient user to use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Disable this option to have all traffic sent through the VPN tunnel.
Accessible Networks Select from a list of internal networks that the FortiClient user can access.
Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

Save Password – When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

Auto Connect – When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

Always Up (Keep Alive) – When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

 

Concentrator

Endpoint Registration When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. A registration key is defined by going to System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server Select which DNS server to use for this VPN:

Use System DNS — Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option.

Specify — Specify the IP address of a different DNS server.

Concentrator

In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, you can establish VPN tunnels between any two of the remote peers through the FortiGate unit’s “hub”.

In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.

You define a concentrator to include spokes in the hub-and-spoke configuration. You create the concentrator in VPN > IPsec Concentrator and select Create New. A concentrator configuration specifies which spokes to include in an IPsec hub-and-spoke configuration.

Concentrator Name Type a name for the concentrator.
Available Tunnels A list of defined IPsec VPN tunnels. Select a tunnel from the list and then select the right arrow.
Members A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left arrow.

IPsec Monitor

You can use the IPsec Monitor to view activity on IPsec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.

To view the IPsec monitor, go to Monitor > IPsec Monitor.

Tunnels are considered as “up” if at least one phase 2 selector is active. To avoid confusion, when a tunnel is down, IPsec Monitor will keep the Phase 2 Selectors column, but hide it by default and be replaced with Phase 1 status column.

IPsec Monitor

For dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, and their IP addresses.

For static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.