FortiWAN NAT

NAT

FortiWAN is an edge server that is usually placed on the boundary between WAN and LAN. When a connection is established from a private IP address (in LAN or DMZ) to the internet (WAN), it is necessary to translate the private IP address into one of the public IP addresses assigned to the FortiWAN’s WAN link. This process is called NAT (Network Address Translation). FortiWAN provides the typical NAT (called S-NAT also) for sessions established from internal area. Once the private source IP address of outgoing packet of a session is translated to a public IP address, the mapping is kept in translation table and therefore the inbound traffic (from public area) of the session can be accepted and forwarded to the internal host who established the session.

With the typical NAT, two-way data transmission between an internal host and an external host is achieved, only if the internal host starts the sessions. An external host is unable to starts a session with an internal host via the typical NAT. FortiWAN’s 1-to-1 NAT gives the availability of two-way transmission between an internal host and an external host not only for sessions starting from the internal host but also for sessions starting from the external host.

FortiWAN provides log mechanism to the NAT service, see “Log”.

Default Rules

FortiWAN’s NAT Default Rules are the NAT rules (and IPv6 NAT rules) generated automatically by system according to the Network Setting of WAN links. Once a WAN link is sat up (See “Configuring your WAN”), the default rules are generated at the same time so that FortiWAN performs NAT automatically to packets coming from anywhere (except subnets in WAN or/and DMZ and static routing subnets of the WAN link) and going to be transferred via the WAN link. NAT default rules are varies according to how the WAN link is deployed. For example,

WAN link 1: Routing mode with a basic subnet (125.227.251.0/255.255.255.0) in WAN and DMZ, and the IP(s) on localhost are 128.227.251.80 and 128.227.251.81. System adds the default rules to WAN link 1 as following:

When = All-Time, Source = 125.227.251.0/255.255.255.0, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.251.80

WAN link 2: Bridge mode: One Static IP, the IP on localhost is 125.227.250.10. System adds the default rules to WAN link 2 as following:

When = All-Time, Source = 125.227.250.10, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.250.10

WAN link 3: Bridge mode: Multiple Static IP, 125.227.252.100-125.227.252.101 are deployed on localhost, 125.227.252.102-125.227.252.103 are deployed in WAN, 125.227.252.104-125.227.252.105 are deployed in DMZ. System adds the default rules to WAN link 3 as following:

When = All-Time, Source = 125.227.252.100-125.227.252.101, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = 125.227.252.104-125.227.252.105, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.252.100

WAN link 4: Bridge mode: PPPoE, system adds the default rule to WAN link 4 as following:

When = All-Time, Source = Any Address, Destination = Any Address, Service =

Any, Translated = DynamicIP(DHCP/PPPoE)

The last rule translates source IP address of all packets into an IP address (localhost) of the WAN link. The second (or third) rule from the bottom ignores NAT to packets coming from subnets of the WAN link. Those default rules are added as the bottom rules to the top-down rule table. They are unable to be deleted and edited, unless the correspondent deployment of the WAN link changes. The default rules will translate source IP address of a matched packet into the first of the IP addresses that are assigned to localhost of the WAN link, which normally is a public IPv4 address or global IPv6 address. Therefore, packets with private source address (IPv4) or Link-Local source address (IPv6) are acceptable to Internet after the NAT process. However, even a packet comes with public source address (IPv4) or Global source address (IPv6), NAT is also performed if it matches the last rule. NAT default rules are based on deployment of a WAN link, deployment of LAN is regardless. Set NAT rules manually for advanced applications.

Similarly, system generates default rules for IPv6/IPv4 dual stack WAN links. Take the WAN link 1 above as example, if a IPv6 basic subnet 2001::/64 is deployed on WAN link 1 and the localhost is 2001::1, system adds the IPv6 default rules to WAN link 1 as following:

When = All-Time, Source = 2001::/64, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 2001::1

Note that for FortiWAN V4.0.x, system does note generate IPv6 default rules for IPv6/IPv4 dual stack WAN link. It is necessary to add IPv6 default rules manually, or the IPv6 transmission might fail if its source IP address is a Link-Local address. Please refer to the examples above for this.

Non-NAT

Non-NAT is used for Private Network and MPLS Network where the host in WAN can directly access the host in DMZ, and where FortiWAN is used to balance VPN load and backup lines.

FortiWAN’s inbound and outbound load balancing (Auto Routing and Multihoming) distribute session over multiple WAN links. It’s necessary to make sure the correct NAT rules are applied to every enabled WAN link.

Enable NAT : Enable the function, and NAT will translate any private IP to a fixed public IP assigned to a given WAN link. Disable the function; FortiWAN will act as a general router for the host in WAN to directly access the host in DMZ.
WAN : Enabled WAN links are listed in the menu. Select the WAN link to set and apply NAT rules to.

FortiWAN Optional Services

Optional Services

As an edge device, FortiWAN provides other functions except the major traffic load balancing and fault tolerance. These optional functions are helpful to manage the network in all the ways.

Firewall

This section introduces how to set up the firewall. Unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom that is rules at the top of the table will be given higher precedence over lower ranked ones. [IPv4 Rules] and [IPv6 Rules] are for configurations of IPv4 and IPv6 respectively.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Firewall service, see “Log” and “Reports: Firewall”.

E Check the box to enable the rule
When Three options available: Busy hour, Idle hour and All-Time (See “Busyhour Settings”).
Source Packets sent from specified source will be matched (See “Using the web UI”).
Destination Packets sent to a specific destination will be matched. This field is the same as the “Source” field, except that packets are matched with specified destination (See “Using the web UI”).
Service The TCP/UDP service type to be matched. Select the matching criteria from publicly known service types (e.g. FTP), or enter the port number in TCP/UDP packets and specify the range.

Type the starting port number plus hyphen “-“ and then the ending port number. e.g.

“TCP@123-234” (See “Using the web UI”).

Action Choose the actions when the rule is matched: Accept: The firewall will let the matched packets pass. Deny: The firewall will drop the matched packets.
L Check to enable logging. Whenever the rule is matched, the system will record the event to the log file.

Default rules

By default, FortiWAN’s firewall enables the following IPv4/IPv6 rules to deny some accesses coming from the Internet, which might cause general security issues:

  1. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTP(80) & Action=Deny
  2. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTPS(443) & Action=Deny
  3. When=All-Time & Source=WAN & Destination=Localhost & Service=SSH(22) & Action=Deny
  4. When=All-Time & Source=WAN & Destination=Localhost & Service=SNMP(61) & Action=Deny

Firewall

  1. When=All-Time & Source=WAN & Destination=Localhost & Service=RIP(520) & Action=Deny
  2. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@139 & Action=Deny
  3. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@445 & Action=Deny
  4. When=All-Time & Source=WAN & Destination=Localhost & Service=TCP@5432 & Action=Deny
  5. When=All-Time & Source=Any Address & Destination=Any Address & Service=Any & Action=Accept

The ninth rule is fixed to be the last rule at the bottom for evaluation. Packets that do not match any other rule will match this rule and be accepted. This rule is unmodifiable. The second rule denies any HTTPS access to FortiWAN’s localhost from the Internet, which means it is unable to access to the Web UI through any WAN port. You can disable this rule or change Action to Accept to allow Web UI accessing throught WAN ports if no security issues are concerned. The sixth, seventh and eighth rules deny any access (coming from the Internet) of NetBIOS, Microsoft-DS Active Directory, Windows shares and Microsoft-DS SMB file sharing, and the Postgre SQL database system that FortiWAN uses for Reports.

Example 1

Rules for Filtering Packets l The users from the internet (WAN) can only access FTP Server 211.21.48.195 through port 21.

  • The users from LAN can access all servers and hosts on the internet (WAN) through port 25 (SMTP), port 80 (HTTP), port 21 (FTP), and port 110 (POP3).
  • All other packets are blocked.

The rules table for the example will look like this:

Firewall

Source Destination Service Action
WAN 211.21.48.195 FTP (21) Accept
WAN DMZ Any Deny
LAN WAN HTTP (80) Accept
LAN WAN SMTP (25) Accept
LAN WAN FTP (21) Accept
LAN WAN POP3 (110) Accept
LAN WAN Any Deny

Example 2

Rules for Filtering Packets l The users from the internet (WAN) can access server 211.21.48.195 inside DMZ through TCP port 7000. l The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot.

 

  • Users from the Internet (WAN) cannot connect to the port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of FortiWAN host machine. l Users from LAN can access FTP server 192.192.10.1 through port 21.
  • Users from the internet cannot ping FortiWAN . Note: To intercept ping messages, users can deny “ICMP” protocol in service type because ping is a type of “ICMP”. l Users from the LAN cannot access DMZ. l Users from the internet (WAN) cannot access LAN and DMZ.

The rules table for the example will look like this:

Source Destination Service Action
WAN 211.21.48.195 TCP@7000 Accept
192.168.0.100-

192.168.0.150

WAN Any Accept
WAN Localhost TCP@443 Deny
LAN 192.192.10.1 FTP (21) Accept
WAN Localhost ICMP Deny
LAN DMZ Any Deny
WAN DMZ Any Deny
WAN LAN Any Deny

See also

l Busyhour Settings l Using the web UI l Reports: Firewall

Establish IPSec VPN with FortiGate

Establish IPSec VPN with FortiGate

FortiWAN supports the IPSec VPN established with a FortiGate unit. However, the deployment of IPSec VPN established between FortiWAN and FortiGate is limited by the Spec. of FortiWAN’s IPSec (See “About FortiWAN IPSec VPN”). For example, IPSec Transport mode, IKE v2, authentication with certificates, IKE phase 1 aggressive mode, NAT traversal, dynamic IP address, and some algorithms are not supported for this deployment. An example for explaining how to set up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate is introduced below:

In this example, the common parameters for establishing IPSec SAs between the two units are as follows:

l Authentication Method: Pre-shared Key l Phase 1 Mode: Main (ID protection) l Dead Peer Detection: disable l Phase 1 Encryption: DES l Phase 1 Authentication: MD5 l Phase 1 DH Group: 5 l Phase 1 Keylife: 1200 Secs l Phase 2 Encryption: DES l Phase 2 Authentication: MD5 l Perfect Forward Secrecy (PFS): enable l Phase 2 DH Group: 5 l Phase 2 Keylife: 120 Secs

Configurations on FortiWAN

To set up the IPSec VPN, configurations of Network Setting, Auto Routing, NAT and IPSec are required on FortiWAN (See “Define routing policies for an IPSec VPN”).

Network Setting

WAN settings

Go to System > Network Setting > WAN Setting, and create a WAN link configuration:

WAN Link 1
WAN Type Routing Mode
WAN Port Port1
IPv4 Localhost IP 10.12.102.42
IPv4 Netmask 255.255.255.0
IPv4 Default Gateway 10.12.102.254

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets

Go to System > Network Setting > LAN Private Subnet, and create a LAN subnet configuration:

IP(s) on Localhost 2.2.2.254
Netmask 255.255.255.0
LAN Port Port3

For the details of LAN private subnet setting, see “LAN Private Subnet”.

Auto Routing

Go to Service > Auto Routing, and create a policy and two IPv4 filters for IKE negotiations and IPSec communication.

Policy
Label IPSec_WAN1 (Any name you desire)
T Enable Threshold or not
Algorithm Fixed
Parameter Only 1 is checked
IPv4 Filter

Two IPv4 filters: one for IKE negotiations, and another for general IPSec communication.

When All-Time   All-Time
Input Port Any Port Any Port (or the LAN port, PortX)
Source Localhost 2.2.2.0/255.255.255.0
Destination 10.12.136.180 1.1.1.0/255.255.255.0
Service Any or IKE(500) Any
Routing Policy IPSec_WAN1 IPSec_WAN1
Fail-Over Policy NO-ACTION NO-ACTION

For the details of Auto Routing, see “Auto Routing”.

NAT

Go to Service > NAT, and create a NAT rule:

When All-Time
Source 2.2.2.0/255.255.255.0
Destination 1.1.1.0/255.255.255.0
Service Any
Translated No NAT

For the details of NAT, see “NAT”.

IPSec

Go to Service > IPSec, and create a Tunnel Mode:

Phase 1
Name IPSec_FGT_P1
Local IP 10.12.102.42
Remote IP 10.12.136.180
Authentication Method Pre-shared Key: 12345
Internet Key Exchange v1
Mode Main (ID protection)
Dead Peer Detection Disable
Proposal  
Encryption DES
Authentication MD5
DH Group 5
Keylife 1200 Secs
Phase 2
Name IPSec_FGT_P2
Proposal  
Encryption DES
Authentication MD5
PFS Group 5
Keylife 120 Secs
Quick Mode  
Source 2.2.2.0/255.255.255.0
Port Any
Destination 1.1.1.0/255.255.255.0
Port Any
Protocol Any

So far, it is complete to set up the IPSec VPN on the FortiWAN side, configurations on the FortiGate side are introduced next. For the details of IPSec parameters, see “IPSec VPN in the Web UI”.

Configurations on FortiGate

To set up the IPSec VPN, configurations of Network, Router and VPN are required on FortiGate. For further information of FortiGate configurations, see FortiOS Handbook on Fortinet document site.

Network

Go to System > Network > Interface. Configure the setting for WAN 1 with IP address 10.12.136.180 on a physical interface.

Interface Name wan1
Type Physical Interface
Addressing mode Manual
IP/Network Mask 10.12.136.180/255.255.255.0

VPN

Go to VPN > IPsec > Tunnels and click Create New.

Name IPSec_to_FWN_P1

Select “Custom VPN Tunnel (No Template)” and click Next to configure the settings as follows: Network

IP Version IPv4
Remote Gateway Static IP Address
IP Address 10.12.102.42
Interface WAN1
Mode Config Disable
NAT Traversal Disable
Dead Peer Detection Disable
Authentication
Method Pre-shared key
Pre-shared key 12345
IKE  
Version V1
Mode Main (ID protection)
Phase 1 Proposal
Encryption DES
Authentication MD5
Diffie-Hellman Group 5
Key Lifetime (seconds) 1200
Local ID Keep it blank
XAUTH
Type Disable
Phase 2 Selectors
Name IPSec_to_FWN_P2
Local Address Subnet: 1.1.1.0/255.255.255.0
Remote Address Subnet: 2.2.2.0/255.255.255.0
Phase 2 Proposal
Encryption DES
Authentication MD5
Enable Replay Detection disable
Enable Perfect Forward Secrecy (PFS) enable
Diffie-Hellman Group 5
Local Port All check
Remote Port All check
Protocol All All check
Autokey keep Alive disable
Auto-negotiate disable
Key Lifetime Seconds
Seconds 120

Router

Go to Router > Static > Static Routes, and click Create New to create two rules for WAN1 and the IPSec tunnel – IPSec_to_FWN_P1:

Destination IP/Mask 0.0.0.0/0.0.0.0 2.2.2.0/255.255.255.0
Device wan1 IPSec_to_FWN_P1
Gateway 10.12.136.254 N/A

 

Firewall

FortiWAN Planning your VPN

Planning your VPN

Building a VPN between sites might involve complex association with sites and confusing configurations. Beginning hastily to configure settings without a comprehensive plan usually causes failure. Making a plan in advance for your VPN topology is a great help to the next VPN configurations. The following considerations help you determine the VPN topology and necessary information for configurations.

The locations of the sites that the site-to-site traffic originates from and needs to be delivered to l Choose the network sites that they need to communicate to each other through the VPN and define what kind of communication it is (what kind of services provided in a network site and what kind of services that users in a network site need to access).

The networks, individual hosts or server frames participating in the VPN communications l A network site consists of hosts, servers, and/or networks (private IP addresses deployment). You need to determine the participating private IP addresses (the source and destination of traffic) and make policies to permit traffic to pass through the VPN.

The VPN devices used to build the VPN

  • A site-to-site VPN (tunnels) between two FortiWAN units, or a FortiWAN unit and a FortiGate unit. The network interfaces that two VPN devices communicate through l For any VPN tunnel between two VPN devices, you need to determine the participating network interface for each end-point. This implies the public IP addresses (local IP and remote IP) used to establish a VPN tunnel through Internet. Note that only static IP addresses are supported.
  • One WAN interface cannot serve for more than one IPSec connectivity between any two FortiWAN devices. You need to take this for consideration when you determine the topology. See “Limitation in the IPSec deployment” for the details.

The VPN device interfaces that a private network accesses the VPN through l The private IP addresses associated with the VPN device interfaces to the private networks. Hosts in the private network behind the VPN device access VPN through these interface. Traffic is forwarded between the VPN tunnels and the private networks on each site. The types used to build the VPN l IPSec protected VPN without bandwidth aggregation and fault tolerance: IPSec Tunnel mode.

  • IPSec protected VPN with bandwidth aggregation and fault tolerance: Tunnel Routing over IPSec Transport mode. l VPN with bandwidth aggregation and fault tolerance: Tunnel Routing (See “Tunnel Routing”).

IPSec VPN in the Web UI

The configurations introduced in this section are based on the deployment of FortiWAN-to-FortiWAN. For the IPSec VPN established between a FortiWAN unit and a FortiGate unit, see “Establish IPSec VPN with FortiGate”. This section focus on the configurations of IPSec protected VPN, IPSec Tunnel mode and Tunnel Routing over IPSec Transport mode. For configurations of Tunnel Routing, see “Tunnel Routing”.

To set up the IPSec VPN between two FortiWAN units, the following steps are necessary for each of the endpoints.

  1. Define IKE Phase 1 parameters for establishment of ISAKMP Security Association with authenticated a remote peer.
  2. Define IKE Phase 2 parameters for establishment of IPSec Security Association with authenticated a remote peer.
  3. Create correspondent policies of NAT, Auto Routing (AR) and Tunnel Routing (TR) to correctly route the packets of IKE negotiations and IPSec VPN communications (will be discussed in next section, see “Define routing policies for an IPSec VPN”).

Configurations of IKE Phase 1

An IPSec VPN tunnel involves the connection of two FortiWAN units. Most of the settings used to establish an IPSec VPN tunnel are required to be corresponding on the both endpoints. Therefore, it is better to collect enough information in preparation for the configurations of an IPSec VPN tunnel.

Here are the items and information that you need to determine for IKE Phase 1 settings:

Defining the remote and local ends of the IPSec VPN tunnel

Basically, this is to specify the public IP addresses for the two ends (a local FortiWAN unit and a remote FortiWAN unit) of the IPSec VPN tunnel. The IPSec VPN tunnel is established through connection of the two public IP addresses. You need to determine the WAN link of a FortiWAN unit to connect with each other for an IPSec VPN tunnel; and the IP addresses deployed on the two WAN ports are actually the two ends (local IP and remote IP) of the IPSec VPN tunnel. FortiWAN’s IPSec VPN does not support dynamic IP addresses; it is only available for the WAN links that are deployed as Routing Mode, Bridge Mode: One Static IP or Bridge Mode: Multiple Static IP (see “Configuring your WAN” for details). For the settings of a IPSec VPN tunnel configured on the two endpoints, the Local IP of a FortiWAN unit becomes the Remote IP of the opposite FortiWAN unit and vice versa. An IPSec VPN tunnel consists of the IKE negotiations (for the security associations, SAs) and the data transmission tunnel; both are established through the two public IP addresses. You also have to give consideration to the limitation that we cannot deploy multiple IPSec connections between any two FortiWANs on the same local or remote IP address. See “Limitation in the IPSec deployment” for details.

A pre-shared key used to authenticate the FortiWAN unit to the remote unit

During the IKE Phase 1 negotiations, a FortiWAN unit need to authenticate itself to the remote unit by a preshared key. The two endpoints of an IPSec VPN tunnel share a common key in advance, so that they can authenticate itself to each other with the common key, like a password. You need to distribute the pre-shared key in a secure way. The pre-shared key configured on the two endpoints of a IPSec VPN tunnel must be equal, or the establishment of IPSec Security Association goes to failure (failed authentication results in failure of IKE Phase 1

and Phase 2.

The modes for parameters exchanging, Main mode and Aggressive mode, used for IKE Phase 1 negotiations

A FortiWAN unit exchange Phase 1 parameters with the remote unit in only Main mode. In Main mode, the Phase 1 parameters are exchanged in six messages with encrypted authentication information. As the previous introductions, Main mode gives securer authentication by a encryption with the negotiated secret key. By comparison, Aggressive mode is weak in authentication since the lack of encryption. However, with the simplified exchanging process, Aggressive mode is faster than Main mode indeed. Security and efficiency are the considerations you need to evaluate for IKE Phase 1 negotiations. Once it is determined, both the two endpoints must be configured with the same mode.

Enable Dead Peer Detection (DPD) or not

The connectivity between two endpoints communicating through IPSec may goes down unexpectedly due to routing problems, hardware broken, host rebooting, etc. In the situation, however, the IPSec entities are not aware of the loss of peer connectivity (availability of peer), and the security associations (SAs) of each peer remains. Packets of communication will continue being sent to oblivion, and reestablishment goes to failure. Dead Peer Detection (DPD) is such a method, by sending periodic HELLO/ACK messages, to confirm the availability of an IPSec endpoint, recognize a disconnection, reclaim the lost resources (SAs) and reestablish IKE negotiations automatically. When a disconnection is detected, the active ISAKMP SA and the correspondent IPSec SAs are removed and renegotiated immediately whether the secret keys expire or not.FortiWAN’s IPSec DPD is performed in the Always Send mode, which the detection messages are sent at configured intervals regardless of traffic activity between the peers (some products probe for a idle tunnel before sending DPD detection messages, but FortiWAN does not). Related SAs would be removed once a disconnection is recognized by FortiWAN’s IPSec DPD, but FortiWAN would not automatically perform the reestablishment (new establishment of the SAs is triggered only if an outgoing packets of the IPSec communication arrive at the FortiWAN unit).

FortiWAN IPSec set up

IPSec set up

After basic concept of IPSec introduced previously, this section focus on the introduction of FortiWAN’s IPSec and the configurations to set up FortiWAN’s IPSec. FortiWAN provides a complete VPN solution through the cooperation of Tunnel Routing and IPSec. FortiWAN’s Tunnel Routing is used to build a site-to-site VPN with bandwidth aggregation and fault tolerance over multiple WAN links. Moreover, with FortiWAN’s IPSec protection, Tunnel Routing delivers packets over secure channels.

About FortiWAN IPSec VPN

Specifications of FortiWAN’s IPsec VPN

Since FortiWAN’s IPSec is designed for applications of site-to-site VPN, it is functionally-limited comparing with standard IPSec protocol suite. However, FortiWAN’s IPsec still provides basic protections for tunneling communications. The specifications is listed as following:

IKE Support IKE v1 and IKE v2

(A specific procedure is required to switch the version, see IKE Phase 1 Web UI fields – Internet Key Exchange)

Authentication method   Support pre-shared key only
IKE Phase 1 modes   Support Main mode only
Encryption algorithm   DES, 3DES, AES128, AES192, AES256
Authentication algorithm   MD5, SHA1, SHA256, SHA384, SHA512
DH group   1 (modp768), 2 (modp1024), 5 (modp1536), 14 (modp2048)
Transmission mode   Tunnel mode and limited Transport mode. Transport mode is only available for Tunnel Routing.
Security protocol   Support Encapsulating Security Payload (ESP) only
NAT traversal   Not Support
DPD   Support
PFS   Support
IP deployment   Support static IPv4 only, the supported WAN link types (See Configuring your WAN):
  l Routing mode
  l Bridge Mode: One Static IP
  l Bridge Mode: Multiple Static IP
IPv6   Not Support
Peer device   Support FortiWAN/FortiGate
Fail over   Not Support (Both IPSec Tunnel mode and Transport mode themselves have no ability to do fail over, only Tunnel Routing over IPSec Transport mode supports fail over)

Tunnel mode, Transport mode and Tunnel Routing

FortiWAN provides standard Tunnel mode to build IPSec VPN as the previous descriptions. By encapsulating the encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can be delivered to the private networks deployed behind the two units through Internet (the public and untrusted network). This is what called IPsec VPN typically. Compare with FortiWAN’s Tunnel Routing, IPSec Tunnel mode can also establish multiple tunnels through different WAN ports (WAN interfaces) between two FortiWAN units, but bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission. It is unable to distribute the IPSec packets of a connection or the connections of a specified group over multiple IPSec tunnels; they are delivered through one of the tunnels fixedly.

Although FortiWAN’s Tunnel Routing (See “Tunnel Routing”) is the technology to distribute packets of one tunneling connection over multiple tunnels (bandwidth aggregation and fault tolerance are so that supported), it does not provide strict protection to the tunneling communications (the encryption function built-in Tunnel Routing is very simple and low security). For this reason, the major purpose of FortiWAN’s IPSec Transport mode is to provide Tunnel Routing transmissions an IPSec protection. Actually, the FortiWAN’s IPSec Transport mode is designed for Tunnel Routing only; an Transport mode IPSec SA can not be applied to the traffic except Tunnel Routing. By establishing an IPSec SA on every TR tunnel, Tunnel Routing’s GRE packets will be encrypted (ESP encapsulated) and be transferred through the specified interface (according to the specified TR algorithm) in IPSec Transport mode (the original routing of the GRE packet remains intact as the previous description). The ESP packets are decrypted on the opposite FortiWAN unit to recover the original GRE packets, and the subsequence is the normal Tunnel Routing processes, packet decapsulation, reassembly and forwarding (to the hosts behind the FortiWAN). The way for IPSec Transport mode to protect Tunnel Routing transmission is very flexible. For every TR tunnel of a tunnel group, it is your options to establish a IPSec SA protecting the TR tunnel or not. Tunnel Routing works normally under full and partial IPSec protection (full protection: each TR tunnel of a tunnel group is protected by a IPSec SA; partial protection: parts of the TR tunnels of a tunnel group are protected by IPSec SAs).

In conclusion, FortiWAN provides three methods to build a VPN network, which are Tunnel Routing, IPSec Tunnel mode and Tunnel Routing over IPSec Transport mode. Note that Tunnel Routing can not support dynamic IP and NAT pass-through (one of the features of Tunnel Routing, see “Dynamic IP addresses and NAT pass through” in “Tunnel Routing > How the Tunnel Routing Works”), if it is protected by IPSec.

Type IPSec protection Tunneling Bandwidth

Aggregation &

Fault Tolerance

Peer device
IPSec Tunnel mode Yes Yes No Peer can be a

FortiWAN or a

FortiGate

Tunnel Routing No Yes Yes Peer must be a FortiWAN
Tunnel Routing over IPSec Transport mode Yes Yes Yes Peer must be a FortiWAN

Limitation in the IPSec deployment

FortiWAN IPsec has an intrinsic limitation in establishing ISAKMP Security Associations. For the establishment of ISAKMP SA between any two devices, one IP address of a WAN link of a FortiWAN device is restricted to participate in only one ISAKMP SA. The mapping of WAN link IP addresses for establishing ISAKMP SAs between any two devices must be one-to-one. The negotiations of ISAKMP SAs go to failure (the subsequent negotiations of IPSec SAs abort so that) if those Phase 1 configurations on any two FortiWAN devices contain a common WAN link IP address, no matter on the local side or remote side. The following diagrams give the clear explanation of this in details.

In the example above, the WAN link IP address mapping of ISAKMP SA 1 between FortWAN 1 and FortiWAN 2 is typical and correct. Both the WAN link IP addresses, 2.2.2.2 and 4.4.4.4, participate in only one ISAKMP SA, the ISAKMP SA 1. As for WAN link 3 on FortiWAN 2, its IP address 3.3.3.3 participates in ISAKMP SA 2 and ISAKMP SA 3 (more than one ISAKMP SA), which causes failure to establish ISAKMP SA 2 and ISAKMP SA 3. IPSec connections thus can not be established.

The above example indicates a valid IPSec deployment. The mapping of WAN link IP address for all the ISAKMP SAs between the two devices are in one-to-one relationship:

  • ISAKMP SA 1: 2.2.2.2 – 4.4.4.4 l ISAKMP SA 2: 3.3.3.3 – 5.5.5.5 l ISAKMP SA 3: 1.1.1.1 – 6.6.6.6

The above diagram is anther example of valid IPSec deployment. There are three IPs deployed on FortiWAN 2’s WAN link 2 (See “Configuring your WAN”), and each IP address participates in only one ISAKMP SA.

  • ISAKMP SA 1: 2.2.2.1 – 4.4.4.4 l ISAKMP SA 2: 2.2.2.2 – 5.5.5.5 l ISAKMP SA 3: 2.2.2.3 – 6.6.6.6

Considering the IPSec deployment among more than two FortiWAN devices as the above example.

ISAKMP SA State Reason
ISAKMP SA 1 established For the two FortiWAN devices (FortiWAN1 and FortiWAN 2), the two WAN link IP addresses, 3.3.3.3 and 5.5.5.5, participate in only ISAKMP SA 1. Although 3.3.3.3 also participates in ISAKMP SA 2, it takes no influence on ISAKMP SA 1 since it is the thing about another device, FortiWAN 3. The deployment limitation is about any two devices, others can be ignored.
ISAKMP SA 2 established For the two FortiWAN devices (FortiWAN 2 and FortiWAN 3), the two WAN link IP addresses, 3.3.3.3 and 8.8.8.8, participate in only ISAKMP SA 2.
ISAKMP SA 3 failed For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the WAN link IP addresses 6.6.6.6 participates in not only ISAKMP SA 3 but also ISAKMP SA 4.
ISAKMP SA 4 failed For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the WAN link IP addresses 6.6.6.6 participates in not only ISAKMP SA 3 but also ISAKMP SA 4.
ISAKMP SA 5 established For the two FortiWAN devices (FortiWAN 2 and FortiWAN 3), thetwo WAN link IP addresses, 2.2.2.2 and 9.9.9.9, participate in only ISAKMP SA 5. Although 2.2.2.2 also participates in ISAKMP SA 4, it takes no influence on ISAKMP SA 5 since it is the thing about another device, FortiWAN 1. The deployment limitation is about any two devices, others can be ignored.

Between any two FortiWANs, we cannot terminate traffic through multiple IPSec connections on the same local or remote IP address. This limitation exists in both of the IPSec types: IPSec Tunnel mode and IPSec Transport mode, so that Tunnel Routing over IPSec Transport mode is involved indirectly. You have to give careful consideration to the issue when planing how to deploy the IPSec VPN (and Tunnel Routing) between multiple FortiWANs.

FortiWAN – How IPSec VPN Works

How IPSec VPN Works

So far we have a overview of IPSec concept and how the Security Associations are established. Before a further discussion, here is the IPSec VPN’s operation broken down into five main steps:

  1. The initial packet matching correspondent IPSec VPN policies and attempting to pass through the IPSec VPN gateway triggers the IKE processes to establish Security Associations.
  2. During IKE Phase 1, IKE proposals are negotiated, secret keys are shared and the two IPSec endpoints are authenticated. The ISAKMP SA is established for IKE Phase 2.
  3. IKE Phase 2 negotiates new parameters and calculates new secret keys. The IPSec SA is established for VPN communications.
  4. Communications over the two IPSec VPN gateways are protected according on the security parameters and keys stored in Security Association database. Data packets are encapsulated with ESP header and new IP header,and transferred over the IPSec VPN tunnel.
  5. IPSec SAs terminate by timing out.

 

Modes of IPSec VPN data transmission

IPSec transfers the encrypted or authenticated IP packets (ESP or AH encapsulated packets) in a host-to-host transport mode, as well as in a tunneling mode. Packet exchanges during IKE Phase 1 and Phase 2 are nothing about the two modes.

Tunnel mode

IPSec Tunnel mode is commonly used for site-to-site communications by tunneling through incompatible networks. For example, it delivers protected communications between two private networks through Internet, which is a typical IPSec VPN. In IPSec tunnel mode, the original IP packet is entirely encrypted (not only the payload data but also the routing information are encrypted), and is encapsulated with a new IP header. With the new IP header encapsulation and decapsulation, two incompatible networks deliver encrypted packets to each other by tunneling through Internet.

Transport mode

IPSec Transport mode is used for communications between two end-stations (host-to-host). An end-station can be a IPSec gateway or just a host running IPSec server/client. Both are actually the destination to each other while communicating. The basic concept of IPsec Transport mode is that the original IP header is intact; the routing is neither modified nor encrypted. Transport mode only provides protection of the payload of the original IP packet by encryption. The two endpoints are supposed to be accessible to each other originally. Usually, Transport mode is applied to other tunneling protocols to provide protection of GRE/L2TP encapsulated IP data packets ( GRE/L2TP transmission over IPSec protection). FortiWAN IPSec Transport mode is only available for Tunnel Routing.

FortiWAN – IPSec VPN overview

IPSec VPN overview

VPN Tunnels

Tunneling is a technique to perform data transmission for a foreign protocol over a incompatible network; such as running IPv6 over IPv4, and the transmission of data for use within a private, corporate network through a public network. Tunneling is done by encapsulating and decapsulating data and information of the particular protocol within the incompatible transmission units symmetrically. IPSec protocol sets define the processes, which is the Tunnel Mode we will introduce later (See Modes of IPSec VPN data transmission), to deliver encryption protected data between incompatible networks by tunneling through an intermediate network. IPSec offers another option to deliver protected data end-to-end without tunneling, which is called Transport Mode (See Modes of IPSec VPN data transmission). It provides the flexibility to integrate other tunneling protocols with IPSec to establish a VPN network.

Secure data transmission

IPSec employs encryption and authentication of data packets for VPN transmission to ensures that any third-party from public network who intercepts the packets can not access the data and impersonate each endpoint. It protects the communications between two endpoints against malicious attacks from intermediate, untrusted network, so that privacy and authenticity are guaranteed to the communications. However, it is concerned that how the two endpoints securely share the encryption and authentication methods, and the correspondent secret key without compromising them to others. This is the major object that IPSec functions for. Once these security parameters are shared securely between the two entities, which is called a establishment of Security Association (See IPSec key exchange), the privacy and authentication of data transmission are guaranteed.

Basic IPSec VPN scenario

To connect two incompatible networks within an IPSec VPN network over an intermediate network, an IPSec VPN device is required to be deployed in front of each the network. The IPSec VPN devices (the FortiWAN units) establish an IPSec VPN tunnel with each other. Each of the IPSec VPN devices performs the processes to encrypt and encapsulate, or decapsulate and decrypt the incoming packets (from the network behind it or the opposite IPSec VPN device), and then forwards the packets to the destination (the opposite IPSec VPN device or the network behind it). The two incompatible networks, therefore, have the secure access to each other through the two IPSec VPN devices (the IPSec VPN tunnel established between the two devices). A host in the network communicates with a opposite host (in the opposite network) without running any IPSec VPN software; what they do is like performing a communication in the same network as usual. All the processes and details for a IPSec VPN communication are taken by the two IPSec VPN devices; hosts are not aware of this. The IPSec VPN devices are so-called IPSec VPN gateways, and this is the typical site-to-site VPN.

VPN tunnel between two private networks

The above diagram shows an IPSec VPN connection between two private networks, which two FortiWAN units (two endpoints of the VPN tunnel) functions as the IPSec VPN gateways for. The IPSec VPN tunnel is established through public IP addresses (for example 1.1.1.1 and 2.2.2.2) of FortiWAN’s WAN interfaces. FortiWAN A receives packets from site A network (192.168.1.0/24) with source IP 192.168.1.10 and destination IP 192.168.2.10 (site B network), and then performs:

  • encrypt packets with shared security parameters (algorithms and secret keys) l encapsulate packets with a new IP header that source IP is 1.1.1.1 and destination IP is 2.2.2.2. l forward packets to the site B network (FortiWAN B) FortiWAN B receives the packets and performs:
  • recover the encrypted packets by decapsulation l recover the original data and IP header by decryption l forward packets to host 192.168.2.10

Processes for traffic in the opposite direction are the same. From the standpoint of FortiWAN A, FortiWAN A is local unit and FortiWAN B is the remote unit, vice versa.

IPSec key exchange

After the basic concept of IPSec VPN introduced above, here comes the details of IPSec’s key exchange processes which is the major part to configure an IPSec VPN. As the previous discussion, IPSec performs data encryption and authentication for the VPN communications. The way to securely distribute a common secret key to each endpoint is essential to make the secure data transmission complete. After all, a encrypted data is no longer secure if its secret key is not safe or compromised. Before we take look into IPSec’s key exchange, a basic concept of encryption and authentication is introduced first.

Encryption

Encryption mathematically transforms data to meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to recover the original plaintext from the ciphertext. The process by which the plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of converted plaintext to ciphertext, or vice-versa. IPSec uses symmetrical algorithms, which the same key is used for both encrypt and decrypt the data. The length of the key is one of the factors determining the security of an encryption algorithm. FortiWAN IPsec VPNs offer the following encryption algorithms, in descending order of security:

AES256 A 128-bit block algorithm that uses a 256-bit key.
AES192 A 128-bit block algorithm that uses a 192-bit key.
AES128 A 128-bit block algorithm that uses a 128-bit key.
3DES Triple-DES, in which plain text is DES-encrypted three times by three keys.
DES Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

Authentication

In Information Security (or Cryptography), Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In authentication, one has to prove its identity to the remote one, and the identity will be verified by the remote one. A typical providing proof can be a certificate or username and password. In cryptography, a message authentication code (MAC) is a short piece of information used to authenticate a message—in other words, to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message’s origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message’s data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. FortiWAN IPsec VPNs offer the following MAC algorithms, in descending order of security:

hmac-sha512 A SHA512-based MAC algorithm with 512-bit hash output.
hmac-sha384 A SHA384-based MAC algorithm with 384-bit hash output.
hmac-sha256 A SHA256-based MAC algorithm with 256-bit hash output.
hmac-sha1 A SHA1-based MAC algorithm with 160-bit hash output.
hmac-md5 A MD5-based MAC algorithm with 128-bit hash output.

Security Association

To support secure communications (data encryption and authentication) between two VPN gateways, the common security attributes must be shared in advance, which are the cryptographic and authentication algorithms, encryption secret key and other necessary parameters. A common set of the security attributes maintained by two IPSec VPN gateways for an IPSec VPN tunnel is what called Security Association (SA), which is used to provide a secure channel and protect the communications between the two site networks. Each of the two IPSec VPN gateways encrypts/decrypts data according to the established Security Association. The process to establish a Security Association involves sharing and negotiation of the security attributes.

IKE key exchange

Internet Key Exchange (IKE) is the protocol used to establish a Security Association (SA), which is included in the IPSec protocol suite. The purposes of IKE are to l Negotiate an encrypt algorithm and an authentication algorithm l Generate a shared secret key to encrypt/decrypt IPSec VPN communications (data transmission).

Both are used by IPSec VPN to provide secure communications between two endpoints.

IKE consists of two phases, Phase 1 and Phase 2. The purpose of IKE Phase 1 is to establish a secure and authenticated channel, which is actually a Security Association (called ISAKMP SA as well), between two entities for further IKE Phase 2 negotiations. With the protection of ISAKMP SA, Phase 2 will then be performed to establish the final Security Association (called IPSec SA as well) used to protect the VPN communications (data transmission) between two sites. In other words, before users’ VPN communication starts (data packet being transferred to each other), the corresponding IKE Phase 1 and Phase 2 must be done to establish the SAs between the two VPN gateways. With the established SA between two VPN gateways, privacy and authenticity are so that guaranteed to the VPN communications (by encryption and authentication). Basically, IKE Phase 1 authenticates a remote peer and sets up a secure channel for going forward Phase 2 negotiations to establish the IPSec SA.

IKE Phase 1

Before we talk about the details of IKE Phase 1, let us have an overview on Phase 1’s Identity Verification (Authentication). The endpoint who begins the IKE Phase1 negotiation makes a declaration of who it is to the opposite endpoint, and the opposite endpoint verifies the identity. FortiWAN’s IPSec employs a pre-shared key to achieve the identity verification. The pre-shared key is a common key (similar to a password) pre-shared between the two entities who join in the Phase 1 negotiations. This pre-shared key is used for verification of the declared identity in a cryptographic system (MAC calculation of the identity). This mechanism is on the premise that the pre-shared key is never compromised to the third-party. Although it looks like a password, the pre-shared key, also known as a shared secret, is never sent by either endpoint during the processes of authentication. Actually, the pre-shared key is involved in the calculations of encryption keys, which is actually used for the authentication, at each endpoint.Unmatched pre-shared keys result in unmatched encryption keys, and indirectly cause the authentication in IKE Phase 1 failed.

Now back to the IKE Phase 1. Phase 1 achieves the following objectives to establish ISAKMP Security Association:

IKE Proposals negotiation

An IKE proposal is a set of necessary parameters for negotiations to establish a Security Association. The negotiation initiator offers opposite endpoint the proposals of the suggested encryption and authentication algorithms, the time-period that keys should remain active, and the strength of the keys used in Diffie-Hellman key exchange process. The opposite endpoint chooses an appropriate proposal and responds it to the initiator, so that the algorithms and other parameters used to protect data transmission between two endpoints are determined.

Generate the secret key for encryption

A secret key is necessary for the established ISAKMP Security Association to work with the determined encryption and authentication protocols. Therefore, except the negotiations of IKE proposals, a secret key must be determined and shared between the two entities during IKE Phase 1 negotiations. However, it is insecure to send a secret key directly to the opposite endpoint over the public network (no SA protection is offered during Phase 1 negotiations). Diffie-Hellman key exchange, which is a method used to securely exchange cryptographic keys over a public channel, is introduced to IKE to generate the secret key. The two entities running a Diffie-Hellman key exchange will start by exchanging key materials, which are public to third-party, via the public network. With the key materials, calculation of Diffie-Hellman key exchange performed on each of the endpoints derives a common value, which is a seed to generate the secret key we need. With the private and common seed, the two endpoints further calculate the common secret key, and so that the secret key is securely shared. Actually, the pre-shared key used for identity authentication is involved in the final calculations generating the secret key.

Authentication
Identity protection

The two endpoints running the Phase 1 processes declare its identity to each other. A pre-shared key between the two entities is used to verify the declared identity and thus prevent malicious attacks from counterfeit identity. With cryptographic method and the pre-shared key, one can prove its identity to the opposite end. Although it looks like a password, the pre-shared key, also known as a shared secret, is never sent by either gateway. Actually, it is involved in the generation of encryption secret key.

Message integrity

A message authentication code (MAC) not only verifies identity but also provides integrity and authenticity assurances on the exchanged messages. The MAC value protects both a message’s data integrity as well as its authenticity against man-in-the-middle attacks or tampering.

Main mode and Aggressive mode

Phase 1 parameters are exchanged in either Main mode or Aggressive mode:

In Main mode, the processes of IKE Phase 1 consists of six message exchanges. An IKE Phase 1 session begins with IKE proposals negotiations between initiator and responder (as the previous description). In the next two message exchanges, the necessary keying materials are exchanged to calculate the common secret key at both ends. For the last two exchanges, encrypted authentication information is exchanged to verify the identity and message integrity on each end.

In Aggressive mode, the processes of IKE Phase 1 is squeezed into three message exchanges. All data required for IKE proposal negotiation and Diffie-Hellman key exchange passed by the initiator and responder in the first two message exchanges. Unencrypted authentication information for sessions passed in the second and third message exchanges. Comparing with main mode, aggressive mode might not be such secure (weak identity protection and risk of pre-shared key crack), the advantage to aggressive mode is that it is faster than Main mode however. FortiWAN’s IPSec, however, does not support IKE Phase 1 in Aggressive mode, only Main mode is available.

The successful outcome of Phase 1 negotiations (either aggressive mode or main mode) establishes the ISAKMP Security Association, and the Phase 2 negotiation begins immediately. Phase 2 negotiations will be protected (encryption) within the ISAKMP Security Association.

IKE Phase 2

Under the protection of ISAKMP Security Association, IKE Phase 2 performs parameters negotiations to establish the IPsec Security Association which protects the subsequent IPSec VPN communications. IKE Phase 2 is processed in one mode called Quick Mode (New Group Mode is not supported by FortiWAN). Similar to Phase 1, in IKE Phase 2, another proposal of encryption and authentication algorithms is negotiated, shared secret keys are derived, and the negotiation sessions are authenticated. The negotiated encryption and authentication algorithms, derived secret keys and other necessary parameters, which are the successful outcome of IKE Phase 2, constitute the IPSec Security Association. So that the security association between two IPSec VPN gateways is established, and the VPN communications are so that protected.

Perfect Forward Secrecy, PFS

Perfect Forward Secrecy is a property of communication security that past session keys can not be compromised by the compromise of long-term keys if a session key is associated to the long-term key in some way. Actually, the shared secret key we introduced in IKE Phase 2 is derived by calculation with the secret key derived in IKE Phase 1 and some insecure (is public to any third-party) parameters (a Diffie-Hellman exchange is not involved in the calculation), if PFS is not enabled for IKE Phase 2. Once the secret key of IKE Phase 1 is compromised to an attacker, all the secret session keys derived in IKE Phase 2 might become compromised. With enabling PFS, the calculation of secret keys involves a new Diffie-Hellman exchange. The private key material of Diffie-Hellman exchange protects the session secret keys of IKE Phase 2 from the compromise of IKE Phase 1’s keys. However, system performance might be concerned if Diffie-Hellman exchange is performed twice (Phase 1 and Phase 2 individually) for a establishment of IPsec Security Association.

FortiWAN IPSec

IPSec

FortiWAN’s IPSec VPN is based on the standard two-phase Internet Key Exchange (IKE) protocol, and two communication modes: tunnel mode and transport mode. IPSec is one of the popular standards for establishing a site-to-site VPN network. It contains the tunneling technology and strict security mechanisms. Different from the tunneling of IPSec VPN, FortiWAN’s Tunnel Routing has the advantages of bandwidth aggregation and fault tolerance. By integrating IPSec and Tunnel Routing, FortiWAN is fit for the requirement that an IPSec VPN with ability of bandwidth aggregation and fault tolerance.

We start the topic with IPSec VPN Concepts, which includes the descriptions of IPSec VPN overview, IPSec key exchange and How IPSec VPN works. The next topic describes how to set up FortiWAN IPSec VPN, see IPSec set up. IPSec VPN installation is divided into the stages as follows:

  • The specifications of FortiWAN IPSec, see About FortiWAN IPSec VPN.
  • Concern of planning a VPN deployment, see Planning your VPN. l Operations and configurations on Web UI, see IPSec VPN in the Web UI. l Necessary routing policies for the VPN (with scenarios), see Define routing policies for an IPSec VPN. l Basic setting for establishing IPSec VPN with FortiGate, see Establish IPSec VPN with FortiGate.

If you already have Tunnel Routing running and desire IPSec protection (IPSec Transport mode) on it, you could refer to the descriptions in IPSec VPN in the Web UI and the examples in Define routing policies for an IPSec VPN directly.

IPSec VPN Concepts

As we know, a private network (deployment of private IP addresses) is invisible, closed to public network (usually the Internet). Two private networks in geographically different location can not directly access each other through Internet. Virtual Private Network (VPN) is a concept that connects local and remote private networks over Internet to logically become one private network. An user in a local private network is capable to have accesses to resource in remote private network in a secure way through Internet, such as the access to remote private network of the headquarters office from (branch) local private network. Users of the two private networks access to each other without being aware of the VPN transmissions, just like they are physically in the same network.

The VPN concept implies two critical elements, a tunnel connecting two private networks over an intermediate network and a secure way transferring data through the tunnel (over an untrusted network), which make the virtual private network matches the properties of a physical private network, accesses among private IP address and invisibility to public network (data privacy). IPSec is just the technology designed to implement the two properties of VPN concept. A VPN network established by IPSec can be called IPSec VPN. It not only gives the tunneling implementation for connectivity of two incompatible networks, but also put emphasis on the strict security definitions.