Module 15
Review
In the 201 course, the IPSec module covered:
IPSec protocol basics
Interface-based VPN
Policy-based VPN
Overlapping subnets
Site-to-site deployment
VPN configuration
Log messages
Module Objectives
By the end of this module participants will be able to:
Configure dialup VPN access
IPSec Review
Suite of protocols for securing IP communications by authenticating
and/or encrypting packets:
Internet Key Exchange (IKE): negotiates the Security Associations and the keys
Encapsulating Security Payload (ESP)
IP protocol number 50
Provides confidentiality (encryption), data integrity and data-origin authentication
IKE Review
UDP port 500 (and UDP port 4500 when NAT-T is used)
Based on the Internet Security Association and Key Management
Protocol (ISAKMP)
Protocol for the establishment of Security Associations (SAs)
A Security Association (SA) is a bundle of algorithms and parameters
for processing the secured packets from one node to another:
One IPSec SA is required per each traffic direction
So, if there are 4 IPSec tunnels, there are 8 IPSec SAs
IKE phases:
Phase 1 authenticates the peers and establishes the IKE SA that protects the
phase 2 negotiations: one phase 1 per VPN tunnel
Phase 2 negotiates the IPSec SAs that carry the user traffic: one or more
phase 2s per phase 1 (for example, one per pair of protected subnets)
Diffie-Hellman
The Diffie-Hellman protocol is a key-agreement protocol that allows a
pair of peers to communicate over an insecure channel and
independently calculate the same shared secret, exchanging only public
values (an eavesdropper who sees both public values cannot derive the secret)
The shared secret is then used to derive the keys for the symmetric
encryption algorithms (such as 3DES, AES) and for symmetric
authentication (HMACs)
With Perfect Forward Secrecy (PFS) a new Diffie-Hellman exchange is run
each time the phase 2 session key expires, so the new keys are not derived
from the phase 1 secret and the compromise of one session key does not
expose the keys of earlier or later sessions
Main mode
Figure: main mode exchange between Initiator and Responder
As the first packet coming from the Initiator does not include its peer ID,
the responder can only identify the peer by its source IP address
Because the IP address of a dial-up peer might change, when main mode is
used there cannot be more than one dial-up VPN in the responder configuration
Aggressive mode
Figure: aggressive mode exchange between Initiator and Responder
The peer can be identified using a wider range of identifiers, not only the
source IP address but also the peer ID
So, there can be more than one dial-up VPN
The responder uses the peer ID included in the Initiator's first packet to
identify the peer and apply the right VPN configuration
Caveat: with pre-shared keys, aggressive mode exchanges the identities and the
authentication hash before the channel is encrypted, so a captured exchange
allows an offline dictionary attack on the PSK; use long random PSKs (or
certificates) for aggressive-mode dial-up peers
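The following configuration is an added example written for this page; it is not code from the course slides or from Fortinet. It shows how the peer ID selects the right dial-up VPN on the responder: the headquarters FortiGate has two dynamic (dial-up) phase 1s on the same interface, each bound to a different peer ID and its own pre-shared key, and a branch initiator that sends its ID in the first aggressive-mode packet. NAT traversal and keepalives are enabled because dial-up peers are usually behind NAT. All names, addresses and the PSK placeholders are assumptions; the syntax is the FortiOS `phase1-interface` / `phase2-interface` CLI.

```fortios
# Headquarters FortiGate (responder). Added example; names and addresses are assumptions.
# Two dial-up phase 1s on wan1. With "set mode main" the responder could not tell
# them apart (it would only see a changing source IP); with aggressive mode the
# peer ID sent in the first packet selects the entry and therefore the PSK.
config vpn ipsec phase1-interface
    edit "dialup-branch-a"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch-a"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set psksecret <psk-for-branch-a>
    next
    edit "dialup-branch-b"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch-b"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set psksecret <psk-for-branch-b>
    next
end
config vpn ipsec phase2-interface
    edit "dialup-branch-a-p2"
        set phase1name "dialup-branch-a"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
    edit "dialup-branch-b-p2"
        set phase1name "dialup-branch-b"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# Branch A FortiGate (initiator): a static peer pointing at the HQ public address,
# sending local ID "branch-a" so HQ applies the "dialup-branch-a" configuration.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set mode aggressive
        set localid "branch-a"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set psksecret <psk-for-branch-a>
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end
```

Each dial-up entry has its own PSK: because the peer ID is what selects the entry, a shared PSK across entries would let any peer that knows it present any ID. The `nattraversal` and `keepalive` settings cover the NAT-T behaviour described further on: when a NAT device is detected, phase 1 moves to UDP 4500 and the keepalive stops the NAT mapping from timing out while the tunnel is idle. Firewall policies and static routes for the tunnel interfaces still have to be added separately.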
Phase 2 selectors (which traffic is allowed into the tunnel) support:
Destination and source IP addresses
Protocol number, and source and destination ports
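As an added example for the PFS and selector settings above (not code from the course slides or from Fortinet), the two phase 2 definitions below sit side by side on one FortiGate: a weak one with PFS disabled, a 3DES/SHA1 proposal and a catch-all selector, and a hardened one with PFS on DH group 14, AES-256/SHA-256 and selectors narrowed to the subnets, protocol and destination port that actually need the tunnel. The phase 1 name `hq-branch`, the interface, the gateway address and the subnets are assumptions.

```fortios
# Added example; names, addresses and subnets are assumptions.
config vpn ipsec phase1-interface
    edit "hq-branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk>
    next
end
config vpn ipsec phase2-interface
    # Weak: PFS disabled, so every rekey reuses keying material derived from the
    # phase 1 DH secret; 3DES/SHA1; the catch-all selector admits any traffic.
    edit "hq-branch-p2-weak"
        set phase1name "hq-branch"
        set proposal 3des-sha1
        set pfs disable
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    # Hardened: PFS with DH group 14 forces a fresh DH exchange at every phase 2
    # rekey (here every hour); AES-256/SHA-256; the selector only matches TCP
    # (protocol 6) to port 1433 between the two subnets.
    edit "hq-branch-p2"
        set phase1name "hq-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
        set protocol 6
        set dst-port 1433
    next
end
```

The two entries are shown together only for comparison; deploy the hardened one. Selectors are negotiated, so the remote peer must offer a matching (or narrower) selector and the same PFS group, otherwise the phase 2 negotiation fails even though phase 1 succeeds.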
NAT Traversal (NAT-T)
During phase 1, NAT-T detects whether any device along the path is doing NAT
(each peer sends a hash of its address and port; a mismatch reveals the NAT)
If that is the case, the phase 1 negotiation changes from using UDP
port 500 to UDP port 4500:
All subsequent packets (including phase 2s and the encrypted user data) are
transmitted over UDP port 4500 (UDP-encapsulated ESP) instead of plain ESP,
since a NAT device cannot translate raw ESP, which has no ports
If that is not the case, the phase 1 and phase 2s keep using UDP port
500 and the encrypted user data is sent using ESP
Dialup (point-to-multipoint)
The remote peer's IP address is not fixed and it has no dynamic DNS name
that the gateway could resolve, so the gateway cannot initiate: the remote
peer always initiates and the gateway accepts connections from any address
VPN Topologies
Point-to-point (covered in the 201 course)
Dial-Up (point-to-multipoint)
Hub-and-Spoke *
Full Mesh *
Partial Mesh *
* These 3 topologies are built by combining point-to-point and/or dial-up VPNs
Figure: Dialup VPN (Headquarters gateway accepting a dialup connection from a Mobile User)
Figure: Hub-and-Spoke (Headquarters hub connected to several Branch office spokes)
Figure: Full Mesh and Partial Mesh (branch offices connected to each other directly)
Hub-and-Spoke
Easy to maintain (adding a spoke adds one tunnel at the hub)
Bandwidth requirements at the central hub (all spoke-to-spoke traffic transits the hub)
Single point of failure
Full/Partial Mesh
More VPN tunnels (more resources): a full mesh of n sites needs n(n-1)/2 tunnels,
in exchange for direct paths between sites
Aggressive mode
It creates a phase 2
It does not add the required firewall policies and routing
Redundant VPNs
Only fully supported by interface-based VPNs
If the primary VPN connection fails, the FortiGate units re-route the
traffic through the backup VPN: each tunnel interface has its own static
route to the remote network, the backup route with a higher administrative
distance, and when the primary tunnel goes down (the peer is detected as dead)
its route is withdrawn and the backup route takes over
Partially redundant: Only one peer has redundant connections
Figure: Partially redundant VPN (one peer with WAN1 and WAN2, the other with a single WAN1; Headquarter and Branch office)
Figure: Fully redundant VPN (Headquarter and Branch office each with WAN1 and WAN2)
Figure: Backup VPN routing at the Headquarter (primary VPN route Distance=5, backup VPN route Distance=10)
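The following branch-side configuration is an added example, not code from the course slides or from Fortinet, for the partially redundant case in the figures above: the branch has a single WAN link, the headquarters has two public addresses, and two interface-based tunnels are built to them. The static route over the primary tunnel has distance 5 and the one over the backup tunnel distance 10, matching the figure, and dead peer detection brings a tunnel interface down when its peer stops answering. Interface names, addresses, the remote subnet and the `set dpd on-idle` form (FortiOS 6.x and later; older releases use `set dpd enable`) are assumptions.

```fortios
# Branch FortiGate. Added example; names, addresses and subnets are assumptions.
# Two tunnels to the HQ addresses; DPD (3 probes, 5 s apart) marks a dead peer
# so the tunnel interface, and with it the static route, goes down.
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <psk-primary>
    next
    edit "vpn-backup"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <psk-backup>
    next
end
# auto-negotiate keeps both phase 2s established, so the backup is already up
# when the primary fails instead of waiting for traffic to trigger it.
config vpn ipsec phase2-interface
    edit "vpn-primary-p2"
        set phase1name "vpn-primary"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "vpn-backup-p2"
        set phase1name "vpn-backup"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
    next
end
# Same destination over both tunnels: distance 5 wins while vpn-primary is up,
# the distance 10 route is installed only when the primary route is withdrawn.
config router static
    edit 1
        set dst 10.1.0.0 255.255.0.0
        set device "vpn-primary"
        set distance 5
    next
    edit 2
        set dst 10.1.0.0 255.255.0.0
        set device "vpn-backup"
        set distance 10
    next
end
# Policies must cover both tunnel interfaces in both directions, otherwise
# failover succeeds at the routing layer but traffic is dropped by the policy.
config firewall policy
    edit 1
        set name "lan-to-hq"
        set srcintf "internal"
        set dstintf "vpn-primary" "vpn-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "hq-to-lan"
        set srcintf "vpn-primary" "vpn-backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The headquarters side needs the mirror image: two phase 1s, one on each WAN interface, and the same pair of routes back to the branch subnet. Test the failover by disabling the primary phase 1 (or filtering its peer) and checking that the route with distance 10 appears in the routing table; the Optional lab replaces DPD with BFD for faster detection.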
Pre-shared keys
The client must have at least one set of phase 1 and phase 2 settings
(mode, proposal, DH group, key lifetime and PSK) matching those configured
on the FortiGate unit
Ping and traceroute to the remote network or client to verify that the
connection is up
VPN Troubleshooting
For IPSec real-time debugging, first clear any previous debug settings and filters:
diagnose debug reset
The IKE debug output is long and shows details of what is happening in the
phase 1 and phase 2 negotiations (proposals offered and accepted, peer IDs,
authentication result, selectors)
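A complete debug session, as an added example (commands assembled for this page, not taken from the course slides): reset, enable the IKE debug, reproduce the problem, inspect the resulting state, and switch the debug off again. The peer address 203.0.113.10 and the phase 1 name `to-hq` are assumptions; the log-filter command is the 5.x/6.x form (recent releases use `diagnose vpn ike log filter rem-addr4`).

```fortios
# Added example; peer address and phase 1 name are assumptions.
# 1. Clear old debug state, timestamp the output, trace only the peer of interest.
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable

# 2. Reproduce: force a fresh negotiation instead of reading a stale SA.
diagnose vpn ike gateway clear name to-hq
# (then send traffic through the tunnel, e.g. ping a host on the remote subnet)

# 3. Inspect the result: IKE SA state, IPSec SAs and counters per tunnel.
diagnose vpn ike gateway list
diagnose vpn tunnel list
get vpn ipsec tunnel summary

# 4. Always disable the debug afterwards: it is CPU-intensive and the trace
#    contains peer IDs and selectors you do not want left on the console.
diagnose debug disable
diagnose debug reset
```

Messages worth grepping the trace for include "no SA proposal chosen" (phase 1 or phase 2 proposal mismatch), "probable pre-shared secret mismatch" (wrong PSK, or the wrong dial-up entry selected by peer ID) and "peer SA proposal not match local policy" (phase 2 selector or PFS group mismatch). The trace never prints the PSK itself, but it does show both peers' IDs and proposals, which is enough to tell a configuration error from a connectivity problem.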
Labs
Lab 1: IPSec VPN
Ex 1: Configuring IPSec VPNs
Ex 2: Testing the IPSec VPN Configuration
Ex 3: Configuring Semi-Redundant IPSec VPNs
Ex 4: Testing the Semi-Redundant IPSec VPN Configuration
Ex 5: Configuring OSPF
Ex 6: Testing the OSPF Configuration
Ex 7: Enabling Bi-Directional Forwarding Detection (Optional)
Lab 2: IPSec VPN with FortiClient
Ex 1: Configuring the FortiGate as a VPN Gateway
Ex 2: Configuring FortiClient Connect
Ex 3: Testing the FortiGate to FortiClient IPSec VPN Connection