IPsec tunnel idle timer (244180)

Add a command to define an idle timer for IPsec tunnels when no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.

 

config vpn ipsec phase1-interface edit p1

set idle-timeout enable/disable

set idle-timeoutinterval <integer> //IPsec tunnel idle timeout in minutes (10 – 43200).

end end

 

 

SAs negotiation improvement (245872)

The IPsec SA connect message generated is used to install dynamic selectors. These selectors can now be installed via the auto-negotiate mechanism. When phase 2 has auto-negotiate enabled, and phase 1 has mesh- selector-type set to subnet, a new dynamic selector will be installed for each combination of source and destination subnets. Each dynamic selector will inherit the auto-negotiate option from the template selector and begin SA negotiation. Phase 2 selector sources from dial-up clients will all establish SAs without traffic being initiated from the client subnets to the hub.

 

 

Add VXLAN over IPsec (265556)

Packets with VXLAN header are encapsulated within IPsec tunnel mode. New attributes in IPsec phase1 settings have been added.

config vpn ipsec phase1-interface/phase1 edit ipsec

set interface <name>

set encapsulation vxlan/gre (new)

set encapsulation-address ike/ipv4/ipv6 (New)

set encap-local-gw4 xxx.xxx.xxx.xxx (New)

set encap-remote-gw xxx.xxx.xxx.xxx (New)

next end

 

Ability to enable/disable IPsec ASIC-offloading (269555)

Much like NPU-offload in IKE phase1 configuration, this feature enables/disables the usage of ASIC hardware for IPsec Diffie-Hellman key exchange and IPsec ESP traffic. Currently by default hardware offloading is used. For debugging purposes, sometimes we want all the traffic to be processed by software.

 

config sys global

set ipsec-asic-offload [enable | disable]

end

Added an option to force IPsec to use NAT Traversal (275010)

Added a new option for NAT. If NAT is set to Forced, then the FGT will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

 

Add a feature to support IKEv2 Session Resumption described in RFC 5723 (289914)

If a gateway loses connectivity to the network, clients can attempt to re-establish the lost session by presenting the ticket to the gateway. As a result, sessions can be resumed much faster, as DH exchange that is necessary to establish a brand new connection is skipped. This feature implements “ticket-by-value”, whereby all information necessary to restore the state of a particular IKE SA is stored in the ticket and sent to the client.

 

Added support for IKEv2 Quick Crash Detection (298970)

A new feature has been added to support IKEv2 Quick Crash Detection as described in RFC 6290.

 

RFC 6290 describes a method in which an IKE peer can quickly detect that the gateway peer that it has and established IKE session with, has rebooted, crashed, or otherwise lost IKE state. When the gateway receives IKE messages or ESP packets with unknown IKE or IPsec SPIs, the IKEv2 protocol allows the gateway to send the peer an unprotected IKE message containing INVALID_IKE_SPI or INVALID_SPI notification payloads.

 

RFC 6290 introduces the concept of a QCD token, which is generated from the IKE SPIs and a private QCD

secret, and exchanged between peers during the protected IKE AUTH exchange.

 

 

CLI Syntax

config system settings

set ike-quick-crash-detect [enable | disable]

end

 

 

Remove support for IPsec auto-discovery VPN (300893)

IPsec auto-VPN support (auto-IPsec) has been removed. This feature was added in FortiOS 5.0 prior to any usable VPN creation support on the GUI. As of 5.2, and now in 5.4, the wizard solves many of the problems introduced by the auto-IPsec feature, and so auto-IPsec has been deprecated.

 

 

Improved scalability for IPsec DPD (292500)

On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance/load of the daemon. For this reason, an option has been added to send DPD passively in a mode called “on-demand”.

config vpn ipsec phase1-interface edit <value>

set dpd [disable | on-idle | on-demand]

next end

 

Notes

 

• When there is no traffic and the last DPD-ACK had been received, IKE will not send DPDs periodically.
• IKE will only send out DPDs if there are outgoing packets to send but no inbound packets had since been received.

 

 

Syntax

 

The set dpd enable command has changed to set dpd on-idle (to trigger DPD when IPsec is idle). Set

DPD to on-demand to trigger DPD when IPsec traffic is sent but no reply is received from the peer.

 

configure vpn ipsec phase1-interface edit <value>

set dpd [on-idle|on-demand]

next end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!