IPSec set up
Following the basic concepts of IPSec introduced previously, this section introduces FortiWAN’s IPSec and the configuration needed to set it up. FortiWAN provides a complete VPN solution through the cooperation of Tunnel Routing and IPSec. FortiWAN’s Tunnel Routing builds a site-to-site VPN with bandwidth aggregation and fault tolerance over multiple WAN links, and with FortiWAN’s IPSec protection, Tunnel Routing delivers its packets over secure channels.
About FortiWAN IPSec VPN
Specifications of FortiWAN’s IPsec VPN
Since FortiWAN’s IPSec is designed for site-to-site VPN applications, it is functionally limited compared with the standard IPSec protocol suite. However, FortiWAN’s IPSec still provides basic protection for tunneling communications. The specifications are listed below:
| Item | Specification |
|---|---|
| IKE | IKE v1 and IKE v2 (a specific procedure is required to switch the version; see IKE Phase 1 Web UI fields – Internet Key Exchange) |
| Authentication method | Pre-shared key only |
| IKE Phase 1 modes | Main mode only |
| Encryption algorithm | DES, 3DES, AES128, AES192, AES256 |
| Authentication algorithm | MD5, SHA1, SHA256, SHA384, SHA512 |
| DH group | 1 (modp768), 2 (modp1024), 5 (modp1536), 14 (modp2048) |
| Transmission mode | Tunnel mode and limited Transport mode; Transport mode is only available for Tunnel Routing |
| Security protocol | Encapsulating Security Payload (ESP) only |
| NAT traversal | Not supported |
| IP deployment | Static IPv4 only. Supported WAN link types (see Configuring your WAN): Bridge Mode: One Static IP; Bridge Mode: Multiple Static IP |
| Peer device | FortiWAN/FortiGate |
| Fail over | Not supported (neither IPSec Tunnel mode nor Transport mode can fail over by itself; only Tunnel Routing over IPSec Transport mode supports fail over) |
Tunnel mode, Transport mode and Tunnel Routing
FortiWAN provides standard Tunnel mode to build an IPSec VPN as described previously. By encapsulating the encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can be delivered between the private networks deployed behind the two units through the Internet (the public and untrusted network). This is what is typically called an IPSec VPN. Like FortiWAN’s Tunnel Routing, IPSec Tunnel mode can also establish multiple tunnels through different WAN ports (WAN interfaces) between two FortiWAN units, but bandwidth aggregation and fault tolerance are not available for IPSec VPN transmission: the IPSec packets of a connection, or of the connections of a specified group, cannot be distributed over multiple IPSec tunnels; they are always delivered through one fixed tunnel.
Although FortiWAN’s Tunnel Routing (see “Tunnel Routing”) is the technology that distributes the packets of one tunneling connection over multiple tunnels (which is what makes bandwidth aggregation and fault tolerance possible), it does not provide strict protection for the tunneling communications: the encryption function built into Tunnel Routing is very simple and offers low security. For this reason, the main purpose of FortiWAN’s IPSec Transport mode is to give Tunnel Routing transmissions IPSec protection. In fact, FortiWAN’s IPSec Transport mode is designed for Tunnel Routing only; a Transport mode IPSec SA cannot be applied to any traffic except Tunnel Routing. By establishing an IPSec SA on every TR tunnel, Tunnel Routing’s GRE packets are encrypted (ESP encapsulated) and transferred through the specified interface (according to the specified TR algorithm) in IPSec Transport mode; the original routing of the GRE packet remains intact, as described previously. The ESP packets are decrypted on the opposite FortiWAN unit to recover the original GRE packets, after which the normal Tunnel Routing processes follow: packet decapsulation, reassembly and forwarding (to the hosts behind the FortiWAN). The way IPSec Transport mode protects Tunnel Routing transmission is very flexible. For every TR tunnel of a tunnel group, it is your choice whether to establish an IPSec SA protecting that TR tunnel. Tunnel Routing works normally under both full and partial IPSec protection (full protection: each TR tunnel of a tunnel group is protected by an IPSec SA; partial protection: only some of the TR tunnels of a tunnel group are protected by IPSec SAs).
In conclusion, FortiWAN provides three methods to build a VPN network: Tunnel Routing, IPSec Tunnel mode, and Tunnel Routing over IPSec Transport mode. Note that Tunnel Routing cannot support dynamic IP addresses and NAT pass-through (one of the features of Tunnel Routing; see “Dynamic IP addresses and NAT pass through” in “Tunnel Routing > How the Tunnel Routing Works”) when it is protected by IPSec.
The three methods compared (the column headings are inferred from the descriptions above):

| Method | IPSec protection | Multiple tunnels over WAN links | Bandwidth aggregation and fault tolerance | Peer device |
|---|---|---|---|---|
| IPSec Tunnel mode | Yes | Yes | No | Peer can be a FortiWAN or a FortiGate |
| Tunnel Routing | No | Yes | Yes | Peer must be a FortiWAN |
| Tunnel Routing over IPSec Transport mode | Yes | Yes | Yes | Peer must be a FortiWAN |
Limitation in the IPSec deployment
FortiWAN IPSec has an intrinsic limitation in establishing ISAKMP Security Associations. For the establishment of ISAKMP SAs between any two devices, one IP address of a WAN link on a FortiWAN device is restricted to participating in only one ISAKMP SA. The mapping of WAN link IP addresses used for establishing ISAKMP SAs between any two devices must be one-to-one. ISAKMP SA negotiation fails (and the subsequent IPSec SA negotiations therefore abort) if the Phase 1 configurations on any two FortiWAN devices contain a common WAN link IP address, whether on the local side or the remote side. The following diagrams explain this in detail.
In the example above, the WAN link IP address mapping of ISAKMP SA 1 between FortiWAN 1 and FortiWAN 2 is typical and correct. Both WAN link IP addresses, 126.96.36.199 and 188.8.131.52, participate in only one ISAKMP SA, ISAKMP SA 1. As for WAN link 3 on FortiWAN 2, its IP address 184.108.40.206 participates in both ISAKMP SA 2 and ISAKMP SA 3 (more than one ISAKMP SA), which causes the establishment of ISAKMP SA 2 and ISAKMP SA 3 to fail. These IPSec connections therefore cannot be established.
The above example shows a valid IPSec deployment. The mapping of WAN link IP addresses for all the ISAKMP SAs between the two devices is one-to-one:
- ISAKMP SA 1: 220.127.116.11 – 18.104.22.168
- ISAKMP SA 2: 22.214.171.124 – 126.96.36.199
- ISAKMP SA 3: 188.8.131.52 – 184.108.40.206
The above diagram is another example of a valid IPSec deployment. Three IP addresses are deployed on FortiWAN 2’s WAN link 2 (see “Configuring your WAN”), and each IP address participates in only one ISAKMP SA:
- ISAKMP SA 1: 220.127.116.11 – 18.104.22.168
- ISAKMP SA 2: 22.214.171.124 – 126.96.36.199
- ISAKMP SA 3: 188.8.131.52 – 184.108.40.206
Now consider an IPSec deployment among more than two FortiWAN devices, as in the example above.
| ISAKMP SA | Status | Explanation |
|---|---|---|
| ISAKMP SA 1 | established | For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the two WAN link IP addresses, 220.127.116.11 and 18.104.22.168, participate only in ISAKMP SA 1. Although 22.214.171.124 also participates in ISAKMP SA 2, this has no influence on ISAKMP SA 1, since it concerns another device, FortiWAN 3. The deployment limitation applies between any two devices; other devices can be ignored. |
| ISAKMP SA 2 | established | For the two FortiWAN devices (FortiWAN 2 and FortiWAN 3), the two WAN link IP addresses, 126.96.36.199 and 188.8.131.52, participate only in ISAKMP SA 2. |
| ISAKMP SA 3 | failed | For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the WAN link IP address 184.108.40.206 participates not only in ISAKMP SA 3 but also in ISAKMP SA 4. |
| ISAKMP SA 4 | failed | For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the WAN link IP address 220.127.116.11 participates not only in ISAKMP SA 3 but also in ISAKMP SA 4. |
| ISAKMP SA 5 | established | For the two FortiWAN devices (FortiWAN 2 and FortiWAN 3), the two WAN link IP addresses, 18.104.22.168 and 22.214.171.124, participate only in ISAKMP SA 5. Although 126.96.36.199 also participates in ISAKMP SA 4, this has no influence on ISAKMP SA 5, since it concerns another device, FortiWAN 1. The deployment limitation applies between any two devices; other devices can be ignored. |
Between any two FortiWANs, traffic cannot be terminated through multiple IPSec connections on the same local or remote IP address. This limitation exists in both IPSec types, IPSec Tunnel mode and IPSec Transport mode, and therefore also affects Tunnel Routing over IPSec Transport mode indirectly. You have to give careful consideration to this issue when planning how to deploy the IPSec VPN (and Tunnel Routing) between multiple FortiWANs.
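As an added example (not FortiWAN code), the following Python script checks a planned set of Phase 1 configurations against this one-to-one rule before anything is configured: for each pair of devices it records which ISAKMP SAs use each WAN link IP address and marks any SA whose local or remote address is shared within that pair as failed, while allowing the same address to be reused towards a third device. The device names and addresses in `PLAN` are constructed and mirror the three-device example above.

```python
from collections import defaultdict

# Constructed sample plan (documentation addresses, not a real deployment):
# (ISAKMP SA name, device A, WAN link IP on A, device B, WAN link IP on B)
PLAN = [
    ("ISAKMP SA 1", "FortiWAN 1", "192.0.2.1", "FortiWAN 2", "198.51.100.1"),
    ("ISAKMP SA 2", "FortiWAN 2", "198.51.100.2", "FortiWAN 3", "203.0.113.1"),
    ("ISAKMP SA 3", "FortiWAN 1", "192.0.2.2", "FortiWAN 2", "198.51.100.3"),
    ("ISAKMP SA 4", "FortiWAN 1", "192.0.2.2", "FortiWAN 2", "198.51.100.4"),
    ("ISAKMP SA 5", "FortiWAN 2", "198.51.100.1", "FortiWAN 3", "203.0.113.2"),
]


def check_plan(plan):
    """Return {SA name: (status, list of conflicting SA names)}.

    Rule: between any two devices, a WAN link IP address (local or remote)
    may take part in only one ISAKMP SA. An SA is marked "failed" when either
    of its addresses is shared with another SA between the same pair of
    devices. The same address may be reused towards a third device, which is
    why the (unordered) device pair is part of the lookup key.
    """
    usage = defaultdict(list)  # (device pair, ip) -> SA names using it
    for name, dev_a, ip_a, dev_b, ip_b in plan:
        pair = frozenset((dev_a, dev_b))
        usage[(pair, ip_a)].append(name)
        usage[(pair, ip_b)].append(name)

    result = {}
    for name, dev_a, ip_a, dev_b, ip_b in plan:
        pair = frozenset((dev_a, dev_b))
        clash = set(usage[(pair, ip_a)]) | set(usage[(pair, ip_b)])
        clash.discard(name)  # an SA does not conflict with itself
        status = "failed" if clash else "established"
        result[name] = (status, sorted(clash))
    return result


if __name__ == "__main__":
    for sa, (status, clash) in check_plan(PLAN).items():
        note = f" (address shared with {', '.join(clash)})" if clash else ""
        print(f"{sa}: {status}{note}")
```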