FortiWAN IPSec set up


After the basic concepts of IPSec introduced previously, this section focuses on FortiWAN’s IPSec and the configurations needed to set it up. FortiWAN provides a complete VPN solution through the cooperation of Tunnel Routing and IPSec. FortiWAN’s Tunnel Routing is used to build a site-to-site VPN with bandwidth aggregation and fault tolerance over multiple WAN links. Moreover, with FortiWAN’s IPSec protection, Tunnel Routing delivers packets over secure channels.

About FortiWAN IPSec VPN

Specifications of FortiWAN’s IPsec VPN

Since FortiWAN’s IPSec is designed for site-to-site VPN applications, it is functionally limited compared with the standard IPSec protocol suite. However, FortiWAN’s IPSec still provides basic protection for tunneling communications. The specifications are listed as follows:

IKE: IKE v1 and IKE v2 (a specific procedure is required to switch the version; see IKE Phase 1 Web UI fields – Internet Key Exchange)
Authentication method: pre-shared key only
IKE Phase 1 modes: Main mode only
Encryption algorithm: DES, 3DES, AES128, AES192, AES256
Authentication algorithm: MD5, SHA1, SHA256, SHA384, SHA512
DH group: 1 (modp768), 2 (modp1024), 5 (modp1536), 14 (modp2048)
Transmission mode: Tunnel mode and limited Transport mode. Transport mode is only available for Tunnel Routing.
Security protocol: Encapsulating Security Payload (ESP) only
NAT traversal: Not supported
DPD: Supported
PFS: Supported
IP deployment: Static IPv4 only. The supported WAN link types are (see Configuring your WAN):
  • Routing mode
  • Bridge Mode: One Static IP
  • Bridge Mode: Multiple Static IP
IPv6: Not supported
Peer device: FortiWAN or FortiGate
Fail over: Not supported (neither IPSec Tunnel mode nor Transport mode can fail over by itself; only Tunnel Routing over IPSec Transport mode supports fail over)

Tunnel mode, Transport mode and Tunnel Routing

FortiWAN provides standard Tunnel mode to build an IPSec VPN as described previously. By encapsulating the encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can be delivered between the private networks deployed behind the two units through the Internet (the public and untrusted network). This is what is typically called an IPSec VPN. Compared with FortiWAN’s Tunnel Routing, IPSec Tunnel mode can also establish multiple tunnels through different WAN ports (WAN interfaces) between two FortiWAN units, but bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission. It cannot distribute the IPSec packets of a connection, or of the connections of a specified group, over multiple IPSec tunnels; they are always delivered through one fixed tunnel.

Although FortiWAN’s Tunnel Routing (see “Tunnel Routing”) is the technology that distributes the packets of one tunneling connection over multiple tunnels (which is how bandwidth aggregation and fault tolerance are supported), it does not provide strong protection for the tunneling communications (the encryption function built into Tunnel Routing is very simple and offers low security). For this reason, the major purpose of FortiWAN’s IPSec Transport mode is to give Tunnel Routing transmissions IPSec protection. In fact, FortiWAN’s IPSec Transport mode is designed for Tunnel Routing only; a Transport mode IPSec SA cannot be applied to any traffic other than Tunnel Routing. By establishing an IPSec SA on every TR tunnel, Tunnel Routing’s GRE packets are encrypted (ESP encapsulated) and transferred through the specified interface (according to the specified TR algorithm) in IPSec Transport mode (the original routing of the GRE packet remains intact, as described previously). The ESP packets are decrypted on the opposite FortiWAN unit to recover the original GRE packets, and what follows is the normal Tunnel Routing process: packet decapsulation, reassembly and forwarding (to the hosts behind the FortiWAN). The way IPSec Transport mode protects Tunnel Routing transmission is very flexible. For every TR tunnel of a tunnel group, it is your choice whether to establish an IPSec SA protecting that TR tunnel. Tunnel Routing works normally under both full and partial IPSec protection (full protection: each TR tunnel of a tunnel group is protected by an IPSec SA; partial protection: only some of the TR tunnels of a tunnel group are protected by IPSec SAs).

In conclusion, FortiWAN provides three methods to build a VPN network: Tunnel Routing, IPSec Tunnel mode and Tunnel Routing over IPSec Transport mode. Note that Tunnel Routing cannot support dynamic IP and NAT pass-through (one of the features of Tunnel Routing, see “Dynamic IP addresses and NAT pass through” in “Tunnel Routing > How the Tunnel Routing Works”) if it is protected by IPSec.

Type                                       IPSec protection   Tunneling   Bandwidth aggregation & fault tolerance   Peer device
IPSec Tunnel mode                          Yes                Yes         No                                        Peer can be a FortiWAN or a FortiGate
Tunnel Routing                             No                 Yes         Yes                                       Peer must be a FortiWAN
Tunnel Routing over IPSec Transport mode   Yes                Yes         Yes                                       Peer must be a FortiWAN

Limitation in the IPSec deployment

FortiWAN IPSec has an intrinsic limitation in establishing ISAKMP Security Associations. For the establishment of ISAKMP SAs between any two devices, one IP address of a WAN link of a FortiWAN device is restricted to participating in only one ISAKMP SA. The mapping of WAN link IP addresses for establishing ISAKMP SAs between any two devices must be one-to-one. The ISAKMP SA negotiations fail (and the subsequent IPSec SA negotiations therefore abort) if the Phase 1 configurations on any two FortiWAN devices contain a common WAN link IP address, whether on the local side or the remote side. The following diagrams explain this in detail.

In the example above, the WAN link IP address mapping of ISAKMP SA 1 between FortiWAN 1 and FortiWAN 2 is typical and correct. Both WAN link IP addresses, 2.2.2.2 and 4.4.4.4, participate in only one ISAKMP SA, ISAKMP SA 1. As for WAN link 3 on FortiWAN 2, its IP address 3.3.3.3 participates in ISAKMP SA 2 and ISAKMP SA 3 (more than one ISAKMP SA), which causes the establishment of ISAKMP SA 2 and ISAKMP SA 3 to fail. IPSec connections thus cannot be established.

The above example shows a valid IPSec deployment. The mapping of WAN link IP addresses for all the ISAKMP SAs between the two devices is one-to-one:

  • ISAKMP SA 1: 2.2.2.2 – 4.4.4.4
  • ISAKMP SA 2: 3.3.3.3 – 5.5.5.5
  • ISAKMP SA 3: 1.1.1.1 – 6.6.6.6

The above diagram is another example of a valid IPSec deployment. There are three IP addresses deployed on FortiWAN 2’s WAN link 2 (see “Configuring your WAN”), and each IP address participates in only one ISAKMP SA.

  • ISAKMP SA 1: 2.2.2.1 – 4.4.4.4
  • ISAKMP SA 2: 2.2.2.2 – 5.5.5.5
  • ISAKMP SA 3: 2.2.2.3 – 6.6.6.6

Consider an IPSec deployment among more than two FortiWAN devices, as in the above example.

ISAKMP SA 1, established: For the two devices FortiWAN 1 and FortiWAN 2, the two WAN link IP addresses, 3.3.3.3 and 5.5.5.5, participate only in ISAKMP SA 1. Although 3.3.3.3 also participates in ISAKMP SA 2, that has no influence on ISAKMP SA 1, since it concerns another device, FortiWAN 3. The deployment limitation applies between any two devices; other devices can be ignored.
ISAKMP SA 2, established: For the two devices FortiWAN 2 and FortiWAN 3, the two WAN link IP addresses, 3.3.3.3 and 8.8.8.8, participate only in ISAKMP SA 2.
ISAKMP SA 3, failed: For the two devices FortiWAN 1 and FortiWAN 2, the WAN link IP address 6.6.6.6 participates not only in ISAKMP SA 3 but also in ISAKMP SA 4.
ISAKMP SA 4, failed: For the two devices FortiWAN 1 and FortiWAN 2, the WAN link IP address 6.6.6.6 participates not only in ISAKMP SA 3 but also in ISAKMP SA 4.
ISAKMP SA 5, established: For the two devices FortiWAN 2 and FortiWAN 3, the two WAN link IP addresses, 2.2.2.2 and 9.9.9.9, participate only in ISAKMP SA 5. Although 2.2.2.2 also participates in ISAKMP SA 4, that has no influence on ISAKMP SA 5, since it concerns another device, FortiWAN 1. The deployment limitation applies between any two devices; other devices can be ignored.

Between any two FortiWANs, we cannot terminate traffic through multiple IPSec connections on the same local or remote IP address. This limitation exists for both IPSec types, IPSec Tunnel mode and IPSec Transport mode, and so it indirectly affects Tunnel Routing over IPSec Transport mode as well. You have to give careful consideration to this issue when planning how to deploy the IPSec VPN (and Tunnel Routing) between multiple FortiWANs.
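As an added planning check (not part of the FortiWAN documentation or product), the following Python function applies the one-to-one rule to a planned set of ISAKMP SAs and reproduces the established/failed outcome of the three-device example above. The device and IP layout is reconstructed from the text; the FortiWAN 2 endpoint of ISAKMP SA 3, which the text does not give, is a placeholder.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpSa:
    """One planned ISAKMP (IKE Phase 1) SA between two FortiWAN units."""
    name: str
    local_dev: str
    local_ip: str
    remote_dev: str
    remote_ip: str


def check_isakmp_plan(sas):
    """Return {sa.name: "established" | "failed"} under the one-to-one rule.

    The rule is evaluated per unordered device pair: among the SAs planned
    between devices A and B, each WAN link IP address may appear in exactly
    one SA.  The same IP reused toward a third device is not a conflict.
    """
    by_pair = defaultdict(list)
    for sa in sas:
        by_pair[frozenset((sa.local_dev, sa.remote_dev))].append(sa)
    result = {}
    for pair_sas in by_pair.values():
        # how many SAs of this device pair each WAN link IP takes part in
        usage = Counter()
        for sa in pair_sas:
            usage[sa.local_ip] += 1
            usage[sa.remote_ip] += 1
        for sa in pair_sas:
            conflict = usage[sa.local_ip] > 1 or usage[sa.remote_ip] > 1
            result[sa.name] = "failed" if conflict else "established"
    return result


# Constructed plan reproducing the three-device example in the text.  The text
# does not give the FortiWAN 2 endpoint of ISAKMP SA 3; 7.7.7.7 is a placeholder.
EXAMPLE_PLAN = [
    IsakmpSa("ISAKMP SA 1", "FortiWAN 1", "5.5.5.5", "FortiWAN 2", "3.3.3.3"),
    IsakmpSa("ISAKMP SA 2", "FortiWAN 2", "3.3.3.3", "FortiWAN 3", "8.8.8.8"),
    IsakmpSa("ISAKMP SA 3", "FortiWAN 1", "6.6.6.6", "FortiWAN 2", "7.7.7.7"),
    IsakmpSa("ISAKMP SA 4", "FortiWAN 1", "6.6.6.6", "FortiWAN 2", "2.2.2.2"),
    IsakmpSa("ISAKMP SA 5", "FortiWAN 2", "2.2.2.2", "FortiWAN 3", "9.9.9.9"),
]

if __name__ == "__main__":
    for name, state in check_isakmp_plan(EXAMPLE_PLAN).items():
        print(f"{name}: {state}")
```

Running the block prints SA 1, 2 and 5 as established and SA 3 and 4 as failed, matching the table above; feeding it your own planned SAs before configuring Phase 1 flags any WAN link IP reused toward the same peer.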

This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
