
Policy-based IPsec tunnel

This recipe provides an example configuration of a policy-based IPsec tunnel. A site-to-site VPN between the branches and HQ is used, and HQ acts as the IPsec concentrator.

The following shows the network topology for this example:

To configure a policy-based IPsec tunnel using the GUI:

  1. Configure the IPsec VPN at HQ:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
  2. Configure the IPsec concentrator at HQ:
    1. Go to VPN > IPsec Concentrator and enter a name, in this example, branch.
    2. Add to_branch1 and to_branch2 as Members.
    3. Click OK.
  3. Configure the firewall policy at HQ:
    1. Choose the Incoming Interface, in this example, port10.
    2. Choose the Outgoing Interface, in this example, port9.
    3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
    4. Select the VPN Tunnel, in this example, Branch1/Branch2.
    5. In this example, turn on Allow traffic to be initiated from the remote site.
    6. Click OK.
  4. Configure the IPsec VPN at branch 1:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.
  5. Configure the IPsec VPN at branch 2:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key, and the Pre-shared Key is sample. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.

To configure a policy-based IPsec tunnel using the CLI:

  1. Configure the HQ WAN interface and static route:

    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end

  2. Configure the HQ IPsec phase1 and phase2:

    config vpn ipsec phase1
        edit "to_branch1"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 15.1.1.2
            set psksecret sample
        next
        edit "to_branch2"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 13.1.1.2
            set psksecret sample
        next
    end
    config vpn ipsec phase2
        edit "to_branch1"
            set phase1name "to_branch1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
        edit "to_branch2"
            set phase1name "to_branch2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end

  3. Configure the HQ firewall policy:

    config firewall policy
        edit 1
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "10.1.100.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch1"
        next
        edit 2
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "192.168.4.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch2"
        next
    end

  4. Configure the HQ concentrator:

    config vpn ipsec concentrator
        edit "branch"
            set member "to_branch1" "to_branch2"
        next
    end

  5. Configure the branch WAN interface and static route:
    1. Branch1:

      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 15.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 10.1.100.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 15.1.1.1
              set device "wan1"
          next
      end

    2. Branch2:

      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 13.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 192.168.4.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 13.1.1.1
              set device "wan1"
          next
      end

  6. Configure the branch IPsec phase1 and phase2:
    1. Branch1:

      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end

    2. Branch2:

      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end

  7. Configure the branch firewall policy:
    1. Branch1:

      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "10.1.100.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end

    2. Branch2:

      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "192.168.4.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end

  8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:

    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
    bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
    stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
      life: type=01 bytes=0/0 timeout=42932/43200
      dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
      enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
      dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
      npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
    ------------------------------------------------------
    name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
    bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=42931/43200
      dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
      enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
      npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0

  9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:

    list all ipsec concentrator in vd 0
    name=branch              ref=3          tuns=2 flags=0

IKEv2 phase2 encryption algorithm

The default encryption algorithms are:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AES-GCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU; CP9 supports AES-GCM offloading. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512

IKEv2 phase1 encryption algorithm

The default encryption algorithms are:

aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with key lengths of 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes128gcm-prfsha1
  • aes128gcm-prfsha256
  • aes128gcm-prfsha384
  • aes128gcm-prfsha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512
  • aes256gcm-prfsha1
  • aes256gcm-prfsha256
  • aes256gcm-prfsha384
  • aes256gcm-prfsha512

The ARIA algorithm is based on AES, with key lengths of 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the chacha20poly1305 encryption algorithm, FortiGate supports:

  • chacha20poly1305-prfsha1
  • chacha20poly1305-prfsha256
  • chacha20poly1305-prfsha384
  • chacha20poly1305-prfsha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of encryption algorithms: AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to the NPU; CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256

IKEv1 phase2 encryption algorithm

The default encryption algorithms are:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AES-GCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512

IKEv1 phase1 encryption algorithm

The default encryption algorithms are:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with key lengths of 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

The ARIA algorithm is based on AES, with key lengths of 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of encryption algorithms: AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to the NPU; CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256
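The tables above say which algorithm families a FortiGate can push to its NPU/CP, and the recipe defaults on this page still list SHA-1 proposals while the L2TP example further down uses MD5 and 3DES. The following is an added example, not FortiOS code and not part of the original documentation: a small Python audit that reads `set proposal` lines out of FortiOS CLI text, classifies each proposal as classic (cipher + integrity) or AEAD, flags deprecated primitives, and reports whether the page's tables say the NPU can offload it. The "weak" sets are this example's own hardening assumption, not a statement of the page; `SAMPLE_CONFIG` is constructed from the page's phase2 default list plus a legacy-style tunnel.

```python
"""Audit `set proposal` lines in FortiOS CLI text against the algorithm tables above.

Added example, not FortiOS code. The offload sets are transcribed from this page
(which phase2 encryption families it says can go to the NPU/CP); the "weak" sets
are a conventional hardening choice assumed by this example, not a page statement.
"""
import re

# Phase2 encryption families the page says can be offloaded to the NPU/CP.
NPU_OFFLOAD_ENC = {"null", "des", "3des", "aes128", "aes192", "aes256"}
# Families the page says cannot be offloaded to the NPU (AES-GCM/Suite-B only to a CP9).
NO_NPU_ENC = {"aes128gcm", "aes256gcm", "chacha20poly1305", "suite-b-gcm-128",
              "suite-b-gcm-256", "aria128", "aria192", "aria256", "seed", "seed128"}
# Deprecated primitives (assumption of this example).
WEAK_ENC = {"null", "des", "3des", "seed", "seed128"}
WEAK_AUTH = {"null", "md5", "sha1"}

# AEAD proposals carry their own integrity; in phase1 they add a -prfshaN suffix.
AEAD_RE = re.compile(r"^(aes128gcm|aes256gcm|chacha20poly1305|suite-b-gcm-128|suite-b-gcm-256)"
                     r"(?:-prf(sha1|sha256|sha384|sha512))?$")
CLASSIC_RE = re.compile(r"^(null|des|3des|aes128|aes192|aes256|aria128|aria192|aria256|seed|seed128)"
                        r"-(null|md5|sha1|sha256|sha384|sha512)$")
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_PROPOSAL_RE = re.compile(r"^\s*set proposal\s+(.+?)\s*$")


def parse_proposal(token):
    """Split one proposal token into (encryption, integrity or PRF, is_aead)."""
    m = AEAD_RE.match(token)
    if m:
        return m.group(1), m.group(2) or "aead", True
    m = CLASSIC_RE.match(token)
    if m:
        return m.group(1), m.group(2), False
    raise ValueError(f"unrecognized proposal: {token}")


def assess(token):
    """Describe one proposal: is it weak, why, and can the NPU offload it."""
    enc, auth, aead = parse_proposal(token)
    if enc not in NPU_OFFLOAD_ENC | NO_NPU_ENC:
        raise ValueError(f"no offload data for {enc}")
    reasons = []
    if enc in WEAK_ENC:
        reasons.append(f"encryption {enc}")
    if not aead and auth in WEAK_AUTH:
        reasons.append(f"integrity {auth}")
    return {"proposal": token, "weak": bool(reasons), "reasons": reasons,
            "npu_offload": enc in NPU_OFFLOAD_ENC}


def audit_config(cli_text):
    """Map each `edit <name>` block in FortiOS CLI text to the assessments of its proposals."""
    results, current = {}, None
    for line in cli_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SET_PROPOSAL_RE.match(line)
        if m and current is not None:
            results.setdefault(current, []).extend(assess(t) for t in m.group(1).split())
    return results


def weak_proposals(cli_text):
    """(tunnel, proposal) pairs that a hardening review would flag."""
    return [(name, a["proposal"]) for name, items in audit_config(cli_text).items()
            for a in items if a["weak"]]


# Constructed sample: the page's phase2 default list plus a legacy-style tunnel.
SAMPLE_CONFIG = """
config vpn ipsec phase2-interface
    edit "to_branch1"
        set phase1name "to_branch1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
    edit "legacy"
        set phase1name "legacy"
        set proposal aes256-md5 3des-sha1 aes192-sha1
    next
end
"""

if __name__ == "__main__":
    for name, items in audit_config(SAMPLE_CONFIG).items():
        for a in items:
            status = "WEAK" if a["weak"] else "ok"
            npu = "NPU" if a["npu_offload"] else "no-NPU"
            print(f"{name:12} {status:5} {npu:7} {a['proposal']:28} {', '.join(a['reasons'])}")
```

Run it against a `show vpn ipsec phase1-interface` or `phase2-interface` dump; the two columns that matter in a review are the ones the page's tables make explicit: whether the proposal is still acceptable, and whether choosing an AEAD or ARIA/SEED suite silently moves the crypto work off the NPU.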

L2TP over IPsec

This recipe provides an example configuration of L2TP over IPsec. A locally defined user is used for authentication, a Windows PC or Android tablet acts as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device behind the same NAT device can establish an L2TP over IPsec tunnel.

The following shows the network topology for this example:

To configure L2TP over an IPsec tunnel using the CLI:

  1. Configure the WAN interface and static route on HQ:

    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end

  2. Configure the IPsec phase1-interface and phase2-interface on HQ:

    config vpn ipsec phase1-interface
        edit "L2tpoIPsec"
            set type dynamic
            set interface "port9"
            set peertype any
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set dpd on-idle
            set dhgrp 2
            set net-device enable
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "L2tpoIPsec"
            set phase1name "L2tpoIPsec"
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set pfs disable
            set encapsulation transport-mode
            set l2tp enable
        next
    end

  3. Configure a user and user group on HQ:

    config user local
        edit "usera"
            set type password
            set passwd usera
        next
    end
    config user group
        edit "L2tpusergroup"
            set member "usera"
        next
    end

  4. Configure L2TP on HQ:

    config vpn l2tp
        set status enable
        set eip 10.10.10.100
        set sip 10.10.10.1
        set usrgrp "L2tpusergroup"
    end

  5. Configure a firewall address; it is applied in the L2TP settings to assign IP addresses to clients once the L2TP tunnel is established:

    config firewall address
        edit "L2TPclients"
            set type iprange
            set start-ip 10.10.10.1
            set end-ip 10.10.10.100
        next
    end

  6. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "Bridge_IPsec_port9_for_l2tp negotiation"
            set srcintf "L2tpoIPsec"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "L2TP"
        next
        edit 2
            set srcintf "L2tpoIPsec"
            set dstintf "port10"
            set srcaddr "L2TPclients"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

  7. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:

    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg
    parent=L2tpoIPsec index=0
    proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
    stat: rxp=470 txp=267 rxb=57192 txb=12679
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
      src: 17:22.1.1.1-22.1.1.1:1701
      dst: 17:10.1.100.15-10.1.100.15:0
      SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0
      life: type=01 bytes=0/0 timeout=3585/3600
      dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432
      enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a
      dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744
      npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
    ------------------------------------------------------
    name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg
    parent=L2tpoIPsec index=1
    proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0
    stat: rxp=5 txp=4 rxb=592 txb=249
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=keepalive draft=32 interval=10 remote_port=64916
    proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
      src: 17:22.1.1.1-22.1.1.1:1701
      dst: 17:22.1.1.2-22.1.1.2:0
      SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0
      life: type=01 bytes=0/0 timeout=28790/28800
      dec: spi=ca646446 esp=aes key=32 ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec
      enc: spi=0b514df2 esp=aes key=32 a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d
      dec:pkts/bytes=5/245, enc:pkts/bytes=4/464
      npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0

  8. Optionally, view the L2TP VPN status by enabling debug (diagnose debug enable) and then running the diagnose vpn l2tp status command:

    HQ # Num of tunnels: 2
    ----------------------------------------------------------------
    Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701
       control_seq_num = 2, control_rec_seq_num = 4, last recv pkt = 2
       Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2
          data_seq_num = 0, tx = 152 bytes (2), rx= 21179 bytes (205)
    Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825
       control_seq_num = 2, control_rec_seq_num = 4, last recv pkt = 2
       Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3
          data_seq_num = 0, tx = 152 bytes (2), rx= 0 bytes (0)
    ----------------------------------------------------------------
    --VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false

To configure L2TP over an IPsec tunnel using the GUI:

  1. Go to VPN > IPsec Wizard.
  2. Enter a name for the VPN in the Name field. In this example, L2tpoIPsec is used.
  3. Set the following, then click Next:
    • Template Type to Remote Access
    • Remote Device Type to Native and Windows Native
  4. Set the following, then click Next:
    • Incoming Interface to port9
    • Authentication Method to Pre-shared Key
    • Pre-shared Key to your-psk
    • User Group to L2tpusergroup
  5. Set the following, then click Create:
    • Local Interface as port10
    • Local Address as 16.101.0
    • Client Address Range as 10.10.1-10.10.10.100
    • Subnet Mask is left as its default value.

VxLAN over IPsec tunnel

This recipe provides an example configuration of a VxLAN over IPsec tunnel. VxLAN encapsulation is set in the phase1-interface settings, and a virtual switch is used to bridge the internal interface with the VxLAN over IPsec tunnel.

The following shows the network topology for this example:

To configure VxLAN over an IPsec tunnel:

  1. Configure the WAN interface and default route:
    1. HQ1:

      config system interface
          edit "port1"
              set ip 172.16.200.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
      end

    2. HQ2:

      config system interface
          edit "port25"
              set ip 172.16.202.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
      end

  2. Configure the IPsec phase1-interface and phase2-interface:
    1. HQ1:

      config vpn ipsec phase1-interface
          edit "to_HQ2"
              set interface "port1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set encapsulation vxlan
              set encapsulation-address ipv4
              set encap-local-gw4 172.16.200.1
              set encap-remote-gw4 172.16.202.1
              set remote-gw 172.16.202.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end

    2. HQ2:

      config vpn ipsec phase1-interface
          edit "to_HQ1"
              set interface "port25"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set encapsulation vxlan
              set encapsulation-address ipv4
              set encap-local-gw4 172.16.202.1
              set encap-remote-gw4 172.16.200.1
              set remote-gw 172.16.200.1
              set psksecret sample
          next
      end
      config vpn ipsec phase2-interface
          edit "to_HQ1"
              set phase1name "to_HQ1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end

  3. Configure the firewall policy:
    1. HQ1:

      config firewall policy
          edit 1
              set srcintf "dmz"
              set dstintf "to_HQ2"
              set srcaddr "10.1.100.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "to_HQ2"
              set dstintf "dmz"
              set srcaddr "10.1.100.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end

    2. HQ2:

      config firewall policy
          edit 1
              set srcintf "port9"
              set dstintf "to_HQ1"
              set srcaddr "10.1.100.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set srcintf "to_HQ1"
              set dstintf "port9"
              set srcaddr "10.1.100.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end

  4. Configure the virtual switch:
    1. HQ1:

      config system switch-interface
          edit "vxlan-HQ2"
              set member "dmz" "to_HQ2"
              set intra-switch-policy explicit
          next
      end

    2. HQ2:

      config system switch-interface
          edit "vxlan-HQ1"
              set member "port9" "to_HQ1"
              set intra-switch-policy explicit
          next
      end

  5. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:

    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0
    bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]=
    encap-addr: 172.16.200.1->172.16.202.1
    proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0
    stat: rxp=13 txp=3693 rxb=5512 txb=224900
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41944/0B replaywin=2048 seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0
      life: type=01 bytes=0/0 timeout=42901/43200
      dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe
      enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91 ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50
      dec:pkts/bytes=13/4640, enc:pkts/bytes=3693/623240

  6. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host vxlan-HQ1 command:

    show bridge control interface vxlan-HQ1 host.
    fdb: size=2048, used=17, num=17, depth=1
    Bridge vxlan-a host table
    port no  device  devname  mac addr           ttl  attributes
    1        1       dmz      00:0c:29:4e:33:c9  1    Hit(1)
    1        1       dmz      00:0c:29:a8:c3:ea  105  Hit(105)
    1        1       dmz      90:6c:ac:53:76:29  18   Hit(18)
    1        1       dmz      08:5b:0e:dd:69:cb       Local Static
    1        1       dmz      90:6c:ac:84:3e:5d  5    Hit(5)
    1        1       dmz      00:0b:fd:eb:21:d6  0    Hit(0)
             38      to_HQ2   56:45:c3:3f:57:b4       Local Static
    1        1       dmz      00:0c:29:d2:66:40  78   Hit(78)
             38      to_HQ2   90:6c:ac:5b:a6:eb  124  Hit(124)
    1        1       dmz      00:0c:29:a6:bc:e6  19   Hit(19)
    1        1       dmz      00:0c:29:f0:a2:e7  0    Hit(0)
    1        1       dmz      00:0c:29:d6:c4:66  164  Hit(164)
    1        1       dmz      00:0c:29:e7:68:19  0    Hit(0)
    1        1       dmz      00:0c:29:bf:79:30  19   Hit(19)
    1        1       dmz      00:0c:29:e0:64:7d  0    Hit(0)
    1        1       dmz      36:ea:c7:30:c0:f1  25   Hit(25)
    1        1       dmz      36:ea:c7:30:cc:71  0    Hit(0)

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded, and the NPU Host Offloading counter ticks instead of the NPU counters.

    # diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP6_0:
    Encryption (encrypted/decrypted)
         null             : 0 0
         des              : 0 0
         3des             : 0 0
         aes              : 0 0
         aes-gcm          : 0 0
         aria             : 0 0
         seed             : 0 0
         chacha20poly1305 : 0 0
    Integrity (generated/validated)
         null             : 0 0
         md5              : 0 0
         sha1             : 0 0
         sha256           : 0 0
         sha384           : 0 0
         sha512           : 0 0
    NP6_1:
    Encryption (encrypted/decrypted)
         null             : 14976 15357
         des              : 0 0
         3des             : 0 0
         aes              : 110080 2175
         aes-gcm          : 0 0
         aria             : 0 0
         seed             : 0 0
         chacha20poly1305 : 0 0
    Integrity (generated/validated)
         null             : 0 0
         md5              : 110080 2175
         sha1             : 14976 15357
         sha256           : 0 0
         sha384           : 0 0
         sha512           : 0 0
    NPU Host Offloading:
    Encryption (encrypted/decrypted)
         null             : 3 0
         des              : 0 0
         3des             : 0 0
         aes              : 111090 0
         aes-gcm          : 0 0
         aria             : 0 0
         seed             : 0 0
         chacha20poly1305 : 0 0
    Integrity (generated/validated)
         null             : 0 0
         md5              : 111090 0
         sha1             : 3 0
         sha256           : 0 0
         sha384           : 0 0
         sha512           : 0 0
    CP8:
    Encryption (encrypted/decrypted)
         null             : 1 0
         des              : 0 0

VPN and ASIC offload

  1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8:

    # get hardware status
    Model name: FortiGate-900D
    ASIC version: CP8
    ASIC SRAM: 64M
    CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
    Number of CPUs: 4
    RAM: 16065 MB
    Compact Flash: 1925 MB /dev/sda
    Hard disk: 244198 MB /dev/sdb
    USB Flash: not available
    Network Card chipset: FortiASIC NP6 Adapter (rev.)

  2. Check the port to NPU mapping:

    # diagnose npu np6 port-list
    Chip    Ports   Max Speed   Cross-chip offloading
    ------  ------  ---------   ---------------------
    np6_0   port17  1G          Yes
            port18  1G          Yes
            port19  1G          Yes
            port20  1G          Yes
            port21  1G          Yes
            port22  1G          Yes
            port23  1G          Yes
            port24  1G          Yes
            port27  1G          Yes
            port28  1G          Yes
            port25  1G          Yes
            port26  1G          Yes
            port31  1G          Yes
            port32  1G          Yes
            port29  1G          Yes
            port30  1G          Yes
            portB   10G         Yes
    np6_1   port1   1G          Yes
            port2   1G          Yes
            port3   1G          Yes
            port4   1G          Yes
            port5   1G          Yes
            port6   1G          Yes
            port7   1G          Yes
            port8   1G          Yes
            port11  1G          Yes
            port12  1G          Yes
            port9   1G          Yes
            port10  1G          Yes
            port15  1G          Yes
            port16  1G          Yes
            port13  1G          Yes
            port14  1G          Yes
            portA   10G         Yes

  3. Configure the phase1 option that controls whether the NPU encrypts/decrypts IPsec packets for the tunnel (enabled by default):

config vpn ipsec phase1/phase1-interface
    edit "vpn_name"
        set npu-offload enable/disable
    next
end

  4. Check NPU offloading. The NPU encrypted/decrypted counters should tick as traffic flows. npu_flag=03 means that the NPU processes the tunnel's traffic in both directions.

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=7
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
  enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

FGT_900D # diagnose vpn ipsec st
All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
    null             : 0
    des              : 0
    3des             : 0
    aes              : 0
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
Integrity (generated/validated)
    null             : 0
    md5              : 0
    sha1             : 0
    sha256           : 0
    sha384           : 0
    sha512           : 0
NP6_1:
Encryption (encrypted/decrypted)
    null             : 14976 15357
    des              : 0
    3des             : 0
    aes              : 1664 2047
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
Integrity (generated/validated)
    null             : 0
    md5              : 1664 2047
    sha1             : 14976 15357
    sha256           : 0
    sha384           : 0
    sha512           : 0
NPU Host Offloading:
Encryption (encrypted/decrypted)
    null             : 3
    des              : 0
    3des             : 0
    aes              : 3
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
Integrity (generated/validated)
    null             : 0
    md5              : 3
    sha1             : 3
    sha256           : 0
    sha384           : 0
    sha512           : 0
CP8:
Encryption (encrypted/decrypted)
    null             : 1
    des              : 0
    3des             : 0
    aes              : 1
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
Integrity (generated/validated)
    null             : 0
    md5              : 1
    sha1             : 1
    sha256           : 0
    sha384           : 0
    sha512           : 0
SOFTWARE:
Encryption (encrypted/decrypted)
    null             : 0
    des              : 0
    3des             : 0
    aes              : 0
    aes-gcm          : 29882 29882
    aria             : 21688 21688
    seed             : 153774 153774
    chacha20poly1305 : 29521 29521
Integrity (generated/validated)
    null             : 59403 59403
    md5              : 0
    sha1             : 175462 175462
    sha256           : 0
    sha384           : 0
    sha512           : 0
  5. If traffic cannot be offloaded to the NPU, the CP tries to encrypt/decrypt the IPsec packets instead; the CP8 and SOFTWARE counters in the output above show traffic handled that way.
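To make step 4 repeatable when a concentrator terminates many tunnels, the following Python script (an added example, not part of the Fortinet recipe) parses two snapshots of `diagnose vpn tunnel list` output, reads `npu_flag` and the `dec:pkts`/`enc:pkts` counters of each tunnel, and reports which tunnels are offloaded in both directions and whose counters are ticking between the snapshots. The snapshots are constructed from the values shown above (the `sw_only` tunnel is invented for contrast), and the interpretation of `npu_flag` values other than `03` is an assumption.

```python
import re

# Constructed "diagnose vpn tunnel list" snapshots, trimmed to the lines the check
# needs; the "test" values are the ones shown in the output above.
SNAPSHOT_1 = """list all ipsec tunnel in vd 0
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1
name=sw_only ver=2 serial=2 173.1.1.1:0->11.101.1.2:0
  dec:pkts/bytes=40/4000, enc:pkts/bytes=40/4000 npu_flag=00
"""
# Second sample taken "later": only the offloaded tunnel's SA counters moved.
SNAPSHOT_2 = SNAPSHOT_1.replace("1665/16352", "1700/17000").replace("2051/16826", "2100/17300")

_NAME_RE = re.compile(r"^name=(\S+)\s+ver=", re.M)
_CTR_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+,\s*enc:pkts/bytes=(\d+)/\d+")
_FLAG_RE = re.compile(r"npu_flag=([0-9a-fA-F]{2})")

def parse_tunnel_list(text):
    """Return {tunnel_name: {"npu_flag": int, "dec_pkts": int, "enc_pkts": int}}."""
    tunnels = {}
    starts = [m.start() for m in _NAME_RE.finditer(text)] + [len(text)]
    for i in range(len(starts) - 1):
        chunk = text[starts[i]:starts[i + 1]]          # one tunnel record
        flag, ctr = _FLAG_RE.search(chunk), _CTR_RE.search(chunk)
        tunnels[_NAME_RE.search(chunk).group(1)] = {
            "npu_flag": int(flag.group(1), 16) if flag else 0,
            "dec_pkts": int(ctr.group(1)) if ctr else 0,
            "enc_pkts": int(ctr.group(2)) if ctr else 0,
        }
    return tunnels

def check_offload(before, after):
    """Classify each tunnel's NPU offload state and whether its SA counters ticked."""
    report = {}
    for name, cur in after.items():
        prev = before.get(name, {"dec_pkts": 0, "enc_pkts": 0})
        if cur["npu_flag"] == 0x03:
            offload = "bidirectional"       # 03: both directions handled by the NPU
        elif cur["npu_flag"]:
            offload = "one-direction"       # assumption: other non-zero values are partial offload
        else:
            offload = "none"                # falls back to CP or software crypto
        ticking = cur["dec_pkts"] > prev["dec_pkts"] and cur["enc_pkts"] > prev["enc_pkts"]
        report[name] = {"offload": offload, "ticking": ticking}
    return report
```

A tunnel reported as `none` or with `ticking` false after traffic has been sent is the case step 5 describes, and the CP8/SOFTWARE counters of `diagnose vpn ipsec st` should then be the ones increasing.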