IPsec Flashcards
IKEv2 Features
Improves on IKEv1. * = not available in IKEv1
DH Groups:
14,15,16,19,20*
Authentication:
EAP*, Pre-Shared Key, Digital Signatures
MODP and ECP
Modular Exponential (MODP) and Elliptic Curve (ECP) are the two families of Diffie-Hellman groups used for key exchange.
Based on mathematical theory: large prime numbers and exponents
Security rests on the discrete logarithm problem
MODP uses longer keys; ECP uses shorter keys with comparable security
PFS (Perfect Forward Secrecy) enhances security in phase 2
DPD Modes
Dead Peer Detection ensures VPN stability by detecting unreachable peers
On-demand mode is best for unpredictable traffic where an immediate response to connectivity issues is crucial
On-idle mode is best for regular traffic patterns, providing a balance between connectivity assurance and resource utilization
Disable Mode is suitable in highly stable environments.
set dpd-retrycount 3
set dpd-retryinterval 20
Phase Selectors
Allows multiple phase 2 selectors to operate over a single phase 1.
Phase 1 - IKE Phase, authenticated channel
Phase 2 - IPsec Phase, specific network segment
IPsec Tunnel Aggregation
Aggregate multiple IPsec tunnels
Establish Redundancy
Use different load balancing methods
VPN > IPsec Tunnels > Create New > IPsec Tunnel > Network > Enable Aggregate member
VPN > IPsec Tunnels > Create New > IPsec Aggregate
config system ipsec-aggregate
edit "NAME"
set member "Tunnel1" "Tunnel2"
set algorithm round-robin | L3 | L4 | redundant | weighted-round-robin
next
end
Overlapping Routes
Dynamic routes
Phase 2 configuration
Route-overlap options
Avoid overlaps with NAT
config vpn ipsec phase2-interface
edit "Phase1"
set phase1name "Phase1"
set route-overlap <use-old | use-new* | allow>
next
end
use-new: Default. Disconnects the existing dialup VPN and accepts the new VPN
use-old: Maintains the existing dialup VPN and rejects the new one
allow: Keeps the existing VPN and accepts the new one; traffic from the central FortiGate is load balanced with ECMP between both VPNs
IPsec Interfaces
NAT uses the IP address of an IPsec interface
IPsec interfaces do not require an IP address, but you can assign one to use the following features:
Identify and route traffic for tunnel establishment
Facilitate ADVPN discovery
Help manage and troubleshoot
FEC
Forward Error Correction
Phase 1 setting that:
adds redundant data
reconstructs lost packets
improves reliability over IPsec tunnels
boosts voice and video quality
Phase 1 Authentication options
Pre-shared Key
Digital signature - make sure to use a valid Certificate Authority (CA) or add your own certificates. Select both your certificate and the peer certificate.
Automated Digital Certificate Enrollment
Using FortiAuthenticator and the online Simple Certificate Enrollment Protocol (SCEP) process on FGT.
Configure SCEP server -> CSR generation -> SCEP server interaction -> Certificate issuance -> Retrieval of certificate -> Operational use
Consequences of IP fragmentation
Exceeding MTU causes Fragmentation
Fragmentation impacts network performance and can cause data loss
IP Flag Roles in Fragmentation
Filter on PCAP files - ip.flags.mf == 1
First bit (reserved) is always zero
Second bit, DF (Don't Fragment), prevents fragmentation
Third bit, MF (More Fragments), indicates more fragments follow
FGT defaults to honoring the DF bit (honor-df enabled), meaning FGT won't fragment IP packets larger than the interface MTU.
config system global
set honor-df enable
end
PMTUD
Path MTU Discovery - technique used to determine the MTU size on the network path between two IP hosts, ensuring that IP
Protocol Bytes
Usually 1500 bytes transmit smoothly, but certain protocols can add bytes and cause fragmentation:
Layer 4 –
VXLAN adds 50
NVGRE adds 42
STT adds 54
Layer 3 –
GRE (RFC 2784) adds 24 bytes
6in4 encapsulation (RFC 4213) adds 20
4in6 encapsulation (RFC 6333) adds 40
Outer IPv4 header adds 20
LISP adds 36
Layer 2 –
MPLS adds 4 for each label in the stack
Layer 1 –
PPPoE adds 8
IEEE 802.1ad (Q-in-Q) adds 8
MTU size Adjustment
Set on interfaces and managed in internal networks and data centers. Very challenging to adjust for external communications.
config system interface
…
set mtu-override enable
set mtu 1700
TCP MSS
Maximum segment size (MSS) is only the payload size and does not include the TCP headers
TCP segment payload limit, applied in firewall policies
Smaller MSS increases header count and decreases efficiency
Proper MSS optimizes performance
config firewall policy
edit <policy>
set tcp-mss-sender <mss>
set tcp-mss-receiver <mss>
next
end
Process to Install IPsec Templates for IPsec VPN
Keep a diagram
Identify interfaces
Identify remote networks
Metadata variables: remote gateway, outgoing interface, local ID, remote subnet, tunnel interface setup, IP, remote IP
Choose IKEv1 or IKEv2
Identify Phase 1 and Phase 2 DH groups
Recognize Phase 1 and Phase 2 proposals
Status when assigning IPsec Template
When an IPsec template is assigned, the status of each firewall device database and the provisioning template status are flagged as modified, indicated by an orange warning.
This is expected, since assignment is not the same as installation.
Also ideal to sync layers before assignment
Interface in a Hub
Can create a zone interface if you need to manage the traffic of all your spokes under the same interface.
Link the zone to a normalized interface
Be cautious when using per-platform mapping because of case-sensitive names
Interfaces for Spokes
Do not need a zone interface for spokes since they use only one IPsec VPN connection to connect to the hub.
Verify normalized interfaces
Device layer: quick identification