IPsec VPN DatasheetThe VPN Datasheet below can be exchange with your VPN partner in order to work on the same information basis. VPN Site 1VPN Site 2Company ACompany BRequested by:Requested by:Planning contact:Planning contact:Responsible for installation:Responsible for installation: VPN GatewayHardware Vendor & Version: FortiGate V _._._Hardware Vendor & Version:External IP address:External IP address:Encryption Domain / Crypto Map:Encryption Domain / Crypto Map: VPN Phase 1 (IKE)Key Management:• IKEv1 (Aggressive)• IKEv1 (Main ID protection)• IKEv2 Key Management:DH-Group (Diffie-Hellman):• Group 1 (768 bit MODP)• Group 2 (1024 bit MODP)• Group 5 (1536 bit MODP)• Group 14 (2048 bit MODP)• Group 15 (3072-bit MODP)• Group 16 (4096-bit MODP)• Group 17 (6144-bit MODP)• Group 18 (8192-bit MODP)• Group 19 (256-bit ECP)• Group 20 (384-bit ECP)• Group 21(521-bit ECP)• Group 27 (6144-bit MODP)• Group 28 (BP256 ECP)• Group 29 (BP381 ECP• Group 30 (BP512 ECP)• Group 31 (Curve25519)• Group 32 (Curve448) DH-Group (Diffie-Hellman):Encryption Algorithm:• DES• 3DES• AES-128• AES-128GCM (Only available for IKEv2)• AES-192• AES-256• AES-256GCM (Only available for IKEv2)• CHACHA20POLY1305: 128-bit (Only available for IKEv2)Encryption Algorithm:Hash / Data Integrity:• MD5• SHA1• SHA-256 → highest compatibility• SHA-384• SHA512 → highest securityHash:Pseudo Random Function (PRF):• No• Yes: (PRFSHA1, PRFSHA256, PRFSHA384, PRFSHA512)Pseudo Random Function (PRF):• No• Yes:Authentication Method:• Signature• Pre-Shared SecretAuthentication Method:SA Lifetime / Renegotiation time: 86400 sec. (Default)SA Lifetime: VPN Phase 2 (IPSec)Encapsulation: ESPEncapsulation: ESPPerfect Forward Secrecy (PFS): Yes / NoPerfect Forward Secrecy (PFS): Yes / NoDH-Group (Diffie-Hellman):• Group 1 (768 bit MODP)• Group 2 (1024 bit MODP)• Group 5 (1536 bit MODP)• Group 14 (2048 bit MODP)• Group 15 (3072-bit MODP)• Group 16 (4096-bit MODP)• Group 17 (6144-bit MODP)• Group 18 (8192-bit MODP)• Group 19 (256-bit ECP)• Group 20 (384-bit ECP)• Group 21(521-bit ECP)• Group 27 (6144-bit MODP)• Group 28 (BP256 ECP)• Group 29 (BP381 ECP• Group 30 (BP512 ECP)• Group 31 (Curve25519)• Group 32 (Curve448) DH-Group (Diffie-Hellman):Encryption Algorithm:• NULL• DES• 3DES• AES-128• AES128GCM (Only available for IKEv2)• AES-192• AES-256• AES-256GCM (Only available for IKEv2)• CHACHA20POLY1305: a 128-bit (Only available for IKEv2)Encryption Algorithm:Hash / Data Integrity:• NULL• MD5• SHA1• SHA-256• SHA-384• SHA-512Hash:Aggressive Mode: Yes / NoAggressive Mode: Yes / NoSA Lifetime: 43200 sec. (Default)SA Lifetime: VPN NAT OptionsDisable NAT inside the VPN traffic: Yes / No VPN Interesting TrafficInbound from Site 2:Inbound from Site 1:Outbound to Site 2:Outbound to Site 1: I didn't find a lot of best practices from official Fortinet documentation, so I'm hoping to get in touch with you all to establish a set of best practices. Let's discuss!

Explorer III

Question

IPsec VPN Datasheet

Forum|Forum|2 years ago
April 27, 2023
3 replies
6608 views

IPsec VPN Datasheet

The VPN Datasheet below can be exchange with your VPN partner in order to work on the same information basis.

VPN Site 1	VPN Site 2
Company A	Company B
Requested by:	Requested by:
Planning contact:	Planning contact:
Responsible for installation:	Responsible for installation:

VPN Gateway

Hardware Vendor & Version: FortiGate V _._._	Hardware Vendor & Version:
External IP address:	External IP address:
Encryption Domain / Crypto Map:	Encryption Domain / Crypto Map:

VPN Phase 1 (IKE)

Key Management: • IKEv1 (Aggressive) • IKEv1 (Main ID protection) • IKEv2	Key Management:
DH-Group (Diffie-Hellman): • Group 1 (768 bit MODP) • Group 2 (1024 bit MODP) • Group 5 (1536 bit MODP) • Group 14 (2048 bit MODP) • Group 15 (3072-bit MODP) • Group 16 (4096-bit MODP) • Group 17 (6144-bit MODP) • Group 18 (8192-bit MODP) • Group 19 (256-bit ECP) • Group 20 (384-bit ECP) • Group 21(521-bit ECP) • Group 27 (6144-bit MODP) • Group 28 (BP256 ECP) • Group 29 (BP381 ECP • Group 30 (BP512 ECP) • Group 31 (Curve25519) • Group 32 (Curve448)	DH-Group (Diffie-Hellman):
Encryption Algorithm: • DES • 3DES • AES-128 • AES-128GCM (Only available for IKEv2) • AES-192 • AES-256 • AES-256GCM (Only available for IKEv2) • CHACHA20POLY1305: 128-bit (Only available for IKEv2)	Encryption Algorithm:
Hash / Data Integrity: • MD5 • SHA1 • SHA-256 → highest compatibility • SHA-384 • SHA512 → highest security	Hash:
Pseudo Random Function (PRF): • No • Yes: (PRFSHA1, PRFSHA256, PRFSHA384, PRFSHA512)	Pseudo Random Function (PRF): • No • Yes:
Authentication Method: • Signature • Pre-Shared Secret	Authentication Method:
SA Lifetime / Renegotiation time: 86400 sec. (Default)	SA Lifetime:

VPN Phase 2 (IPSec)

Encapsulation: ESP	Encapsulation: ESP
Perfect Forward Secrecy (PFS): Yes / No	Perfect Forward Secrecy (PFS): Yes / No
DH-Group (Diffie-Hellman): • Group 1 (768 bit MODP) • Group 2 (1024 bit MODP) • Group 5 (1536 bit MODP) • Group 14 (2048 bit MODP) • Group 15 (3072-bit MODP) • Group 16 (4096-bit MODP) • Group 17 (6144-bit MODP) • Group 18 (8192-bit MODP) • Group 19 (256-bit ECP) • Group 20 (384-bit ECP) • Group 21(521-bit ECP) • Group 27 (6144-bit MODP) • Group 28 (BP256 ECP) • Group 29 (BP381 ECP • Group 30 (BP512 ECP) • Group 31 (Curve25519) • Group 32 (Curve448)	DH-Group (Diffie-Hellman):
Encryption Algorithm: • NULL • DES • 3DES • AES-128 • AES128GCM (Only available for IKEv2) • AES-192 • AES-256 • AES-256GCM (Only available for IKEv2) • CHACHA20POLY1305: a 128-bit (Only available for IKEv2)	Encryption Algorithm:
Hash / Data Integrity: • NULL • MD5 • SHA1 • SHA-256 • SHA-384 • SHA-512	Hash:
Aggressive Mode: Yes / No	Aggressive Mode: Yes / No
SA Lifetime: 43200 sec. (Default)	SA Lifetime:

VPN NAT Options

Disable NAT inside the VPN traffic: Yes / No

VPN Interesting Traffic

Inbound from Site 2:	Inbound from Site 1:
Outbound to Site 2:	Outbound to Site 1:

I didn't find a lot of best practices from official Fortinet documentation, so I'm hoping to get in touch with you all to establish a set of best practices. Let's discuss!

FortiGate

akristof

Staff

Hello,

I am not sure what best practicu you are looking for. You can say that the settings, that are used when you create VPN via GUI VPN WIZARD can be considered as best practice. But most of the settings depends on the requirement of your network and your VPN peer. Higher the encryption and DH group means better security but you need to have in mind also offloading capabilities. Usually you need to decide on what security level you want to have and based on that you will adjust settings.

YannicS

Explorer II

Thanks for sharing this helpful datasheet!
I copied it into a word document and used it to agree on VPN details with a VPN partner.

DaniKust

Explorer

Nice table was searching for a long time
For offloading i recommend adding a * to the ones that can be offloaded found this link.
https://www.fortinetguru.com/2019/12/ipsec-ikev1-phase2-encryption-algorithm/

Also found this research document that list "SafeCurves:choosing safe curves for elliptic-curve cryptography" this does not mean they are safe but at least the unsafe ones should probably be avoided...?
http://safecurves.cr.yp.to/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded