mbanica
Staff
Article Id 191616

Description

This article describes VPNC, a widely used open-source VPN client designed to be compatible with Cisco's VPN Concentrator 3000 series, and explains why its IKE lifetime handling stops working with newer FortiOS versions.

This compatibility is essential for individuals or organizations that have historically invested in Cisco's networking solutions and wish to connect from Linux-based systems:

  • Encryption Protocols: The varied encryption protocols that VPNC offers include AES (with 128, 192, and 256-bit encryption), 3DES, and DES. These are commonly used encryption protocols, with AES being the most secure among them.

  • Hash Algorithms: SHA1 and MD5 are cryptographic hash functions. It's noteworthy that MD5, while faster, is considered less secure than SHA1. In modern setups, SHA-256 or higher is preferred due to increased security.

  • Authentication Methods: The authentication mechanisms include Pre-Shared Key (PSK) and XAUTH (Extended Authentication). The difference primarily lies in their application and security level, with XAUTH providing an added layer of authentication on top of PSK.


No. - Encryption - Hash - Authentication - DH Group - Lifetime (Seconds)

1. AES/256 - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
2. AES/256 - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
3. AES/192 - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
4. AES/192 - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
5. AES/128 - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
6. AES/128 - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
7. 3DES - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
8. 3DES - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
9. DES - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
10. DES - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
11. RESERVED(0) - SHA1 - XAUTH - 2 (MODP 1024) - 2,147,483
12. RESERVED(0) - MD5 - XAUTH - 2 (MODP 1024) - 2,147,483
13. AES/256 - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
14. AES/256 - MD5 - PSK - 2 (MODP 1024) - 2,147,483
15. AES/192 - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
16. AES/192 - MD5 - PSK - 2 (MODP 1024) - 2,147,483
17. AES/128 - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
18. AES/128 - MD5 - PSK - 2 (MODP 1024) - 2,147,483
19. 3DES - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
20. 3DES - MD5 - PSK - 2 (MODP 1024) - 2,147,483
21. DES - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
22. DES - MD5 - PSK - 2 (MODP 1024) - 2,147,483
23. RESERVED(0) - SHA1 - PSK - 2 (MODP 1024) - 2,147,483
24. RESERVED(0) - MD5 - PSK - 2 (MODP 1024) - 2,147,483

For the authentication methods, PSK is Pre-Shared Key (value 1), and XAUTH is XAUTH Init PreShared (value 65001).

The lifetime of 2,147,483 seconds is the same value the Cisco VPN Client uses; it corresponds to an SA lifetime of about 24 days.
The FortiOS maximum SA lifetime is 172,800 seconds, which corresponds to 4 days.

VPNC works with FortiOS versions before v5.0.8; from v5.0.8 onward, the behavior of FortiOS changed:

To ensure that the RESPONDER-LIFETIME payload (normally carried in an Informational message exchange) is delivered, FortiOS sends the RESPONDER-LIFETIME notification payload in the first quick mode response.

Based on the IETF draft at https://tools.ietf.org/html/draft-ietf-ipsec-ike-lifetime-00, FortiOS v5.0.8 and later handle ISAKMP lifetimes as follows:

'Complete the negotiation and send an advisory notification to the initiator indicating the responder's true lifetime. Since altering the proposal from the initiator is a violation of the IKE, there is no way to communicate to the initiator what IKE SA lifetime is being used by the responder; another method of communicating this is required.'

The RESPONDER-LIFETIME SHOULD be sent by the responder if the initiating peer's lifetime for IKE is longer than the lifetime defined in the responder's local policy.

VPNC performs the following action: it MAY terminate the negotiation if the initiating peer insists on that lifetime. This does not facilitate communication, but no unexpected loss of traffic will occur.
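The lifetime handling described above, as an added Python model that is not code from the Fortinet article, from FortiOS or from VPNC: the responder accepts the initiator's lifetime unchanged and attaches a RESPONDER-LIFETIME notification (type 24576 in the draft) carrying its own policy value, and the initiator either adopts that value or, as VPNC may, terminates. The attribute numbers 1 (Life Type) and 2 (Life Duration) are assumed here to be the IPsec DOI lifetime attributes, and the insist flag is a simplification of VPNC's behaviour.

```python
import struct

RESPONDER_LIFETIME = 24576        # notify type from draft-ietf-ipsec-ike-lifetime-00
FORTIOS_MAX_LIFETIME = 172_800    # responder's local policy (value from the article)
VPNC_LIFETIME = 2_147_483         # lifetime proposed by VPNC / the Cisco client
LIFE_TYPE, LIFE_DURATION = 1, 2   # assumed: IPsec DOI SA lifetime attribute numbers

def build_responder_lifetime_notify(seconds):
    """Encode a RESPONDER-LIFETIME notify: 2-byte notify type, a basic (TV)
    Life Type attribute (1 = seconds) and a variable (TLV) Life Duration attribute."""
    life_type = struct.pack("!HH", 0x8000 | LIFE_TYPE, 1)       # TV: high bit set
    duration = struct.pack("!I", seconds)
    life_duration = struct.pack("!HH", LIFE_DURATION, len(duration)) + duration
    return struct.pack("!H", RESPONDER_LIFETIME) + life_type + life_duration

def parse_responder_lifetime_notify(data):
    """Return the lifetime in seconds carried by a RESPONDER-LIFETIME notify."""
    (ntype,) = struct.unpack("!H", data[:2])
    if ntype != RESPONDER_LIFETIME:
        raise ValueError("not a RESPONDER-LIFETIME notification")
    pos, lifetime = 2, None
    while pos < len(data):
        attr, val = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        if attr & 0x8000:                       # TV attribute: value is inline
            attr, payload = attr & 0x7FFF, val.to_bytes(2, "big")
        else:                                   # TLV attribute: length then value
            payload = data[pos:pos + val]; pos += val
        if attr == LIFE_DURATION:
            lifetime = int.from_bytes(payload, "big")
    if lifetime is None:
        raise ValueError("missing Life Duration attribute")
    return lifetime

def responder_quick_mode_reply(proposed, policy=FORTIOS_MAX_LIFETIME):
    """FortiOS >= 5.0.8 behaviour: the proposal is accepted unchanged, and the
    notification is attached only when the initiator asked for more than policy allows."""
    notify = build_responder_lifetime_notify(policy) if proposed > policy else None
    return proposed, notify

def initiator_handle_reply(proposed, notify, insist):
    """Initiator side: adopt the responder's real lifetime, or (as VPNC may)
    terminate the negotiation when it insists on its own value."""
    if notify is None:
        return "established", proposed
    real_lifetime = parse_responder_lifetime_notify(notify)
    if insist:
        return "terminated", None
    return "established", real_lifetime
```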

Alternatives for Linux Users:

For Linux users who find VPNC's behavior incompatible with newer FortiOS versions, there are alternatives:

Shrew Soft VPN Client: A popular alternative, Shrew Soft offers broad compatibility with different VPN gateways and a lot of flexibility in its configuration.

Openswan: This is another solution for Linux users. It focuses on establishing IPsec-based VPNs and is known for its robustness and flexibility.