Description

In certain dynamic IPsec VPN configurations, an incoming connection can match two or more IPsec tunnel configurations. The FortiGate acting as the responder IPsec VPN gateway then selects the tunnel based on the following criteria.
Solution

When the first phase 1 IPsec packet arrives, the FortiGate acting as the responder uses the first phase 1 configuration (in alphabetical order) that matches the following:

- Local gateway.
- Mode (aggressive or main).
- Peer ID (if aggressive).
- Authentication method (pre-shared key or certificate).
- Certificate information (if certificate).
- Proposal.
- DH group.
Important: The pre-shared key itself is not part of the matching criteria.
However, in some circumstances FortiOS can switch to a different phase 1 if it finds that it initially selected the wrong one. This is called gateway re-validation and applies only to the following:

- IKEv1 with certificate authentication.
- IKEv2 with pre-shared key authentication.
- IKEv2 with certificate authentication.
Multiple dialup VPNs with pre-shared keys, the same local gateway, and the same SA settings should therefore use aggressive mode and different peer IDs. With this method, the FortiGate identifies the right VPN configuration for each incoming IPsec proposal.
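A small model of the selection and re-validation behaviour described above, added here as an example and not FortiOS code. The data classes, the constructed `SAMPLE` configurations, and the treatment of re-validation as simply moving on to the next alphabetical candidate when authentication fails are assumptions of this model.

```python
from dataclasses import dataclass
@dataclass
class Phase1:
    name: str
    local_gw: str
    mode: str                 # "main" or "aggressive" (IKEv1); any equal value for IKEv2
    auth: str                 # "psk" or "cert"
    proposals: frozenset      # accepted transforms, e.g. {"aes256-sha256"}
    dh_groups: frozenset      # accepted DH groups, e.g. {14, 19}
    peer_id: str = None       # compared only in aggressive mode
    cert_subject: str = None  # compared only for certificate authentication
    psk: str = None           # never part of the selection

@dataclass
class IkeRequest:
    ike_version: int
    local_gw: str
    mode: str
    auth: str
    proposal: str
    dh_group: int
    peer_id: str = None
    cert_subject: str = None
    psk: str = None           # key the initiator actually proves during authentication

def matches(p1, req):
    # The article's criteria; the pre-shared key is deliberately absent.
    if (p1.local_gw, p1.mode, p1.auth) != (req.local_gw, req.mode, req.auth):
        return False
    if req.mode == "aggressive" and p1.peer_id != req.peer_id:
        return False
    if req.auth == "cert" and p1.cert_subject != req.cert_subject:
        return False
    return req.proposal in p1.proposals and req.dh_group in p1.dh_groups

def select_phase1(configs, req):
    # Returns (chosen phase 1 name or None, whether authentication would succeed).
    for p1 in sorted(configs, key=lambda c: c.name):       # alphabetical order
        if not matches(p1, req):
            continue
        auth_ok = p1.auth == "cert" or p1.psk == req.psk
        # Re-validation (IKEv1+cert, IKEv2+PSK, IKEv2+cert) is modelled as moving on
        # to the next candidate; for IKEv1 with PSK the first match is final.
        if not auth_ok and (req.ike_version == 2 or p1.auth == "cert"):
            continue  # assumption: re-validation tries the next alphabetical match
        return p1.name, auth_ok
    return None, False

# Constructed sample: two main-mode PSK dialups that differ only in name and key.
SAMPLE = [Phase1(n, "203.0.113.1", "main", "psk", frozenset({"aes256-sha256"}),
                 frozenset({14}), psk=k) for n, k in (("vpn_B", "keyB"), ("vpn_A", "keyA"))]
```

With `SAMPLE`, an IKEv1 main-mode peer holding `keyB` is matched to `vpn_A` and fails authentication, while the same peer over IKEv2 is re-validated onto `vpn_B`.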