FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nkorea
Staff
Staff
Article Id 315548
Description This article describes how FortiGate manages PRF configurations, including configuring them and the algorithms supported.
Scope FortiGate.
Solution

PRF settings are done by the RFC:

  • The PRF settings in the initial tunnel negotiation are visible when running an IKE debug.


FortiGate uses GCM encryption or CHACHA20POLY1305 to set PRF encryptions. Opting for a different encryption, like AES192, eliminates the PRF flag and any prior PRF settings. Consequently, selecting standard encryptions such as SHA256 becomes necessary to complement AES192.

The PRF encryption set for the tunnel is visible right below, but it is necessary to use a custom tunnel setup to access this information.

Here is an example from my configuration:

FortiGate-61E (ipsec1) # show
config vpn ipsec phase1-interface
    edit "ipsec1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 1.1.1.1
        set psksecret ENC ILAM2oHbSIjJnrpmlPIs27GdUU/4ZNgGRKW785oM4L7iG0jG1LZW6tWF7KSXxEf2L5pn7eIr1cdUTwwnLUD782kNHj8jGLq5OeniDbwNMbzeNnjCD9g71kve/L+fhicdPt49E23THqHAz00MjQbjJXSxve6QkgJw7NTvpNO4rm9YSoP09MbaZxvvdsfiMFNb+qW/LQ==
    next
end

FortiGate-61E (ipsec1) # show full-configuration | grep prf set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

 

Related documents :
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf

Encryption algorithms
Contributors