FortiGate
arydlewski
Staff
Article Id 196265

Description
This article describes how to configure IPsec without IKE (Internet Key Exchange), that is, with manually keyed security associations (the manualkey-interface object in the FortiOS CLI).

 
Useful links:

Fortinet Documentation
https://help.fortinet.com/fos40hlp/42/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=vpn.7.8...


Solution
Manual keying defines an IPsec security association (SA) statically: the SPIs, algorithms and keys are entered on both peers in advance, so no IKE negotiation takes place and the SA is never rekeyed.

The configuration presented in this article is not recommended for production networks,
although it is the simplest way of defining an SA. The keys stay in use until an administrator changes them by hand, so a single compromise of the auth-key (or enc-key) lets an attacker forge or decrypt ESP packets until the keys are rotated manually. The SPI itself is not a secret; it travels in clear in every ESP header. Note also that the entries below set only auth-alg md5 and no enc-alg, so ESP provides integrity only and the payload is sent in clear. For confidentiality, add set enc-alg and set enc-key with the same values on both peers, and prefer a SHA-based auth-alg over md5.

To simulate networks directly connected behind each firewall,
loopback interfaces are used as the protected subnets.

Site A:

#config system interface
edit "loopback"
set ip 1.1.1.1 255.255.255.0
set type loopback
next
end

#config vpn ipsec manualkey-interface
edit "REMOTESITE"
set interface "wan1"
set auth-alg md5
set local-spi 0x1234
set remote-spi 0x4321
set remote-gw 192.168.10.1
set auth-key 'ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
next
end
#config router static
edit 1
set dst 2.2.2.2 255.255.255.255
set device "REMOTESITE"
next
end

Policies 2 and 3 need an explicit accept action (the default action is deny), and schedule and service are mandatory when a policy is created from the CLI:

#config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set srcintf "loopback"
set dstintf "REMOTESITE"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set srcintf "REMOTESITE"
set dstintf "loopback"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Site B:
#config system interface
edit "loopback"
set vdom "root"
set ip 2.2.2.2 255.255.255.0
set type loopback
next
end

#config vpn ipsec manualkey-interface
edit "REMOTESITE"
set interface "wan1"
set local-gw 192.168.10.1
set auth-alg md5
set local-spi 0x4321
set remote-spi 0x1234
set remote-gw 192.168.10.2
set auth-key 'ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
next
end

#config router static
edit 1
set dst 1.1.1.1 255.255.255.255
set device "REMOTESITE"
next
end

#config firewall policy
edit 1
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set srcintf "loopback"
set dstintf "REMOTESITE"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set srcintf "REMOTESITE"
set dstintf "loopback"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Troubleshooting:

The SA can be listed with diagnose vpn tunnel list. Because there is no IKE, there is no negotiation to debug; the only things that can be wrong are the static values, so verify them on the wire.

SPI verification
ESP packets arriving at a peer carry that peer's local-spi, and the local-spi on one peer must equal the remote-spi on the other. Here Site A (192.168.10.2) has local-spi 0x1234 and Site B (192.168.10.1) has local-spi 0x4321, so traffic from 192.168.10.1 to 192.168.10.2 must show spi=0x00001234 and the replies spi=0x00004321, as in the capture below. A wrong SPI in either direction means the peers' local-spi/remote-spi values are not crossed correctly.
FGT60E4Q16****** # diagnose sniffer packet any 'esp'
interfaces=[any]
filters=[esp]
4.835915 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x16)
4.836164 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x411)
5.843944 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x17)
5.844035 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x412)
6.853880 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x18)
6.853965 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x413)
7.863872 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x19)
7.863994 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x414)
8.873889 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x1a)
8.873981 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x415)

Filtering by peer address on the other unit shows the same check from the sending side. In the capture below only ESP from 192.168.10.1 to 192.168.10.2 (SPI 0x1234) is seen and nothing with SPI 0x4321 comes back; when that is what is observed, check the other peer's local-spi, its static route and its firewall policies before suspecting the keys.
FortiGate-80E # diagnose sniffer packet any 'host 192.168.10.2'
interfaces=[any]
filters=[host 192.168.10.2]
8.070154 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x11)
9.081555 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x12)
10.091554 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x13)
11.101554 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x14)
12.111572 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x15)
13.071475 arp who-has 192.168.10.2 tell 192.168.10.1
13.071536 arp reply 192.168.10.2 is-at 90:6c:ac:6a:d3:68
48.213616 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x16)
49.221659 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x17)
50.231593 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x18)
51.241583 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x19)
52.251602 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x1a)
53.219308 arp who-has 192.168.10.1 tell 192.168.10.2
53.219342 arp reply 192.168.10.1 is-at 0:9:f:9:0:f
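As an added example, not part of the original article, the script below does the two checks above by hand: it cross-checks a pair of manualkey-interface entries (SPIs and gateways crossed, algorithms equal, keys of the right length for the algorithm, a warning when enc-alg is null) and then verifies sniffer output, checking that each ESP packet carries the receiver's local-spi, that sequence numbers advance, and that both directions are present. It assumes FortiOS prints stored keys as 'ENC ...' (skipped, since they cannot be checked) and plain keys as hex of the algorithm's native length; the key-length table is taken from the standard algorithm sizes. The sample input is constructed from the article's own two entries and a few of its sniffer lines.

```python
import re
from typing import Dict, List, Tuple

# Key lengths (bytes) assumed for each manual-key algorithm: standard sizes.
AUTH_KEY_BYTES = {"null": 0, "md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}
ENC_KEY_BYTES = {"null": 0, "des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}

# One ESP line from 'diagnose sniffer packet any esp':
#   4.835915 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x16)
ESP_LINE = re.compile(r"^\s*[\d.]+\s+(\S+)\s+->\s+(\S+):\s+ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")


def parse_manualkey(cli: str) -> Dict[str, str]:
    """Collect 'set <name> <value>' pairs from one manualkey-interface entry."""
    return {m.group(1): m.group(2).strip("'\"")
            for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", cli, re.M)}


def _key_len_ok(key: str, alg: str, table: Dict[str, int]) -> bool:
    """True if key is hex of the length alg needs. 'ENC ...' keys are masked and pass."""
    if key.startswith("ENC "):
        return True
    hexkey = key[2:] if key.lower().startswith("0x") else key
    try:
        return len(bytes.fromhex(hexkey)) == table[alg]
    except (ValueError, KeyError):
        return False


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Cross-check two peers' static SAs. Returns (errors, warnings)."""
    errors, warnings = [], []
    if int(a["local-spi"], 16) != int(b["remote-spi"], 16):
        errors.append("A local-spi != B remote-spi")
    if int(b["local-spi"], 16) != int(a["remote-spi"], 16):
        errors.append("B local-spi != A remote-spi")
    if "local-gw" in b and a["remote-gw"] != b["local-gw"]:
        errors.append("A remote-gw != B local-gw")
    if "local-gw" in a and b["remote-gw"] != a["local-gw"]:
        errors.append("B remote-gw != A local-gw")
    for alg_opt, key_opt, table in (("auth-alg", "auth-key", AUTH_KEY_BYTES),
                                    ("enc-alg", "enc-key", ENC_KEY_BYTES)):
        if a.get(alg_opt, "null") != b.get(alg_opt, "null"):
            errors.append(f"{alg_opt} differs between peers")
        for name, side in (("A", a), ("B", b)):
            alg = side.get(alg_opt, "null")  # FortiOS default for both algorithms is null
            if alg != "null" and not _key_len_ok(side.get(key_opt, ""), alg, table):
                errors.append(f"{name} {key_opt} is not {table.get(alg, '?')} bytes of hex for {alg}")
    if a.get("enc-alg", "null") == "null":
        warnings.append("enc-alg is null: ESP gives integrity only, payload is sent in clear")
    if a.get("auth-alg", "null") == "null":
        warnings.append("auth-alg is null: ESP gives no integrity protection")
    return errors, warnings


def check_capture(capture: str, a: Dict[str, str], b: Dict[str, str]) -> Tuple[Dict[Tuple[str, str], int], List[str]]:
    """ESP arriving at a peer must carry that peer's local-spi; sequence numbers
    must advance; both directions must appear. Returns (packets per flow, problems)."""
    gw_a = a.get("local-gw") or b["remote-gw"]
    gw_b = b.get("local-gw") or a["remote-gw"]
    expected = {(gw_b, gw_a): int(a["local-spi"], 16),   # B -> A carries A's local-spi
                (gw_a, gw_b): int(b["local-spi"], 16)}   # A -> B carries B's local-spi
    seen: Dict[Tuple[str, str], int] = {}
    last_seq: Dict[Tuple[str, str], int] = {}
    problems = []
    for line in capture.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue  # ARP and other non-ESP lines are ignored
        flow, spi, seq = (m.group(1), m.group(2)), int(m.group(3), 16), int(m.group(4), 16)
        if flow not in expected:
            problems.append(f"unexpected ESP flow {flow[0]} -> {flow[1]}")
        elif spi != expected[flow]:
            problems.append(f"{flow[0]} -> {flow[1]} has spi 0x{spi:x}, expected 0x{expected[flow]:x}")
        elif flow in last_seq and seq <= last_seq[flow]:
            problems.append(f"{flow[0]} -> {flow[1]} seq 0x{seq:x} did not advance (replay or duplicate)")
        else:
            seen[flow] = seen.get(flow, 0) + 1
        last_seq[flow] = seq
    for src, dst in expected:
        if (src, dst) not in seen:
            problems.append(f"no ESP from {src} to {dst}: check that peer's SA, route and policy")
    return seen, problems


# Constructed sample input: the article's two entries (keys masked as FortiOS
# prints them) and the first few lines of its sniffer capture.
SITE_A = """set interface "wan1"
set auth-alg md5
set local-spi 0x1234
set remote-spi 0x4321
set remote-gw 192.168.10.1
set auth-key 'ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"""
SITE_B = """set interface "wan1"
set local-gw 192.168.10.1
set auth-alg md5
set local-spi 0x4321
set remote-spi 0x1234
set remote-gw 192.168.10.2
set auth-key 'ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"""
CAPTURE = """interfaces=[any]
filters=[esp]
4.835915 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x16)
4.836164 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x411)
5.843944 192.168.10.1 -> 192.168.10.2: ESP(spi=0x00001234,seq=0x17)
5.844035 192.168.10.2 -> 192.168.10.1: ESP(spi=0x00004321,seq=0x412)
13.071475 arp who-has 192.168.10.2 tell 192.168.10.1"""

if __name__ == "__main__":
    a, b = parse_manualkey(SITE_A), parse_manualkey(SITE_B)
    print("config:", check_pair(a, b))
    print("capture:", check_capture(CAPTURE, a, b))
```

Paste the output of show vpn ipsec manualkey-interface from each unit in place of SITE_A and SITE_B (the config and edit lines are simply ignored) and the sniffer output in place of CAPTURE; the one-directional capture shown above yields a single "no ESP from 192.168.10.2 to 192.168.10.1" finding, which is the cue to look at the other peer rather than the keys.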


