Description
This article describes how an IPsec VPN is established in Phase 1 aggressive mode, with some examples from Wireshark.
Useful links:
Fortinet Documentation.
Solution
IPsec VPN communication is built up with a 2-step negotiation:
Phase 1: Authenticates and/or encrypts the peers.
Phase 2 (Quick mode): Negotiates the algorithm and agrees on which traffic will be sent across the VPN.
In this KB, the focus is on Phase 1 aggressive mode. Aggressive mode is usually used for remote access VPN or if one or both peers have dynamic external IP addresses.
IKEv1 aggressive mode only requires three messages to establish the security association.
Network Topology:
FortiClient (Remote VPN) ----------- L3 Network --------- LAB FortiGate
[192.168.242.57]                                          [Port1(WAN): 10.47.2.72]

The first message is from the initiator (192.168.242.57) to the responder (10.47.2.72).
In this first message, the security association attributes, DH nonces and the identification (in clear text) are available. This is the difference from main mode, where the identification info is encrypted.

In the second message, the responder generates the DH shared key and sends the initiator the values it needs so that it can calculate the DH shared key.

The last message from the initiator is a hash that is used for authentication.
If NAT-traversal is being used, this message will be sent on UDP port 4500. In this example, NAT-traversal is not in use, and hence UDP port 500 is used.
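
The clear-text identification in the first aggressive mode message can be checked in a capture by walking the ISAKMP payload chain. The following Python code is an added example, not part of the original article or any Fortinet tooling; the names parse_ike and build, and the sample identity remote-user.example, are constructed for illustration, and the numeric constants come from RFC 2408 and RFC 2407.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
EXCHANGE = {2: "main", 4: "aggressive"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length
ID_PAYLOAD, ENCRYPTED = 5, 0x01

def parse_ike(datagram):
    """Summarise one IKEv1 datagram: mode, payload chain, clear-text identity."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, nxt, _ver, xchg, flags, _mid, length = HDR.unpack_from(datagram)
    if length > len(datagram) or length < HDR.size:
        raise ValueError("header length does not match datagram")
    info = {"mode": EXCHANGE.get(xchg, f"other({xchg})"),
            "encrypted": bool(flags & ENCRYPTED), "payloads": [], "identity": None}
    offset = HDR.size
    # Encrypted payloads (for example main mode messages 5 and 6) cannot be walked.
    while nxt != 0 and not info["encrypted"]:
        if offset + 4 > length:
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        body = datagram[offset + 4:offset + plen]
        info["payloads"].append(nxt)
        if nxt == ID_PAYLOAD and len(body) >= 4:
            # ID type, protocol, port, then the identification data itself.
            info["identity"] = (ID_TYPES.get(body[0], str(body[0])), body[4:])
        nxt, offset = following, offset + plen
    return info

def build(xchg, flags, payloads):
    """Assemble a constructed test datagram from (type, body) pairs."""
    types = [t for t, _ in payloads] + [0]
    chain = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(b)) + b
                     for i, (_, b) in enumerate(payloads))
    return HDR.pack(b"\x11" * 8, b"\x00" * 8, types[0], 0x10, xchg, flags,
                    0, HDR.size + len(chain)) + chain

# Constructed sample: aggressive mode message 1 = SA, KE, Nonce, ID in clear text.
ident = struct.pack("!BBH", 2, 17, 500) + b"remote-user.example"
SAMPLE_AGGRESSIVE = build(4, 0, [(1, b"\x00" * 8), (4, b"\xaa" * 16),
                                 (10, b"\xbb" * 16), (5, ident)])
# Constructed sample: main mode message 5, where the ID payload is encrypted.
SAMPLE_MAIN = build(2, ENCRYPTED, [(5, b"\xcc" * 24)])
```

Feeding it the UDP payload of each port 500 datagram from a capture shows which tunnels expose their peer ID to anyone on the path, which is useful input when deciding whether a dial-up tunnel can be moved to main mode or IKEv2.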

Related articles:
- Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
- Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
- Troubleshooting Tip: IPsec VPNs tunnels
- Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
- Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels
- Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
- Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
- Technical Tip: IPSec dial-up full tunnel with FortiClient
- Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
- Technical Note: Dynamic routing (BGP) over IPsec tunnel
- Technical Tip: OSPF with IPSec VPN for network redundancy
- Technical Tip: Dynamic dial-up VPN with OSPF
- Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
- Technical Tip: 'set net-device' new route-based IPsec logic
- Technical Tip: Simple OCVPN deployment
- Technical Tip: SD-WAN integration with OCVPN
- Technical Tip: Configure IPsec VPN with SD-WAN
- Technical Tip: SD-WAN with DDNS type IPsec
- Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
- Technical Note : Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a...
- Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
- Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel