IPsec VPN Datasheet
The VPN Datasheet below can be exchange with your VPN partner in order to work on the same information basis.
VPN Site 1 | VPN Site 2 |
Company A | Company B |
Requested by: | Requested by: |
Planning contact: | Planning contact: |
Responsible for installation: | Responsible for installation: |
VPN Gateway
Hardware Vendor & Version: FortiGate V _._._ | Hardware Vendor & Version: |
External IP address: | External IP address: |
Encryption Domain / Crypto Map: | Encryption Domain / Crypto Map: |
VPN Phase 1 (IKE)
• IKEv1 (Aggressive) • IKEv1 (Main ID protection) • IKEv2
| Key Management: |
DH-Group (Diffie-Hellman): • Group 1 (768 bit MODP) • Group 2 (1024 bit MODP) • Group 5 (1536 bit MODP) • Group 14 (2048 bit MODP) • Group 15 (3072-bit MODP) • Group 16 (4096-bit MODP) • Group 17 (6144-bit MODP) • Group 18 (8192-bit MODP) • Group 19 (256-bit ECP) • Group 20 (384-bit ECP) • Group 21(521-bit ECP) • Group 27 (6144-bit MODP) • Group 28 (BP256 ECP) • Group 29 (BP381 ECP • Group 30 (BP512 ECP) • Group 31 (Curve25519) • Group 32 (Curve448)
| DH-Group (Diffie-Hellman): |
Encryption Algorithm: • DES • 3DES • AES-128 • AES-128GCM (Only available for IKEv2) • AES-192 • AES-256 • AES-256GCM (Only available for IKEv2) • CHACHA20POLY1305: 128-bit (Only available for IKEv2) | Encryption Algorithm: |
Hash / Data Integrity: • MD5 • SHA1 • SHA-256 → highest compatibility • SHA-384 • SHA512 → highest security | Hash: |
Pseudo Random Function (PRF): • No • Yes: (PRFSHA1, PRFSHA256, PRFSHA384, PRFSHA512) | Pseudo Random Function (PRF): • No • Yes: |
Authentication Method: • Signature • Pre-Shared Secret | Authentication Method: |
SA Lifetime / Renegotiation time: 86400 sec. (Default) | SA Lifetime: |
VPN Phase 2 (IPSec)
Encapsulation: ESP | Encapsulation: ESP |
Perfect Forward Secrecy (PFS): Yes / No | Perfect Forward Secrecy (PFS): Yes / No |
DH-Group (Diffie-Hellman): • Group 1 (768 bit MODP) • Group 2 (1024 bit MODP) • Group 5 (1536 bit MODP) • Group 14 (2048 bit MODP) • Group 15 (3072-bit MODP) • Group 16 (4096-bit MODP) • Group 17 (6144-bit MODP) • Group 18 (8192-bit MODP) • Group 19 (256-bit ECP) • Group 20 (384-bit ECP) • Group 21(521-bit ECP) • Group 27 (6144-bit MODP) • Group 28 (BP256 ECP) • Group 29 (BP381 ECP • Group 30 (BP512 ECP) • Group 31 (Curve25519) • Group 32 (Curve448)
| DH-Group (Diffie-Hellman): |
Encryption Algorithm: • NULL • DES • 3DES • AES-128 • AES128GCM (Only available for IKEv2) • AES-192 • AES-256 • AES-256GCM (Only available for IKEv2) • CHACHA20POLY1305: a 128-bit (Only available for IKEv2) | Encryption Algorithm: |
Hash / Data Integrity: • NULL • MD5 • SHA1 • SHA-256 • SHA-384 • SHA-512 | Hash: |
Aggressive Mode: Yes / No | Aggressive Mode: Yes / No |
SA Lifetime: 43200 sec. (Default) | SA Lifetime: |
VPN NAT Options |
Disable NAT inside the VPN traffic: Yes / No |
VPN Interesting Traffic
Inbound from Site 2: | Inbound from Site 1: |
Outbound to Site 2: | Outbound to Site 1: |
I didn't find a lot of best practices from official Fortinet documentation, so I'm hoping to get in touch with you all to establish a set of best practices. Let's discuss!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
I am not sure what best practicu you are looking for. You can say that the settings, that are used when you create VPN via GUI VPN WIZARD can be considered as best practice. But most of the settings depends on the requirement of your network and your VPN peer. Higher the encryption and DH group means better security but you need to have in mind also offloading capabilities. Usually you need to decide on what security level you want to have and based on that you will adjust settings.
Thanks for sharing this helpful datasheet!
I copied it into a word document and used it to agree on VPN details with a VPN partner.
Nice table was searching for a long time
For offloading i recommend adding a * to the ones that can be offloaded found this link.
https://www.fortinetguru.com/2019/12/ipsec-ikev1-phase2-encryption-algorithm/
Also found this research document that list "SafeCurves:choosing safe curves for elliptic-curve cryptography" this does not mean they are safe but at least the unsafe ones should probably be avoided...?
http://safecurves.cr.yp.to/
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.