Support Forum
Henny
New Contributor II

IPsec VPN Datasheet

The VPN datasheet below can be exchanged with your VPN partner so that both sides work from the same information basis.

|                               | VPN Site 1       | VPN Site 2 |
|-------------------------------|------------------|------------|
| Company                       | Company A        | Company B  |
| Requested by:                 |                  |            |
| Planning contact:             |                  |            |
| Responsible for installation: |                  |            |

VPN Gateway

|                                 | VPN Site 1          | VPN Site 2 |
|---------------------------------|---------------------|------------|
| Hardware Vendor & Version:      | FortiGate V _._._   |            |
| External IP address:            |                     |            |
| Encryption Domain / Crypto Map: |                     |            |

VPN Phase 1 (IKE)

|                                   | VPN Site 1 | VPN Site 2 |
|-----------------------------------|------------|------------|
| Key Management:                   | IKEv1 (Aggressive) / IKEv1 (Main, ID protection) / IKEv2 | |
| DH-Group (Diffie-Hellman):        | Group 1 (768-bit MODP), Group 2 (1024-bit MODP), Group 5 (1536-bit MODP), Group 14 (2048-bit MODP), Group 15 (3072-bit MODP), Group 16 (4096-bit MODP), Group 17 (6144-bit MODP), Group 18 (8192-bit MODP), Group 19 (256-bit ECP), Group 20 (384-bit ECP), Group 21 (521-bit ECP), Group 27 (6144-bit MODP), Group 28 (BP256 ECP), Group 29 (BP381 ECP), Group 30 (BP512 ECP), Group 31 (Curve25519), Group 32 (Curve448) | |
| Encryption Algorithm:             | DES, 3DES, AES-128, AES-128GCM (only available for IKEv2), AES-192, AES-256, AES-256GCM (only available for IKEv2), CHACHA20POLY1305 128-bit (only available for IKEv2) | |
| Hash / Data Integrity:            | MD5, SHA1, SHA-256 (highest compatibility), SHA-384, SHA-512 (highest security) | |
| Pseudo Random Function (PRF):     | No / Yes: PRFSHA1, PRFSHA256, PRFSHA384, PRFSHA512 | No / Yes: |
| Authentication Method:            | Signature / Pre-Shared Secret | |
| SA Lifetime / Renegotiation time: | 86400 sec. (default) | |

VPN Phase 2 (IPsec)

|                               | VPN Site 1 | VPN Site 2 |
|-------------------------------|------------|------------|
| Encapsulation:                | ESP        | ESP        |
| Perfect Forward Secrecy (PFS): | Yes / No  | Yes / No   |
| DH-Group (Diffie-Hellman):    | Group 1 (768-bit MODP), Group 2 (1024-bit MODP), Group 5 (1536-bit MODP), Group 14 (2048-bit MODP), Group 15 (3072-bit MODP), Group 16 (4096-bit MODP), Group 17 (6144-bit MODP), Group 18 (8192-bit MODP), Group 19 (256-bit ECP), Group 20 (384-bit ECP), Group 21 (521-bit ECP), Group 27 (6144-bit MODP), Group 28 (BP256 ECP), Group 29 (BP381 ECP), Group 30 (BP512 ECP), Group 31 (Curve25519), Group 32 (Curve448) | |
| Encryption Algorithm:         | NULL, DES, 3DES, AES-128, AES-128GCM (only available for IKEv2), AES-192, AES-256, AES-256GCM (only available for IKEv2), CHACHA20POLY1305 128-bit (only available for IKEv2) | |
| Hash / Data Integrity:        | NULL, MD5, SHA1, SHA-256, SHA-384, SHA-512 | |
| Aggressive Mode:              | Yes / No   | Yes / No   |
| SA Lifetime:                  | 43200 sec. (default) | |

VPN NAT Options

Disable NAT inside the VPN traffic: Yes / No

VPN Interesting Traffic

|           | VPN Site 1     | VPN Site 2     |
|-----------|----------------|----------------|
| Inbound:  | from Site 2:   | from Site 1:   |
| Outbound: | to Site 2:     | to Site 1:     |

I didn't find a lot of best practices from official Fortinet documentation, so I'm hoping to get in touch with you all to establish a set of best practices. Let's discuss!
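Once both columns of the datasheet are filled in, the first thing to check is that every Phase 1 and Phase 2 row actually matches, since any difference means the tunnel will not negotiate. The script below is an added example, not part of the forum post: each site's column is a dict (the row names, the "legacy" sets and the sample values are constructed here), and it reports mismatches, legacy options, and GCM/ChaCha20 choices that the sheet marks as only available for IKEv2.

```python
# Added example, not from the forum post. Each site fills in the datasheet as a
# dict; the checker reports rows that differ between peers (the tunnel will not
# negotiate), legacy options, and GCM/ChaCha20 picks the sheet marks IKEv2-only.

# Datasheet rows that must be identical on both sides.
MUST_MATCH = (
    "key_management", "p1_dh_group", "p1_encryption", "p1_hash", "p1_prf",
    "p1_auth", "p1_lifetime", "p2_pfs", "p2_dh_group", "p2_encryption",
    "p2_hash", "p2_lifetime",
)
# Options treated as legacy (assumed local policy, not a FortiOS rule).
LEGACY = {
    "key_management": {"IKEv1 (Aggressive)"},
    "p1_dh_group": {"Group 1", "Group 2", "Group 5"},
    "p2_dh_group": {"Group 1", "Group 2", "Group 5"},
    "p1_encryption": {"DES", "3DES"},
    "p2_encryption": {"NULL", "DES", "3DES"},
    "p1_hash": {"MD5", "SHA1"},
    "p2_hash": {"NULL", "MD5", "SHA1"},
}
# Options the datasheet marks "Only available for IKEv2".
IKEV2_ONLY = {"AES-128GCM", "AES-256GCM", "CHACHA20POLY1305"}

def check_datasheet(site1, site2):
    """Return {'mismatch': [...], 'legacy': [...], 'ikev2_only': [...]}."""
    findings = {"mismatch": [], "legacy": [], "ikev2_only": []}
    for key in MUST_MATCH:
        if site1.get(key) != site2.get(key):
            findings["mismatch"].append((key, site1.get(key), site2.get(key)))
    for name, sheet in (("Site 1", site1), ("Site 2", site2)):
        for key, bad in LEGACY.items():
            if sheet.get(key) in bad:
                findings["legacy"].append((name, key, sheet[key]))
        if sheet.get("key_management") != "IKEv2":
            for key in ("p1_encryption", "p2_encryption"):
                if sheet.get(key) in IKEV2_ONLY:
                    findings["ikev2_only"].append((name, key, sheet[key]))
    return findings

# Constructed sample: Site 2 returned the sheet with two rows changed.
SITE1 = {
    "key_management": "IKEv2", "p1_dh_group": "Group 14", "p1_encryption": "AES-256",
    "p1_hash": "SHA-256", "p1_prf": "PRFSHA256", "p1_auth": "Pre-Shared Secret",
    "p1_lifetime": 86400, "p2_pfs": "Yes", "p2_dh_group": "Group 14",
    "p2_encryption": "AES-256GCM", "p2_hash": "SHA-256", "p2_lifetime": 43200,
}
SITE2 = dict(SITE1, key_management="IKEv1 (Main ID protection)", p1_hash="SHA1")

if __name__ == "__main__":
    print(check_datasheet(SITE1, SITE2))
```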

3 REPLIES
akristof
Staff

Hello,

I am not sure what best practice you are looking for. You can say that the settings that are used when you create a VPN via the GUI VPN wizard can be considered best practice. But most of the settings depend on the requirements of your network and your VPN peer. A higher encryption and DH group means better security, but you also need to keep offloading capabilities in mind. Usually you need to decide what security level you want to have, and based on that you adjust the settings.

Adrian
YannicS
New Contributor II

Thanks for sharing this helpful datasheet!
I copied it into a word document and used it to agree on VPN details with a VPN partner.

DaniKust
New Contributor

Nice table, I was searching for a long time.
For offloading I recommend adding a * to the ones that can be offloaded; I found this link:
https://www.fortinetguru.com/2019/12/ipsec-ikev1-phase2-encryption-algorithm/

I also found this research document, "SafeCurves: choosing safe curves for elliptic-curve cryptography". This does not mean they are safe, but at least the unsafe ones should probably be avoided...?
http://safecurves.cr.yp.to/
