Site-to-Site IPSec VPN I

The three most used protocols in the suite are the following: (Select 3)

[blank_start]lnternet Key Exchange (IKE)[blank_end], which does the handshake, tunnel maintenance, and disconnection. [blank_start]Encapsulation Security Payload (ESP)[blank_end], which ensures data integrity andencryption. [blank_start]Authentication Header (AH)[blank_end], which offers only data integrity-not encryption.

FortiGate uses ESP to transport the packet payload and authenticate.

IKE uses port

IKE uses if NAT-T is enabled in a NAT scenario:

SA

For phase 1, there are two possible negotiation modes that can be used:

Phase 2 uses only one negotiation mode:

AH is used by FortiGate

IKE

ESP is

Authenticates or encrypts packets using the following protocols: (Select 3)

Provides both data integrity and encryption:

Easy configuration Few tunnels High central bandwidth Not fault tolerant Low system requirements on average, but high for center Scalable No direct communication between spokes

Moderate configuration Medium number of tunnels Medium bandwidth in hub sites Some fault tolerance Medium system requirements Somewhat scalable Direct communication between some sites

Complex configuration Many tunnels Low bandwidth Fault tolerant High system requirements Difficult to scale Direct communication between all sites

FortiOS provides two options for IPsec VPNs: route-based (also known as [blank_start]interface-based[blank_end]) or policy-based (also known as [blank_start]tunnel-mode[blank_end]).