Dialup IPsec VPN II

Uses UDP port 500 (and UDP port 4500 when crossing NAT) Negotiates a tunnel’s private keys, authentication, and encryption One lPsec SA is used per traffic direction. Phases: Phase1 Phase2

Phase 1 negotiation modes

Phase 2 negotiation mode

takes place when each endpoint of the tunnel—the initiator and the responder—connects and begins to set up the VPN.

[blank_start]2.[blank_end] Negotiate one bidirectional SA (called IKE SA) *ln IKE v1, two possible ways: -Main mode: six packets exchanged -Aggressive mode: three packets exchanged *Not the same as final SAs later *Encrypted tunnel for Diffie-Hellman (DH) [blank_start]1 .[blank_end] Authenticate peers *Pre—shared key or digital signature *Extended authentication (XAuth) [blank_start]3.[blank_end] DH exchange for secret keys

Key agreement method: Independently calculate a private key using only public keys Each FortiGate uses a shared secret key plus a nonce to calculate keys for the following: Symmetric encryption algorithms (such as 3DES, AES) Symmetric authentication (HMACs)

ESP can´t support NAT because it has no port numbers.

Negotiates two unidirectional SAs for ESP (called lPsec SAS) Protected by phase IKE SA When SAs are about to expire, it renegotiates Optionally, if Perfect Forward Secrecy is set to Enabled, FortiGate uses Diffie-Hellman to generate new keys each time phase 2 expires. Each phase 1 can have multiple phase 2s. High security subnets can have stronger ESP.

Also, if you set ____________ to Enable, each time phase 2 expires, FortiGate will use Diffie-Hellman to recalculate new secret keys. In this way, new keys are not derived from older keys, making it much harder for an attacker to crack the tunnel.

If multiple phase 2 exist, FortiGate directs traffic to the correct phase 2. Allows granular security settings for each LAN. If traffic does not match an lPsec SA selector, it is dropped. ln point-to-pointVPNs, selectors must match. - The source on one FortiGate is the destination setting on the other. Select which SA to apply using: Destination and source IP subnet(s) Protocol number Source port and destination port

During phase 2, you must configure a pair of settings called quick mode selectors. They identify and direct traffic to the appropriate phase 2. In other words, they allow granular SAs.

In aggressive mode, how many packets are exchanged to establish phase 1 of the lPsec tunnel?

Which statement about quick mode selectors is true?

Settings need in Dialup VPN between two fortigates

Dialup IPsec is also known as

IKE mode configuration automatically configures network settings?