General

Since the tunnel connects us to another company whose FortiGate is managed by their own IT, this page only records the settings on our (IPFire) side and general experiences with the tunnel.

Known working configuration

IKE Phase-1 (IKE)

Name on FortiGate                Setting                 Name on IPFire          Setting
Encryption Scheme                IKEv2 only mode         Keyexchange             IKEv2
Key Exchange Method              AES256                  Encryption              256 bit AES-CBC
Hashing Algorithm                SHA256                  Integrity               SHA2 256 bit
Authentication Method            Pre-Shared Key
Aggressive Mode Support          Main mode
Diffie-Hellman Group for Phase 1 Group 20                Grouptype               ECP-521 (NIST)
IKE SA (Phase 1) lifetime        10800s/3hrs             Lifetime                10 hours

In the log it will be shown as: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521

This log line is what was actually negotiated, so compare it with the group configured on both sides: in the IANA IKEv2 registry group 20 is the 384-bit ECP group and group 21 is the 521-bit ECP group, while the line above shows ECP_521.

IKE Phase-2 (ESP)

Name on FortiGate                Setting                 Name on IPFire          Setting
Encryption Scheme                IKEv2 only mode
Transform (IPSec Protocol)       ESP
Encryption Algorithm             AES256                  Encryption              256 bit AES-CBC
Data Integrity                   SHA256                  Integrity               SHA2 256 bit
Diffie-Hellman group for PFS     Group 20                Grouptype               ECP-521 (NIST)
IPSec SA (Phase 2) lifetime      3600s/1hr               Lifetime                1 hour
Key Exchange for subnets         yes
Perfect Forward Secrecy (PFS)    yes                     PFS                     activated

In the log it will be shown as: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

No DH group appears here because the first CHILD_SA is created inside IKE_AUTH without its own key exchange; on a PFS rekey the ESP proposal in the log also carries ECP_521.

Additionally, we activated:

IKE+ESP: Use only proposed settings
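With "Use only proposed settings" active, the two log lines above are the only proposals that should ever be selected. The following is an added example (not part of this page or of IPFire) that reads the "selected proposal" lines from the IPFire log and reports any deviation from the intended IKE/ESP proposals, for example a peer that negotiated weaker algorithms after a configuration change on the remote side; the log prefix in the sample lines is constructed.

```python
import re

# Intended proposals, taken from the tables on this page. For ESP the DH group
# only shows up in the log on a PFS rekey, so it is listed as optional there.
POLICY = {
    "IKE": {"required": {"AES_CBC_256", "HMAC_SHA2_256_128",
                         "PRF_HMAC_SHA2_256", "ECP_521"},
            "optional": set()},
    "ESP": {"required": {"AES_CBC_256", "HMAC_SHA2_256_128"},
            "optional": {"ECP_521", "NO_EXT_SEQ", "EXT_SEQ"}},
}

PROPOSAL_RE = re.compile(r"selected proposal:\s*(IKE|ESP):([A-Z0-9_/]+)")

def parse_selected_proposals(log_text):
    """Yield (protocol, set of transform names) for each 'selected proposal' line."""
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            yield m.group(1), set(m.group(2).split("/"))

def check_proposals(log_text, policy=POLICY):
    """Return {protocol: [problem, ...]}; an empty list means the negotiated
    proposal matches the policy. Transforms that are missing from the policy or
    outside it (a downgrade to weaker algorithms) are reported by name."""
    report = {proto: [] for proto in policy}
    seen = set()
    for proto, got in parse_selected_proposals(log_text):
        seen.add(proto)
        rule = policy[proto]
        for t in sorted(rule["required"] - got):
            report[proto].append("missing " + t)
        for t in sorted(got - rule["required"] - rule["optional"]):
            report[proto].append("unexpected " + t)
    for proto in policy:
        if proto not in seen:
            report[proto].append("no selected proposal logged")
    return report

# Constructed sample lines in the shape charon writes to the IPFire log.
SAMPLE_OK = """\
Jan 10 12:00:01 ipfire charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
Jan 10 12:00:01 ipfire charon: 05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""
# Constructed sample of a peer that negotiated weaker algorithms than intended.
SAMPLE_DOWNGRADED = """\
Jan 10 12:05:42 ipfire charon: 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 10 12:05:42 ipfire charon: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
"""

if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_OK), ("downgraded", SAMPLE_DOWNGRADED)):
        print(name, check_proposals(log))
```

Run it against /var/log/messages (or the IPsec log shown in the web interface) instead of the samples to verify a live tunnel after either side changes its proposals.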