What should you consider when choosing a VPN topology?
Select the topology that is most appropriate to your situation.
What should you be cautious about when using 'diagnose vpn ike gateway clear'?
It has a global effect and clears all phase 1s of all VDOMs if no specific name is provided.
How can you review the settings of a template in the IPsec wizard?
By selecting the template and then clicking 'View'.
What does the IPsec wizard assist with?
The FortiClient VPN configuration process.
What does the incoming policy for an IPsec VPN allow?
Traffic initiated from the remote site.
What does the outgoing policy for an IPsec VPN allow?
Traffic to be initiated from the local network.
Is hardware offloading enabled by default for supported algorithms on FortiGate?
Yes, it is enabled by default.
What protocol is the focus of the lesson?
IPsec protocol.
What is a common use of the IPsec wizard?
Configuring a remote access VPN for FortiClient users.
What will you learn more about in this lesson?
IKE mode config and XAuth.
Can you change the settings of a template in the IPsec wizard?
No, you cannot change the template settings.
What should you use if the IPsec tunnel doesn’t come up?
Use the IKE real-time debug.
What happens if the primary IPsec VPN fails?
Another tunnel can be used instead.
What happens after peers negotiate the IPsec SAs of a tunnel?
The tunnel is considered up, and peers usually don’t negotiate another IPsec SA until it expires.
What is the role of FortiGate in a redundant VPN setup?
FortiGate can use an alternative VPN if the main ISP is down.
What can you do if you need to disable hardware offloading for a specific tunnel on FortiGate?
Use specific commands to disable it per tunnel.
Who is the initiator in Phase 1 negotiation?
The peer that starts the Phase 1 negotiation.
What type of routing does this lesson focus on for IPsec VPNs?
Static routes.
What happens when you set the remote gateway to Dialup User and enable add-route?
FortiGate automatically adds a static route for the local network during phase 2 negotiation.
When is the static route added to the routing table?
Only after phase 2 is up.
What does IKE establish for IPsec?
An IPsec VPN tunnel.
What happens when you set the remote gateway to Dialup User and disable add-route?
FortiGate does not add static routes automatically, and a dynamic routing protocol is used instead.
What options does the 'diagnose vpn tunnel' command offer?
Listing, shutting down, activating, or flushing a VPN tunnel.
How many steps are in the process used by the IPsec wizard?
Four-step process.
Where can you find more information about IPsec logs?
Visit https://docs.fortinet.com.
What is a fully-redundant VPN?
A setup where both peers terminate their VPNs on different physical ports, making them both fault tolerant.
Which IKE mode is considered more secure?
Main mode.
What occurs during Phase 1 of the VPN setup?
Each peer connects and begins to set up the VPN.
What does the 'On Idle' DPD mode do?
Sends DPD probes when no traffic is observed in the tunnel.
What does the 'Disabled' DPD mode imply?
FortiGate replies only to DPD probes received and never sends DPD probes to detect a dead tunnel.
How should static routes be configured for the primary and backup VPNs?
Routes for the primary VPN must have a lower distance (or lower priority) than the backup.
When should you use main mode?
When both peers know each other's IP address or FQDN to take advantage of its more secure negotiation.
What solution was added to the IPsec specifications to address ESP issues with NAT?
NAT traversal (NAT-T).
What must be defined in phase 2 of an IPsec tunnel?
The encryption domain (or interesting traffic).
What does the encryption domain refer to?
The traffic that you want to protect with IPsec.
What command is used to diagnose a VPN tunnel?
The command is 'diagnose vpn tunnel'.
What do the IPsec VPN logs track?
The progress of phase 1 and phase 2 negotiations, tunnel up and down events, and DPD failures.
What feature allows FortiGate models to enhance IPsec traffic processing?
Offloading encryption and decryption to hardware.
What should you do if the tunnel is up but traffic isn’t passing through?
Use the debug flow.
What are the two negotiation modes supported by IKE?
Main mode and aggressive mode.
Can you combine different types of remote gateways in a VPN setup?
Yes, you can combine different types, but a setup in which both peers are set to Dialup User won’t work.
What does the 'On Demand' DPD mode do?
Sends DPD probes if there is only outbound traffic through the tunnel, indicating a potential network failure.
What is a drawback of the 'On Idle' DPD mode?
It can be resource-intensive if there are many tunnels.
What does the Key Lifetime define in the Phase 1 Proposal?
The lifetime of the IKE SA, after which a new IKE SA is negotiated.
What should be entered in the Local ID field?
The specific peer ID accepted by the peer.
What occurs if phase 2 goes down?
The static route is removed from the routing table.
What is the primary purpose of IPsec?
To secure Internet Protocol communications by authenticating and encrypting each IP packet.
What are the two main modes of IPsec?
Transport mode and Tunnel mode.
What is a disadvantage of the hub-and-spoke topology?
Communication between branch offices through HQ is slower than in a direct connection.
What is IKE in the context of IPsec?
Internet Key Exchange, a protocol used to set up a security association (SA) in the IPsec protocol suite.
What are the four sections of Phase 1 configuration in the GUI?
Network, Authentication, Phase 1 Proposal, and XAUTH.
What can you monitor using the IPsec widget on the GUI dashboard?
The status of your IPsec VPNs, including phase 1 and phase 2 status.
What does the command 'diagnose vpn ike gateway list' provide?
Details about a tunnel.
What does the IPsec wizard use when applying configuration for a new IPsec tunnel?
One of the templates shown on the slide.
What are the two authentication methods supported by FortiGate in phase 1 configuration?
Pre-shared Key and Signature.
What happens during the tunnel establishment in IPsec?
Both ends negotiate the encryption and authentication algorithms to use.
How does the Signature authentication method work?
It is based on digital certificate signatures validated by the CA certificate on the other peer.
How often do IPsec SAs typically expire?
Every few hours.
What are the two modes in which IPsec can operate?
Transport mode and tunnel mode.
How many packets are exchanged in main mode?
Six packets.
How many packets are exchanged in aggressive mode?
Three packets.
What is the security status of the channel when peers first connect?
The channel is not secure.
When should you use the Dialup User option?
When the remote peer IP address is unknown.
Why is it important to select secure algorithms for phase 2 proposals?
Some algorithms are more secure than others and should conform to your security policy.
What does the behavior of phase 1 negotiation allow FortiGate to do?
Match interesting traffic to the right tunnel.
What do you select as the outgoing interface when configuring a static route?
The virtual interface of the IPsec tunnel.
What is the difference between Transport mode and Tunnel mode?
Transport mode encrypts only the payload of the IP packet, while Tunnel mode encrypts the entire IP packet.
What are the key network parameters specified in a phase 2 selector?
Local Address, Remote Address, Protocol, Local Port, and Remote Port.
What is the default setting for the Protocol in the Advanced section?
All.
What happens to traffic that does not match any phase 2 selectors?
It is dropped before entering the IPsec tunnel.
What is a recommended approach if you don't want to use phase 2 selector filtering?
Create one phase 2 selector with both local and remote addresses set to any subnet and use firewall policies to control traffic.
Who are the typical dial-up clients in IKE Mode Config?
FortiClient peers, but they can also be FortiGate peers.
What does the Network settings section in Phase 1 configuration include?
Settings related to the connectivity of the IPsec tunnel.
Which version of FortiGate is referenced in the study guide?
FortiGate 7.4.
What is required for an IPsec tunnel to come up?
At least one firewall policy that accepts traffic on the IPsec tunnel.
How many firewall policies are usually configured for an IPsec VPN?
At least two: one incoming policy and one outgoing policy.
How can you enhance the resilience of your IPsec VPN deployment?
By providing a second ISP connection and configuring two IPsec VPNs.
What determines the supported algorithms for IPsec hardware offloading on FortiGate?
The NP unit model present on the FortiGate.
What is required on the local peer when using Signature authentication?
The local peer’s certificate and the CA certificate that issued the remote peer's certificate must be installed.
Why might FortiGate drop packets even if the tunnel is established?
The packets don’t match the quick mode selectors.
What are the two options available for IKEv1 mode?
Aggressive and Main (ID protection).
What should be enabled on both ends of the VPN?
Dead Peer Detection (DPD).
What role does the responder play in Phase 1?
The peer that responds to the initiator's request.
Which DPD mode is considered better for scalability?
'On Demand' is better than 'On Idle'.
What problem does the ESP protocol face when crossing NAT devices?
ESP does not use port numbers to differentiate tunnels.
Why can't a transport mode packet be transmitted further?
Because it has no second IP header inside, making it not routable.
How is phase 1 negotiation started in FortiGate?
Automatically, because automatic negotiation is enabled by default.
What does the IPsec security association (SA) define?
The authentication, keys, and settings for encrypting and decrypting packets.
On what protocol is the IPsec SA based?
Internet Security Association and Key Management Protocol (ISAKMP).
Why do branch office FortiGate devices require fewer resources in a hub-and-spoke topology?
They maintain only one tunnel.
What device is typically used as a VPN server in a remote access VPN?
FortiGate.
Why does the lesson focus on IKEv1?
Because of its much wider adoption despite IKEv2 being a newer version.
What does enabling Perfect Forward Secrecy do during IPsec negotiation?
FortiGate uses DH to enhance security during the negotiation of IPsec SAs.
What does the command 'get vpn ipsec tunnel details' provide?
Information for the active IPsec tunnels.
What can you learn to configure and monitor in this lesson?
IPsec VPNs on FortiGate.
What is the purpose of DPD in IPsec VPNs?
To detect dead peers and maintain the tunnel.
What occurs after the tunnel has been negotiated and is up in IPsec?
Data is encrypted and encapsulated into ESP packets.
What might cause packets to be dropped when the tunnel is up?
One of the peers might be dropping packets or routing traffic incorrectly.
What happens when IKE version 2 is selected?
Aggressive and main modes disappear because they don’t apply to IKEv2.
What is the first step in configuring a redundant VPN?
Create one phase 1 for each path—one for the primary VPN and one for the backup VPN.
What is another name for a site-to-site VPN?
LAN-to-LAN VPN.
What topology is used to connect more than two locations in a VPN?
Hub-and-spoke topology.
What is the main challenge in exchanging sensitive private keys during Phase 1?
Neither peer has a strong guarantee of the other peer’s identity.
Who can initiate the VPN tunnel in a Dialup User configuration?
Only the dial-up client.
What does enabling the NAT Traversal setting to 'Forced' do?
Always uses UDP port 4500, even without NAT devices.
What are the two versions of IKE?
IKEv1 and IKEv2.
Does phase 2 end when ESP begins?
No, phase 2 does not end when ESP begins.
When is NAT-T particularly needed?
When there are one or more routers along the path performing NAT.
What happens periodically during phase 2?
IPsec SAs are renegotiated to maintain security.
What type of IP address do remote internet users typically have?
Dynamic.
What does the NAT Traversal option control?
It controls the behavior for NAT traversal.
What happens when Remote Gateway is set to Dialup User?
FortiGate acts as the authentication server.
What can you configure for IPsec traffic in a route-based VPN?
Routing and firewall policies in the same way as non-IPsec traffic.
What are the two variations of mesh topology?
Full mesh and partial mesh.
What methods can peers use to authenticate each other in phase 1?
Pre-shared key or digital signature.
What is a consequence of enabling Forward Error Correction?
It uses more bandwidth.
What does the command 'diagnose vpn tunnel list' do?
Displays the current IPsec SA information for all active tunnels.
How can you get SA information about a specific tunnel?
By using the command 'diagnose vpn tunnel list name '.
What settings does the IPsec wizard enable for FortiClient users?
IKE mode config, XAuth, and other appropriate settings.
How can you view IPsec VPN event logs in FortiGate?
Click Log & Report > System Events > VPN Events.
What must be configured when using the Pre-shared Key method?
Both peers must have the same pre-shared key.
What is a partially redundant VPN?
A setup where one peer (usually the hub) has a backup ISP available, with each VPN terminating on different physical ports, while the other peer has both VPNs on the same port.
In a dial-up setup, how is the dial-up client configured?
As a VPN peer with the remote gateway set to static IP address or dynamic DNS.
What is the purpose of enabling Dead Peer Detection (DPD)?
To detect a failed tunnel and bring it down before its IPsec SAs expire.
What is the role of the Diffie-Hellman (DH) algorithm in Phase 1?
It is used during IKE SA negotiation and is mandatory.
What UDP port does IKE use?
UDP port 500.
What are the three options for configuring the remote gateway type of a VPN?
Dialup User, Static IP Address, and Dynamic DNS.
What happens when the remote gateway is set to Static IP Address or Dynamic DNS?
Static routes for these tunnels become active in the routing table after phase 1 comes up.
What does a simple site-to-site VPN deployment involve?
Two peers communicating directly to connect two networks at different offices.
How do peers ensure secure key exchange?
They first create a secure tunnel before negotiating real keys.
What dynamic routing protocols can be used as an alternative for redundancy?
OSPF or BGP.
What must you configure when the remote gateway is set to Static IP Address or Dynamic DNS?
Static routes.
What begins after phase 1 establishes a secure channel?
Phase 2.
How many phases does IKE define?
Two phases: phase 1 and phase 2.
What type of information is included in the output of the 'get vpn ipsec tunnel details' command?
Traffic counters, negotiated quick mode selectors, and negotiated encryption, authentication, and keys.
Which version of FortiGate is mentioned in the context of IPsec VPNs?
FortiGate 7.4.
At which layer does IPsec provide services?
At the IP (network) layer.
What indicates that there might be a problem on the ISP side when the tunnel is unstable?
Loss of DPD packets.
What interface is used to configure firewall policies for IPsec traffic?
The virtual tunnel interface (or phase 1 name).
What is the purpose of the Phase 1 Proposal section in FortiGate?
To enable different proposals for negotiating the IKE SA (or phase 1 SA).
What must be configured in the Phase 1 Proposal?
At least one combination of encryption and authentication algorithms.
When is aggressive mode preferred?
When performance is a concern and many tunnels terminate on the same FortiGate device.
What is a use case for aggressive mode regarding dynamic IP addresses?
When there is more than one dial-up tunnel terminating on the same FortiGate IP address and the remote peer is authenticated using a peer ID.
What is the purpose of a phase 2 proposal in IPsec?
It defines the algorithms supported by the peer for encrypting and decrypting data over the tunnel.
What does FortiGate use IKE for?
To negotiate with the peer and determine the IPsec security association (SA).
What must be configured to allow traffic through both VPNs?
Firewall policies.
What triggers a phase 2 negotiation if phase 2 is not up?
Traffic matching the static route.
Which encryption algorithms are recommended for higher IPsec performance on FortiGate devices?
AES or DES, as they are supported for IPsec offload by NP unit models.
What is the function of the 'Enable Replay Detection' option in phase 2 proposals?
It detects antireplay attacks on ESP packets.
What happens after a remote user is authenticated in a remote access VPN?
FortiGate provides access to network resources based on the user's permissions.
What is the purpose of enabling Perfect Forward Secrecy in phase 2?
To recalculate new secret keys each time phase 2 expires, making it harder for attackers.
What is the first step in the IPsec Wizard?
To select a template type.
Who can initiate a VPN connection request in a remote access VPN?
Only the remote user.
What template types can you choose from in the IPsec Wizard?
Site to Site, Hub-and-Spoke, or Remote Access.
How many SAs are typically used in normal two-way traffic?
A pair of SAs, one for each traffic direction.
What key information does the wizard ask for?
Remote gateway information, authentication method, interfaces involved, and subnets.
What is a key advantage of IKEv2 over IKEv1 in terms of operation?
IKEv2 provides a simpler operation with a single exchange mode and fewer messages to establish the tunnel.
How does a full mesh topology function?
It connects every location to every other location.
What must occur after a Security Association (SA) reaches its lifetime?
It needs to be renegotiated by the peers.
What additional feature does the IPsec widget offer when right-clicking columns?
A menu opens with a list of all available columns to enable for further details.
What are the two modes for IKE SA negotiation in IKEv1?
Main mode and aggressive mode.
What is the effect of the command 'diagnose vpn ike gateway clear'?
It closes a phase 1.
When should you use a Static IP Address for VPN configuration?
When you know the remote peer address and must provide an IP address.
What must you provide when selecting Dynamic DNS for VPN configuration?
A fully qualified domain name (FQDN); you must also ensure that FortiGate can resolve that FQDN.
What happens when both peers know the remote peer address?
Any peer can initiate the VPN tunnel.
Where can you find a list of supported encryption algorithms for IPsec hardware offloading?
On the Fortinet documentation website.
Why is main mode more secure than aggressive mode?
Because the pre-shared key hash is exchanged encrypted in main mode.
What does transport mode encapsulate?
It encapsulates and protects the fourth layer (transport) and above.
What happens if a higher DH group number is selected?
It increases security but also results in longer compute time.
What is the main feature of tunnel mode?
It encapsulates the whole IP packet and adds a new IP header at the beginning.
What UDP port does IKE use when NAT-T is enabled?
UDP port 4500.
What risk exists when the channel is not secure?
An attacker could intercept unencrypted keys.
Who acts as the dial-up client in a Dialup User configuration?
The remote peer whose IP address is unknown.
In what scenarios is transport mode usually used?
For end-to-end (or client-to-client) VPNs.
What must the dial-up client know in a Dialup User configuration?
The IP address or FQDN of the remote gateway.
What is the purpose of encapsulating ESP packets in UDP port 4500?
To allow ESP packets to traverse NAT devices.
Who typically uses the Dialup User configuration?
Remote and mobile employees with FortiClient on their devices.
What does ESP use IPsec SAs for?
To encrypt and decrypt traffic exchanged between sites.
What determines the expiration of an IPsec Security Association (SA)?
The lifetime type and threshold configured on the phase 2 proposal.
What is the purpose of the XAuth extension in Phase 1?
To force remote users to authenticate with their credentials (username and password).
What happens when you enable NAT traversal on FortiGate?
FortiGate sends keepalive probes at the configured frequency.
Is Mode Config enabled by default on FortiClient?
Yes, it is enabled by default.
What are the authentication server type options in the XAUTH section?
PAP Server, CHAP Server, and Auto Server.
What is the function of the Encapsulating Security Payload (ESP) in IPsec?
It provides the encrypted payload, which is essentially the data channel.
What are the two options for user group matching in XAuth?
Inherit from policy and Choose.
What does the 'Interface' setting refer to in the Network section?
The interface where the IPsec tunnel terminates on the local FortiGate.
What is the consequence of a network disruption before the IPsec SA expires?
Peers will continue to send traffic through the tunnel even though communication is disrupted.
What are the three DPD modes supported by FortiGate?
On Demand, On Idle, and Disabled.
Does transport mode protect the original IP header?
No, it does not protect the original IP header and does not add an additional IP header.
What is the requirement for phase 2 definitions in a redundant VPN setup?
Create at least one phase 2 definition for each phase 1.
What happens to the original packet in tunnel mode after it reaches the remote LAN?
The original packet can continue on its journey after being unwrapped.
What happens if the primary VPN fails?
FortiGate automatically uses the backup route.
What does IPsec stand for?
Internet Protocol Security.
In a hub-and-spoke topology, how do branch offices connect?
All clients connect through a central hub.
What is one advantage of the hub-and-spoke topology?
The configuration needed is easy to manage.
What does phase 2 negotiate for IPsec?
Security parameters for two IPsec Security Associations (SAs).
What does the Keepalive Frequency option do when NAT-T is enabled?
Shows the interval at which keepalive probes are sent.
Why are keepalive probes necessary in an IPsec connection?
To keep the connection active across routers performing NAT.
What are the two types of authentication supported in Phase 1?
Pre-shared keys and digital signatures.
How is FortiGate usually configured in a remote access VPN?
As a dial-up server.
What are the two types of IPsec VPNs supported by FortiGate?
Route-based and policy-based.
What does ESP stand for in IPsec?
Encapsulating Security Payload, which provides confidentiality, along with optional authentication.
How does FortiGate select which phase 2 to use?
By checking which phase 2 selector matches the traffic.
What happens if you select 'Custom' as the template type?
FortiGate takes you directly to the phase 1 and phase 2 settings of the new VPN.
What does the Authentication Header (AH) in IPsec do?
Contains checksums that verify the integrity of the data.
What is the name of the secure channel negotiated in phase 1?
IKE SA (Internet Key Exchange Security Association).
What is the effect of enabling Autokey Keep Alive with Auto-negotiate disabled?
The tunnel does not come up automatically unless there is interesting traffic.
What indicates that an IPsec VPN is up?
At least one of its phase 2 selectors is up.
Why doesn't FortiGate use the Authentication Header (AH)?
Because AH does not offer encryption, which is an important benefit.
What does FortiGate do when IPsec SA renegotiation takes too long?
It might drop interesting traffic due to the absence of active SAs.
What is a benefit of mesh topology compared to hub-and-spoke?
It causes less latency and requires less HQ bandwidth.
What is the significance of using a custom port for IKE and IKE NAT-T?
It is used to initiate and respond to tunnel requests.
What happens during IKE negotiation when NAT is detected?
Negotiation switches to using UDP port 4500.
How does the choice of encryption algorithm affect FortiGate IPsec performance?
Some algorithms, like 3DES, are more resource-intensive and can negatively impact IPsec throughput.
What happens if NULL is selected as the encryption algorithm?
Traffic is not encrypted.
What is the primary use of remote access VPNs?
To securely connect remote internet users to the office for accessing corporate resources.
Can a FortiGate device act as a dial-up client?
Yes, for a remote office.
How many IPsec tunnels can one dial-up server configuration support?
Multiple IPsec tunnels from many remote offices or users.
What happens if the FortiGate device at HQ fails?
VPN failure is company-wide.
What does AH stand for in IPsec?
Authentication Header, which provides connectionless integrity and data origin authentication.
What happens when the SA duration reaches the configured seconds?
The SA is considered expired.
Why is policy-based IPsec VPN not recommended for new deployments?
It is a legacy IPsec VPN supported only for backward compatibility reasons.
What is the default setting for Local Port and Remote Port in the Advanced section?
All.
What is the purpose of phase 1 in IPsec?
To authenticate peers and set up a secure channel for negotiating phase 2 SAs.
What software is needed on the remote user side to connect to the VPN?
A VPN client, such as FortiClient.
How can you bring down an IPsec VPN?
By bringing down a particular phase 2 selector, all selectors, or the entire tunnel.
What is one benefit of route-based IPsec VPNs regarding connections?
It allows for redundancy through multiple connections to the same destination.
What happens if both sides of the IPsec tunnel cannot agree on security rules?
The tunnel is not established.
What is Forward Error Correction (FEC) used for?
To reduce the number of retransmissions in IPsec tunnels over noisy links.
Can you select Mode Config on the FortiGate device acting as a dial-up client?
Yes, but additional settings are not displayed.
What additional authentication method can be enabled to enhance authentication in phase 1?
XAuth.
What happens when the remote gateway is set to Dialup User?
A static route for the destination network is added after phase 2 comes up.
What is the distance set for the static route when the remote gateway is Dialup User?
What is IKE Mode Config similar to?
DHCP, as it assigns network settings like IP address, netmask, and DNS servers to clients.
What is the benefit of enabling XAuth?
Stronger authentication.
What are the two types of key lifetime settings for IPsec SAs?
Kilobytes (volume-based) and Seconds (time-based).
What is the purpose of a Security Association (SA) in IPsec?
To bundle algorithms and parameters for encrypting and authenticating data.
What are the three types of remote gateways in the Network settings?
Static IP Address, Dialup User, and Dynamic DNS.
What does FortiClient do once configured?
Establishes the tunnel and routes traffic through it.
What are the default ports for standard IKE traffic and IKE NAT-T traffic?
UDP 500 for standard IKE traffic and UDP 4500 for IKE NAT-T traffic.
What happens if the VPN settings do not match on both ends?
The tunnel setup fails.
Who is recommended to use the IPsec Wizard?
Administrators who are new to FortiGate or lack experience with IPsec VPNs.
What is the SA negotiated during phase 2 called?
IPsec SA.
What is the purpose of the Aggregate Member option?
To aggregate multiple IPsec tunnels into a single interface.
How does mesh topology affect central location strain?
It places less strain on the central location.
What is FortiGate?
A network security appliance that provides firewall, VPN, and other security features.
What occurs if phase 2 goes down?
The route is removed from the routing table.
What is the default key lifetime setting for IPsec SAs?
Seconds (time-based).
What does the IPsec Wizard in FortiGate help with?
It simplifies the creation of a new VPN through a four to five-step process.
What is the purpose of Internet Key Exchange (IKE) in IPsec?
To authenticate peers, exchange keys, and negotiate encryption and checksums.
What does FortiGate automatically add in a route-based IPsec VPN?
A virtual interface with the VPN name.
When might multiple phase 2s be used for a single phase 1?
When different encryption keys are needed for each subnet crossing the tunnel.
What is a key advantage of mesh topology in connecting FortiGate devices?
It allows direct connections between devices, bypassing HQ.
How do you enable Mode Config on FortiGate?
You must manually enable it.
What happens when IPsec SAs expire?
FortiGate needs to negotiate new SAs to continue traffic over the IPsec tunnel.
What does the wizard provide based on the input given?
It applies one of the preconfigured IPsec tunnel templates comprising phase 1 and 2 settings.
Can one remote access VPN configuration on FortiGate support multiple users?
Yes, FortiGate establishes a separate tunnel for each user.
What unique feature does IKEv1 support that IKEv2 does not?
IKEv1 supports XAuth, while IKEv2 supports EAP, which is equivalent to XAuth.
How many tunnels need to be configured for five FortiGate devices in a full mesh topology?
20 tunnels (4 tunnels per device).
How does FortiOS handle EAP in IKEv2?
FortiOS IKEv2 EAP implementation is pass-through only, meaning it does not support EAP as a client.
What device acts as a dial-up server in IKE Mode Config?
FortiGate device.
What must match on both peers for a point-to-point tunnel?
The phase 2 selector network parameters.
What must be enabled on both peers for IKE Mode Config to work?
The Mode Config feature.
What does the 'IP Version' setting define in the Network section?
The IP version of the outer layer of the tunnel after encapsulation.
What protocol facilitates the establishment of Security Associations (SAs) and secret keys for an IPsec tunnel?
IKE protocol.
What does enabling Auto-negotiate do for IPsec SAs?
It negotiates new SAs before the current ones expire and starts using them immediately.
When does the IP Address field appear in the Network settings?
When Static IP Address is selected as the Remote Gateway.
When are IKE Mode Config settings displayed on the FortiGate GUI?
When Remote Gateway is set to Dialup User.
What happens when you bring up a phase 2 selector in an IPsec VPN?
Its phase 1 also comes up automatically.
What does selecting 'Auto Server' mean?
FortiGate automatically detects the authentication protocol used by the client.
What is the purpose of Dead Peer Detection (DPD)?
To detect dead tunnels.
What must be configured on FortiClient to establish a VPN connection?
It must match the VPN server settings.
How is the IKE SA characterized in terms of directionality?
It is bidirectional, using the same session key for both inbound and outbound traffic.
What is the default mode for Dead Peer Detection?
On Demand.
What variations of IPsec VPNs can be deployed with route-based IPsec?
L2TP-over-IPsec and GRE-over-IPsec.
What does the 'Choose' option require when configuring user groups?
A separate dial-up VPN for every group of users that require a different network access policy.
What information do the Phase 1 and Phase 2 Selectors columns provide?
The status of phase 1 and phase 2 selectors, respectively.
What is the relationship between the number of FortiGate devices and the number of tunnels in a full mesh topology?
The higher the number of devices, the higher the number of tunnels to configure.
What should be ensured for the IPsec tunnel to come up?
There must be an active route to the remote gateway through the interface.
What is the purpose of enabling dynamic routing protocols in route-based IPsec VPNs?
For scalability purposes and best path selection.
What does enabling the 'Local Gateway' setting allow you to do?
Specify which address to use for the tunnel when multiple addresses are assigned.
What is the function of the Auto Discovery Sender setting?
Facilitates ADVPN shortcut negotiation for spokes by sending a shortcut offer.
What version of IKE will be covered in this lesson?
IKEv1 configuration.
How does Diffie-Hellman (DH) generate a common private key?
Each peer keeps a private random value (the nonce, in the page's terms) that is never transmitted and derives a public value from it using the agreed DH group (prime and generator), which is known to both ends. The peers exchange only the public values; combining the peer's public value with its own private value gives each side the same shared secret, from which the session keys are derived.
What authentication methods do both IKEv1 and IKEv2 support?
Both versions support PSK (Pre-Shared Key) and certificate signature.
What can be enabled in route-based IPsec VPNs for scalability?
Dynamic routing protocols.
What are the two distinct phases used by IKE?
Phase 1 and Phase 2.
What does the IPsec widget display regarding data?
The amount of data sent and received through the tunnel.
What is the purpose of the network diagram shown by the wizard?
To give the administrator a visual understanding of the IPsec VPN deployment.
What does the 'Add route' setting do?
When enabled, FortiGate automatically adds a static route to the remote phase 2 network of each dial-up client when its tunnel comes up. You disable it when a dynamic routing protocol runs over the IPsec tunnel, so that the routing protocol supplies the routes instead of the automatically added static routes.
What is the benefit of enabling Auto-negotiate?
It prevents traffic disruption by negotiating new SAs before the current ones expire.
What does the 'Inherit from policy' option simplify?
The configuration for controlling network access by matching IPsec policy.
What is a drawback of mesh topology?
It requires each FortiGate device to be more powerful.
What does the Device Creation setting instruct FortiOS to do?
Create an interface for every dial-up client.
How does IKEv2 simplify the configuration of multiple dial-up IPsec VPNs?
IKEv2 allows matching the intended gateway by using either the standard peer ID or the Fortinet proprietary network ID attribute.
What does the wizard provide at the end of the process?
A summary of the configuration changes made in the system.
What is the SA negotiated during phase 1 called?
IKE SA.
What does FortiGate always listen for, regardless of custom port settings?
Port UDP 4500.
What does partial mesh topology aim to achieve?
It minimizes required resources while reducing latency.
What does FortiGate use IPsec SAs for?
For encrypting and decrypting data sent and received through the tunnel.
In the example shown, why is the ToRemote VPN considered up?
Because at least one of its phase 2 selectors (ToRemote) is up.
What does enabling the Exchange Interface IP setting allow?
It allows the exchange of IPsec interface IP addresses for point-to-multipoint connections.
Why is Diffie-Hellman secure against eavesdropping?
Only the public values cross the wire; the private values never do, and recovering a private value (and with it the shared secret) from the public values means solving the discrete logarithm problem, which is infeasible for the group sizes IKE uses. An attacker who records the messages containing the public values therefore still cannot determine the secret key.
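The following is an added example, not part of the original page, that carries the two Diffie-Hellman points above (how the common secret is derived, and why a passive listener cannot recover it) through in code. The group parameters are constructed for the demonstration: the textbook group p=23, g=5 and a freshly generated 64-bit safe prime with generator 2 are stand-ins for the standardized 2048-bit-and-larger MODP groups (such as DH group 14) that real IKE peers negotiate. The brute-force attacker and the Miller-Rabin helper are this example's own code.

```python
import secrets

# Constructed parameters for this example only. Real IKE peers use the
# standardized MODP groups (for example DH group 14, a 2048-bit safe prime
# with generator 2); these are far smaller so the arithmetic stays readable.
TEXTBOOK_P, TEXTBOOK_G = 23, 5   # the classic tiny group: trivially brute-forced

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, sufficient for generating demo parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return p = 2q + 1 with q prime; every g in [2, p-2] then has order q or 2q,
    so there are no small subgroups for a private exponent to fall into."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def keypair(p, g):
    """A peer's private exponent (kept local) and the public value it sends."""
    x = secrets.randbelow(p - 3) + 2          # private value x in [2, p-2]
    return x, pow(g, x, p)

def shared_secret(p, peer_public, own_private):
    """(g^y)^x mod p == (g^x)^y mod p, so both peers compute the same value."""
    return pow(peer_public, own_private, p)

def dh_exchange(p, g):
    """Run one exchange; return what crossed the wire plus each side's result."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    on_the_wire = {"p": p, "g": g, "A": a_pub, "B": b_pub}   # no private values here
    return (on_the_wire,
            shared_secret(p, b_pub, a_priv),    # computed by peer A
            shared_secret(p, a_pub, b_priv))    # computed by peer B

def brute_force_private(p, g, public, limit):
    """Exhaustive discrete-log search for x with g^x == public, up to `limit` tries."""
    acc = 1
    for x in range(limit):
        if acc == public:
            return x
        acc = (acc * g) % p
    return None

def eavesdropper_recovers_secret(wire, limit=1 << 12):
    """A passive attacker sees only p, g, A and B. Getting the secret means first
    recovering one private exponent, which succeeds only in a tiny group."""
    a_priv = brute_force_private(wire["p"], wire["g"], wire["A"], limit)
    if a_priv is None:
        return None
    return shared_secret(wire["p"], wire["B"], a_priv)

if __name__ == "__main__":
    wire, a_secret, b_secret = dh_exchange(TEXTBOOK_P, TEXTBOOK_G)
    print("textbook group: peers agree:", a_secret == b_secret,
          "| eavesdropper recovers secret:", eavesdropper_recovers_secret(wire) == a_secret)
    p = safe_prime(64)
    wire, a_secret, b_secret = dh_exchange(p, 2)
    print("64-bit safe prime: peers agree:", a_secret == b_secret,
          "| eavesdropper recovers secret:", eavesdropper_recovers_secret(wire) is not None)
```

The 4096-step search breaks the textbook group every time and a 64-bit group essentially never; the gap only widens with the 2048-bit groups, which is why weak, short DH groups should not be left in a phase 1 proposal list.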
Why is IKEv2 considered more reliable than IKEv1?
IKEv2 pairs every request with a response and retransmits a request that is not answered, giving it acknowledgements similar to TCP's; IKEv1 has no such built-in acknowledgement mechanism.
What happens if the settings on both ends do not agree during phase 1 negotiation?
Phase 1 negotiation fails, and both IPsec peers cannot establish a secure channel.
What is negotiated at the end of phase 1?
The IKE SA. At the end of phase 1 both peers hold the IKE SA, an authenticated and encrypted channel that phase 2 then uses to negotiate the IPsec SAs (a new DH exchange happens in phase 2 only if Perfect Forward Secrecy is enabled).
What happens when Remote Gateway is set to Static IP Address or Dynamic DNS?
FortiGate acts as the client and shows the Client option in the XAUTH section.
What role does FortiGate play when 'Mode Config' is enabled and Remote Gateway is set to Static IP or Dynamic DNS?
FortiGate acts as an IKE mode config client.
What is a disadvantage of partial mesh topology?
The configuration of each FortiGate device is more complex than in hub-and-spoke.
What is a characteristic of mesh topology regarding fault tolerance?
It is more fault-tolerant than hub-and-spoke.
What is the function of 'Mode Config' in the Network settings?
Enables automatic configuration through IKE.
What does IKEv2 support that enhances authentication flexibility?
IKEv2 supports asymmetric authentication, allowing each peer to use a different authentication method.
What is a significant difference in access control between IKEv1 and IKEv2?
IKEv1 supports XAuth, so you can revoke an individual user's access by disabling that user's XAuth credentials even when phase 1 is authenticated with a pre-shared key. IKEv2 has no XAuth, so revoking a single peer's access requires certificate signature authentication, where you revoke that peer's certificate.
What does FortiGate use IKE SAs for?
To set up a secure channel to negotiate IPsec SAs.
How does IKEv2 handle NAT-T compared to IKEv1?
IKEv2 supports NAT-T natively, while IKEv1 supports it as an extension.
What should you remember when passing IPsec traffic through a firewall?
Allowing only one protocol or port number is usually not enough: IKE uses UDP 500, NAT-T uses UDP 4500, and the tunnel traffic itself is ESP (IP protocol 50), which has no port number at all, so all three typically need to be permitted.
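As an added example (not part of the original page, and not Fortinet code), the classifier below parses the ISAKMP/IKE header and the RFC 3948 UDP encapsulation to sort captured datagrams into IKE on UDP 500, IKE and ESP-in-UDP on UDP 4500, NAT keepalives, and raw ESP (IP protocol 50), and then reports which firewall openings a tunnel actually exercised. The two traffic samples are constructed for the demonstration (bare IKE headers without payloads, placeholder SPIs), not real captures.

```python
import struct
from dataclasses import dataclass

# ISAKMP/IKE header (RFC 2408, RFC 7296): SPIi, SPIr, next payload, version,
# exchange type, flags, message ID, length. Network byte order, 28 bytes.
IKE_HEADER = struct.Struct("!QQBBBBII")
IKE_HEADER_LEN = IKE_HEADER.size
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixes IKE on UDP 4500 (RFC 3948)
NAT_KEEPALIVE = b"\xff"                 # one-octet NAT keepalive (RFC 3948)

EXCHANGE_TYPES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
    32: "IKEv1 quick mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}

@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self):
        return EXCHANGE_TYPES.get(self.exchange, f"unknown({self.exchange})")

    @property
    def is_response(self):
        # Only IKEv2 marks responses (R flag, 0x20); IKEv1 has no such bit.
        return self.major == 2 and bool(self.flags & 0x20)

def parse_ike_header(data):
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, npl, ver, exch, flags, mid, length = IKE_HEADER.unpack_from(data)
    if length < IKE_HEADER_LEN:
        raise ValueError(f"implausible IKE length {length}")
    return IkeHeader(spi_i, spi_r, npl, ver >> 4, ver & 0x0F, exch, flags, mid, length)

def classify(ip_proto, dst_port, payload):
    """Return (kind, detail): kind is ike, esp, esp-in-udp, nat-keepalive or
    other; detail is the parsed IKE header or the ESP SPI."""
    if ip_proto == 50:                                   # ESP has no port number
        return "esp", struct.unpack("!I", payload[:4])[0]
    if ip_proto != 17:
        return "other", None
    if dst_port == 500:
        return "ike", parse_ike_header(payload)
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload[:4] == NON_ESP_MARKER:                # IKE once NAT was detected
            return "ike", parse_ike_header(payload[4:])
        return "esp-in-udp", struct.unpack("!I", payload[:4])[0]   # SPI is never 0
    return "other", None

def rules_needed(packets):
    """Which firewall openings a captured tunnel actually used."""
    needed = set()
    for ip_proto, dst_port, payload in packets:
        kind, _ = classify(ip_proto, dst_port, payload)
        if kind == "ike" and dst_port == 500:
            needed.add("udp/500")
        elif kind in ("ike", "esp-in-udp", "nat-keepalive"):
            needed.add("udp/4500")
        elif kind == "esp":
            needed.add("ip-proto/50")
    return needed

def ike_header_bytes(spi_i, spi_r, exchange, flags, message_id, major=2):
    """Bare header (next payload 33 = SA, no payloads) for the constructed samples."""
    return IKE_HEADER.pack(spi_i, spi_r, 33, major << 4, exchange, flags, message_id, IKE_HEADER_LEN)

# Constructed sample traffic, not a real capture. Flags: 0x08 initiator, 0x20 response.
SPI_I, SPI_R = 0x1122334455667788, 0x99AABBCCDDEEFF00
TUNNEL_BEHIND_NAT = [
    (17, 500, ike_header_bytes(SPI_I, 0, 34, 0x08, 0)),                          # IKE_SA_INIT request
    (17, 500, ike_header_bytes(SPI_I, SPI_R, 34, 0x20, 0)),                      # IKE_SA_INIT response
    (17, 4500, NON_ESP_MARKER + ike_header_bytes(SPI_I, SPI_R, 35, 0x08, 1)),    # IKE_AUTH after NAT detection
    (17, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),               # ESP in UDP: SPI, seq, data
    (17, 4500, NAT_KEEPALIVE),
]
TUNNEL_NO_NAT = [
    (17, 500, ike_header_bytes(SPI_I, 0, 34, 0x08, 0)),
    (17, 500, ike_header_bytes(SPI_I, SPI_R, 34, 0x20, 0)),
    (17, 500, ike_header_bytes(SPI_I, SPI_R, 35, 0x08, 1)),
    (50, 0, struct.pack("!II", 0xC0FFEE02, 1) + b"\x00" * 16),                  # raw ESP, IP protocol 50
]
```

`rules_needed(TUNNEL_BEHIND_NAT)` returns `{"udp/500", "udp/4500"}` and `rules_needed(TUNNEL_NO_NAT)` returns `{"udp/500", "ip-proto/50"}`: a firewall rule that permits only UDP 500 lets phase 1 start and then silently drops the IKE_AUTH on 4500 in the NAT case, or every ESP packet in the non-NAT case, which is exactly the "tunnel negotiates but passes no traffic" symptom.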
What happens when Remote Gateway is set to Dialup User with 'Mode Config' enabled?
FortiGate acts as an IKE mode config server, revealing more configuration options.
When is partial mesh topology appropriate?
When communication is not required between every location.
What is traffic selector narrowing in IKEv2?
Traffic selector narrowing allows the responder to choose a subset of the traffic proposed by the initiator, enabling more flexible phase 2 selector configurations.
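The following is an added example (not from the original page, and not FortiOS code) of the narrowing rule above, with the IKEv1 behaviour beside it for contrast. The IKEv2 part follows RFC 7296 section 2.9: the responder answers with the intersection of what was proposed and what it has configured. The IKEv1 acceptance rule is an assumption for the example (the proposal must lie entirely within the responder's configured selectors, since the responder cannot answer with anything other than the proposed selectors). The hub-and-spoke addresses are constructed.

```python
from ipaddress import IPv4Address, ip_network
from typing import NamedTuple

class TrafficSelector(NamedTuple):
    """One IKEv2 traffic selector: protocol (0 = any), address range, port range."""
    proto: int
    start_ip: IPv4Address
    end_ip: IPv4Address
    start_port: int
    end_port: int

def ts(cidr, proto=0, ports=(0, 65535)):
    """Build a selector from a CIDR prefix, the way a phase 2 selector is configured."""
    net = ip_network(cidr, strict=False)
    return TrafficSelector(proto, net[0], net[-1], ports[0], ports[1])

def narrow(proposed, configured):
    """IKEv2 responder behaviour (RFC 7296 section 2.9): the responder may answer
    with any subset of the proposal, so take the intersection. None means disjoint."""
    if proposed.proto and configured.proto and proposed.proto != configured.proto:
        return None
    lo_ip = max(proposed.start_ip, configured.start_ip)
    hi_ip = min(proposed.end_ip, configured.end_ip)
    lo_port = max(proposed.start_port, configured.start_port)
    hi_port = min(proposed.end_port, configured.end_port)
    if lo_ip > hi_ip or lo_port > hi_port:
        return None
    return TrafficSelector(proposed.proto or configured.proto, lo_ip, hi_ip, lo_port, hi_port)

def contains(outer, inner):
    """True when `inner` lies entirely within `outer` (used for the IKEv1 case)."""
    return narrow(inner, outer) == inner

def negotiate_child_sa(ike_version, proposed_tsi, proposed_tsr, resp_local, resp_remote):
    """Responder-side selector agreement for one phase 2 / CHILD_SA.

    The initiator proposes TSi (its own side) and TSr (the responder's side); on
    the responder these map to its configured remote and local selectors.
    Returns the agreed (TSi, TSr), or None when the negotiation fails.
    """
    if ike_version == 1:
        # IKEv1 quick mode has no narrowing: the responder either accepts the
        # proposed selectors unchanged or fails. Assumed acceptance rule for this
        # example: the proposal must lie within the responder's own configuration.
        if contains(resp_remote, proposed_tsi) and contains(resp_local, proposed_tsr):
            return proposed_tsi, proposed_tsr
        return None
    tsi = narrow(proposed_tsi, resp_remote)
    tsr = narrow(proposed_tsr, resp_local)
    if tsi is None or tsr is None:
        return None
    return tsi, tsr

# Constructed scenario: a spoke with LAN 10.1.0.0/16 proposes "my LAN to anything
# in 10.0.0.0/8"; the hub's phase 2 for that spoke is 10.2.0.0/16 <-> 10.1.0.0/16.
SPOKE_TSI, SPOKE_TSR = ts("10.1.0.0/16"), ts("10.0.0.0/8")
HUB_LOCAL, HUB_REMOTE = ts("10.2.0.0/16"), ts("10.1.0.0/16")

if __name__ == "__main__":
    for version in (1, 2):
        result = negotiate_child_sa(version, SPOKE_TSI, SPOKE_TSR, HUB_LOCAL, HUB_REMOTE)
        if result is None:
            print(f"IKEv{version}: phase 2 fails, no matching selectors")
        else:
            tsi, tsr = result
            print(f"IKEv{version}: TSi {tsi.start_ip}-{tsi.end_ip}, TSr {tsr.start_ip}-{tsr.end_ip}")
```

With IKEv2 the hub narrows the spoke's wide 10.0.0.0/8 proposal down to its own 10.2.0.0/16, so one loosely specified selector on the spoke works against several hubs; with IKEv1 the same proposal fails, which is why IKEv1 phase 2 selectors must be written to match exactly on both ends.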
How does the cost of mesh topology compare to hub-and-spoke?
Mesh topology is generally more expensive.