Description

A secure site-to-site VPN tunnel helps to establish secure connections between multiple private networks in remote branch offices or departments. With the help of the FortiGate solutions, you can configure IPsec VPN between your infrastructure in Selectel data centers and the cloud or office where other infrastructure and workspaces are located. Learn more about the advantages of the hardware solution on our website.

Learn more about how to order and get started with Fortinet in the instruction.

This subsection will cover configuring the IPsec VPN between two FortiGate firewalls.

Glossary

Term Definition
Site-to-site VPN A VPN connection known as a “point-to-point” connection. In an internetwork interaction, two peers communicate directly. Site-to-site VPN provides transparent communication between two networks located in different offices
IPsec A group of protocols that is used to authenticate and encrypt traffic between two peers. There are three common protocols:
Internet Key Exchange (IKE) — for the “handshake”, tunnel maintenance, and its shutdown;
Encapsulation Security Payload (ESP) — provides data integrity and encryption.
Authentication Header (AH) — provides only data integrity, not encryption.

FortiGate only uses ESP to transmit packet payload. It does not use AH
IKE (The Internet Key Exchange)* The standard protocol of the IPsec group of protocols used to secure communication in VPN, that is, IKE establishes an IPsec VPN tunnel.
In order for the protocols in IPsec to secure the transmitted data, IKE establishes a logical connection between the two endpoints — a Security Association (SA).
SA defines the authentication, keys and settings that will be used to encrypt and decrypt packets

* IKE defines two phases (Phase 1 and Phase 2):

  • Phase 1 is the negotiation of secure configuration communications, which happens when each endpoint in the tunnel connects and starts configuring the VPN. During Phase 1, the participants authenticate each other and agree on the parameters for setting up a special channel that is necessary only to exchange information about the desired encryption algorithms and other details of the future IPsec tunnel, that is:
    • creating one bidirectional IKE SA to define a secure channel and negotiate configurations;
    • Diffie-Hellman (DH) key exchange that will be used in Phase 2;
    • authentication of both tunnel endpoints based on a Pre-Shared Key or digital signature (certificate);
  • Once Phase 1 has established a somewhat secure channel and private keys, Phase 2 begins, where the participants (who already trust each other) agree on how to create a main tunnel to transfer data directly;
  • Phase 2 is the negotiation of security parameters for transmitted traffic between endpoints. Security parameters are negotiated for two unidirectional IPsec SA (do not confuse with IKE SA). These are the SAs for Phase 2, which ESP uses to transfer data between networks.

As a result, the participants now have an encrypted tunnel with the established parameters that everybody are happy with, and send there the data streams that need to be encrypted.

The encryption keys for the main tunnel are updated periodically: the participants re-associate to the tunnel established in Phase 1, then go through Phase 2 and re-establish the SA.

Each Phase 1 can have multiple Phase 2’s, for example, if you want to use different encryption keys for each subnet whose traffic crosses the tunnel.

At the end of Phase 2, a VPN connection is established.