Fortigate tech

Main Mode 1st Message: Generation of the initiator cookie — An 8-byte pseudo-random number used for anticlogging CKY-I = md5{(src_ip, dest_ip), random number, time, and date} Generation of the responder cookie — An 8-byte pseudo-random number used for anticlogging CKY-R = md5{(src_ip, dest_ip), random number, time, and date} Main Mode 2nd Message: Before 3rd and 4th message: Public key: Xa ,Xb Nonce = Ni, Nr How public key is created? DH public value = Xa  Xa = g^a mod p g is the generator  p is a large prime number  a is a private secret known only to the initiator Main Mode 3rd message: Key exchange Public key NAT-D Main Mode 4th Message: Key exchange Public key NAT-D NAT-D Before 5th and 6th message: Initiator secret = (Xb)a mod p = (Xa)b mod p = responder secret  This value is the shared secret between the two parties and is also equal to g^ab PRF => Pseudo random function based on negotiated hash SKEYID's = PRF [ Pre-shared key , Ni ,Nr ]    SKEYID...

Phase-1 of IPSEC In 1st two message it negotiate proposal and IKE version and NAT-T capability  Proposal/transform >> HAGLE - HASH, AUTH, DH Group, Lifetime ,Encryption   1st Message IPSec main mode: SA Payload  Proposal payload Trasform payload SPI/cookie 2nd IPsec Main mode message 3rd Message IPSec main mode: In 3rd and 4th message, it will do key exchange and Nonce and NAT-D (IP & Port hash) DH key exchange :: DH algo used to agree on same shared secret and generate key material DH public value is calculated  (public value is mathematical calculation of private keys) -->>It generate public and private key's --->>It share public key's (x^b) (x^b)==>g^a mod p (MOD(generator of private key=a)) g^ab=>(x^b)^a mod p (large prime no) ==>Each side has their public key and nonce ( Ni_b is the Initiator's Nonce, and Nr_B is the Responder's Nonce) ==>It generate   SKEYID = prf(pre-shared-key, Ni_b | Nr_b) The See...

In first two packet, it will negotiate NAT-T compatibility  1st Message in Main mode: 2nd Message in main mode: In 3rd and 4th Message, it will exchange hash of IP address and Port. 3rd Message main mode: 4th Message in main mode Debug on FGT: ike 0: comes 10.1.1.20:500->10.1.1.10:500,ifindex=4.... ike 0: IKEv1 exchange=Identity Protection id=987e2067d9c61bc0/3954de8f43e2c2c0 len=348 ike 0: in 987E2067D9C61BC03954DE8F43E2C2C004100200000000000000015C0A000104CD2F264257D538BA3EC01D4446EB541E8923 ike 0:VPN:14: responder:main mode get 2nd message... ike 0:VPN:14: received NAT-D payload type 20    ike 0:VPN:14: received NAT-D payload type 20 ike 0:VPN:14: NAT not detected   <<-----------------------       If hash matches, there is no NAT device in between and It continue to use same port 500 for remaining communication If there is NAT device in between both peer:==> 3rd message in main mode: 4th message in main mode: ike 0:VPN:3: ...

==> TCP checksum is combination of Data + TCP Header + Pseudo Header We all aware about DATA and TCP header but what is this Pseudo Header? Pseudo header is combination of [SIP + DIP + Protocol ID (TCP or UDP) + TCP length (including both header and data) + Reserved(all 0) ] Pseudo Header:=> Sometimes, question may arise whether router changes TCP checksum as it changes (decrement) TTL value   ==>Pseudo header doesn't include TTL value 

        Encryption is good thing when you send your traffic on public network, but sometimes we may need to decrypt packet to troubleshoot the issues and need to see what is going on under the hood. Here, I am going to explain how to decode the ESP packet using Wireshark You can see in below image that after phase2 negotiation, data is getting encapsulated using ESP header (Note: I am using FortiGate firewall here but it would be same process for different vendors as well provided you need to collect authentication and encryption parameters) =>In Wireshark navigate to edit -> preferences -> protocol -> esp. =>As per image, enable the last 3 checkboxes and select "edit" next to ESP SAs ==>Create two entries for the incoming and outgoing SA ==>We need add information obtained from the VPN tunnel list in each line ==>Save the changes Finally, you can see the ESP packet is decrypted Thanks for reading the article...😃

        It is very important to go through debug logs if there is an issue with SSL VPN. I have tried here to break down the debug flow so we can understand the flow of VPN and figure out the exact issue. 1st step: Fortigate (FW) and client establish SSL tunnel  It checks client cert requirements and TLS version supported by the client At the end of this flow, you can see the TLS version and cypher used  IMP: If you are facing any issue at this stage, you can try to verify the TLS version, ciphers and client cert requirement  2nd step: It matches the authentication rule and checks user credentials It validates the authentication rule (if you have more than one auth role, it use the top to bottom approach You can see authentication successful at last IMP: If an issue occurs in this stage, you need to verify the auth rule and credentials 3rd step In this step, it does hostcheck (hostcheck is basically checking whether the system support specified OS, reg...