FortiGate

From royhills

Platform Notes

FortiGate is a Firewall/VPN appliance, manufactured by Fortinet, that runs on proprietary hardware. The operating system is FortiOS.

It supports both site-to-site and remote access VPN.

Version History

Backoff Patterns

Vendor IDs

Authentication Methods

FortiGate supports Pre-Shared Key (PSK) and RSA Signature authentication methods.

ISAKMP SA Lifetime

Lifetime in Seconds

FortiGate supports no lifetime, or any lifetime represented as a 4-byte variable-length attribute from 1 to 0xffffffff inclusive. It also accepts a 2-byte variable-length attribute for the lifetime.

It always responds with the same lifetime value that was sent, and always replies with a variable-length attribute, even when the lifetime could be represented in a fixed-length attribute.

$ ike-scan --lifetime=none --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=4a042096419a6a6a)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=1 --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=bced7c438593d6e2)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00000001)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=0xffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=d30dd144316d4fb7)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(2)=0xffff)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=0xffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=9cb6b714252c1a3e)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xffffffff)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

It does not accept a 1-byte variable-length attribute, or anything longer than 4 bytes.

$ ike-scan --lifetime=0xff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
$ ike-scan --lifetime=0xffffffffffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

It also accepts a lifetime value as a basic attribute, and in this case will use a basic attribute in its reply.

$ ike-scan --trans="(1=5,2=2,3=1,4=2,11=1,12=28800)" -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=cbacb2f23b0a5476)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
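
The lifetime encodings exercised above, as an added example that is not part of the original page or of ike-scan: a Python sketch of the ISAKMP data attribute formats (RFC 2408 section 3.3) carrying the IKE Life Type (11) and Life Duration (12) attributes. The function names are hypothetical, and matches_page_observation only restates which forms this page saw answered; it is not FortiOS logic.

```python
import struct

LIFE_TYPE, LIFE_DURATION = 11, 12      # RFC 2409 Appendix A attribute classes
SECONDS, KILOBYTES = 1, 2              # Life Type values
AF_BASIC = 0x8000                      # RFC 2408 3.3: AF bit set = TV (basic) format

def encode_basic(attr_type, value):
    """TV form: AF=1, 15-bit type, 16-bit value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("basic attribute value must fit in 16 bits")
    return struct.pack("!HH", AF_BASIC | attr_type, value)

def encode_variable(attr_type, value, length):
    """TLV form: AF=0, 15-bit type, 16-bit length, then `length` value bytes."""
    return struct.pack("!HH", attr_type, length) + value.to_bytes(length, "big")

def decode_attributes(data):
    """Parse a run of attributes into (type, form, length, value) tuples."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        head, field = struct.unpack_from("!HH", data, off)
        off += 4
        if head & AF_BASIC:
            out.append((head & 0x7FFF, "basic", 2, field))
        else:
            if off + field > len(data):
                raise ValueError("attribute length exceeds buffer")
            value = int.from_bytes(data[off:off + field], "big")
            out.append((head, "variable", field, value))
            off += field
    return out

def matches_page_observation(attrs):
    """True if every Life Duration uses a form this page saw answered:
    basic, or variable-length with a 2- or 4-byte value (assumption: page data only)."""
    return all(form == "basic" or length in (2, 4)
               for typ, form, length, _ in attrs if typ == LIFE_DURATION)

def lifetime_attrs(value, length=None, life_type=SECONDS):
    """Life Type + Life Duration pair; length=None selects the basic form."""
    dur = (encode_basic(LIFE_DURATION, value) if length is None
           else encode_variable(LIFE_DURATION, value, length))
    return encode_basic(LIFE_TYPE, life_type) + dur

if __name__ == "__main__":
    # Constructed inputs mirroring the --lifetime values used on this page.
    for value, length in [(1, 4), (0xFFFF, 2), (0xFFFFFFFF, 4), (0xFF, 1),
                          (0xFFFFFFFFFFFFFFFF, 8), (28800, None)]:
        raw = lifetime_attrs(value, length)
        print(raw.hex(), matches_page_observation(decode_attributes(raw)))
```
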

Lifetime in Kilobytes

$ ike-scan --lifetime=none --lifesize=1 --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=9ed2e4db1135635e)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0x00000001)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=none --lifesize=0xffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203   Main Mode Handshake returned
        HDR=(CKY-R=c085e4212a28afa3)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0xffffffff)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=none --lifesize=0xffffffffffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Transform Ordering and Rewriting

Aggressive Mode

Response to Noncompliant and Malformed Packets

No Acceptable Transforms

Bad IKE version

Invalid DOI

Invalid Situation

Invalid Initiator Cookie

Invalid Flags

Invalid Protocol

Invalid SPI

Non-Zero Reserved Fields

NAT Traversal

IKEv2

Remote Access VPN Client

Other Interesting Behaviour

Default Configuration

Discovered Vulnerabilities

Misc stuff