FortiGate
From NTA-Wiki
Platform Notes
FortiGate is a Firewall/VPN appliance, manufactured by Fortinet, that runs on proprietary hardware. The operating system is FortiOS.
It supports both site-to-site and remote access VPN.
Version History
Backoff Patterns
Vendor IDs
Authentication Methods
FortiGate supports Pre-Shared Key (PSK) and RSA Signature authentication methods.
ISAKMP SA Lifetime
Lifetime in Seconds
FortiGate accepts a proposal with no lifetime attribute, or any lifetime sent as a 4-byte variable-length attribute from 1 to 0xffffffff inclusive. It also accepts a 2-byte variable-length attribute for the lifetime.
It always replies with the same lifetime value that was sent, and it preserves the encoding: a variable-length attribute is answered with a variable-length attribute of the same length, even when the value (0xffff, for example) would fit in a basic attribute.
$ ike-scan --lifetime=none --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=4a042096419a6a6a)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=1 --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=bced7c438593d6e2)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00000001)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=0xffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=d30dd144316d4fb7)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(2)=0xffff)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=0xffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=9cb6b714252c1a3e)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0xffffffff)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
It does not accept a 1-byte variable-length attribute or anything above 4 bytes; neither of the probes below gets a handshake back.
$ ike-scan --lifetime=0xff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
$ ike-scan --lifetime=0xffffffffffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
It also accepts the lifetime as a basic attribute (sent here with ike-scan's custom transform syntax: attribute 11 = LifeType seconds, attribute 12 = LifeDuration 28800), and in this case uses a basic attribute in its reply, which ike-scan prints without a length in brackets.
$ ike-scan --trans="(1=5,2=2,3=1,4=2,11=1,12=28800)" -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=cbacb2f23b0a5476)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
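The probes above turn on how the ISAKMP lifetime is encoded on the wire (RFC 2408 section 3.3 data attributes: a basic attribute is type-with-AF-bit plus a 2-byte value, a variable-length attribute is type, length, value). The following Python is an added example for this page, not ike-scan code and not anything captured from a FortiGate. It encodes and decodes those attributes, builds the LifeType/LifeDuration pair for an ike-scan style --lifetime argument using the encodings the outputs on this page show (the rule is inferred from those outputs, not taken from ike-scan's source), prints them the way ike-scan does, and checks a reply for the echo behaviour described above. The reply bytes it compares against are constructed inline; the life_type parameter also covers the kilobytes case.

```python
"""ISAKMP data attribute encodings (RFC 2408 section 3.3) as exercised by
the lifetime probes on this page.

Added example for the wiki page: not ike-scan code and not captured from a
FortiGate. The 'reply' bytes compared below are constructed inline.
"""
import struct

# Phase 1 attribute types that appear in the ike-scan output above.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
AF_BIT = 0x8000  # attribute format bit: set = basic (TV), clear = variable-length (TLV)


def encode_attr(attr_type, value, length=None):
    """Encode one data attribute.

    length=None -> basic attribute: 2-byte type with AF set, 2-byte value.
    length=n    -> variable-length attribute: 2-byte type (AF clear),
                   2-byte length n, then the value as n big-endian bytes.
    """
    if length is None:
        if not 0 <= value <= 0xFFFF:
            raise ValueError("basic attribute value must fit in 16 bits")
        return struct.pack("!HH", attr_type | AF_BIT, value)
    if not 0 <= value < 1 << (8 * length):
        raise ValueError("value does not fit in %d bytes" % length)
    return struct.pack("!HH", attr_type, length) + value.to_bytes(length, "big")


def decode_attrs(data):
    """Parse a run of data attributes into (type, value, length) tuples.

    length is None for a basic attribute and the TLV length otherwise; this
    is the distinction behind 'LifeDuration=28800' versus 'LifeDuration(4)=...'
    in the ike-scan output.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        raw_type, arg = struct.unpack_from("!HH", data, pos)
        pos += 4
        if raw_type & AF_BIT:
            attrs.append((raw_type & ~AF_BIT, arg, None))
            continue
        if len(data) - pos < arg:
            raise ValueError("truncated attribute value at offset %d" % pos)
        attrs.append((raw_type, int.from_bytes(data[pos:pos + arg], "big"), arg))
        pos += arg
    return attrs


def base_attrs():
    """Basic attributes for --trans=5,2,1,2: 3DES, SHA1, PSK, MODP-1024."""
    return b"".join(encode_attr(t, v) for t, v in
                    ((ATTR_ENC, 5), (ATTR_HASH, 2), (ATTR_AUTH, 1), (ATTR_GROUP, 2)))


def lifetime_attrs(arg, life_type=LIFE_SECONDS):
    """LifeType/LifeDuration pair for an ike-scan style lifetime argument.

    Encodings inferred from the outputs on this page (an assumption, not
    ike-scan's source): 'none' -> no attribute, a decimal -> 4-byte
    variable-length, a 0x-prefixed hex value -> one byte per two hex digits
    (0xff -> 1 byte, 0xffff -> 2 bytes, 16 hex digits -> 8 bytes).
    """
    if arg == "none":
        return b""
    if arg.startswith("0x"):
        digits = arg[2:]
        length, value = (len(digits) + 1) // 2, int(digits, 16)
    else:
        length, value = 4, int(arg, 10)
    return encode_attr(ATTR_LIFE_TYPE, life_type) + encode_attr(ATTR_LIFE_DUR, value, length)


def format_lifetime(attr):
    """Render a LifeDuration attribute the way ike-scan prints it."""
    attr_type, value, length = attr
    if attr_type != ATTR_LIFE_DUR:
        raise ValueError("not a LifeDuration attribute")
    if length is None:
        return "LifeDuration=%d" % value
    return "LifeDuration(%d)=0x%0*x" % (length, 2 * length, value)


def lifetime_echoed(sent, reply):
    """True when the reply carries exactly the LifeDuration that was proposed:
    same value and same encoding (basic vs variable-length, same length).
    This is the FortiGate behaviour shown on this page; a responder that
    re-encodes a 2-byte 0xffff as a 4-byte or basic attribute fails the check
    even though the value matches."""
    sent_life = [a for a in decode_attrs(sent) if a[0] == ATTR_LIFE_DUR]
    reply_life = [a for a in decode_attrs(reply) if a[0] == ATTR_LIFE_DUR]
    return len(sent_life) == 1 and sent_life == reply_life


if __name__ == "__main__":
    for arg in ("none", "1", "0xffff", "0xffffffff", "0xff"):
        life = [a for a in decode_attrs(lifetime_attrs(arg)) if a[0] == ATTR_LIFE_DUR]
        print("--lifetime=%-10s -> %s" % (arg, format_lifetime(life[0]) if life else "(no lifetime attribute)"))
    # Constructed replies: one echoes the proposal verbatim, the other
    # normalises the 2-byte 0xffff to a basic attribute with the same value.
    proposal = base_attrs() + lifetime_attrs("0xffff")
    normalised = base_attrs() + encode_attr(ATTR_LIFE_TYPE, LIFE_SECONDS) + encode_attr(ATTR_LIFE_DUR, 0xFFFF)
    print("verbatim echo:", lifetime_echoed(proposal, proposal))
    print("normalised to basic:", lifetime_echoed(proposal, normalised))
```

To use it against real traffic, feed decode_attrs() the attribute bytes of the transform payload from the SA payload of the responder's second main mode packet; the attribute run starts after the 8-byte transform header.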
Lifetime in Kilobytes
The kilobyte lifetime (LifeType=Kilobytes) behaves the same way: a 4-byte variable-length attribute is accepted and echoed back with the same value and length, and an 8-byte attribute gets no reply.
$ ike-scan --lifetime=none --lifesize=1 --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=9ed2e4db1135635e)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0x00000001)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=none --lifesize=0xffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.115.68.203 Main Mode Handshake returned
HDR=(CKY-R=c085e4212a28afa3)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0xffffffff)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
$ ike-scan --lifetime=none --lifesize=0xffffffffffffffff --trans=5,2,1,2 -M 10.115.68.203
Starting ike-scan 1.9.2 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
