Tagged: IPsec
6 posts · browse all tags
-
IPsec Deep Dive Part 1: ESP, AH, and How IKE Phase 1 Actually Brings a Tunnel Up
IPsec underpins every Fortinet SD-WAN overlay this blog has built, and it's never had its own deep dive. Part 1 fixes that: the SA model, ESP vs AH, tunnel vs transport, and a message-by-message walk through IKEv1 main mode, aggressive mode, and IKEv2.
-
IPsec Deep Dive Part 2: Phase 2, Child SAs, and the Anatomy of an ESP Packet
Phase 1 built a control channel and protected nothing. Part 2 covers the negotiation that actually moves data: quick mode and child SAs, traffic selectors, PFS, rekeying, and anti-replay — then dissects an ESP packet field by field, down to the MTU math.
-
IPsec Deep Dive Part 3: NAT vs IPsec — NAT-T, Port Forwarding, and the Fortinet SD-WAN Reality
NAT breaks IPsec three distinct ways — AH's ICV, ESP's missing ports, and IKE's rewritten source port. Part 3 covers each break, how NAT-D detects it and NAT-T's UDP 4500 encapsulation repairs it, when port forwarding is still required, and what it all means for SD-WAN spokes behind CPE NAT.
-
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 5: Egress, NPU Offload, and the Full Troubleshooting Cookbook
The packet is decided. Now it has to actually leave. Egress shaping, NPU offload re-evaluation, IPsec encap, ARP, transmit. Then a single-page reference of every diagnose, get, and show command from across this series.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.