Thursday, March 18, 2021

Postquantum Security IKEv2 PPK fortios

In this blog post you will see a simple PPK deployment to ensure the PSK is not crackable.

1st, PPK is an IKEv2 feature.

2nd, you can make it optional or mandatory in FortiOS. This allows for a simple PSK and the choice of enforcing PPK.
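An added example, not from the original post, showing what the ppk-secret actually does inside IKEv2: RFC 8784 (the standard behind this feature) re-derives SK_d, SK_pi and SK_pr through prf+ keyed with the PPK, so the keys protecting the child SAs and the AUTH payloads no longer depend only on the DH exchange, and a peer with a mismatched ppk-secret fails IKE_AUTH. This goes beyond the post; the HMAC-SHA256 PRF, the hex encoding of the ppk-secret and the sample keys are assumptions, not FortiOS internals.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv2 PRF, instantiated here as HMAC-SHA256 (an assumption for the example).
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ from RFC 7296 section 2.13:
    #   T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), output = T1 | T2 | ...
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes) -> dict:
    # RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi),
    # SK_pr' = prf+(PPK, SK_pr); each keeps its original length. The IKE SA's own
    # SK_ai/SK_ar/SK_ei/SK_er are not changed. A peer holding a different PPK
    # computes different SK_pi/SK_pr and therefore cannot pass IKE_AUTH.
    return {
        "SK_d": prf_plus(ppk, sk_d, len(sk_d)),
        "SK_pi": prf_plus(ppk, sk_pi, len(sk_pi)),
        "SK_pr": prf_plus(ppk, sk_pr, len(sk_pr)),
    }


def make_ppk_secret(nbytes: int = 48) -> str:
    # A strong ppk-secret from the OS CSPRNG: 48 bytes -> 96 hex characters.
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample keys standing in for the DH-derived SK_d / SK_pi / SK_pr.
    sk_d, sk_pi, sk_pr = (secrets.token_bytes(32) for _ in range(3))
    ppk = bytes.fromhex(make_ppk_secret())  # hex decoding is an assumption
    fgt1 = mix_ppk(ppk, sk_d, sk_pi, sk_pr)
    fgt2 = mix_ppk(ppk, sk_d, sk_pi, sk_pr)                      # same ppk-secret
    other = mix_ppk(secrets.token_bytes(48), sk_d, sk_pi, sk_pr)  # mismatched one
    print("peers agree:", fgt1 == fgt2, "| mismatch breaks AUTH:",
          fgt1["SK_pi"] != other["SK_pi"])
```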


Here's the fgt1 cfg:



The 2nd FGT is exactly the same; in this setup fgt1 is a dynamic IPsec peer.




To verify PPK was used, run the "diag vpn ike gateway" command from the CLI.




To craft a strong ppk-secret I suggest 64 characters or more. OpenSSL or Python can be used for this. Just make it random.




or




$ cat ran.py
# Use the secrets module (OS CSPRNG) rather than random, which is not
# suitable for key material; Python 3 syntax.
import secrets
import string

alphabet = string.ascii_letters + string.digits
ppk = [secrets.choice(alphabet) for n in range(64)]
ppk_secret = "".join(ppk)

print(ppk_secret)

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Monday, March 8, 2021

ipv6 policy in 6.4


A friend of mine freaked out when he loaded FortiOS 6.4 and found out that "firewall policy6" is no longer an option.

FortiOS 6.4


FortiOS 6.2



A sample IPv6 policy within the FortiOS 6.4 "config firewall policy" hierarchy:



Now for the million dollar question: if you upgrade from FortiOS 6.2 and have "firewall policy6" policies, are they automatically converted and carried over to "firewall policy" policies?

So if you have auto policy scripts, these will need to be rewritten if you upgrade to a 6.4.x FortiOS version.




Ken Felix 
