Extreme Networks XOS VRRP Host Mobility Technology

https://documentation.extremenetworks.com/exos/EXOS_21_1/VRRP/c_vrrp-host-mobility.shtml?_ga=2.267477966.1989213406.1519211819-2053840118.1499241466

FortiOS VPN - GRE over IPSec

http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD40312&languageId=

Default Encryption Settings for the Microsoft L2TP/IPSec Virtual Private Network Client

---

Summary

---

The following list contains the default encryption settings for the Microsoft L2TP/IPSec virtual private network (VPN) client for earlier version clients:

• Data Encryption Standard
• Secure Hash Algorithm
• Diffie-hellman Medium
• Transport Mode
• Encapsulating Security Payload

The client does not support the following settings:

• Tunnel mode
• AH (Authentication Header)

These values are hard-coded in the client and you cannot change them.

More Information

---

Data Encryption Standard

Data Encryption Standard (3DES) provides confidentiality. 3DES is the most secure of the DES combinations, and has a bit slower performance. 3DES processes each block three times, using a unique key each time.

Secure Hash Algorithm

Secure Hash Algorithm 1(SHA1), with a 160-bit key, provides data integrity. 

Diffie-Hellman Medium

Diffie-Hellman groups determine the length of the base prime numbers that are used during the key exchange. The strength of any key derived depends in part on the strength of the Diffie-Hellman group on which the prime numbers are based.

Group 2 (medium) is stronger than Group 1 (low). Group 1 provides 768 bits of keying material, and Group 2 provides 1,024 bits. If mismatched groups are specified on each peer, negotiation does not succeed. You cannot switch the group during the negotiation.

A larger group results in more entropy and therefore a key that is harder to break.

Transport Mode

There are two modes of operation for IPSec:

• Transport mode - In transport mode, only the payload of the message is encrypted.
• Tunnel mode (not supported) - In tunnel mode, the payload, the header, and the routing information are all encrypted.

IPSec Security Protocols

Encapsulating Security Payload

Encapsulating Security Payload (ESP) provides confidentiality, authentication, integrity, and anti-replay. ESP does not ordinarily sign the whole packet unless the packet is being tunneled. Ordinarily, only the data is protected, not the IP header. ESP does not provide integrity for the IP header (addressing).

Authentication Header (Not Supported)

Authentication Header (AH) provides authentication, integrity, and anti-replay for the whole packet (both the IP header and the data carried in the packet). AH signs the whole packet. It does not encrypt the data, so it does not provide confidentiality. You can read the data, but you cannot modify it. AH uses HMAC algorithms to sign the packet.

References

---

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

325035 Limitations and Compatibility Issues of Microsoft L2TP/IPSec VPN

325032 Using the Microsoft L2TP/IPSec VPN Client with Windows 98, Windows Millennium Edition, and Windows NT 4.0

325033 Configuring Microsoft L2TP/IPSec VPN for Earlier Clients

325034 Troubleshooting Microsoft L2TP/IPSec VPN Client Connection

перезапуск процессов на Fortigate

FGT80C # diagnose test application
smtp              SMTP proxy.
ftpd              FTP proxy.
pop3              POP3 proxy.
imap              IMAP proxy.
nntp              NNTP proxy.
scanunit          Scanning unit.
harelay           HA relay daemon.
hasync            HA sync daemon.
hatalk            HA talk daemon.
sessionsync       session sync daemon.
forticldd         FortiCloud daemon.
miglogd           Miglog logging daemon.
urlfilter         URL filter daemon.
ovrd              Override daemon.
ipsmonitor        ips monitor
ipsengine         ips sensor
ipldbd            IP load balancing daemon.
ddnscd            DDNS client daemon.
snmpd             SNMP daemon.
dnsproxy          DNS proxy.
sflowd            sFlow daemon.
init              init process.
l2tpcd            L2TP client daemon.
dhcprelay         DHCP relay daemon.
pptpcd            PPTP client.
wccpd             WCCP daemon.
wad               WAD related processes.
radiusd           RADIUS daemon.
wpad              WPA daemon.
fsd               FortiExplorer daemon.
ipsufd            IPS urlfilter daemon.
lted              USB LTE daemon.
forticron         Forticron daemon.
uploadd           Upload daemon.
quarantined       Quarantine daemon.
dhcp6c            DHCP6 client daemon.
info-sslvpnd      SSL-VPN info daemon.
dsd               DLP Statistics daemon.
lnkmtd            Link monitor daemon.
dhcp6r            DHCP6 relay daemon.
netxd             VMWare NetX service manager daemon.
fnbamd            Fortigate non-blocking auth daemon.
mrd               Mobile router daemon.
zebos_launcher    ZEBOS Launcher daemon
radius-das        Radius-das daemon.
csfd              Security Fabric daemon.
fsvrd             FortiService daemon.
radvd             radvd daemon.
fcnacd            FortiClient NAC daemon.
sdncd             SDN Connector daemon.

FGT80C # diagnose test application ipsmonitor

IPS Engine Test Usage:

    1: Display IPS engine information

    2: Toggle IPS engine enable/disable status

    3: Display restart log

    4: Clear restart log

    5: Toggle bypass status

    6: Submit attack characteristics now

   10: IPS queue length

   11: Clear IPS queue length

   12: IPS L7 socket statistics

   13: IPS session list

   14: IPS NTurbo statistics

   15: IPSA statistics

   16: Display device identification cache

   17: Clear device identification cache

   18: Display session info cache

   19: Clear session info cache

   21: Reload FSA malicious URL database

   22: Reload whitelist URL database

   24: Display Flow AV statistics

   25: Reset Flow AV statistics

   96: Toggle IPS engines watchdog timer

   97: Start all IPS engines

   98: Stop all IPS engines

   99: Restart all IPS engines and monitor