
Handbook

Key exchange

6.0.0

Key exchange

Keys are generated automatically by OCVPN, but without explicit acknowledgment and state management, it would be impossible for the cloud to destroy keys after distribution to customer devices. Permanently storing customer keys in the cloud is undesirable for a host of reasons, so the RegAck request was introduced to effectively address the problem and allow the cloud to destroy keys after they have been installed. One key is generated per customer. When a new member joins, a new key is generated and distributed to all group members at the next poll interval (the default is 60 seconds).

Authentication is handled by SSL and proof of identity is established by the device serial number in the signed RSA certificate. The SN is sent in all messages to the cloud.

If you have a FortiWeb server performing authentication, the process is different. Since the OCVPN microservice doesn't run on the FortiWeb server, OCVPN authentication and secure segregation of customer data are handled as follows:

  • FortiWeb extracts the ASN.1 CN from the certificate and attaches it to the decrypted HTTP messages forwarded to OCVPN.
  • OCVPN checks the presented device SN against the SN included in the certificate ID.
  • If they don't match, OCVPN returns '401 Unauthorized' and the authentication transaction is cancelled.
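The FortiWeb-fronted check above, modelled as an added example (not Fortinet's code): one function plays the FortiWeb side that extracts the CN from the client certificate subject and attaches it to the forwarded message, and one plays the OCVPN side that compares the presented SN with the certificate SN. The header name `X-Client-Cert-CN`, the JSON message layout and the serial numbers are constructed assumptions for this illustration.

```python
import hmac
import json

# Assumed header FortiWeb uses to carry the certificate CN to OCVPN (not a documented name).
CN_HEADER = "X-Client-Cert-CN"


def fortiweb_forward(subject_dn: str, body: bytes) -> tuple[dict, bytes]:
    """FortiWeb side: pull the CN out of the client certificate subject (given here as
    an RFC 4514 string standing in for the ASN.1 subject) and attach it to the
    decrypted HTTP message that is forwarded to the OCVPN microservice."""
    cn = None
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            cn = value.strip()
            break
    headers = {"Content-Type": "application/json"}
    if cn:
        headers[CN_HEADER] = cn
    return headers, body


def ocvpn_authenticate(headers: dict, body: bytes) -> int:
    """OCVPN side: the SN presented in the message body must equal the SN that
    FortiWeb took from the signed certificate. Returns the HTTP status to send."""
    cert_sn = headers.get(CN_HEADER)
    if not cert_sn:
        # No certificate identity attached: the body alone proves nothing.
        return 401
    try:
        presented_sn = json.loads(body)["sn"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(presented_sn, str):
        return 400
    # Constant-time comparison of the presented SN against the certificate SN.
    if not hmac.compare_digest(presented_sn.encode(), cert_sn.encode()):
        return 401
    return 200
```

In a real deployment the header must only be accepted from the FortiWeb hop, since any client that could set it directly would bypass the certificate binding.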
