fortigate-ipsec-40-mr3
FortiClient-to-FortiGate VPN configuration steps FortiClient dialup-client configurations

If the FortiGate interface to the private network is not the default gateway, the private network behind the FortiGate unit must be configured to route IP traffic destined for dialup clients back (through an appropriate gateway) to the FortiGate interface to the private network. As an alternative, you can configure the IPsec security policy on the FortiGate unit to perform inbound NAT on IP packets. Inbound NAT translates the source addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.
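
The inbound NAT alternative described above, shown as an added FortiOS CLI example that is not taken from the original guide. It assumes a policy-based VPN; the policy ID, the interface names `internal` and `wan1`, the address object `internal_net`, and the tunnel name `FC_dialup` are placeholders for values defined elsewhere in your configuration.

```fortios
# Added example: policy-based IPsec security policy with inbound NAT.
# All names below are assumed placeholders, not values from the guide.
config firewall policy
    edit 10
        # Interface to the private network behind the FortiGate unit
        set srcintf "internal"
        # Public interface that terminates the dialup tunnels
        set dstintf "wan1"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        # Phase 1 configuration that the dialup clients connect to
        set vpntunnel "FC_dialup"
        set inbound enable
        set outbound enable
        # Translate the source address of decrypted inbound packets to the
        # address of the FortiGate interface on the private network
        set natinbound enable
    next
end
```

With inbound NAT enabled, hosts on the private network see the FortiGate interface address as the source of all dialup-client traffic, so their own logs no longer distinguish individual clients. Per-client attribution then has to come from the FortiGate unit's logs.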

FortiClient-to-FortiGate VPN configuration steps

Configuring dialup client capability for FortiClient dialup clients involves the following general configuration steps:

1. If you will be using VIP addresses to identify dialup clients, determine which VIP addresses to use. As a precaution, consider using VIP addresses that are not commonly used.
2. Configure the FortiGate unit to act as a dialup server. See “Configure the FortiGate unit” on page 120.
3. If the dialup clients will be configured to obtain VIP addresses through DHCP over IPsec, configure the FortiGate unit to act as a DHCP server or to relay DHCP requests to an external DHCP server.
4. Configure the dialup clients. See “Configure the FortiClient Endpoint Security application” on page 125.

When a FortiGate unit has been configured to accept connections from FortiClient dialup clients, you can optionally arrange to have an IPsec VPN configuration downloaded to FortiClient dialup clients automatically. For more information, see “Configuring the FortiGate unit as a VPN policy server” on page 123.

Configure the FortiGate unit

Configuring the FortiGate unit to establish VPN connections with FortiClient Endpoint Security users involves the following steps:

1. configure the VPN settings
2. if the dialup clients use automatic configuration, configure the FortiGate unit as a VPN policy server
3. if the dialup clients obtain VIP addresses by DHCP over IPsec, configure an IPsec DHCP server or relay

The procedures in this section cover basic setup of policy-based and route-based VPNs compatible with FortiClient Endpoint Security. A route-based VPN is simpler to configure.

Configuring FortiGate unit VPN settings

To configure FortiGate unit VPN settings to support FortiClient users, you need to:

- configure the FortiGate Phase 1 VPN settings
- configure the FortiGate Phase 2 VPN settings
- add the security policy

1. At the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the FortiClient peer. See “Auto Key phase 1 parameters” on page 39. Enter these settings in particular:

IPsec VPNs for FortiOS 4.0 MR3<br />
120 01-434-112804-20120111<br />
http://docs.fortinet.com/