fortigate-ipsec-40-mr3
Configuration overview Transparent mode VPNs

If there are additional routers behind the FortiGate unit (see Figure 29 on page 178) and the destination IP address of an inbound packet is on a network behind one of those routers, the FortiGate routing table must include routes to those networks. For example, in Figure 29, the FortiGate unit must be configured with static routes to interfaces A and B in order to forward packets to Network_1 and Network_2 respectively.

Figure 29: Destinations on remote networks behind internal routers
[Diagram labels: FortiGate_1, FortiGate_, Router_1, Router_2, interfaces A and B, Network_1, Network_2, Network_3]

Transparent VPN infrastructure requirements

The local FortiGate unit must be operating in transparent mode.
The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
If the remote peer is operating in NAT mode, it must have a static public IP address.

A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:

The unit must have sufficient routing information to reach the management station.
For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.

Only policy-based VPN configurations are possible in transparent mode.
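
The routing requirement above can be checked before deployment. The following Python sketch is an added example, not part of the Fortinet guide: it runs a longest-prefix lookup over a planned routing table and reports any network behind an internal router that would fall through to the default route toward the edge router. All IP addresses and the ROUTES/INTERNAL names are constructed assumptions; only Router_1, Router_2, interfaces A and B, Network_1 and Network_2 come from Figure 29.

```python
import ipaddress

# Constructed addressing (assumption; the guide gives no IP addresses).
ROUTES = [  # (destination prefix, gateway) as planned for the routing table
    ("0.0.0.0/0", "192.0.2.1"),       # default static route to the edge router
    ("10.1.0.0/16", "172.16.0.11"),   # Network_1 via Router_1, interface A
]
INTERNAL = {  # networks behind internal routers -> gateway that must be used
    "Network_1": ("10.1.0.0/16", "172.16.0.11"),  # Router_1, interface A
    "Network_2": ("10.2.0.0/16", "172.16.0.12"),  # Router_2, interface B
}


def lookup(routes, address):
    """Longest-prefix match: return (network, gateway), or None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def audit(routes, internal):
    """Return {name: problem} for internal networks not routed to their router."""
    problems = {}
    for name, (prefix, expected_gw) in internal.items():
        net = ipaddress.ip_network(prefix)
        # Probe the first and last address so a too-narrow static route is caught.
        for probe in (net[0], net[-1]):
            hit = lookup(routes, probe)
            if hit is None:
                problems[name] = f"no route for {probe}"
            elif hit[1] != expected_gw:
                problems[name] = (f"{probe} goes to {hit[1]} via {hit[0]}, "
                                  f"expected {expected_gw}")
            if name in problems:
                break
    return problems


if __name__ == "__main__":
    for name, problem in audit(ROUTES, INTERNAL).items():
        print(f"{name}: {problem}")
```

With the sample table, Network_2 is reported because its traffic would follow the default route to the edge router instead of Router_2.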
IPsec VPNs for FortiOS 4.0 MR3<br />
178 01-434-112804-20120111<br />
http://docs.fortinet.com/<br />