fortigate-ipsec-40-mr3
IPsec VPN Overview
General preparation steps
These sections contain high-level configuration guidelines with cross-references to detailed configuration procedures. If you need more detail to complete a step, follow the cross-reference in the step to drill down, then return to the original procedure to complete it. For a general overview of how to configure a VPN, see "How to use this guide to configure an IPsec VPN" below.
A VPN configuration defines relationships between the VPN devices and the private hosts, servers, or networks making up the VPN. Configuring a VPN involves gathering and recording the following information, which you will need to configure the VPN.
The private IP addresses of participating hosts, servers, and/or networks. These IP addresses represent the source addresses of traffic that is permitted to pass through the VPN. An IP source address can be an individual IP address, an address range, or a subnet address. Keep these as narrow as possible: they become the phase 2 selectors and the policy addresses, and anything outside them is not protected by (and should not be reachable through) the tunnel.
The public IP addresses of the VPN end-point interfaces. The VPN devices establish tunnels with each other through these interfaces.
The private IP addresses associated with the VPN-device interfaces to the private networks. Computers on the private networks behind the VPN gateways will connect to their VPN gateways through these interfaces.
How to use this guide to configure an IPsec VPN
This guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations. Follow the step-by-step configuration procedures in this guide to set up the VPN.
The following configuration procedures are common to all IPsec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers or clients and establish a secure connection. See "Auto Key phase 1 parameters" on page 39.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client. See "Phase 2 parameters" on page 57.
3 Specify the source and destination addresses of IP packets that are to be transported through the VPN tunnel. See "Defining policy addresses" on page 63.
4 Create an IPsec security policy to define the scope of permitted services between the IP source and destination addresses. See "Defining VPN security policies" on page 64.
These steps assume you configure the FortiGate unit to generate unique IPsec encryption and authentication keys automatically (Auto Key, using IKE). In situations where a remote VPN peer or client requires a specific IPsec encryption and authentication key, you must configure the FortiGate unit to use manual keys instead of performing Steps 1 and 2. Manual keys are static: they are never rekeyed and offer no forward secrecy, so use them only when the peer cannot negotiate keys with IKE. For more information, see "Manual-key configurations" on page 183.
IPsec VPNs for FortiOS 4.0 MR3
24 01-434-112804-20120111
http://docs.fortinet.com/