fortigate-ipsec-40-mr3

More documents

Recommendations

Info

Contents Auto Key phase 1 parameters 39 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Defining the tunnel ends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . <strong>40</strong> Choosing main mode or aggressive mode . . . . . . . . . . . . . . . . . . . . . . . <strong>40</strong> Choosing the IKE version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Authenticating the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Authenticating the FortiGate unit with digital certificates . . . . . . . . . . . . . 41 Authenticating the FortiGate unit with a pre-shared key. . . . . . . . . . . . . . 42 Authenticating remote peers and clients . . . . . . . . . . . . . . . . . . . . . . . 44 Enabling VPN access for specific certificate holders . . . . . . . . . . . . . . . 44 Before you begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Configuring certificate authentication for a VPN. . . . . . . . . . . . . . . . 45 Enabling VPN access by peer identifier . . . . . . . . . . . . . . . . . . . . . . 46 Enabling VPN access with user accounts and pre-shared keys. . . . . . . . . . 47 Defining IKE negotiation parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Generating keys to authenticate an exchange . . . . . . . . . . . . . . . . . . 49 Defining IKE negotiation parameters. . . . . . . . . . . . . . . . . . . . . . . . 50 NAT traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 NAT keepalive frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Dead peer detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Using XAuth authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Using the FortiGate unit as an XAuth server . . . . . . . . . . . . . . . . . . . . 54 Using the FortiGate unit as an XAuth client . . . . . . . . . . . . . . . . . . . . 55 Phase 2 parameters 57 Basic phase 2 settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Advanced phase 2 settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 P2 Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Replay detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Perfect forward secrecy (PFS)(. . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Keylife . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Auto-negotiate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Autokey Keep Alive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 DHCP-IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Quick mode selectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Configure the phase 2 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Specifying the phase 2 parameters . . . . . . . . . . . . . . . . . . . . . . . . 60 Defining VPN security policies 63 Defining policy addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Defining VPN security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Defining an IPsec security policy for a policy-based VPN . . . . . . . . . . . . . 65 Allow outbound and allow inbound . . . . . . . . . . . . . . . . . . . . . . 65 IPsec VPNs for FortiOS 4.0 MR3 4 01-434-112804-20120111 http://docs.fortinet.com/
Contents Outbound and inbound NAT. . . . . . . . . . . . . . . . . . . . . . . . . . 65 Source and destination addresses . . . . . . . . . . . . . . . . . . . . . . 65 Enabling other policy features . . . . . . . . . . . . . . . . . . . . . . . . . 65 Before you begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Defining multiple IPsec policies for the same tunnel . . . . . . . . . . . . . 67 Defining security policies for a route-based VPN . . . . . . . . . . . . . . . . . 68 Gateway-to-gateway configurations 69 Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Configuring the two VPN peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Configuring Phase 1 and Phase 2 for both peers . . . . . . . . . . . . . . . . . 71 Creating security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Creating firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Creating route-based VPN security policies . . . . . . . . . . . . . . . . . . 74 Configuring a default route for VPN interface . . . . . . . . . . . . . . . . . 75 Creating policy-based VPN security policy . . . . . . . . . . . . . . . . . . 76 How to work with overlapping subnets . . . . . . . . . . . . . . . . . . . . . . . . 76 Solution for route-based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Solution for policy-based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Hub-and-spoke configurations 85 Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Hub-and-spoke infrastructure requirements . . . . . . . . . . . . . . . . . . . 86 Spoke gateway addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Protected networks addressing . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Using aggregated subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Using an address group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Configure the hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Define the hub-spoke VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Define the hub-spoke security policies . . . . . . . . . . . . . . . . . . . . . . 88 Configuring communication between spokes (policy-based VPN) . . . . . . . . 90 Configuring communication between spokes (route-based VPN) . . . . . . . . . 90 Using a zone as a concentrator . . . . . . . . . . . . . . . . . . . . . . . . 90 Using a zone with a policy as a concentrator . . . . . . . . . . . . . . . . . 91 Using security policies as a concentrator . . . . . . . . . . . . . . . . . . . 91 Configure the spokes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Configuring security policies for hub-to-spoke communication . . . . . . . . . . 92 Policy-based VPN security policy . . . . . . . . . . . . . . . . . . . . . . 93 Configuring security policies for spoke-to-spoke communication. . . . . . . . . 93 Policy-based VPN security policy . . . . . . . . . . . . . . . . . . . . . . 94 IPsec VPNs for FortiOS 4.0 MR3 5 01-434-112804-20120111 http://docs.fortinet.com/
Page 1 and 2: IPsec VPNs FortiOS Handbook v3 for
Page 3: Contents FortiOS Handbook Introduct
Page 7 and 8: Contents Configure the FortiGate un
Page 9 and 10: Contents Site-to-site IPv6 over IPv
Page 11 and 12: Introduction How this guide is orga
Page 13 and 14: IPsec VPN concepts VPN tunnels Fort
Page 15 and 16: IPsec VPN concepts VPN gateways Fig
Page 17 and 18: IPsec VPN concepts Encryption Encry
Page 19 and 20: IPsec VPN concepts Security Associa
Page 21 and 22: IPsec VPN Overview Types of VPNs Ro
Page 23 and 24: IPsec VPN Overview Planning your VP
Page 25 and 26: FortiOS Handbook IPsec VPN in the w
Page 27 and 28: IPsec VPN in the web-based manager
Page 39 and 40: FortiOS Handbook Auto Key phase 1 p
Page 41 and 42: Auto Key phase 1 parameters Choosin
Page 43 and 44: Auto Key phase 1 parameters Authent
Page 49 and 50: Auto Key phase 1 parameters Definin
Page 55 and 56:
Auto Key phase 1 parameters Using X
Page 57 and 58:
Phase 2 parameters Basic phase 2 se
Page 59 and 60:
Phase 2 parameters Advanced phase 2
Page 61 and 62:
Phase 2 parameters Configure the ph
Page 63 and 64:
FortiOS Handbook Defining VPN secur
Page 65 and 66:
Defining VPN security policies Defi
Page 67 and 68:
Defining VPN security policies Defi
Page 69 and 70:
FortiOS Handbook Gateway-to-gateway
Page 71 and 72:
Gateway-to-gateway configurations G
Page 73 and 74:
Gateway-to-gateway configurations C
Page 75 and 76:
Gateway-to-gateway configurations C
Page 77 and 78:
Gateway-to-gateway configurations H
Page 79 and 80:
Gateway-to-gateway configurations H
Page 81 and 82:
Gateway-to-gateway configurations T
Page 83 and 84:
Gateway-to-gateway configurations T
Page 85 and 86:
FortiOS Handbook Hub-and-spoke conf
Page 87 and 88:
Hub-and-spoke configurations Config
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Hub-and-spoke configurations Dynami
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
FortiOS Handbook Dynamic DNS config
Page 103 and 104:
Dynamic DNS configuration Dynamic D
Page 105 and 106:
Dynamic DNS configuration Configure
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
FortiOS Handbook FortiClient dialup
Page 117 and 118:
FortiClient dialup-client configura
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
FortiGate dialup-client configurati
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
FortiOS Handbook Supporting IKE Mod
Page 143 and 144:
Supporting IKE Mode config clients
Page 145 and 146:
Supporting IKE Mode config clients
Page 147 and 148:
FortiOS Handbook Internet-browsing
Page 149 and 150:
Internet-browsing configuration Rou
Page 151 and 152:
FortiOS Handbook Redundant VPN conf
Page 153 and 154:
Redundant VPN configurations Config
Page 155 and 156:
Redundant VPN configurations Redund
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Redundant VPN configurations Partia
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Redundant VPN configurations Creati
Page 175 and 176:
FortiOS Handbook Transparent mode V
Page 177 and 178:
Transparent mode VPNs Configuration
Page 179 and 180:
Transparent mode VPNs Configure the
Page 181 and 182:
Transparent mode VPNs Configure the
Page 183 and 184:
FortiOS Handbook Manual-key configu
Page 185 and 186:
Manual-key configurations Specify t
Page 187 and 188:
IPv6 IPsec VPNs FortiOS Handbook Th
Page 189 and 190:
IPv6 IPsec VPNs Site-to-site IPv6 o
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
FortiOS Handbook L2TP and IPsec (Mi
Page 201 and 202:
L2TP and IPsec (Microsoft VPN) Conf
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
L2TP and IPsec (Microsoft VPN) Trou
Page 209 and 210:
L2TP and IPsec (Microsoft VPN) Trou
Page 211 and 212:
FortiOS Handbook GRE over IPsec (Ci
Page 213 and 214:
GRE over IPsec (Cisco VPN) configur
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
FortiOS Handbook Protecting OSPF wi
Page 223 and 224:
Protecting OSPF with IPsec OSPF ove
Page 225 and 226:
Protecting OSPF with IPsec OSPF ove
Page 227 and 228:
Protecting OSPF with IPsec Creating
Page 229 and 230:
FortiOS Handbook Hardware offloadin
Page 231 and 232:
Hardware offloading and acceleratio
Page 233 and 234:
Hardware offloading and acceleratio
Page 235 and 236:
FortiOS Handbook Monitoring and tro
Page 237 and 238:
Monitoring and troubleshooting Test
Page 239 and 240:
Monitoring and troubleshooting Logg
Page 241 and 242:
Monitoring and troubleshooting VPN
Page 243 and 244:
Index Numerics 3DES-Triple-DES, 51
Page 245 and 246:
IPcomp, 237 IPsec, 230 tunnel, 229
Page 247 and 248:
security association (SA), 230 secu
show all

fortigate-ipsec-40-mr3

Create successful ePaper yourself

Delete template?

Save as template?