fortigate-ipsec-40-mr3
Gateway-to-gateway configurations
General configuration steps
The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed by both FortiGate units:
1. Define the phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
2. Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
3. Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.
Configuring the two VPN peers
Configure the VPN peers as follows. The steps are general; every one of them is required and none is optional. The cross references point to the detailed information for each step, which is repeated elsewhere in this chapter. See “Auto Key phase 1 parameters” on page 39.
Configuring Phase 1 and Phase 2 for both peers
This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names, but this is optional. Otherwise all steps are the same for each peer.

The phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.

Before you define the phase 1 parameters, you need to:
- Reserve a name for the remote gateway.
- Obtain the IP address of the public interface to the remote peer.
- Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters and should be known only to the network administrators. For optimum protection against currently known attacks, use at least 16 randomly chosen alphanumeric characters. A short key, or one derived from a word, can be recovered by an offline dictionary attack against a captured IKE exchange (trivially so if phase 1 is negotiated in aggressive mode), so generate the key rather than choosing it by hand and leave phase 1 in main mode.
At the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the remote peer. See “Phase 1 configuration” on page 26.
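The procedure above is symmetric: each unit needs the same phase 1 and phase 2 parameters with only the remote gateway address, the phase 2 selectors and the interface names swapped, and the same preshared key on both sides. The following script is an added example, not code from the FortiOS Handbook or from Fortinet: it derives both peers' configuration from one shared definition so the two sides cannot drift apart, checks that the two plans really mirror each other before anything is pushed, and applies the preshared-key rules from the paragraph above (6-character minimum, 16 random alphanumerics recommended). The CLI keywords it emits are the FortiOS 4.0-era route-based syntax (`phase1-interface` / `phase2-interface`, `service "ANY"`) as I remember it and should be checked against the CLI Reference for your build; the peer names, interfaces, addresses (RFC 5737 test nets on the public side), the policy and route IDs (which assume empty tables), and the 80-bit entropy floor are all constructed for the example.

```python
"""Added example (not Fortinet's code): generate mirrored phase 1 / phase 2 /
policy / route configuration for both peers of a gateway-to-gateway tunnel
and enforce the preshared-key rules from the handbook text.
Assumed: FortiOS 4.0-era route-based CLI keywords, empty policy/route tables
(IDs 1 and 2), constructed addresses, and an 80-bit entropy floor of my own."""
import ipaddress
import math
import secrets
import string

PSK_ALPHABET = string.ascii_letters + string.digits
PSK_MIN_LEN = 6           # FortiOS hard minimum: 6 printable characters
PSK_RECOMMENDED_LEN = 16  # text: at least 16 randomly chosen alphanumerics
PROPOSAL, DH_GROUP = "aes256-sha1", 14  # both peers must offer the same set

PEERS = {  # constructed; each side's public_ip is the other side's remote-gw
    "FortiGate_1": {"wan": "wan1", "public_ip": "192.0.2.1", "lan": "internal", "lan_subnet": "10.11.101.0/24"},
    "FortiGate_2": {"wan": "wan1", "public_ip": "198.51.100.1", "lan": "internal", "lan_subnet": "10.21.101.0/24"},
}


def generate_psk(length=PSK_RECOMMENDED_LEN):
    """Random alphanumeric key from a CSPRNG, the form the text recommends."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_problems(psk):
    """Reasons a candidate key fails the rules in the text; empty list means OK."""
    problems = []
    if len(psk) < PSK_MIN_LEN:
        problems.append("shorter than the 6-character minimum")
    if not psk.isprintable():
        problems.append("contains non-printable characters")
    if len(psk) < PSK_RECOMMENDED_LEN:
        problems.append("shorter than the recommended 16 characters")
    # Rough entropy estimate: treat the key as drawn uniformly from the union
    # of the character classes it actually uses (lower/upper/digit/other).
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: not c.isalnum(), 32)]
    alphabet = sum(size for test, size in classes if any(test(c) for c in psk))
    bits = len(psk) * math.log2(alphabet) if alphabet else 0
    if bits < 80:  # assumed floor; 16 random alphanumerics give about 95 bits
        problems.append(f"estimated entropy {bits:.0f} bits is below 80")
    return problems


def tunnel_plan(local, remote, psk):
    """The phase 1 / phase 2 values this peer needs, as listed in the text."""
    l, r = PEERS[local], PEERS[remote]
    return {"local": local, "name": f"to_{remote}", "interface": l["wan"],
            "remote_gw": r["public_ip"], "psk": psk, "proposal": PROPOSAL, "dhgrp": DH_GROUP,
            "src_subnet": l["lan_subnet"], "dst_subnet": r["lan_subnet"], "lan_if": l["lan"]}


def peers_match(a, b):
    """Pre-push check for the usual gateway-to-gateway mistakes: remote-gw must be the
    other side's public IP, PSK and proposal must agree, phase 2 selectors must be mirrored."""
    return (a["remote_gw"] == PEERS[b["local"]]["public_ip"]
            and b["remote_gw"] == PEERS[a["local"]]["public_ip"]
            and a["psk"] == b["psk"]
            and (a["proposal"], a["dhgrp"]) == (b["proposal"], b["dhgrp"])
            and (a["src_subnet"], a["dst_subnet"]) == (b["dst_subnet"], b["src_subnet"]))


def stanza(table, entries):
    """Render one 'config ... / edit ... / set ... / next / end' block."""
    out = [f"config {table}"]
    for name, settings in entries:
        out += [f"    edit {name}"] + [f"        set {k} {v}" for k, v in settings] + ["    next"]
    return "\n".join(out + ["end"])


def render_cli(p):
    """FortiOS CLI for one peer: phase 1, phase 2, address objects, one accept
    policy per direction, and the static route that steers remote-LAN traffic into the tunnel."""
    src, dst = ipaddress.ip_network(p["src_subnet"]), ipaddress.ip_network(p["dst_subnet"])
    net = lambda n: f"{n.network_address} {n.netmask}"
    q = lambda s: f'"{s}"'
    n, accept = p["name"], [("action", "accept"), ("schedule", q("always")), ("service", q("ANY"))]
    return "\n".join([
        stanza("vpn ipsec phase1-interface", [(q(n), [
            ("interface", q(p["interface"])), ("remote-gw", p["remote_gw"]),
            ("mode", "main"),  # main mode: never aggressive mode with a PSK
            ("proposal", p["proposal"]), ("dhgrp", p["dhgrp"]), ("psksecret", q(p["psk"]))])]),
        stanza("vpn ipsec phase2-interface", [(q(n + "_p2"), [
            ("phase1name", q(n)), ("proposal", p["proposal"]), ("pfs", "enable"),
            ("dhgrp", p["dhgrp"]), ("src-subnet", net(src)), ("dst-subnet", net(dst))])]),
        stanza("firewall address", [(q("local_lan"), [("subnet", net(src))]),
                                    (q("remote_lan"), [("subnet", net(dst))])]),
        stanza("firewall policy", [  # specific address objects, not "all", in both directions
            ("1", [("srcintf", q(p["lan_if"])), ("dstintf", q(n)),
                   ("srcaddr", q("local_lan")), ("dstaddr", q("remote_lan"))] + accept),
            ("2", [("srcintf", q(n)), ("dstintf", q(p["lan_if"])),
                   ("srcaddr", q("remote_lan")), ("dstaddr", q("local_lan"))] + accept)]),
        stanza("router static", [("1", [("dst", net(dst)), ("device", q(n))])]),
    ]) + "\n"


if __name__ == "__main__":
    psk = generate_psk()  # the same key is specified at both units
    plans = [tunnel_plan("FortiGate_1", "FortiGate_2", psk), tunnel_plan("FortiGate_2", "FortiGate_1", psk)]
    assert peers_match(*plans) and not psk_problems(psk)
    for p in plans:
        print(f"# ---- {p['local']} ----\n{render_cli(p)}")
```

Run it once and paste each unit's section into that unit's CLI; the policy and route IDs are hard-coded, so on a unit that already has policies replace them with free IDs (or `edit 0` where your build allocates the next ID). The generated key is printed in clear in the `psksecret` line, so treat the output as a secret and distribute it to the second administrator out of band.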
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 71<br />
http://docs.fortinet.com/