FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

About this document Introduction Using the web-based manager and CLI to configure IPSec VPNs The FortiGate unit provides two user interfaces to configure operating parameters: the web-based manager, and the Command Line Interface (CLI). In the web-based manager: • IPSec VPN operating parameters are located on the following tabs: • VPN > IPSEC > Auto Key (IKE) • VPN > IPSEC > Manual Key • VPN > IPSEC > Concentrator • VPN > Certificates In the CLI, the following commands are available to configure comparable VPN settings: • config vpn ipsec phase1 • config vpn ipsec phase1-interface • config vpn ipsec phase2 • config vpn ipsec phase2-interface • config vpn ipsec manualkey • config vpn ipsec manualkey-interface • config vpn ipsec concentrator • config vpn ipsec forticlient • config vpn certificate • execute vpn certificate For detailed information about these CLI commands, refer to the “vpn” and “execute” chapters of the FortiGate CLI Reference. About this document Where possible, this document explains how to configure VPNs using the webbased manager. A few options can be configured only through the CLI. You can also configure VPNs entirely through the CLI. For detailed information about CLI commands, see the FortiGate CLI Reference. This document contains the following chapters: • Configuring IPSec VPNs provides a brief overview of IPSec technology and includes general information about how to configure IPSec VPNs using this guide. • Gateway-to-gateway configurations explains how to set up a basic gateway-togateway (site-to-site) IPSec VPN. In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks. • Hub-and-spoke configurations describes how to set up hub-and-spoke IPSec VPNs. In a hub-and-spoke configuration, connections to a number of remote peers and/or clients radiate from a single, central FortiGate hub. • Dynamic DNS configurations describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a static domain name and a dynamic IP address. FortiGate IPSec VPN Version 3.0 User Guide 10 01-30005-0065-20070716
Introduction About this document • FortiClient dialup-client configurations guides you through configuring a FortiClient dialup-client IPSec VPN. In a FortiClient dialup-client configuration, the FortiGate unit acts as a dialup server and VPN client functionality is provided by the FortiClient Host Security application installed on a remote host. • FortiGate dialup-client configurations explains how to set up a FortiGate dialup-client IPSec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server. • Internet-browsing configuration explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the firewall policy that controls traffic on the private network behind the local FortiGate unit. • Redundant VPN configurations discusses the options for supporting redundant and partially redundant tunnels in an IPSec VPN configuration. A FortiGate unit can be configured to support redundant tunnels to the same remote peer if the FortiGate unit has more than one interface to the Internet. • Transparent mode VPNs describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently. In Transparent mode, all interfaces of the FortiGate unit except the management interface are invisible at the network layer. • Manual-key configurations explains how to manually define cryptographic keys to establish an IPSec VPN tunnel. If one VPN peer uses specific authentication and encryption keys to establish a tunnel, both VPN peers must be configured to use the same encryption and authentication algorithms and keys. • IPv6 IPSec VPNs describes FortiGate unit VPN capabilities for networks based on IPv6 addressing. This includes IPv4-over-IPv6 and IPv6-over-IPv4 tunnelling configurations. • Auto Key phase 1 parameters provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The basic phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase VPN connection security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes. • Phase 2 parameters provides detailed step-by-step procedures for configuring an IPSec VPN tunnel. During phase 2, the specific IPSec security associations needed to implement security services are selected and a tunnel is established. • Defining firewall policies explains how to specify the source and destination IP addresses of traffic transmitted through an IPSec VPN tunnel, and how to define a firewall encryption policy. Firewall policies control all IP traffic passing between a source address and a destination address. • Monitoring and testing VPNs provides some general monitoring and testing procedures for VPNs. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 11
Page 1 and 2: USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4: Contents Contents Introduction ....
Page 5 and 6: Contents Adding XAuth authenticatio
Page 7 and 8: Contents Defining IKE negotiation p
Page 9: Introduction About FortiGate IPSec
Page 13 and 14: Introduction Fortinet documentation
Page 15 and 16: Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 61 and 62:
FortiClient dialup-client configura
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Internet-browsing configuration Con
Page 81 and 82:
Internet-browsing configuration Rou
Page 83 and 84:
Redundant VPN configurations Config
Page 85 and 86:
Redundant VPN configurations Config
Page 87 and 88:
Redundant VPN configurations Redund
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Redundant VPN configurations Partia
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Transparent mode VPNs Configuration
Page 107 and 108:
Transparent mode VPNs Configuration
Page 109 and 110:
Transparent mode VPNs Configure the
Page 111 and 112:
Manual-key configurations Configura
Page 113 and 114:
Manual-key configurations Specify t
Page 115 and 116:
IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?