FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Creating a backup IPSec interface Redundant VPN configurations 3 Select Create New, enter the following information, and select OK: Source Interface/Zone Source Address Name Destination Interface/Zone Destination Address Name Schedule Service Action Internal All Site_2_B All Always Any ACCEPT Creating a backup IPSec interface Starting in FortiOS 3.0 MR4, you can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility. In FortiOS releases prior to 3.0 MR4, a backup VPN configuration is possible only if the backup connection is a modem in a Redundant mode configuration. You can configure a backup IPSec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor-phase1 option creates a backup VPN for the specified phase 1 configuration. In the following example, backup_vpn is a backup for main_vpn. config vpn ipsec phase1-interface edit main_vpn set dpd on set interface port1 set nattraversal enable set psksecret "hard-to-guess" set remote-gw 10.10.10.8 set type static end edit backup_vpn set dpd on set interface port2 set monitor-phase1 main_vpn set nattraversal enable set psksecret "hard-to-guess" set remote-gw 10.10.10.8 set type static end FortiGate IPSec VPN Version 3.0 User Guide 104 01-30005-0065-20070716
Transparent mode VPNs Configuration overview Transparent mode VPNs This section describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently. The following topics are included in this section: • Configuration overview • Configure the VPN peers Configuration overview In Transparent mode, all interfaces of the FortiGate unit except the management interface (which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the network layer. Typically, when a FortiGate unit runs in Transparent mode, different network segments are connected to the FortiGate interfaces. Figure 19 shows the management station on the same subnet. The management station can connect to the FortiGate unit directly through the web-based manager. Figure 19: Management station on internal network Site_1 10.10.10.0/24 Management station 10.10.10.1 Internet Edge router FortiGate_1 An edge router typically provides a public connection to the Internet and one interface of the FortiGate unit is connected to the router. If the FortiGate unit is managed from an external address (see Figure 20 on page 106), the router must translate (NAT) a routable address to direct management traffic to the FortiGate management interface. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 105
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Dynamic DNS configurations Configur
Page 53 and 54: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 101 and 102: Redundant VPN configurations Partia
Page 103: Redundant VPN configurations Partia
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 152 and 153: Defining firewall policies Defining
Page 154 and 155:
Defining firewall policies Defining
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?