FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Configuration overview Transparent mode VPNs Figure 23: Destinations on remote networks behind internal routers Internet FortiGate_1 Router_1 Router_2 A Network_3 B Network_1 Network_2 Transparent VPN infrastructure requirements • The local FortiGate unit must be operating in Transparent mode. • The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer. • If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit. • If the remote peer is operating in NAT/Route mode, it must have a static public IP address. A FortiGate unit operating in Transparent mode requires the following basic configuration to operate as a node on the IP network: • The unit must have sufficient routing information to reach the management station. • For any traffic to reach external destinations, a default static route to the edge router must be present in the FortiGate routing table. The router forwards packets to the Internet. • When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table. Before you begin An IPSec VPN definition links a gateway with a tunnel and an IPSec policy. If your network topology includes more than one virtual domain, you must choose components that were created in the same virtual domain. Therefore, before you define a transparent VPN configuration, choose an appropriate virtual domain in which to create the required interfaces, firewall policies, and VPN components. For more information, see the “Using virtual domains” chapter of the FortiGate Administration Guide. FortiGate IPSec VPN Version 3.0 User Guide 108 01-30005-0065-20070716
Transparent mode VPNs Configure the VPN peers Configure the VPN peers The following procedure assumes that the local VPN peer operates in Transparent mode. The remote VPN peer may operate in NAT/Route mode or Transparent mode. 1 At the local FortiGate unit, define the phase 1 parameters needed to establish a secure connection with the remote peer. See “Auto Key phase 1 parameters” on page 127. Select Advanced and enter these settings in particular: Remote Gateway IP Address Advanced Select Static IP Address. Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in Transparent mode, type the IP address of the remote management interface. Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see “NAT traversal” on page 140 and “NAT keepalive frequency” on page 140. 2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer. See “Phase 2 parameters” on page 143. Enter these settings in particular: Phase 1 Select the set of phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address list. 3 Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel. See “Defining firewall addresses” on page 149. Enter these settings in particular: • For the originating address (source address), enter the IP address of the local management interface (for example, 10.10.10.1/32). • For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 192.168.10.0/24). If the remote peer is a FortiGate unit running in Transparent mode, enter the IP address of the remote management interface instead. 4 Define an IPSec firewall policy to permit communications between the source and destination addresses. See “Defining firewall policies” on page 150. Enter these settings in particular: Source Interface/Zone Select the local interface to the internal (private) network. Source Address Name Select the source address that you defined in Step 3. Destination Interface/Zone Select the interface to the edge router. When you configure the IPSec firewall policy on a remote peer that operates in NAT/Route mode, you select the public interface to the external (public) network instead. Destination Address Name Select the destination address that you defined in Step 3. Action IPSEC VPN Tunnel Select the name of the phase 2 tunnel configuration that you created in Step 2. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 109
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107: Transparent mode VPNs Configuration
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?