FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Site-to-site IPv6 over IPv4 VPN example IPv6 IPSec VPNs Site-to-site IPv6 over IPv4 VPN example In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure. Figure 26: Example IPv6-over-IPv4 VPN topology FortiGate A FortiGate B Internet Port3 Port 2 10.0.0.1/24 Port 2 10.0.1.1/24 Port3 fec0:0000:0000:0000::/64 fec0:0000:0000:0004::/64 Configure FortiGate A interfaces Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN. config system interface edit port2 set 10.0.0.1/24 next edit port3 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f3/64 end Configure FortiGate A IPSec settings The phase 1 configuration uses IPv4 addressing. config vpn ipsec phase1-interface edit toB set interface port2 set remote-gw 10.0.1.1 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1 end The phase 2 configuration uses IPv6 selectors. By default, phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6. config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6 end FortiGate IPSec VPN Version 3.0 User Guide 124 01-30005-0065-20070716
IPv6 IPSec VPNs Site-to-site IPv6 over IPv4 VPN example Configure FortiGate A firewall policies IPv6 firewall policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0. config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always end Configure FortiGate A routing Configure FortiGate B This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPSec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPSec packets, out on port2. config router static6 edit 1 set device toB set dst fec0:0000:0000:0004::/64 end config router static edit 1 set device port2 set dst 0.0.0.0/0 set gateway 10.0.0.254 end The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPSec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPSec phase 2 configuration has IPv6 selectors. IPv6 firewall policies enable traffic to pass between the private network and the IPSec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 125
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 123: IPv6 IPSec VPNs Site-to-site IPv4 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159: Logging VPN events Monitoring and t
Page 160 and 161: VPN troubleshooting tips Monitoring
Page 162 and 163: Index Encryption Algorithm, Manual
Page 164 and 165: Index remote peer authenticating wi
Page 166: www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?