FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Authenticating remote peers and clients Auto Key phase 1 parameters To enable access for a specific certificate holder or a group of certificate holders 1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key. 2 In the list of defined configurations, select the Edit button to edit the existing phase 1 configuration. 3 From the Authentication Method list, select RSA Signature. 4 From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client 5 Under Peer Options, select one of these options: • To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See “Before you begin” on page 132. • To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See “Before you begin” on page 132. 6 If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use. 7 Select OK. Enabling VPN access by peer identifier Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you can require that remote peers or clients have a particular peer ID. This adds another piece of information that is required to gain access to the VPN. More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a preshared key and assume the same identifier. You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address. To authenticate remote peers or dialup clients using one peer ID 1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key (IKE). 2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters. 3 Select Aggressive mode in any of the following cases: • the FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel • a FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service • FortiGate/FortiClient dialup clients sharing the same preshared key and local ID connect through the same VPN tunnel 4 Select Accept this peer ID and type the identifier into the corresponding field. 5 Select OK. FortiGate IPSec VPN Version 3.0 User Guide 134 01-30005-0065-20070716
Auto Key phase 1 parameters Authenticating remote peers and clients To assign an identifier (local ID) to a FortiGate unit Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client. 1 Go to VPN > IPSEC > Auto Key (IKE). 2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters. 3 Select Advanced. 4 In the Local ID field, type the identifier that the FortiGate unit will use to identify itself. 5 Set Mode to Aggressive if any of the following conditions apply: • The FortiGate unit is a dialup client that will use a unique ID to connect to a FortiGate dialup server through a dedicated tunnel. • The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service, and will use a unique ID to connect to the remote VPN peer through a dedicated tunnel. • The FortiGate unit is a dialup client that shares the specified ID with multiple dialup clients to connect to a FortiGate dialup server through the same tunnel. 6 Select OK. To configure the FortiClient Host Security application Follow this procedure to add a peer ID to an existing FortiClient configuration: 1 Start the FortiClient Host Security application. 2 Go to VPN > Connections, select the existing configuration, and then select Advanced > Edit. 3 Select Advanced. 4 Under Policy, select Config. 5 In the Local ID field, type the identifier that will be shared by all dialup clients. This value must match the Accept this peer ID value that you specified previously in the phase 1 gateway configuration on the FortiGate unit. 6 Select OK to close all dialog boxes. 7 Configure all dialup clients the same way using the same preshared key and local ID. Enabling VPN access using user accounts and pre-shared keys You can permit access only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit. If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal connections based on peer IDs, you must enable the exchange of their identifiers when you define the phase 1 parameters. The following procedures assume that you already have an existing phase 1 configuration (see “Authenticating the FortiGate unit with digital certificates” on page 129). Follow the procedures below to add ID checking to the existing configuration. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 135
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Internet-browsing configuration Con
Page 81 and 82:
Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 131 and 132: Auto Key phase 1 parameters Authent
Page 133: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159: Logging VPN events Monitoring and t
Page 160 and 161: VPN troubleshooting tips Monitoring
Page 162 and 163: Index Encryption Algorithm, Manual
Page 164 and 165: Index remote peer authenticating wi
Page 166: www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?