FortiGate IPSec VPN User Guide - FirewallShop.com
Defining firewall policies

This section explains how to specify the source and destination IP addresses of traffic transmitted through an IPSec VPN, and how to define appropriate firewall policies.

The following topics are included in this section:
• Defining firewall addresses
• Defining firewall policies
Defining firewall addresses

A VPN tunnel has two end points. These end points may be VPN peers such as two FortiGate gateways. Encrypted packets are transmitted between the end points. At each end of the VPN tunnel, a VPN peer intercepts the encrypted packets, decrypts them, and forwards the decrypted IP packets to the intended destination.

You need to define firewall addresses for the private networks behind each peer. You will use these addresses as the source or destination address of a firewall policy, depending on the direction of the traffic the policy covers.
In general:
• In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need to define a firewall address for the private IP address of the network behind the remote VPN peer (for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24).
• In a peer-to-peer configuration, you need to define a firewall address for the private IP address of a server or host behind the remote VPN peer (for example, 172.16.5.1/255.255.255.255 or 172.16.5.1/32 or 172.16.5.1).
• For a FortiGate dialup server in a dialup-client or Internet-browsing configuration:
  • If you are not using VIP addresses, or if the FortiGate dialup server assigns VIP addresses to FortiClient dialup clients through FortiGate DHCP relay, select the predefined destination address “all” in the firewall policy to refer to the dialup clients, because the addresses the clients will use are not known in advance.
  • If you assign VIP addresses to FortiClient dialup clients manually, you need to define a firewall address for the VIP address assigned to the dialup client (for example, 10.254.254.1/32), or for the subnet from which the VIP addresses are assigned (for example, 10.254.254.0/24 or 10.254.254.0/255.255.255.0).
• For a FortiGate dialup client in a dialup-client or Internet-browsing configuration, you need to define a firewall address for the private IP address of a host, server, or network behind the FortiGate dialup server.
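The three notations in the list above (address with dotted mask, address with prefix length, bare host address) name the same objects, and the mistakes that bite in practice are a host address entered with a network mask, and address objects whose ranges overlap the local LAN or each other. The following Python is an added example, not code from the guide or from Fortinet: it normalizes each notation, rejects an address whose host bits fall outside its mask, flags overlapping objects, and renders the resulting `config firewall address` stanza. The object names and values are constructed for the example, and the CLI form (`set type ipmask`, `set subnet <ip> <mask>`) is assumed from the FortiOS CLI; check it against the CLI reference for your firmware.

```python
import ipaddress

# Firewall address objects for the cases the guide lists. Names and values are
# constructed for this example. The predefined "all" address the guide tells
# you to use for DHCP-assigned dialup clients needs no object, so it is absent.
EXAMPLE_ADDRESSES = [
    ("remote_lan",    "192.168.10.0/255.255.255.0"),  # gateway-to-gateway: remote network
    ("remote_server", "172.16.5.1"),                  # peer-to-peer: single host, bare IP
    ("vip_pool",      "10.254.254.0/24"),             # dialup server: manually assigned VIP range
]


def parse_firewall_address(text):
    """Accept the three notations the guide uses (ip/dotted-mask, ip/prefix,
    bare host ip) and return an IPv4Network. Raises ValueError when the host
    part has bits set outside the mask, e.g. "172.16.5.1/24", which would
    otherwise silently become a different object than the one intended."""
    text = text.strip()
    if "/" not in text:
        text += "/32"                       # bare host, as in "172.16.5.1"
    # ipaddress understands both "10.0.0.0/24" and "10.0.0.0/255.255.255.0";
    # strict=True is the host-bits check.
    return ipaddress.IPv4Network(text, strict=True)


def check_address(text):
    """Return (True, "<ip> <mask>") in the form 'set subnet' expects, or
    (False, reason) when the notation is invalid or ambiguous."""
    try:
        net = parse_firewall_address(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{net.network_address} {net.netmask}"


def fortios_address_object(name, text):
    """Render one 'config firewall address' entry. Assumption: the standard
    FortiOS CLI form (type ipmask, 'set subnet <ip> <mask>'); verify it
    against your firmware's CLI reference."""
    ok, detail = check_address(text)
    if not ok:
        raise ValueError(f"{name}: {detail}")
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        "        set type ipmask",
        f"        set subnet {detail}",
        "    next",
        "end",
    ])


def overlapping_addresses(addrs):
    """Return name pairs whose networks overlap. The private networks on each
    side of a tunnel, and a manually assigned VIP pool, must be disjoint or
    the FortiGate cannot route decrypted traffic to the correct side."""
    nets = [(name, parse_firewall_address(text)) for name, text in addrs]
    return [(a, b)
            for i, (a, x) in enumerate(nets)
            for b, y in nets[i + 1:]
            if x.overlaps(y)]


if __name__ == "__main__":
    for name, text in EXAMPLE_ADDRESSES:
        print(fortios_address_object(name, text))
    # A local LAN that collides with the remote network is the classic
    # dialup/branch-office misconfiguration; the check reports it.
    print("overlaps:", overlapping_addresses(
        EXAMPLE_ADDRESSES + [("local_lan", "192.168.10.128/25")]))
```

Run the checks before pasting the stanzas into the CLI; an address that fails `check_address` is a typo in the host or mask, and any pair returned by `overlapping_addresses` means one side of the tunnel needs renumbering or a narrower object.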
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 149