FortiGate IPSec VPN User Guide - FirewallShop.com
Configuring IPSec VPNs

This section provides a brief overview of IPSec technology and includes general information about how to configure IPSec VPNs using this guide.

The following topics are included in this section:
• IPSec VPN overview
• Planning your VPN
• General preparation steps
• How to use this guide to configure an IPSec VPN

IPSec VPN overview

IPSec can be used to tunnel network-layer (layer 3) traffic between two VPN peers or between a VPN server and its client. When an IPSec VPN tunnel is established between a FortiGate unit and a remote VPN peer or client, packets are transmitted using Encapsulating Security Payload (ESP) security in tunnel mode.

Cleartext packets that originate from behind the FortiGate unit are encrypted as follows:
• IP packets are encapsulated within IPSec packets to form a secure tunnel
• the IP packet remains unaltered, but the header of the new IPSec packet refers to the end points of the VPN tunnel
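The two points above are easiest to see on the wire. The following script is an added example, not code from this guide or from Fortinet: it wraps an unaltered inner IPv4 packet in an ESP header, trailer and integrity check value (ICV), then in a new outer IPv4 header whose addresses are the two tunnel endpoints, and reverses the process on the receiving side. The addresses and keys are constructed sample values, the ESP ICV uses HMAC-SHA-256 truncated to 128 bits (RFC 4868), and the encryption is a constructed HMAC-counter keystream standing in for a real IPsec cipher suite, so the layout is ESP's but the cipher is illustrative only.

```python
"""ESP tunnel-mode encapsulation: the inner IP packet rides unaltered inside an
outer packet addressed between the tunnel endpoints.  Added example; the
keystream cipher below is constructed for illustration, not an IPsec cipher."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_IPIP = 4   # ESP "next header" value when the payload is an IPv4 packet
ICV_LEN = 16       # HMAC-SHA-256-128: the tag is truncated to 128 bits


def _checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _keystream(key, spi, seq, length):
    """Constructed PRF-counter keystream keyed by SPI and sequence number.
    Illustrative stand-in for the ESP cipher; not an IPsec algorithm."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def esp_encapsulate(inner_packet, spi, seq, enc_key, auth_key, tunnel_src, tunnel_dst):
    """Build outer IPv4 | ESP header | encrypted(inner + trailer) | ICV."""
    # ESP trailer: pad so payload + padding + 2 trailer bytes is 4-byte aligned
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad bytes
    plaintext = inner_packet + padding + struct.pack("!BB", pad_len, IPPROTO_IPIP)
    esp_header = struct.pack("!II", spi, seq)        # SPI, sequence number
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    # ICV covers the ESP header and the ciphertext, never the outer IP header
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + ciphertext + icv
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(outer_packet, enc_key, auth_key):
    """Return (tunnel_src, tunnel_dst, inner_packet); ValueError on bad ICV."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    src = socket.inet_ntoa(outer_packet[12:16])
    dst = socket.inet_ntoa(outer_packet[16:20])
    esp = outer_packet[ihl:]
    esp_header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # verify before decrypting
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", esp_header)
    ks = _keystream(enc_key, spi, seq, len(body))
    plaintext = bytes(a ^ b for a, b in zip(body, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_header)
    return src, dst, plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Constructed sample: a UDP packet from 10.1.0.5 to 10.2.0.7 tunnelled
    between gateways 198.51.100.1 and 203.0.113.1 (documentation addresses)."""
    enc_key = b"constructed-encryption-key-demo!"
    auth_key = b"constructed-integrity-key-demo!!"
    payload = b"hello from the branch"
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 17, len(payload)) + payload
    outer = esp_encapsulate(inner, 0x1000ABCD, 1, enc_key, auth_key,
                            "198.51.100.1", "203.0.113.1")
    src, dst, recovered = esp_decapsulate(outer, enc_key, auth_key)
    tampered = bytearray(outer)
    tampered[30] ^= 0x01                              # flip a ciphertext bit
    try:
        esp_decapsulate(bytes(tampered), enc_key, auth_key)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"outer_endpoints": (src, dst), "inner_unaltered": recovered == inner,
            "inner_len": len(inner), "outer_len": len(outer),
            "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: the outer header is the only thing an observer on the path sees, so the private 10.x addresses never appear in cleartext, and the receiver checks the ICV before it decrypts anything, so a modified packet is dropped without ever feeding attacker-controlled ciphertext into the decryption step.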
When a FortiGate unit receives a connection request from a remote peer, it uses phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the firewall policy permits the connection, the FortiGate unit establishes the VPN tunnel using phase 2 parameters and applies the protection profile. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

Planning your VPN

To save time later and be ready to configure a VPN correctly, it is a good idea to plan the VPN configuration ahead of time. All VPN configurations comprise a number of required and optional parameters. Before you begin, you need to determine:
• where the IP traffic originates, and where it needs to be delivered
• which hosts, servers, or networks to include in the VPN
• which VPN devices to include in the configuration
• through which interfaces the VPN devices communicate
• through which interfaces the private networks access the VPN gateways
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 15