FortiGate IPSec VPN User Guide - FirewallShop.com
Defining firewall policies

When used in conjunction with the natip CLI attribute (see the “config firewall” chapter of the FortiGate CLI Reference), outbound NAT enables you to change the source addresses of IP packets before they go into the tunnel. This feature is often used to resolve ambiguous routing when two or more of the private networks making up a VPN have the same or overlapping IP addresses. For examples of how to use these two features together, see the FortiGate Outbound NAT for IPSec VIP Technical Note and the FortiGate IPSec VPN Subnet-address Translation Technical Note.

When inbound NAT is enabled, inbound encrypted packets are intercepted and decrypted, and the source IP addresses of the decrypted packets are translated into the IP address of the FortiGate interface to the local private network before they are routed to the private network. If the computers on the local private network can communicate only with devices on the local private network (that is, the FortiGate interface to the private network is not the default gateway) and the remote client (or remote private network) does not have an IP address in the same network address space as the local private network, enable inbound NAT.
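The following is an added example, not a configuration from this guide: an IPSec firewall policy in assumed FortiOS 3.0 CLI syntax that uses natip to resolve two overlapping 192.168.1.0/24 networks. The attribute names natoutbound, natinbound and vpntunnel are assumed from the CLI Reference the text cites; the address objects, interface names, subnets and the tunnel name "to_branch" are constructed.

```fortios
# Added example (assumed FortiOS 3.0 syntax, constructed values).
# Scenario: the local LAN and the remote LAN both use 192.168.1.0/24.
# Outbound NAT rewrites local source addresses to 10.10.10.0/24 before
# encryption, so the remote peer sees a non-overlapping source network.
# The remote site is assumed to present its own translated pool,
# 10.10.20.0/24, as the destination we route to through the tunnel.
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Remote_LAN_Translated"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN_Translated"
        set action ipsec
        # phase 1 name, assumed to be defined already
        set vpntunnel "to_branch"
        # allow traffic in both directions through the tunnel
        set inbound enable
        set outbound enable
        # translate source addresses to 10.10.10.0/24 before they enter
        # the tunnel (outbound NAT with natip, as described in the text)
        set natoutbound enable
        set natip 10.10.10.0 255.255.255.0
        # Inbound NAT is left disabled here. Enable it only when the
        # internal interface is not the LAN's default gateway and the
        # remote network does not overlap the local one, as the text states:
        # set natinbound enable
    next
end
```

The phase 2 selectors on both peers must describe the translated networks (10.10.10.0/24 and 10.10.20.0/24), not the overlapping 192.168.1.0/24, or the quick mode proposals will not match.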
Most firewall policies control outbound IP traffic. An outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the firewall policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose for the firewall policy identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel.

You can fine-tune a policy for services such as HTTP, FTP, and POP3; enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, and email services throughout the VPN; and optionally allow connections according to a predefined schedule. For more information, see the “Firewall Policy” chapter of the FortiGate Administration Guide.
Note: As an option, differentiated services can be enabled in the firewall policy through CLI commands. For more information, see the “firewall” chapter of the FortiGate CLI Reference.
When a remote server or client attempts to connect to the private network behind a FortiGate gateway, the firewall policy intercepts the connection attempt and starts the VPN tunnel. The FortiGate unit uses the remote gateway specified in its phase 1 tunnel configuration to reply to the remote peer. When the remote peer receives a reply, it checks its own firewall policy, including the tunnel configuration, to determine which communications are permitted. As long as one or more services are allowed through the VPN tunnel, the two peers begin to negotiate the tunnel.
Before you begin

Before you define the IPSec policy, you must:
• Define the IP source and destination addresses. See “Defining firewall addresses” on page 149.
• Specify the phase 1 authentication parameters. See “Auto Key phase 1 parameters” on page 127.
• Specify the phase 2 parameters. See “Phase 2 parameters” on page 143.
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 151