FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Defining firewall policies Defining firewall policies To define an IP address 1 Go to Firewall > Address and select Create New. 2 In the Address Name field, type a descriptive name that represents the network, server(s), or host(s). 3 In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 for a server or host) or IP address range (for example, 192.168.10.[80-100] or 192.168.10.80-192.168.10.100). 4 Select OK. Defining firewall policies Firewall policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to particular traffic by specifying source address and destination addresses. Policy-based and route-based VPNs require different firewall policies. • A policy-based VPN requires an IPSec firewall policy. You specify the interface to the private network, the interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions. • A route-based VPN requires an Accept firewall policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPSec interface (phase 1 configuration) of the VPN. The IPSec interface is the destination interface for the outbound policy and the source interface for the inbound policy. There are examples of firewall policies for both policy-based and route-based VPNs throughout this guide. Defining an IPSec firewall policy for a policy-based VPN An IPSec firewall policy enables the transmission and reception of encrypted packets, specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases, a single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. In addition to these operations, firewall policies specify which IP addresses can initiate a tunnel. Traffic from computers on the local private network initiates the tunnel when the Allow outbound option is selected. Traffic from a dialup client or computers on the remote network initiates the tunnel when the Allow inbound option is selected. When a FortiGate unit runs in NAT/Route mode, you can also enable inbound or outbound NAT. Outbound NAT may be performed on outbound encrypted packets, or on IP packets before they are sent through the tunnel. Inbound NAT is performed on IP packets emerging from the tunnel. These options are not selected by default in firewall policies. FortiGate IPSec VPN Version 3.0 User Guide 150 01-30005-0065-20070716
Defining firewall policies Defining firewall policies When used in conjunction with the natip CLI attribute (see the “config firewall” chapter of the FortiGate CLI Reference), outbound NAT enables you to change the source addresses of IP packets before they go into the tunnel. This feature is often used to resolve ambiguous routing when two or more of the private networks making up a VPN have the same or overlapping IP addresses. For examples of how to use these two features together, see the FortiGate Outbound NAT for IPSec VIP Technical Note and the FortiGate IPSec VPN Subnet-address Translation Technical Note. When inbound NAT is enabled, inbound encrypted packets are intercepted and decrypted, and the source IP addresses of the decrypted packets are translated into the IP address of the FortiGate interface to the local private network before they are routed to the private network. If the computers on the local private network can communicate only with devices on the local private network (that is, the FortiGate interface to the private network is not the default gateway) and the remote client (or remote private network) does not have an IP address in the same network address space as the local private network, enable inbound NAT. Most firewall policies control outbound IP traffic. An outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the firewall policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose for the firewall policy identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel. You can fine-tune a policy for services such as HTTP, FTP, and POP3; enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, and email services throughout the VPN; and optionally allow connections according to a predefined schedule. For more information, see the “Firewall Policy” chapter of the FortiGate Administration Guide. Note: As an option, differentiated services can be enabled in the firewall policy through CLI commands. For more information, see the “firewall” chapter of the FortiGate CLI Reference. When a remote server or client attempts to connect to the private network behind a FortiGate gateway, the firewall policy intercepts the connection attempt and starts the VPN tunnel. The FortiGate unit uses the remote gateway specified in its phase 1 tunnel configuration to reply to the remote peer. When the remote peer receives a reply, it checks its own firewall policy, including the tunnel configuration, to determine which communications are permitted. As long as one or more services are allowed through the VPN tunnel, the two peers begin to negotiate the tunnel. Before you begin Before you define the IPSec policy, you must: • Define the IP source and destination addresses. See “Defining firewall addresses” on page 149. • Specify the phase 1 authentication parameters. See “Auto Key phase 1 parameters” on page 127. • Specify the phase 2 parameters. See “Phase 2 parameters” on page 143. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 151
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Internet-browsing configuration Con
Page 81 and 82:
Internet-browsing configuration Rou
Page 83 and 84:
Redundant VPN configurations Config
Page 85 and 86:
Redundant VPN configurations Config
Page 87 and 88:
Redundant VPN configurations Redund
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 152 and 153: Defining firewall policies Defining
Page 154 and 155: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159: Logging VPN events Monitoring and t
Page 160 and 161: VPN troubleshooting tips Monitoring
Page 162 and 163: Index Encryption Algorithm, Manual
Page 164 and 165: Index remote peer authenticating wi
Page 166: www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?