FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

VPN troubleshooting tips Monitoring and testing VPNs 3 Refer to Table 2 on page 160 to correct the problem. Table 2: VPN trouble-shooting tips Configuration problem Mode settings do not match. Peer ID or certificate name of the remote peer or dialup client is not recognized by FortiGate VPN server. Preshared keys do not match. Phase 1 or phase 2 key exchange proposals are mismatched. NAT traversal settings are mismatched. SPI settings for manual key tunnels are mismatched. Correction Select complementary mode settings. See “Choosing main mode or aggressive mode” on page 128. Go to VPN > Phase 1. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see “Authenticating remote peers and clients” on page 131). If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note. Reenter the preshared key. See “Authenticating remote peers and clients” on page 131. Make sure that both VPN peers have at least one set of proposals in common for each phase. See “Defining IKE negotiation parameters” on page 137 and “Configure the phase 2 parameters” on page 146. Select or clear both options as required. See “NAT traversal” on page 140 and “NAT keepalive frequency” on page 140. Enter complementary SPI settings. See “Manual-key configurations” on page 111. A word about NAT devices When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, the device must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see “NAT traversal” on page 140. FortiGate IPSec VPN Version 3.0 User Guide 160 01-30005-0065-20070716
Index Index A Accept peer ID in dialup group 136 Accept this peer certificate group only 134 Accept this peer certificate only 134 Accept this peer ID 134 address, IP address example 150 aggregated subnets for hub-and-spoke VPN 34 Allow inbound, encryption policy 150 Allow outbound, encryption policy 150 ambiguous routing resolving in FortiGate dialup-client configuration 72 authenticating based on peer IDs 134 IPsec VPN peers and clients 131 through IPSec certificate 129 through XAuth settings 141 authenticating FortiGate unit with pre-shared key 130 Authentication Algorithm, Manual Key 113 Authentication Key, Manual Key 113 authentication server, external for XAuth 141 Autokey Keep Alive IPSec interface mode 147 Autokey Keep Alive, Phase 2 145 B backup VPN 104 C Certificate Name, Phase 1 129 certificate, IPSec group 134 Local ID setting 134 using DN to establish access 132 viewing local DN 133 CLI using instead of web-based manager 10 CLI commands for VPN 10 comments, documentation 14 concentrator, defining 37 configuring dynamic DNS VPN 50 FortiClient dialup-client VPN 59 FortiClient in dialup-client VPN 64 FortiGate dialup-client VPN 74 FortiGate in dialup-client IPSec VPN 76 gateway-to-gateway IPSec VPN 21 hub-and-spoke IPSec VPN 33 manual keys 112 transparent mode IPSec VPN 109 customer service 14 D DDNS services, subscribing to 50 Dead Peer Detection, Phase 1 139, 140, 141 DH Group IPSec interface mode 147 DH Group, Phase 1 137, 139 DH Group, Phase 2 144 DHCP relay in FortiClient dialup-client configuration 62 in FortiGate dialup-client configuration 73 DHCP server in FortiClient dialup-client configuration 63 DHCP-IPSec IPSec interface mode 147 DHCP-IPSec, phase 2 145 dialup-client IPSec configuration configuration steps for FortiGate dialup clients 74 DHCP relay for FortiClient VIP 62 DHCP server for FortiClient VIP 63 dialup server for FortiClient dialup clients 59 dialup server for FortiGate dialup clients 75 FortiGate client configuration 76 infrastructure requirements for FortiClient access 58 infrastructure requirements for FortiGate client access 73 Diffie-Hellman algorithm 137, 144 DNS server, dynamic DNS configuration 49, 50 documentation commenting on 14 Fortinet 12 domain name, dynamic DNS configuration 49, 51 dynamic DNS configuration configuration steps 50 domain name configuration 51 infrastructure requirements 50 overview 49 remote VPN peer configuration 53 supported DDNS services 50 dynamic IP address for remote host 55 FortiGate DDNS peer 49 FortiGate dialup client 71 E Enable perfect forward secrecy (PFS) IPSec interface mode 147 Enable perfect forward secrecy (PFS), Phase 2 144 Enable replay detection IPSec interface mode 147 Enable replay detection, Phase 2 144 FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 161
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Hub-and-spoke configurations Dynami
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Dynamic DNS configurations Configur
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
FortiClient dialup-client configura
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
FortiGate dialup-client configurati
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Internet-browsing configuration Con
Page 81 and 82:
Internet-browsing configuration Rou
Page 83 and 84:
Redundant VPN configurations Config
Page 85 and 86:
Redundant VPN configurations Config
Page 87 and 88:
Redundant VPN configurations Redund
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Redundant VPN configurations Partia
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Transparent mode VPNs Configuration
Page 107 and 108:
Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138: Auto Key phase 1 parameters Definin
Page 139 and 140: Auto Key phase 1 parameters Definin
Page 141 and 142: Auto Key phase 1 parameters Using X
Page 143 and 144: Phase 2 parameters Basic phase 2 se
Page 145: Phase 2 parameters Advanced phase 2
Page 148 and 149: Configure the phase 2 parameters Ph
Page 150 and 151: Defining firewall policies Defining
Page 156 and 157: Monitoring VPN connections Monitori
Page 158 and 159: Logging VPN events Monitoring and t
Page 162 and 163: Index Encryption Algorithm, Manual
Page 164 and 165: Index remote peer authenticating wi
Page 166: www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?