FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

How to work with overlapping subnets Gateway-to-gateway configurations To configure the outbound firewall policy 1 Go to Firewall > Policy. 2 Select Create New, enter the following information, and then select OK: Source Interface/Zone Port 1 Source Address Name all Destination Interface/Zone FG1toFG2 Destination Address Name all Schedule As required. Service As required. Action ACCEPT NAT Enable To configure the inbound firewall policy 1 Go to Firewall > Policy. 2 Select Create New, enter the following information, and then select OK: Source Interface/Zone FG1toFG2 Source Address Name all Destination Interface/Zone Port 1 Destination Address Name my-vip Schedule As required. Service As required. Action ACCEPT NAT Disable To configure the route 1 Go to Router > Static. 2 Select Create New, enter the following information, and then select OK: Destination IP / Mask 10.0.2.0/24 on FortiGate_1 10.0.1.0/24 on FortiGate_2 Device FG1toFG2 Gateway Leave as default: 0.0.0.0. Distance Usually you can leave this at its default. FortiGate IPSec VPN Version 3.0 User Guide 30 01-30005-0065-20070716
Gateway-to-gateway configurations How to work with overlapping subnets Solution for policy-based VPN As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address. PC1 communicates with PC2 using IP address 10.0.2.100. PC2 communicates with PC1 using IP address 10.0.1.100. In this solution however, outbound NAT is used to translate the source address of packets from the 192.168.2.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply. Inbound packets from the remote end have their destination addresses translated back to the 192.168.2.0/24 network. For example, PC1 uses the destination address 10.0.2.100 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address to 10.0.1.100. At the FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination address to the actual PC2 address of 192.168.2.100. Similarly, PC2 replies to PC1 using destination address 10.0.1.100, with the PC2 source address translated to 10.0.2.100. PC1 and PC2 can communicate over the VPN even though they both have the same IP address. You need to: • Configure IPSec Phase 1 as you usually would for a policy-based VPN. • Configure IPSec Phase 2 with the use-natip disable CLI option. • Define a firewall address for the local private network, 192.168.2.0/24. • Define a firewall address for the remote private network: • define a firewall address for 10.0.2.0/24 on FortiGate_1 • define a firewall address for 10.0.1.0/24 on FortiGate_2 • Configure an outgoing IPSec firewall policy with outbound NAT to map 192.168.2.0/24 source addresses: • to the 10.0.1.0/24 network on FortiGate_1 • to the 10.0.2.0/24 network on FortiGate_2 To configure IPSec Phase 2 In the CLI, enter the following commands: config vpn ipsec phase2 edit "FG1FG2_p2" set keepalive enable set pfs enable set phase1name FG1toFG2 set proposal 3des-sha1 3des-md5 set replay enable set use-natip disable end In this example, your phase 1 definition is named FG1toFG2. Because use-natip is set to disable, you can specify the source selector using the src-addr-type, src-start-ip / src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 31
Page 1 and 2: USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4: Contents Contents Introduction ....
Page 5 and 6: Contents Adding XAuth authenticatio
Page 7 and 8: Contents Defining IKE negotiation p
Page 9 and 10: Introduction About FortiGate IPSec
Page 11 and 12: Introduction About this document
Page 13 and 14: Introduction Fortinet documentation
Page 15 and 16: Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82:
Internet-browsing configuration Rou
Page 83 and 84:
Redundant VPN configurations Config
Page 85 and 86:
Redundant VPN configurations Config
Page 87 and 88:
Redundant VPN configurations Redund
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Redundant VPN configurations Partia
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Transparent mode VPNs Configuration
Page 107 and 108:
Transparent mode VPNs Configuration
Page 109 and 110:
Transparent mode VPNs Configure the
Page 111 and 112:
Manual-key configurations Configura
Page 113 and 114:
Manual-key configurations Specify t
Page 115 and 116:
IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?