FortiGate IPSec VPN User Guide - FirewallShop.com
Hub-and-spoke configurations
Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Host Security.
Perform these steps at each FortiGate unit that will act as a spoke.
To create the phase 1 configuration
1 At the spoke, define the phase 1 parameters that the spoke will use to establish a secure connection with the hub. See “Auto Key phase 1 parameters” on page 127. Enter these settings in particular:
Remote Gateway                Select Static IP Address.
IP Address                    Type the IP address of the interface that connects to the hub.
Enable IPSec Interface Mode   Enable if you are creating a route-based VPN. Clear if you are creating a policy-based VPN.
2 Create the phase 2 tunnel definition. See “Phase 2 parameters” on page 143. Enter these settings in particular:
Remote Gateway   Select the set of phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.
Configuring firewall policies for hub-to-spoke communication
1 Create an address for this spoke. See “Defining firewall addresses” on page 149. Enter the IP address and netmask of the private network behind the spoke.
2 Create an address to represent the hub. See “Defining firewall addresses” on page 149. Enter the IP address and netmask of the private network behind the hub.
3 Define the firewall policy to enable communication with the hub.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications with the hub. See “Defining firewall policies” on page 150. Enter these settings in particular:
Source Interface/Zone        Select the spoke’s interface to the internal (private) network.
Source Address Name          Select the spoke address you defined in Step 1.
Destination Interface/Zone   Select the spoke’s interface to the external (public) network.
Destination Address Name     Select the hub address you defined in Step 2.
Action                       Select IPSEC.
VPN Tunnel                   Select the name of the phase 1 configuration you defined. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the hub. Enter these settings in particular:
Source Interface/Zone   Select the virtual IPSec interface you created.
Source Address Name     Select the hub address you defined in Step 1.
FortiGate IPSec VPN Version 3.0 User Guide
40 01-30005-0065-20070716
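The spoke-side steps above, as an added route-based example in FortiOS 3.0 CLI (not the guide's own text): the interface names, subnets and object names are assumed, the pre-shared key is a placeholder, and the second policy's direction is inferred from "two firewall policies to permit communications to and from the hub".

```fortios
# Added example, not from the guide: route-based (interface-mode) spoke in FortiOS 3.0 CLI,
# mirroring the GUI steps above. Assumed values: wan1 = spoke public interface, 203.0.113.1 =
# hub public IP, "internal"/192.168.10.0/24 = LAN behind the spoke, 10.0.0.0/24 = LAN behind
# the hub. A policy-based VPN would use "config vpn ipsec phase1" and "set action ipsec".
# Step 1 (phase 1): Remote Gateway = Static IP Address, Enable IPSec Interface Mode checked
config vpn ipsec phase1-interface
    edit "to_hub"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# Step 2 (phase 2): bind the tunnel definition to the phase 1 entry named above
config vpn ipsec phase2-interface
    edit "to_hub_p2"
        set phase1name "to_hub"
    next
end
# Firewall Steps 1 and 2: address objects for the private networks behind spoke and hub
config firewall address
    edit "spoke_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "hub_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
# Firewall Step 3: one accept policy per direction. Scoping src/dst to the two address
# objects (not "all") means only hub-LAN <-> spoke-LAN traffic can use the tunnel.
config firewall policy
    edit 0
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "hub_lan"
        set dstaddr "spoke_lan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "spoke_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

A route-based spoke also needs a static route to the hub's private network with the virtual IPSec interface as its device (config router static, set device "to_hub"), which this page does not cover.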