FortiGate IPSec VPN User Guide - FirewallShop.com
FortiGate IPSec VPN User Guide - FirewallShop.com
FortiGate IPSec VPN User Guide - FirewallShop.com
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Hub-and-spoke configurations<br />
Configure the spokes<br />
Destination Interface/Zone Select the spoke’s interface to the internal (private) network.<br />
Destination Address Name Select the spoke addresses you defined in Step 2.<br />
Action<br />
Select ACCEPT<br />
NAT<br />
Enable<br />
Source Interface/Zone Select the spoke’s interface to the internal (private) network.<br />
Source Address Name Select the spoke address you defined in Step 1.<br />
Destination Interface/Zone Select the virtual <strong>IPSec</strong> interface you created.<br />
Destination Address Name Select the hub destination addresses you defined in Step 2.<br />
Action<br />
Select ACCEPT<br />
NAT<br />
Enable<br />
Configuring firewall policies for spoke-to-spoke <strong>com</strong>munication<br />
Each spoke requires firewall policies to enable <strong>com</strong>munication with the other<br />
spokes. Instead of creating separate firewall policies for each spoke, you can<br />
create an address group that contains the addresses of the networks behind the<br />
other spokes. The firewall policy then applies to all of the spokes in the group.<br />
1 Define destination addresses to represent the networks behind each of the other<br />
spokes. Add these addresses to an address group. For more information, see<br />
“Configuring Address Groups” section in the “Firewall Address” chapter of the <strong>FortiGate</strong><br />
Administration <strong>Guide</strong>.<br />
2 Define the firewall policy to enable <strong>com</strong>munication between this spoke and the<br />
spokes in the address group you created.<br />
Policy-based <strong>VPN</strong> firewall policy<br />
Define an <strong>IPSec</strong> firewall policy to permit <strong>com</strong>munications with the other spokes.<br />
See “Defining firewall policies” on page 150. Enter these settings in particular:<br />
Source Interface/Zone Select this spoke’s internal (private) network interface.<br />
Source Address Name Select this spoke’s source address.<br />
Destination Interface/Zone Select the spoke’s interface to the external (public) network.<br />
Destination Address Name Select the spoke address group you defined in Step 1.<br />
Action<br />
<strong>VPN</strong> Tunnel<br />
Select IPSEC<br />
Select the name of the phase 1 configuration you defined.<br />
Select Allow inbound to enable traffic from the remote<br />
network to initiate the tunnel.<br />
Select Allow outbound to enable traffic from the local<br />
network to initiate the tunnel.<br />
Route-based <strong>VPN</strong> firewall policy<br />
Define two firewall policies to permit <strong>com</strong>munications to and from the other<br />
spokes. Enter these settings in particular:<br />
Source Interface/Zone Select the virtual <strong>IPSec</strong> interface you created.<br />
Source Address Name Select the spoke address group you defined in Step 1.<br />
Destination Interface/Zone Select the spoke’s interface to the internal (private) network.<br />
Destination Address Name Select this spoke’s address name.<br />
<strong>FortiGate</strong> <strong>IPSec</strong> <strong>VPN</strong> Version 3.0 <strong>User</strong> <strong>Guide</strong><br />
01-30005-0065-20070716 41