FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Configure the spokes Hub-and-spoke configurations Configure the spokes Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Host Security. Perform these steps at each FortiGate unit that will act as a spoke. To create the phase 1 configuration 1 At the spoke, define the phase 1 parameters that the spoke will use to establish a secure connection with the hub. See “Auto Key phase 1 parameters” on page 127. Enter these settings in particular: Remote Gateway IP Address Enable IPSec Interface Mode Select Static IP Address. Type the IP address of the interface that connects to the hub. Enable if you are creating a route-based VPN. Clear if you are creating a policy-based VPN. 2 Create the phase 2 tunnel definition. See “Phase 2 parameters” on page 143. Enter these settings in particular: Remote Gateway Select the set of phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list. Configuring firewall policies for hub-to-spoke communication 1 Create an address for this spoke. See “Defining firewall addresses” on page 149. Enter the IP address and netmask of the private network behind the spoke. 2 Create an address to represent the hub. See “Defining firewall addresses” on page 149. Enter the IP address and netmask of the private network behind the hub. 3 Define the firewall policy to enable communication with the hub. Policy-based VPN firewall policy Define an IPSec firewall policy to permit communications with the hub. See “Defining firewall policies” on page 150. Enter these settings in particular: Source Interface/Zone Select the spoke’s interface to the internal (private) network. Source Address Name Select the spoke address you defined in Step 1. Destination Interface/Zone Select the spoke’s interface to the external (public) network. Destination Address Name Select the hub address you defined in Step 2. Action Select IPSEC VPN Tunnel Select the name of the phase 1 configuration you defined. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel. Route-based VPN firewall policy Define two firewall policies to permit communications to and from the hub. Enter these settings in particular: Source Interface/Zone Select the virtual IPSec interface you created. Source Address Name Select the hub address you defined in Step 1. FortiGate IPSec VPN Version 3.0 User Guide 40 01-30005-0065-20070716
Hub-and-spoke configurations Configure the spokes Destination Interface/Zone Select the spoke’s interface to the internal (private) network. Destination Address Name Select the spoke addresses you defined in Step 2. Action Select ACCEPT NAT Enable Source Interface/Zone Select the spoke’s interface to the internal (private) network. Source Address Name Select the spoke address you defined in Step 1. Destination Interface/Zone Select the virtual IPSec interface you created. Destination Address Name Select the hub destination addresses you defined in Step 2. Action Select ACCEPT NAT Enable Configuring firewall policies for spoke-to-spoke communication Each spoke requires firewall policies to enable communication with the other spokes. Instead of creating separate firewall policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The firewall policy then applies to all of the spokes in the group. 1 Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group. For more information, see “Configuring Address Groups” section in the “Firewall Address” chapter of the FortiGate Administration Guide. 2 Define the firewall policy to enable communication between this spoke and the spokes in the address group you created. Policy-based VPN firewall policy Define an IPSec firewall policy to permit communications with the other spokes. See “Defining firewall policies” on page 150. Enter these settings in particular: Source Interface/Zone Select this spoke’s internal (private) network interface. Source Address Name Select this spoke’s source address. Destination Interface/Zone Select the spoke’s interface to the external (public) network. Destination Address Name Select the spoke address group you defined in Step 1. Action VPN Tunnel Select IPSEC Select the name of the phase 1 configuration you defined. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel. Route-based VPN firewall policy Define two firewall policies to permit communications to and from the other spokes. Enter these settings in particular: Source Interface/Zone Select the virtual IPSec interface you created. Source Address Name Select the spoke address group you defined in Step 1. Destination Interface/Zone Select the spoke’s interface to the internal (private) network. Destination Address Name Select this spoke’s address name. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 41
Page 1 and 2: USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4: Contents Contents Introduction ....
Page 5 and 6: Contents Adding XAuth authenticatio
Page 7 and 8: Contents Defining IKE negotiation p
Page 9 and 10: Introduction About FortiGate IPSec
Page 11 and 12: Introduction About this document
Page 13 and 14: Introduction Fortinet documentation
Page 15 and 16: Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 39: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 89 and 90: Redundant VPN configurations Redund
Page 91 and 92:
Redundant VPN configurations Redund
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Redundant VPN configurations Partia
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Transparent mode VPNs Configuration
Page 107 and 108:
Transparent mode VPNs Configuration
Page 109 and 110:
Transparent mode VPNs Configure the
Page 111 and 112:
Manual-key configurations Configura
Page 113 and 114:
Manual-key configurations Specify t
Page 115 and 116:
IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?