FortiGate IPSec VPN User Guide - FirewallShop.com
Hub-and-spoke configurations
Dynamic spokes configuration example
Configure the hub (FortiGate_1)
The phase 1 configuration defines the parameters that FortiGate_1 will use to
authenticate spokes and establish secure connections.
For the purposes of this example, one preshared key will be used to authenticate
all of the spokes. Each key must contain at least 6 printable characters and should
only be known by network administrators. For optimum protection against
currently known attacks, each key should consist of a minimum of 16 randomly
chosen alphanumeric characters. Note that because every spoke shares the same
key and the hub accepts any peer ID, any host that obtains the key can bring up a
tunnel to the hub; the key should be generated with a cryptographic random
source, never derived from a word or phrase, and changed if any spoke is
compromised.
Define the IPsec configuration
To define the phase 1 parameters
1 At FortiGate_1, go to VPN > IPSEC > Auto Key.
2 Define the phase 1 parameters that the hub will use to establish a secure
connection to the spokes. Select Create Phase 1, enter the following information,
and select OK:
Name                    Type a name (for example, toSpokes).
Remote Gateway          Dialup user
Local Interface         External
Mode                    Main
Authentication Method   Preshared Key
Pre-shared Key          Enter the preshared key.
Peer Options            Accept any peer ID
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration and specify the remote end points of the VPN tunnels.
To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Create a phase 2 tunnel definition for the spokes. Select Create Phase 2, enter
the following information, and select OK:
Name                    Enter a name for the phase 2 definition (for example, toSpokes_ph2).
Phase 1                 Select the Phase 1 configuration that you defined previously (for example, toSpokes).
Define the firewall policies
Firewall policies control all IP traffic passing between a source address and a
destination address. For a route-based VPN, the policies are simpler than for a
policy-based VPN. Instead of an IPSEC policy, you use an ACCEPT policy with
the virtual IPSec interface as the external interface.
Before you define firewall policies, you must first define firewall addresses to use
in those policies. You need addresses for:
• the HR network behind FortiGate_1
• the aggregate subnet address for the protected networks
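The hub-side configuration described in the steps above, entered through the FortiOS CLI rather than the web-based manager, as an added example that is not part of the original guide. The phase 1 and phase 2 names and the settings they carry (dynamic/dialup gateway, main mode, preshared key, accept any peer ID) are the ones given in the steps above; the interface names external and internal, the address object names HR_network and Spoke_networks, the subnets 10.1.1.0/24 and 10.2.0.0/16, the proposal and DH group choices, and the static route are assumptions chosen to make the fragment complete.

```fortios
# Added example: hub (FortiGate_1) configuration for the dynamic-spokes
# route-based VPN, FortiOS CLI. Names marked "assumed" are not from the guide.

# Phase 1: dialup (dynamic) remote gateway, main mode, preshared key,
# accept any peer ID. The phase 1 name also becomes the name of the
# virtual IPsec interface used in the firewall policies below.
config vpn ipsec phase1-interface
    edit "toSpokes"
        set type dynamic
        set interface "external"        # assumed physical interface name
        set mode main                   # main mode; do not use aggressive mode
                                        # with a shared PSK (identity and PSK
                                        # hash are exposed in the exchange)
        set peertype any                # "Accept any peer ID"
        set proposal aes128-sha1 aes256-sha1   # assumed proposal
        set dhgrp 5                     # assumed DH group
        set psksecret <preshared key>   # 16+ random alphanumeric characters
    next
end

# Phase 2 bound to the phase 1 definition above. PFS and the proposal are
# assumed choices; the guide's step only sets the name and the phase 1.
config vpn ipsec phase2-interface
    edit "toSpokes_ph2"
        set phase1name "toSpokes"
        set proposal aes128-sha1 aes256-sha1
        set pfs enable
        set dhgrp 5
    next
end

# Firewall addresses: the HR network behind the hub and the aggregate subnet
# that covers all protected spoke networks (names and subnets assumed).
config firewall address
    edit "HR_network"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Spoke_networks"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# Route-based VPN: plain ACCEPT policies with the virtual IPsec interface
# "toSpokes" as the external interface, one per direction. "edit 0" lets the
# unit allocate the next free policy ID.
config firewall policy
    edit 0
        set srcintf "toSpokes"
        set dstintf "internal"          # assumed LAN interface name
        set srcaddr "Spoke_networks"
        set dstaddr "HR_network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "internal"
        set dstintf "toSpokes"
        set srcaddr "HR_network"
        set dstaddr "Spoke_networks"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# A route-based tunnel only carries traffic that is routed into it, so the
# aggregate spoke subnet must be routed to the virtual interface (assumed).
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "toSpokes"
    next
end
```

Generate the preshared key from a cryptographic random source rather than typing one, for example `openssl rand -base64 24`, and restrict srcaddr/dstaddr to the actual address objects rather than "all" so that a spoke cannot reach anything on the hub side other than the HR network. Spoke-to-spoke traffic through the hub would need an additional toSpokes to toSpokes policy, which this page does not cover.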
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 43