FortiGate IPSec VPN User Guide - FirewallShop.com
Hub-and-spoke configurations
Dynamic spokes configuration example
5 Select OK.
To create a firewall policy for the zone
1 Go to Firewall > Policy. Select Create New and enter these settings:
Source Interface/Zone: Select Our_VPN_zone.
Source Address Name: Select All.
Destination Interface/Zone: Select Our_VPN_zone.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Enable.
Protection profile: Select the appropriate protection profile.
2 Select OK.
Configure the spokes
In this example, all spokes have nearly identical configuration, requiring the following:
• phase 1 authentication parameters to initiate a connection with the hub
• phase 2 tunnel creation parameters to establish a VPN tunnel with the hub
• a source address that represents the network behind the spoke. This is the only part of the configuration that is different for each spoke.
• a destination address that represents the aggregate protected network
• a firewall policy to enable communications between the spoke and the aggregate protected network
Define the IPsec configuration
At each spoke, create the following configuration.
To define the phase 1 parameters
1 At the spoke, go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: Type a name (for example, toHub).
Remote Gateway: Static IP Address
IP Address: 172.16.10.1
Local Interface: Port2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
Peer Options: Accept any peer ID
Enable IPSec Interface Mode: Select Advanced to see this option. Enable the option to create a route-based VPN.
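The hub's zone policy and the spoke's phase 1 settings above, expressed as FortiOS CLI; this is an added example, not text from the guide. The keyword names are assumed from later FortiOS releases (the schedule and service values, and the `#` comment lines, are assumptions too), and the key value is a placeholder.

```fortios
# Added example, not from the guide. Keyword names assumed from later FortiOS
# releases; confirm them on a FortiOS 3.0 unit before relying on this.

# --- On the hub (FortiGate_1): policy permitting traffic within Our_VPN_zone,
#     matching the GUI settings in "To create a firewall policy for the zone".
config firewall policy
    edit 0
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        # Protection profile: select it as in the GUI step; the CLI keyword
        # differs between releases, so it is not shown here.
    next
end

# --- On each spoke: phase 1 toward the hub. Using phase1-interface (rather
#     than phase1) is the CLI equivalent of "Enable IPSec Interface Mode",
#     which makes this a route-based VPN.
config vpn ipsec phase1-interface
    edit "toHub"
        set interface "port2"
        set mode main
        set remote-gw 172.16.10.1
        set authmethod psk
        # "Accept any peer ID": the hub does not check the spoke's identity,
        # so possession of the shared key is all that identifies a spoke.
        # Use a long random value and distribute it out of band.
        set peertype any
        set psksecret REPLACE_WITH_THE_KEY_SET_ON_FORTIGATE_1
    next
end
```

Only the spoke's own source address (configured with phase 2 and its firewall policy, covered after this procedure) differs from spoke to spoke; the phase 1 block above is identical on every spoke.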
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 45