FortiGate IPSec VPN User Guide - FirewallShop.com
General configuration steps
Dynamic DNS configurations
Whenever the FortiGate unit detects that its IP address has changed, it notifies the dynamic DNS server and provides the new IP address to the server. The dynamic DNS server makes the updated IP address available to all DNS servers, and the new IP address remains in effect until the FortiGate unit detects that its IP address has changed again.

A FortiGate unit that has a static domain name and a dynamic IP address can initiate VPN connections at any time, because the remote peer replies to the FortiGate unit using the source IP address that was sent in the packet header. However, changes to a dynamic IP address must be resolved before a remote peer can establish a VPN connection to the domain name: the remote peer must request a DNS lookup for the matching IP address before initiating the connection.
Dynamic DNS infrastructure requirements

• A basic gateway-to-gateway configuration must be in place (see “Gateway-to-gateway configurations” on page 19), except that one of the FortiGate units has a static domain name and a dynamic IP address instead of a static IP address.
• A DNS server must be available to VPN peers that initiate connections to the domain name. For instructions about how to configure FortiGate units to look up the IP address of a domain name, see the “System Network DNS” section of the FortiGate Administration Guide.
• The FortiGate unit with the domain name must subscribe to one of the supported dynamic DNS services. Contact one of the services to set up an account. For more information and instructions about how to configure the FortiGate unit to push its dynamic IP address to a dynamic DNS server, see the “System Network Interface” section of the FortiGate Administration Guide.
General configuration steps

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPSec phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the firewall policy permits the connection, the FortiGate unit establishes the tunnel using IPSec phase 2 parameters and applies the firewall policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed:
• Configure the FortiGate unit that has a domain name with a dynamic IP address. This unit uses a Local ID string to identify itself to the remote peer. See “Configure the dynamically-addressed VPN peer” on page 51.
• Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must retrieve the IP address for the domain from the dynamic DNS service. See “Configure the fixed-address VPN peer” on page 53.
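As an added illustration that is not part of the guide, the two peers described above expressed as FortiOS phase 1 and phase 2 CLI objects: the fixed-address side resolves the domain name through the ddns gateway type and pins the expected peer identity, while the dynamically addressed side presents that identity as its Local ID. The domain name, the static IP address, the identity string and the pre-shared key are placeholders, and the availability of these keywords on a given firmware release is assumed, not taken from this page.

```fortios
# Fixed-address peer (static IP, placeholder 203.0.113.1). It initiates toward
# the dynamically addressed peer by resolving its domain name at connect time.
config vpn ipsec phase1
    edit "to-branch"
        set type ddns
        set remotegw-ddns "branch.ddns.example"   # placeholder FQDN registered with the DDNS service
        set mode aggressive                        # assumption: peer ID is exchanged in the first message, so the PSK can be selected by identity
        set peertype one                           # accept exactly one remote identity ...
        set peerid "branch-fgt"                    # ... and it must equal the branch unit's Local ID
        set proposal aes128-sha1
        set psksecret "<REPLACE-WITH-PRESHARED-KEY>"
    next
end
config vpn ipsec phase2
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes128-sha1
    next
end

# Dynamically addressed peer (domain name branch.ddns.example). It identifies
# itself by Local ID and can initiate at any time toward the static address.
config vpn ipsec phase1
    edit "to-hq"
        set type static
        set remote-gw 203.0.113.1                  # placeholder static IP of the fixed-address peer
        set mode aggressive
        set localid "branch-fgt"                   # must match the peerid configured on the fixed-address peer
        set proposal aes128-sha1
        set psksecret "<REPLACE-WITH-PRESHARED-KEY>"
    next
end
config vpn ipsec phase2
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes128-sha1
    next
end
```

Because the fixed-address peer cannot trust the source IP address of a dynamically addressed peer, the peerid/localid pair is what ties the tunnel to the intended unit; leaving peertype at any would accept any peer that knows the pre-shared key.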
FortiGate IPSec VPN Version 3.0 User Guide
50 01-30005-0065-20070716