FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Configuration overview FortiClient dialup-client configurations Peer identification By default the FortiClient dialup client has the same IP address as the host PC on which it runs. If the host connects directly to the Internet, this is a public IP address. If the host is behind a NAT device, such as a router, the IP address is a private IP address. The NAT device must be NAT-T compatible to pass encrypted packets (see “NAT traversal” on page 140). The FortiClient application also can be configured to use a virtual IP address (VIP). For the duration of the connection, the FortiClient application and the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client. The FortiClient application sends its encrypted packets to the VPN remote gateway, which is usually the public interface of the FortiGate unit. It also uses this address to download VPN settings from the FortiGate unit. See “Automatic configuration of FortiClient dialup clients” on page 56. The FortiClient application can establish an IPSec tunnel with a FortiGate unit configured to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not identify the client using the phase 1 remote gateway address. The IPSec tunnel is established if authentication is successful and the IPSec firewall policy associated with the tunnel permits access. There are several different ways to authenticate dialup clients and restrict access to private networks based on client credentials. For more information, see “Authenticating remote peers and clients” on page 131. Automatic configuration of FortiClient dialup clients The FortiClient application can obtain its VPN settings from the FortiGate VPN server. FortiClient users need to know only the FortiGate VPN server IP address and their user name and password on the FortiGate unit. The FortiGate unit listens for VPN policy requests from clients on TCP port 8900. When the dialup client connects: • The client initiates a Secure Sockets Layer (SSL) connection to the FortiGate unit. • The FortiGate unit requests a user name and password from the FortiClient user. Using these credentials, it authenticates the client and determines which VPN policy applies to the client. • Provided that authentication is successful, the FortiGate unit downloads a VPN policy to the client over the SSL connection. The information includes IPSec phase 1 and phase 2 settings, and the IP addresses of the private networks that the client is authorized to access. • The client uses the VPN policy settings to establish an IPSec phase 1 connection and phase 2 tunnel with the FortiGate unit. How the FortiGate unit determines which settings to apply The FortiGate unit checks the virtual domain associated with the connection to determine which VPN policies have been configured in that domain. Each VPN policy specifies a user group and an IPSec tunnel. Next, the FortiGate unit selects the VPN policy that matches the dialup client’s user group and determines which tunnel is specified in the VPN policy. The FortiGate unit searches all IPSec firewall polices to determine which policies specify the tunnel. FortiGate IPSec VPN Version 3.0 User Guide 56 01-30005-0065-20070716
FortiClient dialup-client configurations Configuration overview Using virtual IP addresses Finally, the FortiGate unit searches the implicated IPSec firewall policies to determine which private network(s) the dialup clients may access. The rest of the VPN policy information is retrieved from the existing IPSec phase 1 and phase 2 parameters in the dialup-client configuration. When the FortiClient host PC is located behind a NAT device, unintended IP address overlap issues may arise between the private networks at the two ends of the tunnel. For example, the client’s host might receive a private IP address from a DHCP server on its network that by co-incidence is the same as a private IP address on the network behind the FortiGate unit. A conflict will occur in the host’s routing table and the FortiClient Host Security application will be unable to send traffic through the tunnel. Configuring virtual IP (VIP) addresses for FortiClient applications prevents this problem. Using VIPs ensures that client IP addresses are in a predictable range. You can then define firewall policies that allow access only to that source address range. If you do not use VIP, the firewall policies must allow all source addresses because you cannot predict the IP address for a remote mobile user. The FortiClient application must not have the same IP address as any host on the private network behind the FortiGate unit or any other connected FortiClient application. You can ensure this by reserving a range of IP addresses on the private network for FortiClient users. Or, you can assign FortiClient VIPs from an uncommonly used subnet such as 10.254.254.0/24 or 192.168.254.0/24. You can reserve a VIP address for a particular client according to its device MAC address and type of connection. The DHCP server then always assigns the reserved VIP address to the client. For more information about this feature, see the “dhcp reserved-address” section in the “system” chapter of the FortiGate CLI Reference. Note: To determine the VIP address that the FortiClient Host Security application is using, type ipconfig /all at the Windows Command Prompt on the FortiClient host. The output will also show the IP address that has been assigned to the host Network Interface Card (NIC). It is best to assign VIPs using DHCP over IPSec. The FortiGate dialup server can act as a DHCP server or relay requests to an external DHCP server. You can also configure VIPs manually on FortiClient applications, but it is more difficult to ensure that all clients use unique addresses. Note: If you assign a VIP on the private network behind the FortiGate unit and enable DHCP-IPsec (a phase 2 advanced option), the FortiGate unit acts as a proxy on the local private network for the FortiClient dialup client. Whenever a host on the network behind the dialup server issues an ARP request for the device MAC address of the FortiClient host, the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel. For more information, see “DHCP-IPSec” on page 145. Note: FortiGate units fully support RFC 3456, Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode. The FortiGate DHCP over IPSec feature can be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP server if a policy-based VPN is configured. DHCP over IPSec is not compatible with FortiGate route-based VPNs. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 57
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6: Contents Adding XAuth authenticatio
Page 7 and 8: Contents Defining IKE negotiation p
Page 9 and 10: Introduction About FortiGate IPSec
Page 11 and 12: Introduction About this document
Page 13 and 14: Introduction Fortinet documentation
Page 15 and 16: Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55: FortiClient dialup-client configura
Page 59 and 60: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108:
Transparent mode VPNs Configuration
Page 109 and 110:
Transparent mode VPNs Configure the
Page 111 and 112:
Manual-key configurations Configura
Page 113 and 114:
Manual-key configurations Specify t
Page 115 and 116:
IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?