FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

FortiClient dialup-client configuration example FortiClient dialup-client configurations FortiClient dialup-client configuration example This example demonstrates how to set up a FortiClient dialup-client IPSec VPN that uses preshared keys for authentication purposes. In the example configuration, the DHCP over IPSec feature is enabled in the FortiClient Host Security application so that the FortiClient Host Security application can acquire a VIP address through FortiGate DHCP relay. Figure 12: Example FortiClient dialup-client configuration Server_1 192.168.12.1 FortiGate_1 Port 2 Internet Dialup_1 VIP address 10.254.254.100 Port 1 172.16.10.1 Dialup_2 VIP address 10.254.254.101 Configuring FortiGate_1 In the example configuration: • VIP addresses that are not commonly used (in this case, 10.254.254.0/24) are assigned to the FortiClient dialup clients using a DHCP server. • The dialup clients are provided access to Server_1 at IP address 192.168.12.1 behind FortiGate_1. • The other network devices are assigned IP addresses as shown in Figure 12. • NAT is enabled in the firewall policy to translate the source IP addresses of the decrypted inbound packets to the IP address of the FortiGate interface to the private network. When a FortiGate unit receives a connection request from a dialup client, it uses IPSec phase 1 parameters to establish a secure connection and authenticate the client. Then, if the firewall policy permits the connection, the FortiGate unit establishes the tunnel using IPSec phase 2 parameters and applies the IPSec firewall policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol. To support these functions, the following general configuration steps must be performed at the FortiGate unit: • Define the phase 1 parameters that the FortiGate unit needs to authenticate the dialup clients and establish a secure connection. See “Define the phase 1 parameters” on page 67. • Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel and enable all dialup clients having VIP addresses on the 10.254.254.0/24 network to connect using the same tunnel definition. See “Define the phase 2 parameters” on page 67. FortiGate IPSec VPN Version 3.0 User Guide 66 01-30005-0065-20070716
FortiClient dialup-client configurations FortiClient dialup-client configuration example • Create an IPSec firewall policy to control the permitted services and permitted direction of traffic between the IP source address and the dialup clients. A single policy controls both inbound and outbound IP traffic through the VPN tunnel. See “Define the IPSec firewall policy” on page 68. • Configure the FortiGate unit to relay DHCP requests from dialup clients to the DHCP server. See “Configure FortiGate_1 to assign VIPs” on page 69. Define the phase 1 parameters The phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate dialup clients and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate dialup clients. The same preshared key must be specified when you configure the FortiClient Host Security application on each remote host. Before you define the phase 1 parameters, you need to: • Reserve a name for the phase 1 configuration. • Reserve a unique value for the preshared key. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. To define the phase 1 parameters 1 Go to VPN > IPSEC > Auto Key. 2 Select Create Phase 1, enter the following information, and select OK: Name Enter a name to identify the VPN tunnel (for example, FG1toDialupClients). Remote Gateway Dialup User Local Interface Port 1 Mode Main Authentication Method Preshared Key Pre-shared Key Enter the preshared key. Peer Options Accept any peer ID Advanced Enable IPSec Disable Interface Mode Define the phase 2 parameters The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. To define the phase 2 parameters 1 Go to VPN > IPSEC > Auto Key and select Create Phase 2. 2 Select Advanced, enter the following information, and select OK: FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 67
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16: Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 65: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?