FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

FortiClient dialup-client configuration example FortiClient dialup-client configurations Name Phase 1 Advanced Enter a name for the phase 2 configuration (for example, FG1toDialupP2). Select the gateway that you defined previously (for example, FG1toDialupClients). Select DHCP-IPsec Enable. Define the IPSec firewall policy Firewall policies control all IP traffic passing between a source address and a destination address. An IPSec firewall policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Before you define the policy, you must first specify the IP source address. The IP source address corresponds to the private IP address of Server_1 behind the FortiGate unit (for example, 192.168.12.1/32). Because VIP addresses are assigned through FortiGate DHCP relay, you do not need to define a specific destination address. Instead, you will select the predefined destination address “all” in the IPSec firewall policy to refer to dialup clients. To define the private IP address of Server_1 behind FortiGate_1 1 Go to Firewall > Address. 2 Select Create New, enter the following information, and select OK: Address Name Subnet/IP Range Enter an address name (for example, Server_1). Enter the private IP address of the server (for example 192.168.12.1/32). To define the firewall policy 1 Go to Firewall > Policy. 2 Select Create New, enter the following information, and select OK: Source Interface/Zone Port 2. Source Address Name Server_1 Destination Interface/Zone Port 1 Destination Address Name all Schedule As required. Service As required. Action IPSEC VPN Tunnel FG1toDialupClients. Allow Inbound Enable Allow Outbound Enable if you want to allow hosts on the private network behind the FortiGate unit to initiate communications with the FortiClient users after the tunnel is established. Inbound NAT Enable 3 Place the policy in the policy list above any other policies having similar source and destination addresses. FortiGate IPSec VPN Version 3.0 User Guide 68 01-30005-0065-20070716
FortiClient dialup-client configurations FortiClient dialup-client configuration example Configure FortiGate_1 to assign VIPs In the example configuration, dialup clients obtain VIP addresses through a FortiGate DHCP server. Note: You may optionally configure the FortiGate unit to act as a DHCP relay instead. See “To configure DHCP relay on the FortiGate unit” on page 62. To configure a DHCP server on the FortiGate unit 1 Go to System > DHCP > Service. 2 Expand the row that corresponds to Port 1. 3 In the Servers row beneath the interface name, select the Add DHCP Server icon. 4 Select IPSec, enter the following information and select OK: Name Enter a name for the DHCP server, ClientVIPs for example. Enable Select Type Select IPSEC. IP Range 10.254.254.1 - 10.254.254.100 Network Mask 255.255.255.0 Default Gateway Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients. Configuring the FortiClient Host Security application The following procedure explains how to configure the FortiClient Host Security application to connect to FortiGate_1 and broadcast a DHCP request. The dialup client uses the VIP address acquired through FortiGate DHCP relay as its IP source address for the duration of the connection. To configure FortiClient 1 At the remote host, start FortiClient. 2 Go to VPN > Connections and select Add. 3 In the Connection Name field, type a descriptive name for the connection. 4 In the Remote Gateway field, type the public static IP address of the FortiGate unit. 5 In the Remote Network fields, type the private IP address and netmask of the server that FortiClient needs to access behind the FortiGate unit (for example, 192.168.12.1/255.255.255.255). 6 From the Authentication Method list, select Preshared Key. 7 In the Preshared Key field, type the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration. 8 Select Advanced. 9 In the Advanced Settings dialog box, select Acquire virtual IP address and then select Config. 10 Verify that the Dynamic Host Configuration Protocol (DHCP) over IPSec option is selected, and then select OK. 11 Select OK twice to close the dialog boxes. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 69
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18: Configuring IPSec VPNs General prep
Page 19 and 20: Gateway-to-gateway configurations C
Page 21 and 22: Gateway-to-gateway configurations G
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 67: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 119 and 120:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?