FortiGate IPSec VPN User Guide - FirewallShop.com
Configuration overview

FortiGate dialup-client configurations

Several different ways to authenticate dialup clients and restrict access to private networks based on client credentials are available. To authenticate FortiGate dialup clients and help to distinguish them from FortiClient dialup clients when multiple clients will be connecting to the VPN through the same tunnel, we recommend that you assign a unique identifier (local ID) to each FortiGate dialup client. For more information, see "Authenticating remote peers and clients" on page 131.

Note: Whenever you add a unique identifier (local ID) to a FortiGate dialup client for identification purposes, you must select Aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server. For more information, see "Enabling VPN access using user accounts and pre-shared keys" on page 135.

Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate dialup client does not have a static IP address. After the tunnel is initiated by users behind the FortiGate dialup client, traffic from the private network behind the FortiGate dialup server can be sent to the private network behind the FortiGate dialup client.

Encrypted packets from the FortiGate dialup client are addressed to the public interface of the dialup server. Encrypted packets from the dialup server are addressed either to the public IP address of the FortiGate dialup client (if the dialup client connects to the Internet directly) or, if the FortiGate dialup client is behind a NAT device, to the public IP address of the NAT device.

Note: If a router with NAT capabilities is in front of the FortiGate dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see "NAT traversal" on page 140.

When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the source address in the IP header may be one of the following values, depending on the configuration of the network at the far end of the tunnel:

• If the FortiGate dialup client connects to the Internet directly, the source address will be the private IP address of a host or server on the network behind the FortiGate dialup client.

• If the FortiGate dialup client is behind a NAT device, the source address will be the public IP address of the NAT device.

In some cases, computers on the private network behind the FortiGate dialup client may (by coincidence) have IP addresses that are already used by computers on the network behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables, and traffic destined for the remote network through the tunnel may not be sent.

In many cases, computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server behind the FortiGate dialup client. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and/or IP-address overlap issues may arise.
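As an added example (not code from the guide or from Fortinet), the following Python script performs two checks that follow from the passage above: it flags overlapping address spaces between the networks behind the dialup server and the dialup client before the tunnel is deployed, and it classifies the inner source address of a decrypted packet according to the two cases the guide lists (direct connection versus a NAT device in front of the client). The subnets and the NAT router address are constructed sample values.

```python
import ipaddress

# Constructed sample topology (not from the guide): subnets behind the
# FortiGate dialup server and behind the FortiGate dialup client.
SERVER_LANS = ["192.168.1.0/24", "10.10.0.0/16"]
CLIENT_LANS = ["192.168.1.0/24", "172.16.5.0/24"]  # first entry collides
# Hypothetical public address of a NAT router in front of the dialup client.
CLIENT_NAT_PUBLIC_IP = "203.0.113.7"


def find_overlaps(local_subnets, remote_subnets):
    """Return (local, remote) subnet pairs whose address ranges overlap.

    Every pair returned is a candidate for the ambiguous-routing problem the
    guide describes: the same addresses exist on both sides of the tunnel.
    """
    local = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    remote = [ipaddress.ip_network(s, strict=False) for s in remote_subnets]
    return [
        (str(l), str(r))
        for l in local
        for r in remote
        if l.version == r.version and l.overlaps(r)
    ]


def classify_decrypted_source(src_ip, client_subnets, nat_public_ip=None):
    """Classify the inner source address of a packet decrypted on the server.

    "direct"     - a private host behind a client that reaches the Internet directly
    "behind-nat" - the public address of the NAT device in front of the client
    "unexpected" - neither of the two cases the guide lists; worth logging
    """
    src = ipaddress.ip_address(src_ip)
    if nat_public_ip is not None and src == ipaddress.ip_address(nat_public_ip):
        return "behind-nat"
    if any(src in ipaddress.ip_network(s, strict=False) for s in client_subnets):
        return "direct"
    return "unexpected"


if __name__ == "__main__":
    for local, remote in find_overlaps(SERVER_LANS, CLIENT_LANS):
        print(f"address overlap: server side {local} vs client side {remote}")
    for ip in ("172.16.5.20", CLIENT_NAT_PUBLIC_IP, "198.51.100.9"):
        print(ip, "->", classify_decrypted_source(ip, CLIENT_LANS, CLIENT_NAT_PUBLIC_IP))
```

Run it against the real subnet lists of both sites; any pair reported by find_overlaps should be renumbered or NATed before the dialup configuration goes live.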
FortiGate IPSec VPN Version 3.0 User Guide
72 01-30005-0065-20070716