FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

FortiGate dialup-client configuration steps FortiGate dialup-client configurations • Computers on the private network behind the FortiGate dialup client can obtain IP addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP server behind the FortiGate dialup server. • If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup server. • If the DHCP server resides on the network behind the FortiGate dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup client. In addition, the FortiGate dialup client routing table must contain a static route to the DHCP server (see the “Router Static” chapter of the FortiGate Administration Guide). FortiGate dialup-client configuration steps The procedures in this section assume that computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP addresses do not match the private network behind the FortiGate dialup server. Note: In situations where IP-address overlap between the local and remote private networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For more information, see “To configure DHCP relay on the FortiGate unit” on page 62. Configuring dialup client capability for FortiGate dialup clients involves the following general configuration steps: • Determine which IP addresses to assign to the private network behind the FortiGate dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup client. Refer to the software supplier’s documentation to configure the DHCP server. • Configure the FortiGate dialup server. See “Configure the server to accept FortiGate dialup-client connections” on page 75. • Configure the FortiGate dialup client. See “Configure the FortiGate dialup client” on page 76. FortiGate IPSec VPN Version 3.0 User Guide 74 01-30005-0065-20070716
FortiGate dialup-client configurations Configure the server to accept FortiGate dialup-client connections Configure the server to accept FortiGate dialup-client connections Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPSec phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client. 1 At the FortiGate dialup server, define the phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See “Auto Key phase 1 parameters” on page 127. Enter these settings in particular: Name Remote Gateway Local Interface Mode Peer Options Enable IPSec Interface Mode Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor. Select Dialup User. Select the interface through which clients connect to the FortiGate unit. If you will be assigning an ID to the FortiGate dialup client, select Aggressive. If you will be assigning an ID to the FortiGate dialup client, select Accept this peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field. You must select Advanced to see this setting. If IPSec Interface Mode is enabled, the FortiGate unit creates a virtual IPSec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. After you select OK to create the phase 1 configuration, you cannot change this setting. 2 Define the phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See “Phase 2 parameters” on page 143. Enter these settings in particular: Name Phase 1 Enter a name to identify this phase 2 configuration. Select the name of the phase 1 configuration that you defined. 3 Define names for the addresses or address ranges of the private networks that the VPN links. See “Defining firewall addresses” on page 149. Enter these settings in particular: • Define an address name for the server, host, or network behind the FortiGate dialup server. • Define an address name for the private network behind the FortiGate dialup client. 4 Define the firewall policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different firewall policies. For detailed information about creating firewall policies, see “Defining firewall policies” on page 150. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 75
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24: Gateway-to-gateway configurations C
Page 29 and 30: Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 73: FortiGate dialup-client configurati
Page 77 and 78: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 125 and 126:
IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128:
Auto Key phase 1 parameters Overvie
Page 129 and 130:
Auto Key phase 1 parameters Authent
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?