FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Routing all remote traffic through the VPN tunnel Internet-browsing configuration Configuring a FortiGate remote peer to support Internet browsing The configuration changes to send all traffic through the VPN differ for policybased and route-based VPNs. To route all traffic through a policy-based VPN 1 At the FortiGate dialup client, go to Firewall > Policy. 2 Select the Edit icon in the row that corresponds to the IPSec firewall policy. 3 From the Address Name list under Destination, select all. 4 Select OK. All packets are routed through the VPN tunnel, not just packets destined for the protected private network. To route all traffic through a route-based VPN 1 At the FortiGate dialup client, go to Router > Static. 2 Select the Edit icon for the default route (destination IP 0.0.0.0). If there is no default route, select Create New. Enter the following information and select OK: Destination IP/Mask 0.0.0.0/0.0.0.0 Device Select the IPSec virtual interface. Gateway Enter the remote gateway IP address for the VPN. Distance Leave at default. All packets are routed through the VPN tunnel, not just packets destined for the protected private network. Configuring a FortiClient application to support Internet browsing By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN. To route all traffic through VPN - FortiClient application 1 At the remote host, start FortiClient. 2 Go to VPN > Connections. 3 Select the definition that connects FortiClient to the FortiGate dialup server. 4 Select Advanced and then select Edit. 5 In the Edit Connection dialog box, select Advanced. 6 In the Remote Network group, select Add. 7 In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK. The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel. 8 Select OK twice to close the dialog boxes. FortiGate IPSec VPN Version 3.0 User Guide 82 01-30005-0065-20070716
Redundant VPN configurations Configuration overview Redundant VPN configurations This section discusses the options for supporting redundant and partially redundant IPSec VPNs, using route-based approaches. The following topics are included in this section: • Configuration overview • General configuration steps • Configure the VPN peers - route-based VPN • Redundant route-based VPN configuration example • Partially-redundant route-based VPN example • Creating a backup IPSec interface Configuration overview A FortiGate unit with two interfaces to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection. A fully-redundant configuration requires redundant connections to the Internet on both peers. Figure 16 on page 84 shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses. When only one peer has redundant connections, the configuration is partiallyredundant. For an example of this, see “Partially-redundant route-based VPN example” on page 98. This is useful for to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPSec VPN clients. In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet. You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used. The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPSec interfaces. This means that the FortiGate unit must operate in NAT/Route mode. You must use auto-keying. A VPN that is created using manual keys (see “Manual-key configurations” on page 111) cannot be included in a redundant-tunnel configuration. FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 83
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32: Gateway-to-gateway configurations H
Page 33 and 34: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81: Internet-browsing configuration Rou
Page 85 and 86: Redundant VPN configurations Config
Page 87 and 88: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 131 and 132: Auto Key phase 1 parameters Authent
Page 133 and 134:
Auto Key phase 1 parameters Authent
Page 135 and 136:
Auto Key phase 1 parameters Authent
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

Create successful ePaper yourself

Delete template?

Save as template?