FortiGate IPSec VPN User Guide - FirewallShop.com

More documents

Recommendations

Info

Configure the VPN peers - route-based VPN Redundant VPN configurations Path 4 Remote Gateway IP Address Select Static IP Address. Type the IP address of the secondary interface of the remote peer. Local Interface Select the secondary public interface of this peer. Enable IPSec Interface Mode Enable Dead Peer Detection Enable Other settings as required by VPN. For more information, see “Auto Key phase 1 parameters” on page 127. 3 Create a phase 2 definition for each path. See “Phase 2 parameters” on page 143. Enter these settings in particular: Phase 1 Select the phase 1 configuration (virtual IPSec interface) that you defined for this path. You can select the name from the Static IP Address part of the list. 4 Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices. Destination IP/Mask Device Distance The IP address and netmask of the private network behind the remote peer. One of the virtual IPSec interfaces on the local peer. For each path, enter a different value to prioritize the paths. 5 Define the firewall policy for the local primary interface. See “Defining firewall policies” on page 150. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular: Source Interface/Zone Source Address Name Destination Interface/Zone Destination Address Name Schedule Service Action Source Interface/Zone Source Address Name Destination Interface/Zone Destination Address Name Schedule Service Action Select the local interface to the internal (private) network All Select one of the virtual IPSec interfaces you created in Step 2. All Always Any ACCEPT Select one of the virtual IPSec interfaces you created in Step 2. All Select the local interface to the internal (private) network. All Always Any ACCEPT 6 Place the policy in the policy list above any other policies having similar source and destination addresses. 7 Repeat this procedure at the remote FortiGate unit. FortiGate IPSec VPN Version 3.0 User Guide 86 01-30005-0065-20070716
Redundant VPN configurations Redundant route-based VPN configuration example Redundant route-based VPN configuration example This example demonstrates a fully redundant site-to-site VPN configuration using route-based VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet through different ISPs. This means that there are four possible paths for communication between the two units. In this example, these paths, listed in descending priority, are: • FortiGate_1 WAN 1 to FortiGate_2 WAN 1 • FortiGate_1 WAN 1 to FortiGate_2 WAN 2 • FortiGate_1 WAN 2 to FortiGate_2 WAN 1 • FortiGate_1 WAN 2 to FortiGate_2 WAN 2 Figure 17: Example redundant route-based VPN configuration WAN2 172.16.20.2 WAN1 10.10.10.2 FortiGate_1 Finance Network 192.168.12.0/24 Internet FortiGate_2 WAN1 10.10.20.2 WAN2 172.16.30.2 HR Network 192.168.22.0/24 Configuring FortiGate_1 For each path, VPN configuration, firewall policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used. You must • configure the interfaces involved in the VPN • define the phase 1 configuration for each of the four possible paths, creating a virtual IPSec interface for each one FortiGate IPSec VPN Version 3.0 User Guide 01-30005-0065-20070716 87
Page 1 and 2:
USER GUIDE FortiGate IPSec VPN Vers
Page 3 and 4:
Contents Contents Introduction ....
Page 5 and 6:
Contents Adding XAuth authenticatio
Page 7 and 8:
Contents Defining IKE negotiation p
Page 9 and 10:
Introduction About FortiGate IPSec
Page 11 and 12:
Introduction About this document
Page 13 and 14:
Introduction Fortinet documentation
Page 15 and 16:
Configuring IPSec VPNs IPSec VPN ov
Page 17 and 18:
Configuring IPSec VPNs General prep
Page 19 and 20:
Gateway-to-gateway configurations C
Page 21 and 22:
Gateway-to-gateway configurations G
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Gateway-to-gateway configurations H
Page 31 and 32:
Gateway-to-gateway configurations H
Page 33 and 34:
Hub-and-spoke configurations Config
Page 35 and 36: Hub-and-spoke configurations Config
Page 43 and 44: Hub-and-spoke configurations Dynami
Page 49 and 50: Dynamic DNS configurations Configur
Page 55 and 56: FortiClient dialup-client configura
Page 71 and 72: FortiGate dialup-client configurati
Page 79 and 80: Internet-browsing configuration Con
Page 81 and 82: Internet-browsing configuration Rou
Page 83 and 84: Redundant VPN configurations Config
Page 85: Redundant VPN configurations Config
Page 89 and 90: Redundant VPN configurations Redund
Page 99 and 100: Redundant VPN configurations Partia
Page 105 and 106: Transparent mode VPNs Configuration
Page 107 and 108: Transparent mode VPNs Configuration
Page 109 and 110: Transparent mode VPNs Configure the
Page 111 and 112: Manual-key configurations Configura
Page 113 and 114: Manual-key configurations Specify t
Page 115 and 116: IPv6 IPSec VPNs Overview of IPv6 IP
Page 117 and 118: IPv6 IPSec VPNs Site-to-site IPv6 o
Page 127 and 128: Auto Key phase 1 parameters Overvie
Page 129 and 130: Auto Key phase 1 parameters Authent
Page 137 and 138:
Auto Key phase 1 parameters Definin
Page 139 and 140:
Auto Key phase 1 parameters Definin
Page 141 and 142:
Auto Key phase 1 parameters Using X
Page 143 and 144:
Phase 2 parameters Basic phase 2 se
Page 145:
Phase 2 parameters Advanced phase 2
Page 148 and 149:
Configure the phase 2 parameters Ph
Page 150 and 151:
Defining firewall policies Defining
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Monitoring VPN connections Monitori
Page 158 and 159:
Logging VPN events Monitoring and t
Page 160 and 161:
VPN troubleshooting tips Monitoring
Page 162 and 163:
Index Encryption Algorithm, Manual
Page 164 and 165:
Index remote peer authenticating wi
Page 166:
www.fortinet.com
show all

FortiGate IPSec VPN User Guide - FirewallShop.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?