IPSec VPN: IPSec VPN concentrators
FortiGate-50A Installation and Configuration Guide, page 197
If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network.

If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.
• VPN concentrator (hub) general configuration steps
• Adding a VPN concentrator
• VPN spoke general configuration steps
VPN concentrator (hub) general configuration steps
A central FortiGate that is functioning as a hub requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for each spoke.
• Destination addresses for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.
To create a VPN concentrator configuration
1. Configure one of the following tunnels for each spoke:
• A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See “Manual key IPSec VPNs” on page 181.
• An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See “AutoIKE IPSec VPNs” on page 182.
2. Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “Adding a source address” on page 194.
3. Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See “Adding a VPN concentrator” on page 198.

Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.
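The three steps above, as an added example that is not part of the guide and is not Fortinet's code or CLI syntax: a small Python model of the hub's configuration that records, for each spoke, the tunnel, the destination address, and the encrypt policy, then groups the tunnels into the concentrator. It enforces two points the text makes: a manual key tunnel needs the spoke's IP address (so a dialup spoke must use AutoIKE), and the concentrator is added only after every spoke's tunnel exists. Spoke names, network ranges, the source address name `Internal_All` and all function names are constructed for illustration.

```python
"""Model of a FortiGate hub (VPN concentrator) configuration.

Constructed example; it is not Fortinet's code and does not reproduce FortiOS
CLI syntax. It records the pieces the guide requires on the hub for each spoke
(tunnel, destination address, encrypt policy, concentrator membership) and
checks their consistency. All names and addresses below are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass
class Spoke:
    name: str
    networks: List[str]             # address ranges behind the spoke's gateway
    peer_ip: Optional[str] = None   # static public IP, or None for a dialup spoke


@dataclass
class HubConfig:
    tunnels: Dict[str, dict] = field(default_factory=dict)        # tunnel name -> settings
    dest_addresses: Dict[str, str] = field(default_factory=dict)  # address name -> network
    encrypt_policies: List[dict] = field(default_factory=list)
    concentrator: List[str] = field(default_factory=list)         # grouped tunnel names


def add_spoke(cfg: HubConfig, spoke: Spoke, mode: str = "autoike") -> str:
    """Steps 1 and 2: add the tunnel and destination address(es) for one spoke,
    plus the encrypt policy that sends traffic for those addresses into the tunnel."""
    if mode == "manualkey" and spoke.peer_ip is None:
        # A manual key tunnel is defined by the spoke's IP address, so a
        # dialup spoke (address not known in advance) can only use AutoIKE.
        raise ValueError(f"{spoke.name}: manual key tunnel needs a static peer IP")
    tunnel = f"to_{spoke.name}"
    cfg.tunnels[tunnel] = {"spoke": spoke.name, "mode": mode,
                           "peer": spoke.peer_ip or "dialup"}
    for i, net in enumerate(spoke.networks):
        addr_name = f"{spoke.name}_net{i}"
        cfg.dest_addresses[addr_name] = str(ip_network(net, strict=False))
        # "Internal_All" is a constructed name for the hub's internal source address.
        cfg.encrypt_policies.append(
            {"src": "Internal_All", "dst": addr_name, "tunnel": tunnel})
    return tunnel


def add_concentrator(cfg: HubConfig, spokes: List[Spoke]) -> List[str]:
    """Step 3: group the spoke tunnels. Per the note in the guide this is done
    only after every spoke's tunnel exists, so refuse to proceed otherwise."""
    missing = [s.name for s in spokes if f"to_{s.name}" not in cfg.tunnels]
    if missing:
        raise ValueError(f"add tunnels for all spokes first; missing: {missing}")
    cfg.concentrator = sorted(cfg.tunnels)
    return cfg.concentrator


def validate(cfg: HubConfig) -> List[str]:
    """Return the problems found; an empty list means the hub config is complete."""
    problems = []
    for tunnel in cfg.tunnels:
        if tunnel not in cfg.concentrator:
            problems.append(f"{tunnel}: not a member of the concentrator")
        if not any(p["tunnel"] == tunnel for p in cfg.encrypt_policies):
            problems.append(f"{tunnel}: no encrypt policy uses it")
    for member in cfg.concentrator:
        if member not in cfg.tunnels:
            problems.append(f"concentrator member {member} has no tunnel")
    for p in cfg.encrypt_policies:
        if p["dst"] not in cfg.dest_addresses:
            problems.append(f"policy for {p['tunnel']}: unknown destination {p['dst']}")
    return problems


def build_hub(spokes: List[Spoke]) -> HubConfig:
    """Run the three steps in the order the guide gives them."""
    cfg = HubConfig()
    for s in spokes:
        add_spoke(cfg, s)
    add_concentrator(cfg, spokes)
    return cfg


if __name__ == "__main__":
    # Constructed topology: one static-address spoke and one dialup spoke.
    spokes = [Spoke("branch_a", ["192.168.10.0/24"], peer_ip="203.0.113.10"),
              Spoke("branch_b", ["192.168.20.0/24", "192.168.21.0/24"])]
    hub = build_hub(spokes)
    print("concentrator members:", hub.concentrator)
    print("problems:", validate(hub))
```

`validate` is the check to run before trusting the hub: a tunnel that exists but is not a concentrator member is exactly the state the note warns about (concentrator added before all spoke tunnels), and a tunnel with no encrypt policy carries no traffic.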