290
01-28006-0092-20041105
Fortinet Inc.
Configuring IPSec virtual IP addresses
VPN
Configure the two FortiGate units with symmetrical settings for their connections to the
Internet. For example, if the remote FortiGate unit has two external interfaces grouped
in one zone, then the local FortiGate unit should also have two external interfaces grouped
in one zone. Similarly, if the remote FortiGate unit has two external interfaces in separate
zones, then the local FortiGate unit should have two external interfaces in separate
zones.
The configuration is simpler if all external interfaces are grouped in one zone, rather
than multiple zones. However, this might not always be possible because of security
considerations or other reasons.
After you define the Internet connections for both FortiGate units, you can configure
the VPN tunnel.
To configure a redundant IPSec VPN
1 Add the phase 1 parameters for up to three VPN connections.
  Enter identical values for each VPN connection, with the exception of the Gateway
  Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a
  static IP address. See “Phase 1” on page 248.
2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.
  • If the Internet connections are in the same zone, add one VPN tunnel and add the
    remote gateways to it. You can add up to three remote gateways.
  • If the Internet connections are in separate zones or assigned to unique interfaces,
    add a VPN tunnel for each remote gateway entered.
  See “Phase 2” on page 252.
3 Add the source and destination addresses. See “To add an address” on page 202.
4 Add encrypt policies for up to three VPN connections.
  • If the VPN connections are in the same zone, add one outgoing encrypt policy.
    Add the AutoIKE key tunnel to this policy.
  • If the VPN connections are in different zones, add a separate outgoing encrypt
    policy for each connection. The source and destination of both policies must be the
    same. Add a different AutoIKE key tunnel to each policy.
  See “To add a firewall policy” on page 198.
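The four steps above amount to a set of consistency rules (symmetrical zoning on both units, one to three phase 1 entries that differ only in gateway name and static peer IP, one tunnel and one encrypt policy when all Internet connections share a zone, otherwise one tunnel and one policy per remote gateway with matching source and destination). The following script is an added example, not FortiGate code or a FortiGate CLI, that checks a planned redundant VPN against those rules before it is typed into the two units; the Unit/Phase1 data model, zone and tunnel names, and all addresses are assumptions constructed for illustration.

```python
# Added example (not FortiGate code): validates a planned redundant IPSec VPN
# against the rules of the procedure. Data model and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple

MAX_CONNECTIONS = 3   # the procedure allows up to three VPN connections


@dataclass
class Phase1:
    gateway_name: str        # must be unique per connection
    remote_gw: str           # remote peer; must be a static IP address
    params: Dict[str, str]   # every other phase 1 setting; must be identical


@dataclass
class Unit:
    name: str
    zones: Dict[str, List[str]]      # zone -> external interfaces in it
    phase1: List[Phase1]
    tunnels: Dict[str, List[str]]    # tunnel (phase 2) -> remote gateway names
    policies: List[Dict[str, str]]   # outgoing encrypt policies: src, dst, tunnel


def external_layout(unit: Unit) -> List[int]:
    """Interface count per zone, sorted, so two units can be compared."""
    return sorted(len(ifs) for ifs in unit.zones.values())


def check_symmetry(local: Unit, remote: Unit) -> List[str]:
    """Both ends must group their external interfaces the same way."""
    if external_layout(local) != external_layout(remote):
        return [f"{local.name}/{remote.name}: external interface zoning differs: "
                f"{external_layout(local)} vs {external_layout(remote)}"]
    return []


def check_phase1(unit: Unit) -> List[str]:
    """Step 1: 1..3 connections, static peer IPs, identical settings apart
    from gateway name and IP address."""
    if not 1 <= len(unit.phase1) <= MAX_CONNECTIONS:
        return [f"{unit.name}: {len(unit.phase1)} phase 1 entries (expected 1 to {MAX_CONNECTIONS})"]
    problems = []
    names = [p.gateway_name for p in unit.phase1]
    addrs = [p.remote_gw for p in unit.phase1]
    if len(set(names)) != len(names):
        problems.append(f"{unit.name}: duplicate gateway names {names}")
    if len(set(addrs)) != len(addrs):
        problems.append(f"{unit.name}: duplicate remote gateway addresses {addrs}")
    for p in unit.phase1:
        try:
            ip_address(p.remote_gw)          # a hostname or dynamic peer fails here
        except ValueError:
            problems.append(f"{unit.name}: remote gateway {p.gateway_name!r} is not a static IP address: {p.remote_gw!r}")
        if p.params != unit.phase1[0].params:
            problems.append(f"{unit.name}: phase 1 settings of {p.gateway_name!r} differ from the first entry")
    return problems


def check_phase2_and_policies(unit: Unit) -> List[str]:
    """Steps 2 and 4: one tunnel and one policy for a single zone; otherwise
    one tunnel and one policy per gateway, policies sharing src/dst and each
    naming a different tunnel."""
    problems = []
    gateways = sorted(p.gateway_name for p in unit.phase1)
    carried = sorted(gw for gws in unit.tunnels.values() for gw in gws)
    if carried != gateways:
        problems.append(f"{unit.name}: tunnels carry {carried}, phase 1 defines {gateways}")
    if len(unit.zones) == 1:
        if len(unit.tunnels) != 1 or len(unit.policies) != 1:
            problems.append(f"{unit.name}: single zone needs exactly one tunnel and one encrypt policy")
    else:
        if any(len(gws) != 1 for gws in unit.tunnels.values()):
            problems.append(f"{unit.name}: each tunnel must carry exactly one remote gateway")
        if len(unit.policies) != len(unit.tunnels):
            problems.append(f"{unit.name}: expected one encrypt policy per tunnel")
        if len({(p["src"], p["dst"]) for p in unit.policies}) > 1:
            problems.append(f"{unit.name}: encrypt policies must share the same source and destination")
    used = [p["tunnel"] for p in unit.policies]
    if len(set(used)) != len(used):
        problems.append(f"{unit.name}: the same tunnel is used by more than one policy")
    problems += [f"{unit.name}: policy references unknown tunnel {t!r}" for t in used if t not in unit.tunnels]
    return problems


def validate(local: Unit, remote: Unit) -> List[str]:
    """Run every check; an empty list means the plan follows the procedure."""
    problems = check_symmetry(local, remote)
    for unit in (local, remote):
        problems += check_phase1(unit) + check_phase2_and_policies(unit)
    return problems


def sample_pair() -> Tuple[Unit, Unit]:
    """Constructed two-zone plan: two Internet links per unit, one tunnel and
    one policy per remote gateway (documentation-range addresses)."""
    common = {"mode": "main", "dh_group": "5", "keylife": "28800"}
    local = Unit("FGT-A", {"isp1": ["external"], "isp2": ["dmz"]},
                 [Phase1("to_B_link1", "203.0.113.10", common), Phase1("to_B_link2", "198.51.100.10", common)],
                 {"tun_link1": ["to_B_link1"], "tun_link2": ["to_B_link2"]},
                 [{"src": "lan_A", "dst": "lan_B", "tunnel": "tun_link1"},
                  {"src": "lan_A", "dst": "lan_B", "tunnel": "tun_link2"}])
    remote = Unit("FGT-B", {"isp1": ["external"], "isp2": ["dmz"]},
                  [Phase1("to_A_link1", "192.0.2.10", common), Phase1("to_A_link2", "192.0.2.20", common)],
                  {"tun_link1": ["to_A_link1"], "tun_link2": ["to_A_link2"]},
                  [{"src": "lan_B", "dst": "lan_A", "tunnel": "tun_link1"},
                   {"src": "lan_B", "dst": "lan_A", "tunnel": "tun_link2"}])
    return local, remote


if __name__ == "__main__":
    for line in validate(*sample_pair()) or ["plan follows the procedure"]:
        print(line)
```

The checker deliberately treats a hostname or dynamic peer address as an error, because the procedure requires every Remote Gateway to be a static IP address; a unit that groups all external interfaces in one zone passes only when it carries all remote gateways in a single tunnel referenced by a single outgoing encrypt policy.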
Configuring IPSec virtual IP addresses
Use the FortiGate unit’s IPSec VIP feature to enable hosts on physically different
networks to communicate with each other as if they were connected to the same
private network. This feature can be configured manually through CLI commands.
When the destination IP address in a local ARP request matches an entry in the
FortiGate unit’s virtual IP (VIP) table, the FortiGate unit responds with its own MAC
address and then forwards the traffic through the VPN tunnel to the correct destination
at the other end.