172
Fortinet Inc.
IPSec VPN concentrators
IPSec VPN
To create a VPN concentrator configuration:

1. Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.
   • A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See “Manual key IPSec VPNs” on page 155.
   • An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See “AutoIKE IPSec VPNs” on page 157.

2. Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “Adding a source address” on page 169.

3. Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See “Adding a VPN concentrator” on page 173.

   Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.

4. Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies:

   Source          Internal_All
   Destination     The VPN spoke address.
   Action          ENCRYPT
   VPN Tunnel      The VPN spoke tunnel name.
   Allow inbound   Select allow inbound.
   Allow outbound  Select allow outbound.
   Inbound NAT     Select inbound NAT if required.
   Outbound NAT    Select outbound NAT if required.

   See “Adding an encrypt policy” on page 169.

5. Arrange the policies in the following order:
   • encrypt policies
   • default non-encrypt policy (Internal_All -> External_All)

   Policies are matched from the top of the list down and the first match is used, so a default non-encrypt policy placed above the encrypt policies would match traffic destined for a spoke first and forward it unencrypted instead of through the tunnel.
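The following script is an added example, not text or configuration from the Fortinet guide and not FortiGate configuration syntax. It models the encrypt policy table of step 4 and the ordering rule of step 5 in Python, evaluates the policy list top-down with first-match semantics, and reports every spoke whose traffic would miss its encrypt policy. The spoke names, address object names and tunnel names are constructed for the example.

```python
"""Simplified model of a hub-and-spoke (concentrator) policy table.

Added example: not FortiGate configuration syntax. Policies are evaluated
top-down and the first match wins, which is why the default non-encrypt
policy must sit below every encrypt policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Spoke:
    name: str     # spoke name from the phase 1 / manual key configuration (step 1)
    address: str  # destination address object added for the spoke (step 2)
    tunnel: str   # tunnel name from phase 2 / manual key configuration (step 1)


@dataclass(frozen=True)
class Policy:
    source: str
    destination: str
    action: str                      # "ENCRYPT" or "ACCEPT"
    vpn_tunnel: Optional[str] = None
    allow_inbound: bool = False
    allow_outbound: bool = False
    inbound_nat: bool = False
    outbound_nat: bool = False


ANY_EXTERNAL = "External_All"  # address object that matches every external destination


def encrypt_policy(spoke: Spoke) -> Policy:
    """Encrypt policy for one spoke, filled in as the step 4 table requires."""
    return Policy(source="Internal_All", destination=spoke.address,
                  action="ENCRYPT", vpn_tunnel=spoke.tunnel,
                  allow_inbound=True, allow_outbound=True)


DEFAULT_POLICY = Policy(source="Internal_All", destination=ANY_EXTERNAL, action="ACCEPT")


def build_policy_table(spokes: Sequence[Spoke]) -> List[Policy]:
    """Step 5 ordering: one encrypt policy per spoke, then the default non-encrypt policy."""
    return [encrypt_policy(s) for s in spokes] + [DEFAULT_POLICY]


def first_match(policies: Sequence[Policy], source: str, destination: str) -> Optional[Policy]:
    """Top-down evaluation; External_All matches any destination."""
    for p in policies:
        if p.source == source and p.destination in (destination, ANY_EXTERNAL):
            return p
    return None


def audit_concentrator(policies: Sequence[Policy], spokes: Sequence[Spoke]) -> List[str]:
    """One finding per spoke whose traffic would not be encrypted into its own tunnel."""
    findings = []
    for s in spokes:
        p = first_match(policies, "Internal_All", s.address)
        if p is None:
            findings.append(f"{s.name}: no policy matches Internal_All -> {s.address}")
        elif p.action != "ENCRYPT":
            findings.append(f"{s.name}: first match is {p.action} "
                            f"({p.source} -> {p.destination}); traffic leaves in the clear")
        elif p.vpn_tunnel != s.tunnel:
            findings.append(f"{s.name}: encrypt policy uses tunnel {p.vpn_tunnel!r}, "
                            f"expected {s.tunnel!r}")
        elif not (p.allow_inbound and p.allow_outbound):
            findings.append(f"{s.name}: allow inbound and allow outbound are not both selected")
    return findings


# Constructed sample: one gateway spoke with a static address and one dialup client spoke.
SPOKES = (
    Spoke("branch_gw", "Branch_Net", "to_branch"),
    Spoke("roaming_client", "Client_1", "to_client1"),
)


def misordered_table(spokes: Sequence[Spoke]) -> List[Policy]:
    """The same policies with the default non-encrypt policy placed first."""
    return [DEFAULT_POLICY] + [encrypt_policy(s) for s in spokes]


if __name__ == "__main__":
    print("correct order:", audit_concentrator(build_policy_table(SPOKES), SPOKES))
    for finding in audit_concentrator(misordered_table(SPOKES), SPOKES):
        print("misordered:", finding)
```

Running the script prints an empty finding list for the correctly ordered table and one finding per spoke for the misordered one, since the default Internal_All -> External_All policy matches the spoke addresses before their encrypt policies are reached.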