Fortinet Fortigate-5000 series - VPN IPSEC; Overview of IPSec interface mode
FortiGate Version 3.0 MR4 Administration Guide (document 01-30004-0203-20070102), page 285
VPN IPSEC
This section provides information about policy-based (tunnel-mode) and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager. FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, you can specify manual keys. Interface mode is supported in NAT/Route mode only. It creates a virtual interface for the local end of a VPN tunnel.
The following topics are included in this section:
Overview of IPSec interface mode
Auto Key
Manual Key
Concentrator
Monitor
Overview of IPSec interface mode
When you define a route-based (interface mode) IPSec tunnel, a virtual IPSec interface is created automatically. Regardless of whether you choose to have IKE keys generated automatically or you specify the keys manually, the virtual IPSec interface is created as a subinterface to the local FortiGate physical, aggregate, or VLAN interface that you select when you define IPSec phase 1 parameters.
An IPSec virtual interface is considered to be up when it can establish a phase 1 connection with a VPN peer or client. However, the virtual IPSec interface cannot be used to send traffic through a tunnel until it is bound to a phase 2 definition.
Virtual IPSec interface bindings are shown on the System > Network > Interface page. The names of all tunnels bound to physical interfaces are displayed under their associated physical interface names in the Name column. For more information about the Interface page, see “Interface” on page 69.
After an IPSec virtual interface has been bound to a tunnel, traffic can be routed to the interface using specific metrics for both static routes and policy routes. In addition, you can create a firewall policy having the virtual IPSec interface as the source or destination interface.
Note: You can bind a virtual IPSec interface to a zone.
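The overview above describes three things an interface-mode tunnel needs before it carries traffic: a phase 1 that names the parent interface, a phase 2 bound to that phase 1, and a route plus a firewall policy that reference the virtual interface. The following audit script is an added example, not Fortinet's code and not part of the guide. It parses a FortiOS-style text configuration (the config/edit/set/next/end layout used by the CLI) and reports, for every phase1-interface entry, which of those pieces is missing. The sample configuration is constructed for the example; the section names `vpn ipsec phase1-interface`, `vpn ipsec phase2-interface`, `router static`, `router policy` and `firewall policy`, and the keys `interface`, `phase1name`, `device`, `output-device`, `srcintf` and `dstintf`, are assumed to match what a unit of this vintage would show in a backed-up config.

```python
import shlex

# Constructed sample in FortiOS CLI layout (not taken from a real unit).
# "to_branch" is fully wired up; "to_partner" has a phase 1 only, so its
# virtual interface may come up but can never carry traffic.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC placeholder
    next
    edit "to_partner"
        set interface "wan1"
        set remote-gw 198.51.100.20
        set psksecret ENC placeholder
    next
end
config vpn ipsec phase2-interface
    edit "to_branch_p2"
        set phase1name "to_branch"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
config router static
    edit 1
        set device "to_branch"
        set dst 10.2.0.0 255.255.0.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "to_branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts.

    Result shape: {"<section>": {"<entry>": {"<key>": [values...]}}}.
    Nested "config" blocks inside an "edit" simply become sub-dicts.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours quoted names
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_interface_tunnels(cfg):
    """Return {tunnel_name: [problems]} for each phase1-interface entry."""
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2 = cfg.get("vpn ipsec phase2-interface", {})

    # Phase 2 entries bind to a phase 1 by name; without one, no traffic flows.
    bound = {p2.get("phase1name", [None])[0] for p2 in phase2.values()}

    # Static routes name the tunnel in "device"; policy routes in "output-device".
    routed = {r.get("device", [None])[0]
              for r in cfg.get("router static", {}).values()}
    routed |= {r.get("output-device", [None])[0]
               for r in cfg.get("router policy", {}).values()}

    # A policy may use the virtual interface as source or destination.
    policed = set()
    for pol in cfg.get("firewall policy", {}).values():
        policed.update(pol.get("srcintf", []))
        policed.update(pol.get("dstintf", []))

    report = {}
    for name, p1 in phase1.items():
        issues = []
        if "interface" not in p1:
            issues.append("no parent physical/aggregate/VLAN interface selected")
        if name not in bound:
            issues.append("no phase 2 binds this interface; it cannot carry traffic")
        if name not in routed:
            issues.append("no static or policy route sends traffic to this interface")
        if name not in policed:
            issues.append("no firewall policy uses this interface as source or destination")
        report[name] = issues
    return report


if __name__ == "__main__":
    for tunnel, problems in audit_interface_tunnels(parse_fortios(SAMPLE_CONFIG)).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{tunnel}: {status}")
```

Run against a config backup, the report flags tunnels whose virtual interface shows as up on the Interface page but that will never pass traffic, which is usually a forgotten phase 2 or a policy still pointing at the physical interface instead of the tunnel.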