FortiGate Version 3.0 MR4 Administration Guide
286 01-30004-0203-20070102
Overview of IPSec interface mode VPN
You can create the equivalent of a tunnel-mode concentrator in any of the
following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. For dialup, the same interface can be both source and
destination. This can become tedious if you have many site-to-site
connections.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone
policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must
be more than one IPSec interface.
For more information and an example, see the FortiGate IPSec VPN User Guide.
When IP traffic that originates from behind a local FortiGate unit reaches an
outbound FortiGate interface that acts as the local end of an IPSec tunnel (that is,
IPSec interface mode is enabled on the interface), the traffic is encapsulated by
the tunnel and forwarded through the physical interface to which the IPSec virtual
interface is bound. When encapsulated traffic from a remote VPN peer or client
reaches a local FortiGate physical interface, the FortiGate unit determines if an
IPSec virtual interface is associated with the physical interface through selectors
in the traffic. If the traffic matches predefined selectors, it is decapsulated and
forwarded to the IPSec virtual interface.
In the outbound direction, the FortiGate unit performs a route lookup to find the
interface through which it must forward traffic to reach the next hop router. If the
FortiGate unit finds a route through a virtual interface that is bound to a specific
VPN tunnel, the traffic is encrypted and sent through the VPN tunnel. In the
inbound direction, the FortiGate unit identifies a VPN tunnel using the destination
IP address and the Security Parameter Index (SPI) in the ESP datagram to match
a phase 2 Security Association (SA). If a matching SA is found, the datagram is
decrypted and the associated IP traffic is redirected through the IPSec virtual
interface.
The firewall policy associated with a specific path is responsible for controlling all
IP traffic passing between the source and destination addresses. If required, you
can configure more than one firewall policy to regulate the flow of traffic going into
and/or emerging from a route-based VPN tunnel. Two firewall policies are needed
to support bidirectional traffic through a route-based IPSec tunnel: one to control
traffic in the outbound direction, and the other to control traffic in the inbound
direction.
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy.
You can configure a route for the same IP traffic using different route metrics. You
can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing
information through VPN tunnels. If the primary VPN connection fails or the
priority of a route changes through dynamic routing, an alternative route will be
selected to forward traffic using the redundant connection.
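A constructed FortiOS CLI configuration tying the three points above together: both tunnel interfaces in one zone so a single policy pair suffices, two static routes to the same destination that differ only in distance for tunnel redundancy, and one firewall policy per direction. This is an added illustration, not text from the guide; it assumes phase 1 and phase 2 interface-mode definitions named "to_branch_primary" (on wan1) and "to_branch_backup" (on wan2) already exist, and every name and address is a placeholder.

```text
# Assumes phase1-interface/phase2-interface entries "to_branch_primary"
# and "to_branch_backup" already exist; names and addresses are constructed.

# Both tunnel interfaces in one zone, so one policy pair applies to
# whichever tunnel the routing table currently selects.
config system zone
    edit "branch_vpn"
        set interface "to_branch_primary" "to_branch_backup"
    next
end

# Same destination through each tunnel interface, differing only in
# distance; the backup route is used only while the primary tunnel is down.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to_branch_primary"
        set distance 10
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to_branch_backup"
        set distance 20
    next
end

# One policy per direction: outbound (internal -> zone) and inbound
# (zone -> internal). Without the second, sessions initiated from the
# branch side are decapsulated onto the tunnel interface and then dropped.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "branch_vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "branch_vpn"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Tightening `srcaddr`/`dstaddr` from `all` to the actual local and branch subnets is the least-privilege form; `all` is used here only to keep the example short.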