
Fortinet FortiGate Series Administration Guide

IPSec VPN Overview of IPSec VPN configuration
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 611
http://docs.fortinet.com/Feedback
IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units support
both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 159.
This section describes:
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Manual Key
Internet browsing configuration
Concentrator
Monitoring VPNs
Overview of IPSec VPN configuration
FortiGate units implement the Encapsulating Security Payload (ESP) protocol. The
encrypted packets look like ordinary packets that can be routed through any IP network.
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or
X.509 digital certificates. As an option, you can specify manual keys. Interface mode,
supported in NAT/Route mode only, creates a virtual interface for the local end of a VPN
tunnel.
Use the following configuration procedures for all IPSec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote
peers or clients and establish a secure connection. See “Creating a new phase 1
configuration” on page 614.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
with a remote peer or dialup client. See “Creating a new phase 2 configuration” on
page 619.
3 Create a firewall policy to permit communication between your private network and the
VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-
based VPN, the firewall policy action is ACCEPT. See “Configuring firewall policies” on
page 391.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique
IPSec encryption and authentication keys automatically. If a remote VPN peer or client
requires a specific IPSec encryption or authentication key, you must configure the
FortiGate unit to use manual keys instead. For more information, see “Manual Key” on
page 622.
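
An added example, not part of the Fortinet guide: a short Python audit of a CLI-style configuration backup that checks each phase 1 definition has a phase 2 that references it and a firewall policy with the action named in step 3 (IPSEC for policy-based, ACCEPT for interface mode). The CLI section and field names and every sample value are assumptions, since this page describes only the web-based manager; nested `config` blocks are not handled.

```python
from collections import defaultdict
# Constructed sample in FortiOS CLI backup style (assumed syntax), trimmed to the
# fields the audit reads; every name is a placeholder.
SAMPLE = """
config vpn ipsec phase1
    edit "branch_p1"
    next
end
config vpn ipsec phase2
    edit "branch_p2"
        set phase1name "branch_p1"
    next
end
config vpn ipsec phase1-interface
    edit "hq_if"
    next
end
config firewall policy
    edit 1
        set action ipsec
        set vpntunnel "branch_p1"
    next
end
"""

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {field: value}}}."""
    tables, section, entry = defaultdict(dict), None, None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "config":
            section, entry = " ".join(words[1:]), None
        elif words[0] == "edit":
            entry = tables[section].setdefault(words[1].strip('"'), {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = " ".join(words[2:]).strip('"')
    return tables

def audit(text):
    """List phase 1 entries lacking a phase 2 or a policy with the expected action."""
    t, findings = parse(text), []
    policies = t["firewall policy"].values()
    # Policy-based tunnels are named in vpntunnel; interface-mode ones appear as an interface.
    for suffix, keys, action in (("", ["vpntunnel"], "ipsec"),
                                 ("-interface", ["srcintf", "dstintf"], "accept")):
        for name in t["vpn ipsec phase1" + suffix]:
            if not any(p.get("phase1name") == name for p in t["vpn ipsec phase2" + suffix].values()):
                findings.append(f"{name}: no phase 2 configuration")
            if action not in [p.get("action") for p in policies if name in map(p.get, keys)]:
                findings.append(f"{name}: no firewall policy with action {action}")
    return findings
```

Calling `audit(SAMPLE)` reports the interface-mode tunnel `hq_if`, which has neither a phase 2 nor an ACCEPT policy, while the complete policy-based tunnel `branch_p1` produces no finding.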
