196 Fortinet Inc.
Obtaining a CA certificate IPSec VPN
Configuring encrypt policies
A VPN connects the local, internal network to a remote, external network. The
principal role of the encrypt policy is to define (and limit) which addresses on these
networks can use the VPN.
A VPN requires only one encrypt policy to control both inbound and outbound
connections. Depending on how you configure it, the policy controls whether users on
your internal network can establish a tunnel to the remote network (the outbound
connection), and whether users on the remote network can establish a tunnel to your
internal network (the inbound connection). This flexibility allows a single encrypt policy
to do the job of two regular firewall policies.
Although the encrypt policy controls both incoming and outgoing connections, it must
always be configured as an outgoing policy. An outgoing policy has a source address
on an internal network and a destination address on an external network. The source
address identifies which addresses on the internal network are part of the VPN. The
destination address identifies which addresses on the remote network are part of the
VPN. Typical outgoing policies include Internal-to-External and DMZ-to-External.
In addition to defining membership in the VPN by address, you can configure the
encrypt policy for services such as DNS, FTP, and POP3, and to allow connections
according to a predefined schedule (by the time of the day or the day of the week,
month, or year). You can also configure the encrypt policy for:
• Inbound NAT to translate the source address of incoming packets.
• Outbound NAT to translate the source address of outgoing packets.
• Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiGate unit logs all connections that use the VPN.
The policy must also include the VPN tunnel that you created to communicate with the
remote FortiGate VPN gateway. When users on your internal network attempt to
connect to the network behind the remote VPN gateway, the encrypt policy intercepts
the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses
the remote gateway added to its configuration to connect to the remote VPN gateway.
When the remote VPN gateway receives the connection attempt, it checks its own
policy, gateway and tunnel configuration. If that configuration allows the connection, an IPSec VPN
tunnel is negotiated between the two VPN peers.
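The following is an added illustration, not Fortinet code and not the FortiOS implementation: a small Python model of how one encrypt policy, written as an outgoing policy (internal source, external destination), still decides both directions. A packet matches outbound when its source is in the policy's internal range and its destination in the remote range, and inbound when the addresses are reversed; the service and schedule checks described above are applied in both cases. The policy fields, the address ranges, the tunnel name and the service names are constructed for the example.

```python
"""Model of a single encrypt policy covering inbound and outbound VPN traffic.

Assumption: the data structures and matching rules below are illustrative only;
they are not the FortiGate policy engine.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Schedule:
    """Recurring schedule: allowed weekdays (0 = Monday) and an hour range [start, end)."""
    days: frozenset = frozenset(range(7))
    start_hour: int = 0
    end_hour: int = 24

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class EncryptPolicy:
    """Always expressed as an outgoing policy: internal source, external destination."""
    name: str
    src_net: str                  # internal addresses that are part of the VPN
    dst_net: str                  # addresses behind the remote gateway (or a VPN client)
    tunnel: str                   # tunnel started when traffic matches
    services: frozenset = frozenset({"ANY"})   # e.g. {"DNS", "FTP", "POP3"}
    schedule: Schedule = field(default_factory=Schedule)
    allow_inbound: bool = True    # remote network may initiate toward internal
    allow_outbound: bool = True   # internal network may initiate toward remote

    def match(self, src: str, dst: str, service: str, when: datetime) -> Optional[str]:
        """Return 'outbound', 'inbound', or None when the policy does not apply."""
        if not self.schedule.allows(when):
            return None
        if "ANY" not in self.services and service not in self.services:
            return None
        s, d = ip_address(src), ip_address(dst)
        internal, remote = ip_network(self.src_net), ip_network(self.dst_net)
        # Same policy, two directions: only the address roles are swapped.
        if self.allow_outbound and s in internal and d in remote:
            return "outbound"
        if self.allow_inbound and s in remote and d in internal:
            return "inbound"
        return None


def lookup(policies, src, dst, service, when):
    """First matching policy wins, as in an ordered policy list.

    Returns (policy name, tunnel, direction) or None when no encrypt policy applies,
    in which case the connection is not sent into any tunnel.
    """
    for p in policies:
        direction = p.match(src, dst, service, when)
        if direction:
            return (p.name, p.tunnel, direction)
    return None


# Constructed sample policy: internal 192.168.1.0/24 to a remote 10.20.0.0/16,
# only DNS/FTP/POP3, Monday to Friday between 08:00 and 18:00.
POLICIES = [
    EncryptPolicy(
        name="Internal-to-External",
        src_net="192.168.1.0/24",
        dst_net="10.20.0.0/16",
        tunnel="to_branch",                      # hypothetical tunnel name
        services=frozenset({"DNS", "FTP", "POP3"}),
        schedule=Schedule(days=frozenset(range(5)), start_hour=8, end_hour=18),
    )
]

if __name__ == "__main__":
    monday_morning = datetime(2024, 1, 8, 9)    # constructed timestamp (a Monday)
    print(lookup(POLICIES, "192.168.1.10", "10.20.3.4", "FTP", monday_morning))
    print(lookup(POLICIES, "10.20.3.4", "192.168.1.10", "DNS", monday_morning))
    print(lookup(POLICIES, "192.168.1.10", "10.20.3.4", "HTTP", monday_morning))
```

Running the script shows the same policy reporting `outbound` for a connection started from the internal side and `inbound` for one started from the remote side, and `None` for a service, address or time the policy does not cover. Setting `allow_inbound=False` turns the policy into a one-way rule without needing a second policy object.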
Adding a source address
Adding a destination address
Adding an encrypt policy
Note: The destination address can be a VPN client address on the Internet or the address of a
network behind a remote VPN gateway.