Fortinet 100 user manual 204, See Adding a phase 1 configuration for an AutoIKE VPN on

Models: 100


Configuring redundant IPSec VPN

IPSec VPN


Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone.

Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.

Configuration is made simpler if all external interfaces are grouped within a single zone, rather than multiple zones. However, this may not always be possible due to security considerations or other reasons.

After you have defined the Internet connections for both FortiGate units, you can proceed to configure the VPN tunnel.

To configure IPSec redundancy:

1 Add the phase 1 parameters for up to three VPN connections.

Enter identical values for each VPN connection, with the exception of the Gateway Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a static IP address.

See “Adding a phase 1 configuration for an AutoIKE VPN” on page 185.

2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.

If the Internet connections are in the same zone, add one VPN tunnel and add the remote gateways to it. You can add up to three remote gateways.

If the Internet connections are in separate zones or assigned to unique interfaces, add a VPN tunnel for each remote gateway entered.

See “Adding a phase 2 configuration for an AutoIKE VPN” on page 189.

3 Add the source and destination addresses. See “Adding a source address” on page 197. See “Adding a destination address” on page 197.

4 Add encrypt policies for up to three VPN connections.

If the VPN connections are in the same zone, add one outgoing encrypt policy; for example an Internal->External policy. Add the AutoIKE key tunnel to this policy.

If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection; for example, an Internal->External and an Internal->DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy.

See “Adding an encrypt policy” on page 197.
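The four steps above encode a handful of rules that are easy to get wrong when typing three gateway entries by hand: every phase 1 value except Gateway Name and IP Address must be identical, each Remote Gateway must be a static IP address, and whether you end up with one tunnel and one encrypt policy or one per remote gateway depends on whether the external interfaces share a zone. The following is an added example, not code from the Fortinet manual and not FortiGate CLI: it is plain Python that models a planned configuration and checks it against those rules before anything is entered in the GUI. The field names (`gateway_name`, `remote_gateway_ip`, `local_zone`, `settings`), the sample gateway names and the documentation-range addresses are all constructed for the example.

```python
"""Sanity checks for a planned redundant IPSec VPN, following the four steps
on this page. Constructed example (plain Python, not FortiGate code or CLI):
the field names mirror the GUI terms the manual uses (Gateway Name,
IP Address, Remote Gateway, zone) but are assumptions, not product fields."""
import ipaddress
from dataclasses import dataclass

MAX_CONNECTIONS = 3  # the manual allows up to three redundant VPN connections


@dataclass
class Phase1:
    gateway_name: str       # Gateway Name: must be unique per connection
    remote_gateway_ip: str  # Remote Gateway IP Address: must be a static address
    local_zone: str         # zone of the local external interface used (assumed field)
    settings: dict          # every other phase 1 parameter; must match across connections


def lint_phase1(phase1s):
    """Step 1: return a list of rule violations (an empty list means the plan is consistent)."""
    problems = []
    if not 1 <= len(phase1s) <= MAX_CONNECTIONS:
        problems.append(f"expected 1..{MAX_CONNECTIONS} connections, got {len(phase1s)}")
        return problems
    names = [p.gateway_name for p in phase1s]
    if len(set(names)) != len(names):
        problems.append("gateway names must be unique")
    reference = phase1s[0]
    for p in phase1s[1:]:
        # every parameter except Gateway Name and IP Address must equal the first connection's
        for key in sorted(reference.settings.keys() | p.settings.keys()):
            if reference.settings.get(key) != p.settings.get(key):
                problems.append(f"{p.gateway_name}: '{key}' differs from {reference.gateway_name}")
    for p in phase1s:
        try:
            addr = ipaddress.ip_address(p.remote_gateway_ip)
        except ValueError:
            problems.append(f"{p.gateway_name}: remote gateway '{p.remote_gateway_ip}' is not an IP address")
            continue
        if addr.is_unspecified:  # 0.0.0.0 would stand for a dynamic (dialup) peer, not a static one
            problems.append(f"{p.gateway_name}: remote gateway must be a static address, not {addr}")
    return problems


def plan_tunnels_and_policies(phase1s, source="Internal_LAN", destination="Remote_LAN"):
    """Steps 2 and 4: one tunnel and one encrypt policy when every connection leaves
    through the same zone, otherwise one tunnel and one policy per remote gateway.
    The step 3 source and destination addresses are the same on every policy."""
    zones = sorted({p.local_zone for p in phase1s})
    if len(zones) == 1:
        tunnel = {"name": "redundant_vpn", "remote_gateways": [p.gateway_name for p in phase1s]}
        policy = {"from": "Internal", "to": zones[0], "source": source,
                  "destination": destination, "action": "ENCRYPT", "tunnel": tunnel["name"]}
        return {"tunnels": [tunnel], "encrypt_policies": [policy]}
    tunnels, policies = [], []
    for p in phase1s:
        name = f"vpn_{p.gateway_name}"
        tunnels.append({"name": name, "remote_gateways": [p.gateway_name]})
        policies.append({"from": "Internal", "to": p.local_zone, "source": source,
                         "destination": destination, "action": "ENCRYPT", "tunnel": name})
    return {"tunnels": tunnels, "encrypt_policies": policies}


# Constructed sample data: gateway names and documentation-range addresses, not real peers.
COMMON = {"mode": "Main", "dh_group": 5, "p1_proposal": "3des-sha1", "keylife": 28800}
SAME_ZONE = [
    Phase1("Remote_A", "198.51.100.10", "External", dict(COMMON)),
    Phase1("Remote_B", "198.51.100.20", "External", dict(COMMON)),
    Phase1("Remote_C", "198.51.100.30", "External", dict(COMMON)),
]
SPLIT_ZONES = [
    Phase1("Remote_A", "198.51.100.10", "External", dict(COMMON)),
    Phase1("Remote_B", "203.0.113.20", "DMZ", dict(COMMON)),
]
BROKEN = [  # second entry uses a hostname instead of a static IP and a different DH group
    Phase1("Remote_A", "198.51.100.10", "External", dict(COMMON)),
    Phase1("Remote_B", "vpn-b.example.invalid", "External", {**COMMON, "dh_group": 2}),
]

if __name__ == "__main__":
    for label, plan in (("same zone", SAME_ZONE), ("split zones", SPLIT_ZONES), ("broken", BROKEN)):
        print(label, "->", lint_phase1(plan) or "OK")
        print("   ", plan_tunnels_and_policies(plan))
```

Running the script prints an empty problem list and a single three-gateway tunnel for the same-zone plan, two tunnels with two policies sharing one source/destination pair for the split-zone plan, and two violations for the broken plan. The linter deliberately treats any setting that differs, not only a known list, as a violation, since the manual's rule is "identical values" with exactly two named exceptions.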

204

Fortinet Inc.
