Configuring encrypt policies

IPSec VPN

 

 


A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN.

A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows a single encrypt policy to do the job of two regular firewall policies. Because one policy can admit traffic in both directions, keep its addresses as narrow as the VPN actually requires: every host covered by the source address can reach the remote network through the tunnel, and every host covered by the destination address can reach your internal network.

Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies which addresses on the internal network are part of the VPN. The destination address identifies which addresses on the remote network are part of the VPN. Typical outgoing policies include Internal-to-External and DMZ-to-External.

Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of day, or the day of the week, month, or year). You can also configure the encrypt policy for:

Inbound NAT to translate the source address of incoming packets.

Outbound NAT to translate the source address of outgoing packets.

Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.

Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.

Logging so that the FortiGate unit logs all connections that use the VPN.

The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway and tunnel configuration. If that configuration permits the connection, an IPSec VPN tunnel is negotiated between the two VPN peers.
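The following model shows how a single encrypt policy, written as an outgoing policy, still governs both directions, and how the address, service and schedule checks described above decide whether a connection may use the tunnel. It is an added example for this section, not Fortinet code and not the FortiGate's real matching engine; the class and function names (EncryptPolicy, Flow, evaluate), the tunnel name to_branch, the networks 10.1.0.0/24 and 192.168.50.0/24, and the sample service table are all hypothetical.

```python
"""Model of one FortiGate encrypt policy gating both VPN directions.

Added illustration; not Fortinet code. All names and addresses are
hypothetical and the service table is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed table of well-known ports for the services the manual names.
SERVICE_PORTS = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "FTP": {("tcp", 21)},
    "POP3": {("tcp", 110)},
}


@dataclass(frozen=True)
class Schedule:
    """Recurring window: weekdays (0=Mon .. 6=Sun) and hours [start, end)."""
    days: frozenset
    start_hour: int
    end_hour: int

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class EncryptPolicy:
    """Always written as an outgoing policy: source is the internal side."""
    source: str                 # internal addresses that belong to the VPN
    destination: str            # remote network or VPN client address
    tunnel: str                 # tunnel (with its remote gateway) started on a match
    services: frozenset         # service names, or {"ANY"}
    schedule: Schedule
    allow_outbound: bool = True          # internal users may initiate
    allow_inbound: bool = True           # remote users may initiate
    nat_inbound: Optional[str] = None    # rewrite source of incoming packets
    nat_outbound: Optional[str] = None   # rewrite source of outgoing packets


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    when: datetime


def direction_of(policy: EncryptPolicy, flow: Flow) -> Optional[str]:
    """One policy matches both ways: the inbound case is the same pair swapped."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    internal, remote = ip_network(policy.source), ip_network(policy.destination)
    if src in internal and dst in remote:
        return "outbound"
    if src in remote and dst in internal:
        return "inbound"
    return None


def service_allowed(policy: EncryptPolicy, flow: Flow) -> bool:
    if "ANY" in policy.services:
        return True
    return any((flow.proto, flow.dst_port) in SERVICE_PORTS.get(s, set())
               for s in policy.services)


def evaluate(policy: EncryptPolicy, flow: Flow) -> dict:
    """Verdict for the first packet of a flow: encrypt via the tunnel, or deny."""
    direction = direction_of(policy, flow)
    if direction is None:
        return {"action": "deny", "reason": "address not in VPN"}
    if direction == "outbound" and not policy.allow_outbound:
        return {"action": "deny", "reason": "outbound not permitted"}
    if direction == "inbound" and not policy.allow_inbound:
        return {"action": "deny", "reason": "inbound not permitted"}
    if not service_allowed(policy, flow):
        return {"action": "deny", "reason": "service not in policy"}
    if not policy.schedule.allows(flow.when):
        return {"action": "deny", "reason": "outside schedule"}
    nat = policy.nat_outbound if direction == "outbound" else policy.nat_inbound
    return {"action": "encrypt", "direction": direction,
            "tunnel": policy.tunnel, "src_after_nat": nat or flow.src}


# Constructed sample: HQ LAN <-> branch LAN, mail and DNS only, business hours,
# inbound sources rewritten to one internal address.
POLICY = EncryptPolicy(
    source="10.1.0.0/24", destination="192.168.50.0/24", tunnel="to_branch",
    services=frozenset({"POP3", "DNS"}),
    schedule=Schedule(frozenset(range(0, 5)), 8, 18),
    nat_inbound="10.1.0.254",
)
MONDAY_10 = datetime(2024, 1, 8, 10, 0)   # inside the schedule
SUNDAY_10 = datetime(2024, 1, 7, 10, 0)   # outside the schedule

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("10.1.0.10", "192.168.50.20", "tcp", 110, MONDAY_10)))
    print(evaluate(POLICY, Flow("192.168.50.20", "10.1.0.10", "udp", 53, MONDAY_10)))
    print(evaluate(POLICY, Flow("10.1.1.5", "192.168.50.20", "tcp", 110, MONDAY_10)))
```

The address check runs before everything else, which is the point of L11: a host outside the policy's source or destination never reaches the tunnel, whatever service or schedule it tries. Setting allow_inbound to False turns the same policy into a purely outbound one without writing a second policy.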

Adding a source address

Adding a destination address

Adding an encrypt policy

Fortinet Inc.