IPSec VPN concentrators

IPSec VPN

To create a VPN concentrator configuration:

1. Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.

A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel.

See “Manual key IPSec VPNs” on page 211.

An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method—either pre-shared keys or PKI certificates. The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters.

See “AutoIKE IPSec VPNs” on page 213.

2. Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or the network located behind a spoke gateway). See “Adding a source address” on page 225.

3. Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration.

See “Adding a VPN concentrator” on page 229.

Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.

4. Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must name that spoke's tunnel, and its source address must be Internal_All. Use the following configuration for the encrypt policies:

Source          Internal_All
Destination     The VPN spoke address.
Action          ENCRYPT
VPN Tunnel      The VPN spoke tunnel name.
Allow inbound   Select allow inbound.
Allow outbound  Select allow outbound.
Inbound NAT     Select inbound NAT if required.
Outbound NAT    Select outbound NAT if required.

See “Adding an encrypt policy” on page 225.

5. Arrange the policies in the following order:

encrypt policies

default non-encrypt policy (Internal_All -> External_All)

Policies are matched from the top of the list down and the first match is used. If the default non-encrypt policy is placed above the encrypt policies, traffic from the internal network to a spoke matches the default policy and leaves the hub in cleartext instead of entering the spoke's tunnel.
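The five steps above as an added example, not code from the Fortinet manual: a small Python model of the hub configuration that builds the tunnels, destination addresses, concentrator and policies for a list of spokes, checks them against the rules in steps 3 to 5, and runs a first-match policy lookup to show what happens to spoke traffic when the default non-encrypt policy sits above the encrypt policies. The Spoke and Policy classes, the `<spoke>_net` address names, the "Hub" concentrator name, the sample spoke addresses and the checks are this example's own assumptions; nothing here talks to a FortiGate unit.

```python
# Added example, not from the Fortinet manual: a model of the hub-and-spoke
# concentrator procedure. Classes, address names and checks are assumptions
# of this example; nothing here configures a real FortiGate unit.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

INTERNAL_ALL = "Internal_All"   # source address required by step 4
EXTERNAL_ALL = "External_All"   # destination of the default non-encrypt policy


@dataclass
class Spoke:
    name: str      # tunnel name (manual key tunnel or AutoIKE phase 2 tunnel)
    network: str   # client address or network behind the spoke gateway


@dataclass
class Policy:
    source: str
    destination: str              # address name from cfg["addresses"] or External_All
    action: str                   # "ENCRYPT" or "ACCEPT"
    vpn_tunnel: Optional[str] = None
    allow_inbound: bool = False
    allow_outbound: bool = False


def build_hub_config(spokes: List[Spoke]) -> Dict:
    """Steps 1-5 for the hub: tunnels, destination addresses, concentrator,
    one encrypt policy per spoke, then the default non-encrypt policy last."""
    tunnels = {s.name: s for s in spokes}                                 # step 1
    addresses = {f"{s.name}_net": s.network for s in spokes}             # step 2
    concentrator = {"name": "Hub", "members": [s.name for s in spokes]}  # step 3
    policies = [Policy(INTERNAL_ALL, f"{s.name}_net", "ENCRYPT", s.name,
                       allow_inbound=True, allow_outbound=True)          # step 4
                for s in spokes]
    policies.append(Policy(INTERNAL_ALL, EXTERNAL_ALL, "ACCEPT"))        # step 5
    return {"tunnels": tunnels, "addresses": addresses,
            "concentrator": concentrator, "policies": policies}


def check_hub_config(cfg: Dict) -> List[str]:
    """Return the rules from steps 3-5 that cfg violates (empty list = clean)."""
    problems = []
    tunnels, policies = cfg["tunnels"], cfg["policies"]
    members = set(cfg["concentrator"]["members"])
    if members != set(tunnels):          # step 3: concentrator groups every spoke tunnel
        problems.append(f"concentrator members {sorted(members)} != tunnels {sorted(tunnels)}")
    for name in tunnels:                 # step 4: one encrypt policy per spoke
        matching = [p for p in policies if p.action == "ENCRYPT" and p.vpn_tunnel == name]
        if not matching:
            problems.append(f"no encrypt policy for tunnel {name}")
        for p in matching:
            if p.source != INTERNAL_ALL:
                problems.append(f"encrypt policy for {name} has source {p.source}, not {INTERNAL_ALL}")
            if not (p.allow_inbound and p.allow_outbound):
                problems.append(f"encrypt policy for {name} does not allow both inbound and outbound")
    default_idx = next((i for i, p in enumerate(policies)
                        if p.action != "ENCRYPT" and p.destination == EXTERNAL_ALL), None)
    if default_idx is not None:          # step 5: encrypt policies above the default policy
        for i, p in enumerate(policies):
            if p.action == "ENCRYPT" and i > default_idx:
                problems.append(f"encrypt policy for {p.vpn_tunnel} is below the default policy")
    return problems


def match_policy(cfg: Dict, dst_ip: str) -> Optional[Policy]:
    """First-match lookup for a packet from the internal network to dst_ip,
    the way the policy list is evaluated top down."""
    for p in cfg["policies"]:
        if p.destination == EXTERNAL_ALL:
            return p                     # catch-all: matches anything that got this far
        if ip_address(dst_ip) in ip_network(cfg["addresses"][p.destination], strict=False):
            return p
    return None


if __name__ == "__main__":
    # Constructed sample: one spoke gateway with a network behind it, one client.
    spokes = [Spoke("Spoke_1", "192.168.10.0/24"), Spoke("Client_2", "198.51.100.7")]
    cfg = build_hub_config(spokes)
    print("problems:", check_hub_config(cfg))
    print("to 192.168.10.5:", match_policy(cfg, "192.168.10.5").action)
    bad = build_hub_config(spokes)
    bad["policies"].insert(0, bad["policies"].pop())   # default policy moved to the top
    print("misordered:", check_hub_config(bad))
    print("to 192.168.10.5 now:", match_policy(bad, "192.168.10.5").action)
```

With the policies in the order of step 5, traffic to 192.168.10.5 hits the Spoke_1 encrypt policy; with the default policy moved to the top, the same packet matches Internal_All -> External_All and is forwarded without encryption, which is exactly the mistake the check reports.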
