IPSec VPN

Configuring encrypt policies

4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.

5. Select OK to save the destination address.

Adding an encrypt policy

To add an encrypt policy

1. Go to Firewall > Policy.

2. Select the Int->Ext policy list.

3. Select New to add a new policy.

4. Set Source to the source address.

5. Set Destination to the destination address.

6. Set Service to control the services allowed over the VPN connection.

You can select ANY to allow all supported services over the VPN connection or select a specific service or service group to limit the services allowed over the VPN connection.

7. Set Action to ENCRYPT.

8. Configure the ENCRYPT parameters:

VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.

Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.

Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.

Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).

Outbound NAT: The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically, this is an external interface of the FortiGate unit.

Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway).

If Outbound NAT is implemented, it is subject to these limitations:

- Configure Outbound NAT only at one end of the tunnel.
- The end that does not implement Outbound NAT requires an internal to external policy that specifies the remote external interface as the Destination (usually a public IP address).
- The tunnel, and the traffic within the tunnel, can only be initiated at the end that implements Outbound NAT.

For information about configuring the remaining policy settings, see “Adding firewall policies” on page 140.

9. Select OK to save the encrypt policy.
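As an added example, not taken from this guide (which documents only the web interface), the encrypt policy above written out in FortiOS command-line form for both ends of a tunnel in which only end A applies Outbound NAT, so that the three limitations listed for Outbound NAT can be seen in configuration rather than prose. The interface names, address objects, tunnel names and the 203.0.113.10 address are constructed placeholders, and the keywords shown (`action ipsec`, `vpntunnel`, `inbound`, `outbound`, `natinbound`, `natoutbound`) are assumed from later policy-based IPsec firmware; the FortiGate-50A's own release may use different keywords, so check them against the CLI reference for your firmware before use.

```fortios
# Added example, not from the guide. Keyword syntax assumed from later
# FortiOS releases; all names and addresses below are constructed.

# ---- End A: the end that implements Outbound NAT ----
# Packets leaving A through the tunnel have their source rewritten to
# A's external interface address, so hosts behind B never see A_LAN.
# Per the guide's limitations, only end A can bring up the tunnel and
# initiate traffic inside it.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        # A_LAN = 10.1.0.0/24 and B_LAN = 10.2.0.0/24 (constructed)
        set srcaddr "A_LAN"
        set dstaddr "B_LAN"
        set action ipsec
        set schedule "always"
        # ANY allows every supported service; use a service group to limit it
        set service "ANY"
        # the Auto Key tunnel selected under "VPN Tunnel" (constructed name)
        set vpntunnel "to_B"
        # Allow inbound / Allow outbound
        set inbound enable
        set outbound enable
        # Inbound NAT off, Outbound NAT on at this end only
        set natinbound disable
        set natoutbound enable
    next
end

# ---- End B: the end that does NOT implement Outbound NAT ----
# Traffic from A arrives with A's external (public) address as its source,
# so B's internal->external policy must name that address as the
# Destination instead of A_LAN (second limitation in the guide).
config firewall address
    edit "A_external"
        # A's external interface address; 203.0.113.10 is a constructed placeholder
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "B_LAN"
        set dstaddr "A_external"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set vpntunnel "to_A"
        set inbound enable
        set outbound enable
        set natinbound disable
        # must stay disabled: Outbound NAT is allowed at one end only
        set natoutbound disable
    next
end
```

When reviewing a pair of encrypt policies like this, the two things to verify are that `natoutbound` is enabled on exactly one side and that the other side's Destination is the NAT side's public interface address rather than its internal subnet. Hiding local addresses with Outbound NAT is a trade: hosts behind B cannot reach hosts behind A directly, and nothing behind B can bring the tunnel up, so monitoring on the B side should expect the tunnel to be initiated only from A.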

FortiGate-50A Installation and Configuration Guide

195
