IPSec VPN concentrators

IPSec VPN

4. Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke.

The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.
Destination: The remote VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Do not enable.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.

See “Adding an encrypt policy” on page 195.

5. Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes.

The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.
Destination: External_All
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.

See “Adding an encrypt policy” on page 195.

6. Arrange the policies in the following order:

    outbound encrypt policies
    inbound encrypt policy
    default non-encrypt policy (Internal_All -> External_All)

Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
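As an added illustration that is not part of the Fortinet manual, the following Python models the top-down, first-match policy evaluation behind step 6, using constructed sample addresses and a hypothetical tunnel name. It shows that with the order above, spoke-to-spoke traffic hits an encrypt policy while Internet traffic falls through to the default policy, and that placing the default non-encrypt policy first would send spoke-to-spoke traffic out in cleartext.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the manual): the local spoke's LAN,
# two remote spoke LANs reachable through the hub, and External_All.
LOCAL_SPOKE = ip_network("192.168.1.0/24")
REMOTE_SPOKES = {"Spoke_B": ip_network("192.168.2.0/24"),
                 "Spoke_C": ip_network("192.168.3.0/24")}
EXTERNAL_ALL = ip_network("0.0.0.0/0")
TUNNEL = "hub_tunnel"  # hypothetical name of the tunnel added in step 1

def policy(name, src, dst, action, tunnel=None, inbound=False, outbound=False):
    return {"name": name, "src": src, "dst": dst, "action": action,
            "tunnel": tunnel, "inbound": inbound, "outbound": outbound}

def spoke_policies(order="correct"):
    """Build the spoke's policy list: one outbound encrypt policy per remote
    spoke (step 4), one inbound encrypt policy (step 5), then the default
    non-encrypt policy. order="wrong" puts the default policy first."""
    outbound = [policy(f"encrypt_out_{n}", LOCAL_SPOKE, net, "ENCRYPT", TUNNEL, outbound=True)
                for n, net in REMOTE_SPOKES.items()]
    inbound = [policy("encrypt_in", LOCAL_SPOKE, EXTERNAL_ALL, "ENCRYPT", TUNNEL, inbound=True)]
    default = [policy("default_accept", LOCAL_SPOKE, EXTERNAL_ALL, "ACCEPT")]
    return outbound + inbound + default if order == "correct" else default + outbound + inbound

def match(policies, src, dst, direction="outbound"):
    """Top-down, first-match lookup. Encrypt policies are written internal ->
    external; 'allow inbound' lets a session initiated from the remote side
    match with source and destination reversed (a simplified model)."""
    src, dst = ip_address(src), ip_address(dst)
    for p in policies:
        if direction == "outbound":
            if p["action"] == "ENCRYPT" and not p["outbound"]:
                continue  # encrypt policy without 'allow outbound'
            if src in p["src"] and dst in p["dst"]:
                return p["name"], p["action"]
        else:
            if not p["inbound"]:
                continue  # non-encrypt and outbound-only policies never admit inbound sessions
            if dst in p["src"] and src in p["dst"]:
                return p["name"], p["action"]
    return None, "DENY"

if __name__ == "__main__":
    for order in ("correct", "wrong"):
        pol = spoke_policies(order)
        print(order, "spoke-to-spoke:", match(pol, "192.168.1.10", "192.168.2.10"))
        print(order, "to Internet:  ", match(pol, "192.168.1.10", "203.0.113.5"))
        print(order, "from Spoke_C: ", match(pol, "192.168.3.10", "192.168.1.10", "inbound"))
```

In the "wrong" ordering the spoke-to-spoke lookup returns the default ACCEPT policy, which is the cleartext leak the ordering in step 6 prevents.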

200

Fortinet Inc.

Fortinet 50A user manual 200, VPN Tunnel, Policies