IPSec VPN | AutoIKE IPSec VPNs |
|
|
AutoIKE IPSec VPNs
FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with
•General configuration steps for an AutoIKE VPN
•Adding a phase 1 configuration for an AutoIKE VPN
•Adding a phase 2 configuration for an AutoIKE VPN
General configuration steps for an AutoIKE VPN
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
To create an AutoIKE VPN configuration
Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiGate unit. For information about digital certificates, see “Managing digital certificates” on page 242.
1Add the phase 1 parameters. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 235.
2Add the phase 2 parameters. See “Adding a phase 2 configuration for an AutoIKE VPN” on page 240.
3Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 245.
Adding a phase 1 configuration for an AutoIKE VPN
When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to establishing an IPSec VPN tunnel.
The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit).
When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy.
To add a phase 1 configuration
1Go to VPN > IPSEC > Phase 1.
2Select New to add a new phase 1 configuration.
235 |