IPSec VPN

AutoIKE IPSec VPNs

 

 

AutoIKE IPSec VPNs

FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.

General configuration steps for an AutoIKE VPN

Adding a phase 1 configuration for an AutoIKE VPN

Adding a phase 2 configuration for an AutoIKE VPN

General configuration steps for an AutoIKE VPN

An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

To create an AutoIKE VPN configuration

Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiGate unit. For information about digital certificates, see “Managing digital certificates” on page 242.

1Add the phase 1 parameters. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 235.

2Add the phase 2 parameters. See “Adding a phase 2 configuration for an AutoIKE VPN” on page 240.

3Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 245.

Adding a phase 1 configuration for an AutoIKE VPN

When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to establishing an IPSec VPN tunnel.

The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit).

When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy.

To add a phase 1 configuration

1Go to VPN > IPSEC > Phase 1.

2Select New to add a new phase 1 configuration.

FortiGate-800 Installation and Configuration Guide

235

Page 235
Image 235
Fortinet FortiGate-800 manual AutoIKE IPSec VPNs, General configuration steps for an AutoIKE VPN, 235