Configuring encrypt policies

IPSec VPN


Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the encrypt policy for:

Inbound NAT to translate the source address of incoming packets.

Outbound NAT to translate the source address of outgoing packets.

Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.

Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.

Logging so that the FortiGate unit logs all connections that use the VPN.

The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.

Adding a source address

Adding a destination address

Adding an encrypt policy

Adding a source address

The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.

To add a source address

1. Go to Firewall > Address.

2. Select an internal interface.

3. Select New to add an address.

4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.

5. Select OK to save the source address.
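The following Python model is an added example and is not FortiGate code or anything from the manual. It shows how the pieces described above combine: address objects (a single host or a subnet, entered as IP address plus netmask), services such as DNS and FTP, a schedule, and a first-match policy whose encrypt action names the tunnel to start. The address names, subnets, schedule times and tunnel name are all constructed for the example; the matching logic is a simplification and is not the unit's own implementation.

```python
"""Simplified first-match model of encrypt-policy selection (added example,
not FortiGate code). All names, addresses and times below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Address:
    """Firewall address object: a host (netmask 255.255.255.255) or a subnet."""
    name: str
    ip: str
    netmask: str

    def network(self) -> IPv4Network:
        # strict=False lets a host IP inside a subnet mask normalise to the
        # subnet; a non-contiguous netmask such as 255.0.255.0 raises ValueError.
        return IPv4Network(f"{self.ip}/{self.netmask}", strict=False)

    def contains(self, addr: str) -> bool:
        return IPv4Address(addr) in self.network()


def address_is_valid(address: Address) -> bool:
    """True if the IP/netmask pair forms a usable address object."""
    try:
        address.network()
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Service:
    name: str
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any port

    def matches(self, proto: str, port: int) -> bool:
        return (self.proto is None or self.proto == proto) and \
               (self.port is None or self.port == port)


@dataclass(frozen=True)
class Schedule:
    """Allowed days (Monday=0 .. Sunday=6) and hours [start_hour, end_hour)."""
    name: str
    days: FrozenSet[int] = frozenset(range(7))
    start_hour: int = 0
    end_hour: int = 24

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Policy:
    srcaddr: Address
    dstaddr: Address
    service: Service
    schedule: Schedule
    action: str                      # "encrypt", "accept" or "deny"
    vpntunnel: Optional[str] = None  # only meaningful for action == "encrypt"

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int, when: datetime) -> bool:
        return (self.srcaddr.contains(src_ip) and self.dstaddr.contains(dst_ip)
                and self.service.matches(proto, port) and self.schedule.active(when))


def select_tunnel(policies: List[Policy], src_ip: str, dst_ip: str,
                  proto: str, port: int, when: datetime) -> Optional[str]:
    """Return the tunnel the first matching encrypt policy would start.
    None means no policy matched or the first match was not an encrypt policy."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto, port, when):
            return policy.vpntunnel if policy.action == "encrypt" else None
    return None


# Constructed sample configuration (hypothetical names and addresses).
ANY = Service("ANY")
DNS = Service("DNS", "udp", 53)
FTP = Service("FTP", "tcp", 21)
ALWAYS = Schedule("always")
OFFICE_HOURS = Schedule("office_hours", frozenset(range(5)), 8, 18)

LOCAL_LAN = Address("Internal_LAN", "192.168.1.0", "255.255.255.0")
REMOTE_LAN = Address("Branch_LAN", "10.10.0.0", "255.255.0.0")
FILE_SERVER = Address("Branch_FTP", "10.10.5.20", "255.255.255.255")

POLICIES = [
    # FTP to the branch file server only during office hours ...
    Policy(LOCAL_LAN, FILE_SERVER, FTP, OFFICE_HOURS, "encrypt", "to_branch"),
    # ... and explicitly denied outside them (first match wins).
    Policy(LOCAL_LAN, FILE_SERVER, ANY, ALWAYS, "deny"),
    # Everything else from the internal LAN to the branch goes through the tunnel.
    Policy(LOCAL_LAN, REMOTE_LAN, ANY, ALWAYS, "encrypt", "to_branch"),
]

if __name__ == "__main__":
    tuesday = datetime(2024, 1, 9, 10, 0)
    saturday = datetime(2024, 1, 13, 10, 0)
    print(select_tunnel(POLICIES, "192.168.1.10", "10.10.5.20", "tcp", 21, tuesday))
    print(select_tunnel(POLICIES, "192.168.1.10", "10.10.5.20", "tcp", 21, saturday))
    print(select_tunnel(POLICIES, "192.168.1.10", "10.10.0.53", "udp", 53, saturday))
    print(select_tunnel(POLICIES, "172.16.0.5", "10.10.0.53", "udp", 53, tuesday))
```

Policy order matters in this model exactly as it does on the unit: the scheduled FTP policy sits above the deny so that out-of-hours FTP to the file server is dropped instead of falling through to the catch-all encrypt policy. A host that is not covered by the source address object never enters the tunnel at all.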

Fortinet FortiGate-800 manual, page 246. Fortinet Inc.