VPN IPSEC and its implemention on Fortigate

Configuration overview

In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Figure 120: Example gateway-to-gateway configuration

  

General configuration steps

The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed by both FortiGate units:

•	Define the phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.

•	Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.

•

Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.  To create phase 1 to establish a secure connection with the remote peer 1 Go to VPN > IPsec > Auto Key (IKE). 2 Select Create Phase 1. 3 Enter the following information, and select OK. Name Enter peer_1. A name to identify the VPN tunnel. This name appears in phase 2 configurations, security policies and the VPN monitor. Remote Gateway Select Static IP Address. IP Address Enter 172.20.0.2 when configuring FortiGate_1. Enter 172.18.0.2 when configuring FortiGate_2. The IP address of the remote peer public interface. Local Interface Select wan1. The FortiGate unit’s public interface. This interface cannot be a loopback interface. Enable IPsec Interface Mode Select Advanced to see this setting. Enable IPsec Interface Mode to have the FortiGate unit create a virtual IPsec interface for a route-based VPN. Disable this option to create a policy-based VPN. For more information, see “Comparing policy-based or route-based VPNs”. After you select OK to create the phase 1 configuration, you cannot change this setting. The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. See “Phase 2 configuration”. To configure phase 2 settings 1 Go to VPN > IPsec > Auto Key (IKE). 2 Select Create Phase 2. 3 Enter the following information, and select OK. Name Enter peer_1_p2. A name to identify this phase 2 configuration. Phase 1 Select peer_1. The name of the phase 1 configuration. Creating policy-based VPN security policy Define an IPsec security policy to permit communications between the source and destination addresses. Source Interface/Zone Select internal. The interface that connects to the private network behind this FortiGate unit. Source Address Name Select Finance_network when configuring FortiGate_1. Select HR_network when configuring FortiGate_2. The address name defined for the private network behind this FortiGate unit. Destination Interface/Zone Select wan1. The FortiGate unit’s public interface. Destination Address Name Select HR_network when configuring FortiGate_1. Select Finance_network when configuring FortiGate_2. The address name that you defined in Step  for the private network behind the remote peer. Action Select IPSEC. VPN Tunnel Select peer_1. The name of the phase 1 configuration that you created earlier. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel. Comment Bidirectional policy-based VPN policy