FortiGate IPsec VPN Guide

FortiOS Handbook: IPsec VPN for FortiOS 5.0

26 August 2015

01-504-112804-20150826

Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    Technical Documentation docs.fortinet.com

    Knowledge Base kb.fortinet.com

    Customer Service & Support support.fortinet.com

    Training Services training.fortinet.com

    FortiGuard fortiguard.com

    Document Feedback [email protected]


Table of contents

  • Introduction (p. 10)
      • How this guide is organized (p. 10)

  • IPsec VPN concepts (p. 12)
      • VPN tunnels (p. 12)
      • VPN gateways (p. 13)
      • Clients, servers, and peers (p. 14)
      • Encryption (p. 15)
      • Authentication (p. 15)
          • Preshared keys (p. 15)
          • Additional authentication (p. 16)
      • Phase 1 and Phase 2 settings (p. 16)
          • Phase 1 (p. 16)
          • Phase 2 (p. 16)
      • Security Association (p. 17)

  • IPsec VPN Overview (p. 18)
      • Types of VPNs (p. 18)
          • Route-based VPNs (p. 18)
          • Policy-based VPNs (p. 19)
          • Comparing policy-based or route-based VPNs (p. 19)
      • Planning your VPN (p. 19)
          • Network topologies (p. 20)
      • General preparation steps (p. 21)
      • How to use this guide to configure an IPsec VPN (p. 21)

  • IPsec VPN in the web-based manager (p. 22)
      • Auto Key (IKE) (p. 22)
          • Phase 1 configuration (p. 23)
          • Phase 1 advanced configuration settings (p. 24)
          • Phase 2 configuration (p. 27)
          • Phase 2 advanced configuration settings (p. 27)
          • FortiClient VPN (p. 30)
      • Manual Key (p. 31)
          • Manual key configuration settings (p. 31)
      • Concentrator (p. 33)
      • IPsec Monitor (p. 33)

  • Auto Key phase 1 parameters (p. 35)
      • Overview (p. 35)
      • Defining the tunnel ends (p. 36)
      • Choosing main mode or aggressive mode (p. 36)
      • Choosing the IKE version (p. 37)
      • Authenticating the FortiGate unit (p. 37)
          • Authenticating the FortiGate unit with digital certificates (p. 37)
          • Authenticating the FortiGate unit with a pre-shared key (p. 38)
      • Authenticating remote peers and clients (p. 40)
          • Enabling VPN access for specific certificate holders (p. 40)
          • Enabling VPN access by peer identifier (p. 42)
          • Enabling VPN access with user accounts and pre-shared keys (p. 43)
      • Defining IKE negotiation parameters (p. 44)
          • Generating keys to authenticate an exchange (p. 45)
          • Defining IKE negotiation parameters (p. 45)
      • Using XAuth authentication (p. 48)
          • Using the FortiGate unit as an XAuth server (p. 49)
          • Using the FortiGate unit as an XAuth client (p. 49)

  • Phase 2 parameters (p. 51)
      • Basic phase 2 settings (p. 51)
      • Advanced phase 2 settings (p. 51)
          • P2 Proposals (p. 51)
          • Replay detection (p. 52)
          • Perfect forward secrecy (PFS) (p. 52)
          • Keylife (p. 52)
          • Auto-negotiate (p. 52)
          • Autokey Keep Alive (p. 52)
          • DHCP-IPsec (p. 53)
          • Quick mode selectors (p. 53)
      • Configure the phase 2 parameters (p. 54)
          • Specifying the phase 2 parameters (p. 54)

  • Defining VPN security policies (p. 57)
      • Defining policy addresses (p. 57)
      • Defining VPN security policies (p. 58)
          • Defining an IPsec security policy for a policy-based VPN (p. 59)
          • Defining security policies for a route-based VPN (p. 61)

  • Gateway-to-gateway configurations (p. 63)
      • Configuration overview ....