IPSEC config - Fortigate

Oct 29, 2015

VPN tunnel in Fortigate
IPsec VPNs

FortiOS Handbook v2 for FortiOS 4.0 MR2

FortiOS Handbook: IPsec VPNs v2
19 October 2010
01-420-112804-20101019
for FortiOS 4.0 MR2

Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction 13
  Before you begin 13
  How this guide is organized 13
  Document conventions 16
    IP addresses 16
    Example Network configuration 18
    Cautions, Notes and Tips 19
    Typographical conventions 20
    CLI command syntax conventions 20
  Entering FortiOS configuration data 22
    Entering text strings (names) 22
    Entering numeric values 23
    Selecting options from a list 23
    Enabling or disabling options 23
  Registering your Fortinet product 23
  Fortinet products End User License Agreement 23
  Training 24
  Documentation 24
    Fortinet Tools and Documentation CD 24
    Fortinet Knowledge Base 24
    Comments on Fortinet technical documentation 24
  Customer service and technical support 24

IPsec VPN concepts 25
  IP packets 25
  VPN tunnels 26
  VPN gateways 27
  Clients, servers, and peers 29
  Encryption 29
  Authentication 30
    Preshared keys 30
    Additional authentication 30
  Phase 1 and Phase 2 settings 30
    Phase 1 30
    Phase 2 31
  Security Association 31

FortiGate IPsec VPN Overview 33
  About FortiGate VPNs 33
  Planning your VPN 34
    Network topologies 34
  Choosing policy-based or route-based VPNs 34
  General preparation steps 35
  How to use this guide to configure an IPsec VPN 35

Gateway-to-gateway configurations 37
  Configuration overview 37
    Gateway-to-gateway infrastructure requirements 39
  General configuration steps 39
  Configure the VPN peers 39
  Configuration example 41
    Define the phase 1 parameters on FortiGate_1 41
    Define the phase 2 parameters on FortiGate_1 42
    Define the firewall policy on FortiGate_1 42
    Configure FortiGate_2 44
  How to work with overlapping subnets 46
    Solution for route-based VPN 47
    Solution for policy-based VPN 48

Hub-and-spoke configurations 51
  Configuration overview 51
    Hub-and-spoke infrastructure requirements 52
    Spoke gateway addressing 52
    Protected networks addressing 52
      Using aggregated subnets 52
      Using an address group 53
    Authentication 53
  Configure the hub 53
    Define the hub-spoke VPNs 53
    Define the hub-spoke firewall policies 54
    Configuring communication between spokes (policy-based VPN) 55
    Configuring communication between spokes (route-based VPN) 56
      Using a zone as a concentrator 56
      Using a zone with a policy as a concentrator 56
      Using firewall policies as a concentrator 57
  Configure the spokes 57
    Configuring firewall policies for hub-to-spoke communication 57
    Configuring firewall policies for spoke-to-spoke communication 58
  Dynamic spokes configuration example 60
    Configure the hub (FortiGate_1) 60
      Define the IPsec configuration 60
      Define the firewall policies 61
      Configure communication between spokes 62
    Configure the spokes 63
      Define the IPsec configuration 63
      Define the firewall policies 63

Dynamic DNS configurations 65
  Configuration overview 65
    Dynamic DNS infrastructure requirements 66
  General configuration steps 66
  Configure the dynamically-addressed VPN peer 67
  Configure the fixed-address VPN peer 69

FortiClient dialup-client configurations 71
  Configuration overview 71
    Peer identification 72
    Automatic configuration of FortiClient dialup clients 72
      How the FortiGate unit determines which settings to apply 72
    Using virtual IP addresses 73
      Assigning VIPs by RADIUS user group 74
    FortiClient dialup-client infrastructure requirements 75
  FortiClient-to-FortiGate VPN configuration steps 75
  Configure the FortiGate unit 75
    Configuring FortiGate unit VPN settings 76
    Configuring the FortiGate unit as a VPN policy server 78
    Configuring DHCP service on the FortiGate unit 78
  Configure the FortiClient Endpoint Security application 80
    Configuring FortiClient to work with VPN policy distribution 80
    Configuring FortiClient manually 80
  Adding XAuth authentication 81
  FortiClient dialup-client configuration example 82
    Configuring FortiGate_1 82
    Configuring the FortiClient Endpoint Security application 85

FortiGate dialup-client configurations 87
  Configuration overview 87
    FortiGate dialup-client infrastructure requirements 89
  FortiGate dialup-client configuration steps 90
  Configure the server to accept FortiGate dialup-client connections 90
  Configure the FortiGate dialup client 92

Supporting IKE Mode config clients 95
  Automatic configuration overview 95
  IKE Mode Config overview 95
  Configuring IKE Mode Config 95
    Configuring an IKE Mode Config client 96
    Configuring an IKE Mode Config server 96
      IP address assignment 97
  Example: FortiGate unit as IKE Mode Config server 97
  Example: FortiGate unit as IKE Mode Config client 98

Internet-browsing configuration 99
  Configuration overview 99
  Creating an Internet browsing firewall policy 100
  Routing all remote traffic through the VPN tunnel 101
    Configuring a FortiGate remote peer to support Internet browsing 101
    Configuring a FortiClient application to support Internet browsing 102

Redundant VPN configurations 103
  Configuration overview 103
    General configuration steps 104
  Configure the VPN peers - route-based VPN 105
  Redundant route-based VPN configuration example 106
    Configuring FortiGate_1 107
    Configuring FortiGate_2 112
  Partially-redundant route-based VPN example 117
    Configuring FortiGate_1 118
    Configuring FortiGate_2 120
  Creating a backup IPsec interface 123

Transparent mode VPNs 125
  Configuration overview 125
    Transparent VPN infrastructure requirements 128
      Before you begin 129
  Configure the VPN peers 129
  For more information 130

Manual-key configurations 131
  Configuration overview 131
  Specify the manual keys for creating a tunnel 131

IPv6 IPsec VPNs 133
  Overview of IPv6 IPsec support 133
    Certificates 133
  Configuring IPv6 IPsec VPNs 134
    Phase 1 configuration 134
    Phase 2 configuration 134
    Firewall policies 134
    Routing 134
  Site-to-site IPv6 over IPv6 VPN example 135
    Configure FortiGate A interfaces 135
    Configure FortiGate A IPsec settings 136
    Configure FortiGate A firewall policies 136
    Configure FortiGate A routing 137
    Configure FortiGate B 137
  Site-to-site IPv4 over IPv6 VPN example 138
    Configure FortiGate A interfaces 139
    Configure FortiGate A IPsec settings 139
    Configure FortiGate A firewall policies 139
    Configure FortiGate A routing 140
    Configure FortiGate B 140
  Site-to-site IPv6 over IPv4 VPN example 141
    Configure FortiGate A interfaces 142
    Configure FortiGate A IPsec settings 142
    Configure FortiGate A firewall policies 142
    Configure FortiGate A routing 143
    Configure FortiGate B 143

L2TP and IPsec (Microsoft VPN) configurations 145
  Overview 145
  Configuring the FortiGate unit 146
    Configuring users and user group 146
      Creating user accounts 146
      Creating a user group 146
    Configuring L2TP 147
    Configuring IPsec 147
    Configuring firewall policies 149
  Configuring the Windows PC 151
  Troubleshooting 152
    Quick checks 152
    Setting up logging 152
    Understanding the log messages 152
    Using the FortiGate unit debug commands 153
      Typical L2TP over IPsec session startup log entries - raw format 154

GRE over IPsec (Cisco VPN) configurations 157
  Overview 157
  Configuring the FortiGate unit 158
    Enabling overlapping subnets 158
    Configuring the IPsec VPN 158
      Adding IPsec tunnel end addresses 160
    Configuring the GRE tunnel 160
      Adding GRE tunnel end addresses 160
    Configuring firewall policies 161
    Configuring routing 162
  Configuring the Cisco router 163
  Troubleshooting 163
    Quick checks 163
    Setting up logging 164
    Understanding the log messages 164
    Using diagnostic commands 164

Protecting OSPF with IPsec 167
  Overview 167
  OSPF over IPsec configuration 168
    Configuring the IPsec VPN 168
    Configuring static routing 169
    Configuring OSPF 169
      FortiGate_1 OSPF configuration 169
      FortiGate_2 OSPF configuration 171
  Creating a redundant configuration 173
    Adding the second IPsec tunnel 173
    Adding the OSPF interface 173

Auto Key phase 1 parameters 175
  Overview 175
  Defining the tunnel ends 176
  Choosing main mode or aggressive mode 176
  Choosing the IKE version 177
  Authenticating the FortiGate unit 177
    Authenticating the FortiGate unit with digital certificates 177
    Authenticating the FortiGate unit with a pre-shared key 178
  Authenticating remote peers and clients 179
    Enabling VPN access for specific certificate holders 180
      Before you begin 180
      Configuring certificate authentication for a VPN 181
    Enabling VPN access by peer identifier 182
    Enabling VPN access using user accounts and pre-shared keys 183
  Defining IKE negotiation parameters 184
    Generating keys to authenticate an exchange 185
    Defining IKE negotiation parameters 185
  Defining the remaining phase 1 options 186
    NAT traversal 187
    NAT keepalive frequency 187
    Dead peer detection 187
  Using XAuth authentication 188
    Using the FortiGate unit as an XAuth server 188
    Authenticating the FortiGate unit as a client with XAuth 189

Phase 2 parameters 191
  Basic phase 2 settings 191
  Advanced phase 2 settings 191
    P2 Proposal 192
    Replay detection 192
    Perfect forward secrecy 192
    Keylife 192
    Auto-negotiate 192
    Autokey Keep Alive 193
    DHCP-IPsec 193
    Quick mode selectors 193
  Configure the phase 2 parameters 194
    Specifying the phase 2 parameters 194

Defining firewall policies 197
  Defining firewall addresses 197
  Defining firewall policies 198
    Defining an IPsec firewall policy for a policy-based VPN 198
      Before you begin 199
      Defining multiple IPsec policies for the same tunnel 200
    Defining firewall policies for a route-based VPN 201

Hardware offloading and acceleration 203
  Overview 203
    IPsec session offloading requirements 203
    Packet requirements 204
    IPsec encryption offloading 204
    HMAC check offloading 204
  IPsec offloading configuration examples 205
    Accelerated route-based VPN configuration 205
    Accelerated policy-based VPN configuration 206

Monitoring and troubleshooting VPNs 209
  Monitoring VPN connections 209
    Monitoring connections to remote peers 209
    Monitoring dialup IPsec connections 209
  Monitoring IKE sessions 211
  Testing VPN connections 211
  Logging VPN events 211
  VPN troubleshooting tips 213
    A word about NAT devices 214

Index 215

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

This chapter contains the following topics:
  Before you begin
  How this guide is organized
  Document conventions
  Entering FortiOS configuration data
  Registering your Fortinet product
  Fortinet products End User License Agreement
  Training
  Documentation
  Customer service and technical support

Before you begin

Before you begin using this guide, ensure that:
  You have administrative access to the web-based manager and/or CLI.
  The FortiGate unit is integrated into your network.
  The operation mode has been configured.
  The system time, DNS settings, administrator password, and network interfaces have been configured.
  Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.

While using the instructions in this guide, note that:
  Administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

    How this guide is organizedThis FortiOS Handbook chapter contains the following sections: IPsec VPN concepts explains the basic concepts that you need to understand about

    virtual private networks (VPNs). FortiGate IPsec VPN Overview provides a brief overview of IPsec technology and

    includes general information about how to configure IPsec VPNs using this guide. Gateway-to-gateway configurations explains how to set up a basic gateway-to-

    gateway (site-to-site) IPsec VPN. In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks.

    Hub-and-spoke configurations describes how to set up hub-and-spoke IPsec VPNs. In a hub-and-spoke configuration, connections to a number of remote peers and/or ortiOS Handbook v2: IPsec VPNs1-420-112804-20101019 13ttp://docs.fortinet.com/ Feedback

    clients radiate from a single, central FortiGate hub.

  • How this guide is organized Introduction Dynamic DNS configurations describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a static domain name and a dynamic IP address.

    FortiClient dialup-client configurations guides you through configuring a FortiClient dialup-client IPsec VPN. In a FortiClient dialup-client configuration, the FortiGate unit acts as a dialup server and VPN client functionality is provided by the FortiClient Endpoint Security application installed on a remote host.

    FortiGate dialup-client configurations explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

    Supporting IKE Mode config clients explains how to set up a FortiGate unit as either an IKE Mode Config server or client. IKE Mode Config is an alternative to DHCP over IPsec.

    Internet-browsing configuration explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the firewall policy that controls traffic on the private network behind the local FortiGate unit.

    Redundant VPN configurations discusses the options for supporting redundant and partially redundant tunnels in an IPsec VPN configuration. A FortiGate unit can be configured to support redundant tunnels to the same remote peer if the FortiGate unit has more than one interface to the Internet.

    Transparent mode VPNs describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently. In Transparent mode, all interfaces of the FortiGate unit except the management interface are invisible at the network layer.

    Manual-key configurations explains how to manually define cryptographic keys to establish an IPsec VPN tunnel. If one VPN peer uses specific authentication and encryption keys to establish a tunnel, both VPN peers must be configured to use the same encryption and authentication algorithms and keys.

    IPv6 IPsec VPNs describes FortiGate unit VPN capabilities for networks based on IPv6 addressing. This includes IPv4-over-IPv6 and IPv6-over-IPv4 tunnelling configurations. IPv6 IPsec VPNs are available in FortiOS 3.0 MR5 and later.

    L2TP and IPsec (Microsoft VPN) configurations explains how to support Microsoft Windows native VPN clients.

    GRE over IPsec (Cisco VPN) configurations explains how to interoperate with Cisco VPNs that use Generic Routing Encapsulation (GRE) protocol with IPsec.

    Protecting OSPF with IPsec provides an example of protecting OSPF links with IPsec. Auto Key phase 1 parameters provides detailed step-by-step procedures for

    configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The basic phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase VPN connection security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes.

    Phase 2 parameters provides detailed step-by-step procedures for configuring an IPsec VPN tunnel. During phase 2, the specific IPsec security associations needed to implement security services are selected and a tunnel is established. IPsec VPNs for FortiOS 4.0 MR2 14 01-420-112804-20101019

    http://docs.fortinet.com/ Feedback

  • Introduction How this guide is organized

    Defining firewall policies explains how to specify the source and destination IP addresses of traffic transmitted through an IPsec VPN tunnel, and how to define a firewall encryption policy. Firewall policies control all IP traffic passing between a source address and a destination address.

    Hardware offloading and acceleration explains how to make use of FortiASIC network processor IPsec accelerated processing capabilities.

    Monitoring and troubleshooting VPNs provides some general monitoring and testing procedures for VPNs.

    Where possible, this document explains how to configure VPNs using the web-based manager. A few options can be configured only through the CLI. You can also configure VPNs entirely through the CLI. For detailed information about CLI commands, see the FortiGate CLI Reference.

    Document conventions

    Fortinet technical documentation uses the conventions described below.

    IP addresses

    To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

    Most of the examples in this document use the following IP addressing. IP addresses are made up of A.B.C.D:

    A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.

    B - 168, or the branch / device / virtual device number.
        Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
        Device or virtual device - allows multiple FortiGate units in this address space (VDOMs). Devices can be from x01 to x99.

    C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet.
        001 - 099 - physical address ports, and non-virtual interfaces
        100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.

    D - usage based addresses; this part is determined by what the device is doing. The following gives 16 reserved, 140 users, and 100 servers in the subnet.
        001 - 009 - reserved for networking hardware, like routers, gateways, etc.
        010 - 099 - DHCP range - users
        100 - 109 - FortiGate devices - typically only use 100
        110 - 199 - servers in general (see later for details)
        200 - 249 - static range - users
        250 - 255 - reserved (255 is broadcast, 000 not used)

    The D segment servers can be further broken down into:
        110 - 119 - Email servers
        120 - 129 - Web servers
        130 - 139 - Syslog servers
        140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
        150 - 159 - VoIP / SIP servers / managers
        160 - 169 - FortiAnalyzers
        170 - 179 - FortiManagers
        180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
        190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)

    Fortinet products, non-FortiGate, are found from 160 - 189.



    The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used.

    Table 1: Examples of the IP numbering

    Location and device                                     Internal           Dmz                External
    Head Office, one FortiGate                              10.011.101.100     10.011.201.100     172.20.120.191
    Head Office, second FortiGate                           10.012.101.100     10.012.201.100     172.20.120.192
    Branch Office, one FortiGate                            10.021.101.100     10.021.201.100     172.20.120.193
    Office 7, one FortiGate with 9 VDOMs                    10.079.101.100     10.079.101.100     172.20.120.194
    Office 3, one FortiGate, web server                     n/a                10.031.201.110     n/a
    Bob in accounting on the corporate user network         10.0.11.101.200    n/a                n/a
      (dhcp) at Head Office, one FortiGate
    Router outside the FortiGate                            n/a                n/a                172.20.120.195

    Example Network configuration

    The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.

    Figure 1: Example network configuration

    [Network diagram not reproduced. Labels in the figure: head office, two branch offices, internal network, engineering network 10.22.101.0; FortiGate-620B HA cluster, FortiMail-100C, FortiWiFi-80CM (WLAN 10.12.101.100, SSID example.com, DHCP range 10.12.101.200-249), FortiGate-82C, FortiAnalyzer-100B, FortiGate-3810A, FortiManager-3000B, FortiGate-5005FA2 units, FortiSwitch-5003A, FortiGate-5050-SM, FortiGate-51B (WAN1 172.20.120.122, internal 10.31.101.100), Linux and Windows PCs; external addresses in 172.20.120.0, internal addresses in 10.11.101.0, 10.12.101.0, 10.21.101.0, 10.22.101.0 and 10.31.101.0.]


    Cautions, Notes and Tips

    Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

    Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

    Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

    Tip: Highlights useful additional information, often tailored to your workplace activity.

    Typographical conventions

    Fortinet documentation uses the following typographical conventions:

    Table 2: Typographical conventions in Fortinet technical documentation

    Convention                                            Example
    Button, menu, text box, field, or check box label     From Minimum log level, select Notification.
    CLI input                                             config system dns
                                                              set primary
                                                          end
    CLI output                                            FGT-602803030703 # get system settings
                                                          comments : (null)
                                                          opmode : nat
    Emphasis                                              HTTP connections are not secure and can be intercepted by a third party.
    File content                                          Firewall Authentication
                                                          You must authenticate to use this service.
    Hyperlink                                             Visit the Fortinet Technical Support web site, https://support.fortinet.com.
    Keyboard entry                                        Type a name for the remote VPN peer or client, such as Central_Office_1.
    Navigation                                            Go to VPN > IPSEC > Auto Key (IKE).
    Publication                                           For details, see the FortiOS Handbook.

    CLI command syntax conventions

    This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI). Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as , indicate which data types or string patterns are acceptable value input.

    Table 3: Command syntax notation

    Convention: Square brackets [ ]
    A non-required word or series of words. For example:
        [verbose {1 | 2 | 3}]
    indicates that you may either omit or type both the verbose word and its accompanying option, such as:
        verbose 3

    Convention: Angle brackets < >
    A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:
    indicates that you should enter a number of retries, such as 5. Data types include:
        : A name referring to another part of the configuration, such as policy_A.
        : An index number referring to another part of the configuration, such as 0 for the first static route.
        : A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
        : A fully qualified domain name (FQDN), such as mail.example.com.
        : An email address, such as [email protected].
        : A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet./com/.
        : An IPv4 address, such as 192.168.1.99.
        : A dotted decimal IPv4 netmask, such as 255.255.255.0.
        : A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
        : A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
        : A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
        : An IPv6 netmask, such as /96.
        : An IPv6 address and netmask separated by a space.
        : A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
        : An integer number that is not another data type, such as 15 for the number of minutes.

    Convention: Curly braces { }
    A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

    Convention: Options delimited by vertical bars |
    Mutually exclusive options. For example:
        {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.

    Convention: Options delimited by spaces
    Non-mutually exclusive options. For example:
        {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
        ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
        ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

    Entering FortiOS configuration data

    The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiOS configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

    Entering text strings (names)

    Text strings are used to name entities in the configuration, for example, the name of a firewall address, an administrative user, and so on. You can enter any character in a FortiGate configuration text string, except that, to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters:
        " (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)

    You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address in the web-based manager you are limited to entering 64 characters in the firewall address name field. From the CLI you can do the following to confirm that the firewall address name field allows 64 characters.

        config firewall address
        tree
        -- [address] --*name (64)
                       |- subnet
                       |- type
                       |- start-ip
                       |- end-ip
                       |- fqdn (256)
                       |- cache-ttl (0,86400)
                       |- wildcard
                       |- comment (64 xss)
                       |- associated-interface (16)
                       +- color (0,32)

    Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters.
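    As an added example (not code from the handbook or from FortiOS), the following Python parses a tree listing like the one above to recover each field's limit, then checks a candidate firewall address entry against those limits and the forbidden-character rule for names. The tree text and sample entries are constructed, and treating the "xss" annotation as "same character rule as names" is an assumption of this example.

```python
"""Validate 'config firewall address' entries against the limits shown by
the FortiGate CLI 'tree' command and the XSS character rule for names.

Added example, not FortiOS or handbook code. TREE_OUTPUT is a constructed
copy of the listing quoted in the handbook; reading the 'xss' annotation as
"this field is filtered like a name" is an assumption of this example.
"""
import re

# Characters the handbook says configuration names may not contain,
# to prevent cross-site scripting through the web-based manager.
FORBIDDEN_NAME_CHARS = frozenset('"&\'<>')

# Constructed sample of the 'tree' output for the firewall address table.
TREE_OUTPUT = """\
-- [address] --*name (64)
               |- subnet
               |- type
               |- start-ip
               |- end-ip
               |- fqdn (256)
               |- cache-ttl (0,86400)
               |- wildcard
               |- comment (64 xss)
               |- associated-interface (16)
               +- color (0,32)
"""

# One leaf per line: marker (*, |- or +-), field name, optional "(...)" spec.
_LEAF_RE = re.compile(r"(?:\*|\|-|\+-)\s*([\w-]+)(?:\s*\(([^)]*)\))?")


def parse_tree(text):
    """Return {field: constraint}: ('len', max_chars, xss_flag) for strings,
    ('range', lo, hi) for integers, None when the tree shows no limit."""
    limits = {}
    for line in text.splitlines():
        m = _LEAF_RE.search(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(2)
        if spec is None:
            limits[name] = None
        elif "," in spec:                      # "(lo,hi)" integer range
            lo, hi = (int(x) for x in spec.split(","))
            limits[name] = ("range", lo, hi)
        else:                                  # "(max)" or "(max xss)"
            parts = spec.split()
            limits[name] = ("len", int(parts[0]), "xss" in parts[1:])
    return limits


def validate_entry(entry, limits, name_field="name"):
    """Return a list of problems for one entry (empty list means it is OK).
    The name is always checked for forbidden characters; fields the tree
    marks 'xss' get the same check (assumption, see module docstring)."""
    problems = []
    for name, value in entry.items():
        if name not in limits:
            problems.append(f"{name}: unknown field")
            continue
        limit = limits[name]
        if limit is None:
            continue
        if limit[0] == "len":
            _, max_len, xss = limit
            if len(value) > max_len:
                problems.append(f"{name}: {len(value)} chars exceeds {max_len}")
            if name == name_field or xss:
                bad = sorted(set(value) & FORBIDDEN_NAME_CHARS)
                if bad:
                    problems.append(f"{name}: forbidden characters {bad}")
        else:
            _, lo, hi = limit
            if not lo <= int(value) <= hi:
                problems.append(f"{name}: {value} outside range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    limits = parse_tree(TREE_OUTPUT)
    good = {"name": "Site_B_LAN", "subnet": "192.168.10.0 255.255.255.0",
            "comment": "remote office network", "cache-ttl": "3600"}
    bad = {"name": 'lan<script>alert("x")</script>', "fqdn": "a" * 300,
           "cache-ttl": "90000"}
    print(validate_entry(good, limits))    # []
    print(validate_entry(bad, limits))     # three problems reported
```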

    Entering numeric values

    Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers.

    Most web-based manager numeric value configuration fields limit the number of numeric digits that you can add or contain extra information to make it easier to add the acceptable number of digits and to add numbers in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.

    Selecting options from a list

    If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

    Enabling or disabling options

    If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.

    Registering your Fortinet product

    Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

    Fortinet products End User License Agreement

    See the Fortinet products End User License Agreement.

    Training

    Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email [email protected].

    Documentation

    The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

    Fortinet Tools and Documentation CD

    Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

    Fortinet Knowledge Base

    The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

    Comments on Fortinet technical documentation

    Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

    Customer service and technical support

    Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.

    IPsec VPN concepts

    Virtual Private Network (VPN) technology enables users to connect to private networks in a secure way. For example, an employee traveling or working from home can access the office network through the Internet. The use of a VPN ensures that unauthorized parties cannot access the office network and cannot intercept any of the information that is exchanged with the employee. It is also common to use a VPN to connect the private networks of two or more offices.

    Fortinet offers VPN capabilities in the FortiGate Unified Threat Management appliance and in the FortiClient Endpoint Security application. A FortiGate unit can be installed on a private network, and FortiClient software is installed on the user's computer. It is also possible to use a FortiGate unit to connect to the private network instead of FortiClient software.

    This chapter discusses terms and concepts you are likely to encounter while working with VPNs:
        IP packets
        VPN tunnels
        VPN gateways
        Clients, servers, and peers
        Encryption
        Authentication
        Phase 1 and Phase 2 settings
        Security Association

    IP packets

    In network terminology, data is sent in something called an IP packet. Packets have a fixed size, typically about 1500 bytes. Larger amounts of data are sent and received as a sequence of packets.

    Figure 2: IP addresses can be compared to street addresses

    An IP packet contains data, a source address, and a destination address. Conceptually, source and destination addresses can be compared to street and/or apartment addresses (see Figure 2). When a letter is mailed, it is delivered to a street and/or apartment address (destination address). The return address (source address) is printed on the envelope. The source address corresponds to the computer that sent the data, and the destination address corresponds to the computer that will use the data. Computers use source and destination addresses to determine where a packet came from and where it is going. Figure 3 shows a network version of the street-address analogy.

    Figure 3: Network version of street-address analogy

    IP addresses can be static or dynamic. A static IP address is fixed, like the street address of a home or business. Your Internet Service Provider (ISP) might provide a dynamic address instead. In that case, you are assigned an IP address only when you connect to the network. The address can be different each time you connect. Whether your IP address is static or dynamic determines the types of VPN configurations that you can support.

    Packets exchanged over an insecure network can be intercepted. A VPN encrypts data to secure it. Encryption transforms the data so that it appears random and meaningless to anyone who does not have the correct key to decrypt it. See Encryption on page 29.

    VPNs also address the issue of authentication. You want to ensure that only authorized users can connect to your private network. See Authentication on page 30.

    There are several types of VPN. This guide discusses only Internet Protocol Security (IPsec) VPN technology.

    VPN tunnels

    The data path between a user's computer and a private network through a VPN is often referred to as a tunnel. Like a tunnel, the route is accessible only at the ends. In the telecommuting scenario, the tunnel runs between the FortiClient application on the user's PC and the FortiGate unit that connects the office private network to the Internet.

    What makes this possible is encapsulation. The IPsec packets that pass from one end of the tunnel to the other contain the data packets that are exchanged between the remote user and the private network. Encryption of the data packets ensures that any third party intercepting the IPsec packets has no access to the data. This idea is shown conceptually in Figure 4.


    Figure 4: Encoded data going through a VPN tunnel

    You can create a VPN tunnel between:
        a PC equipped with the FortiClient application and a FortiGate unit
        two FortiGate units

    It is also possible to create a VPN tunnel with some types of third-party VPN software or hardware and either a FortiGate unit or the FortiClient application. The Fortinet Knowledge Base contains articles on this topic.

    VPN gateways

    A gateway is a router that connects the local network to other networks. The default gateway setting in your computer's TCP/IP properties specifies the gateway for your local network.

    A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the encapsulated data packets and passes the data packets to the local network. Also, it encrypts data packets destined for the other end of the VPN tunnel, encapsulates them, and sends the IPsec packets to the other VPN gateway.

    The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet. Optionally, you can define a secondary IP address for the interface and use that address as the local VPN gateway address.

    The following diagram shows a VPN between two private networks with FortiGate units acting as the VPN gateways.

    Figure 5: VPN tunnel between two private networks

    [Diagram not reproduced. Labels in the figure: Site A network 10.10.1.0/24, Site A VPN gateway (FortiGate unit), Site B network 192.168.10.0/24, Site B VPN gateway (FortiGate unit), VPN tunnel, gateway addresses a.1.2.3 and b.4.5.6.]

    Although the IPsec traffic may actually pass through many Internet routers, you can think of the VPN tunnel as a simple secure connection between the two FortiGate units.

    Users on the two private networks do not need to be aware of the VPN tunnel. The applications on their computers generate packets with the appropriate source and destination addresses, as they normally do. The FortiGate units manage all the details of encrypting, encapsulating and sending the packets to the remote VPN gateway. The data is encapsulated in IPsec packets only in the VPN tunnel between the two VPN gateways. Between the user's computer and the gateway, the data is in regular IP packets.

    For example, User1 at Site A, IP address 10.10.1.7, sends packets with destination IP address 192.168.10.8, the address of User2 at Site B. The Site A FortiGate unit is configured to send packets with destinations on the 192.168.10.0 network through the VPN, encrypted and encapsulated, of course. Similarly, the Site B FortiGate unit is configured to send packets with destinations on the 10.10.1.0 network through the VPN tunnel to the Site A VPN gateway.

    In the site-to-site VPN shown in Figure 5, the FortiGate units have static (fixed) IP addresses and either unit can initiate communication. You can also create a VPN tunnel between an individual PC running the FortiClient application and a FortiGate unit, as shown below:

    Figure 6: VPN tunnel between a FortiClient PC and a FortiGate unit

    On the PC, the FortiClient application acts as the local VPN gateway. Packets destined for the office network are encrypted, encapsulated into IPsec packets, and sent through the VPN tunnel to the FortiGate unit. Packets for other destinations are routed to the Internet as usual. IPsec packets arriving through the tunnel are decrypted to recover the original IP packets.

    [Figure 6 diagram not reproduced. Labels in the figure: FortiClient PC, Office FortiGate unit, Office network 10.10.1.0/24, VPN tunnel, addresses a.1.2.3 and b.4.5.6.]


    Clients, servers, and peers

    A FortiGate unit in a VPN can have one of the following roles:
        server - responds to a request to establish a VPN tunnel
        client - contacts a remote VPN gateway and requests a VPN tunnel
        peer - brings up a VPN tunnel or responds to a request to do so

    The site-to-site VPN shown in Figure 5 is a peer-to-peer relationship. Either FortiGate unit VPN gateway can establish the tunnel and initiate communications. The FortiClient-to-FortiGate VPN shown in Figure 6 is a client-server relationship. The FortiGate unit establishes a tunnel when the FortiClient PC requests one.

    A FortiGate unit cannot be a VPN server if it has a dynamically-assigned IP address. VPN clients need to be configured with a static IP address for the server. A FortiGate unit acts only as a server when the remote VPN gateway has a dynamic IP address or is a client-only device or application, such as the FortiClient application.

    As a VPN server, a FortiGate unit can also offer automatic configuration for FortiClient PCs. The user needs to know only the IP address of the FortiGate VPN server and a valid user name/password. The FortiClient application downloads the VPN configuration settings from the FortiGate VPN server. For information about configuring a FortiGate unit as a VPN server, see the FortiClient Administration Guide.

    Encryption

    Encryption mathematically transforms data to look like meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation of recovering the original plaintext from the ciphertext.

    The process by which the plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, known as a key, in the arithmetic process of converting plaintext to ciphertext, or vice-versa. IPsec uses symmetrical algorithms, in which the same key is used to both encrypt and decrypt the data. The security of an encryption algorithm is determined by the length of the key that it uses. FortiGate IPsec VPNs offer the following encryption algorithms, in descending order of security:
        AES256 - a 128-bit block algorithm that uses a 256-bit key.
        AES192 - a 128-bit block algorithm that uses a 192-bit key.
        AES128 - a 128-bit block algorithm that uses a 128-bit key.
        3DES - Triple-DES, in which plain text is DES-encrypted three times by three keys.
        DES - Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

    The default encryption algorithms provided on FortiGate units make recovery of encrypted data almost impossible without the proper encryption keys. There is a human factor in the security of encryption. The key must be kept secret, known only to the sender and receiver of the messages. Also, the key must not be something that unauthorized parties might guess, such as the sender's name or birthday or a simple sequence like 123456.

    Authentication

    In addition to protecting data through encryption, a VPN must ensure that only authorized users can access the private network. You must use either a preshared key on both VPN gateways or RSA X.509 security certificates. The examples in this guide use only preshared key authentication.

    Preshared keys

    A preshared key contains at least 6 randomly chosen alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration. Although it looks like a password, the preshared key, also known as a shared secret, is never sent by either gateway. The preshared key is used in the calculations at each end that generate the encryption keys. As soon as the VPN peers attempt to exchange encrypted data, preshared keys that do not match will cause the process to fail.

    Additional authentication

    To increase security, you can require additional means of authentication:
        an identifier, called a peer ID or a local ID
        extended authentication (XAUTH), which imposes an additional user name/password requirement

    A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID of a peer is called a Peer ID.

    Phase 1 and Phase 2 settings

    A VPN tunnel is established in two phases: Phase 1 and Phase 2. Several parameters determine how this is done. Except for IP addresses, the settings simply need to match at both VPN gateways and there are defaults that are appropriate for most cases.

    Phase 1

    In Phase 1, the two VPN gateways exchange information about the encryption algorithms that they support and then establish a temporary secure connection to exchange authentication information.

    When you configure your FortiGate unit or FortiClient application, you must specify the following settings for Phase 1:
        Remote Gateway - the remote VPN gateway's address. FortiGate units also have the option of operating only as a server by selecting the Dialup User option.
        Preshared key - this must be the same at both ends. It is used to encrypt phase 1 authentication information.
        Local interface - the network interface that connects to the other VPN gateway. This applies on a FortiGate unit only.

    Note: The FortiClient application distinguishes between Phase 1 and Phase 2 only in the VPN Advanced settings and uses different terms. Phase 1 is called the IKE Policy. Phase 2 is called the IPsec Policy.


    All other Phase 1 settings have default values. These settings mainly configure the types of encryption to be used. The default settings on FortiGate units and in the FortiClient application are compatible. The examples in this guide use these defaults. For more detailed information about Phase 1 settings, see the Auto Key phase 1 parameters chapter of the FortiGate IPsec VPN User Guide.

    Phase 2

    Similar to the Phase 1 process, the two VPN gateways exchange information about the encryption algorithms that they support for Phase 2. Phase 1 and Phase 2 can use different encryption. If both gateways have at least one encryption algorithm in common, a VPN tunnel is established. To configure default Phase 2 settings on a FortiGate unit, you need only select the name of the corresponding Phase 1 configuration. In the FortiClient application, no action is required to enable default Phase 2 settings. For more detailed information about Phase 2 settings, see the Phase 2 parameters chapter of the FortiGate IPsec VPN User Guide.

Security Association

The establishment of a Security Association (SA) is the successful outcome of Phase 1 negotiations. Each peer maintains a database of information about VPN connections. The information in each SA can include cryptographic algorithms and keys, keylife, and the current packet sequence number. This information is kept synchronized as the VPN operates. Each SA has a Security Parameter Index (SPI) that is provided to the remote peer at the time the SA is established. Subsequent IPsec packets from the peer always reference the relevant SPI. It is possible for peers to have multiple VPNs active simultaneously.


FortiGate IPsec VPN Overview

This section provides a brief overview of IPsec technology and includes general information about how to configure IPsec VPNs using this guide.

The following topics are included in this section:
• About FortiGate VPNs
• Planning your VPN
• General preparation steps
• How to use this guide to configure an IPsec VPN

About FortiGate VPNs

VPN configurations interact with the firewall component of the FortiGate unit. There must be a firewall policy in place to permit traffic to pass between the private network and the VPN tunnel.

Firewall policies for VPNs specify:
• the FortiGate interface that provides the connection to the remote VPN gateway, usually an interface connected to the Internet
• the FortiGate interface that connects to the private network
• the IP addresses associated with data that has to be encrypted and decrypted
• optionally, a schedule that restricts when the VPN can operate
• optionally, the services (types of data) that can be sent

When the first packet of data meeting all of the conditions of the policy arrives at the FortiGate unit, a VPN tunnel may be initiated and the encryption/decryption of data is performed automatically afterward.

FortiGate unit VPNs can be policy-based or route-based. There is little functional difference between the two types. In both cases, you specify phase 1 and phase 2 settings, but there is a difference in implementation. A route-based VPN creates a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it carries. That is why route-based VPNs are also known as interface-based VPNs. A policy-based VPN is implemented through a special firewall policy that applies the encryption you specified in the phase 1 and phase 2 settings.

For a route-based VPN, you need to create two firewall policies between the virtual IPsec interface and the interface that connects to the private network. In one policy the virtual interface is the source. In the other policy the virtual interface is the destination. The Action for both policies is Accept. For a policy-based VPN, one firewall policy enables communication in both directions. You must select IPSEC as the Action and then select the VPN tunnel you defined in the phase 1 settings. You can then enable inbound and outbound traffic as needed.

Planning your VPN

To save time later and be ready to configure a VPN correctly, it is a good idea to plan the VPN configuration ahead of time. All VPN configurations comprise a number of required and optional parameters. Before you begin, you need to determine:
• where does the IP traffic originate, and where does it need to be delivered
• which hosts, servers, or networks to include in the VPN
• which VPN devices to include in the configuration
• through which interfaces the VPN devices communicate
• through which interfaces do private networks access the VPN gateways

Once you have this information, you can select a VPN topology that meets the requirements of your situation. For more information, see Network topologies on page 34.

Network topologies

The topology of your network will determine how remote peers and clients connect to the VPN and how VPN traffic is routed. You can read about various network topologies and find the high-level procedures needed to configure IPsec VPNs in one of these sections:
• Gateway-to-gateway configurations
• Hub-and-spoke configurations
• Dynamic DNS configurations
• FortiClient dialup-client configurations
• FortiGate dialup-client configurations
• Internet-browsing configuration
• Redundant VPN configurations
• Transparent mode VPNs
• Manual-key configurations

These sections contain high-level configuration guidelines with cross-references to detailed configuration procedures. If you need more detail to complete a step, select the cross-reference in the step to drill down to more detail. Return to the original procedure to complete the procedure. For a general overview of how to configure a VPN, see General preparation steps below.

Choosing policy-based or route-based VPNs

There are two broad types of IPsec VPNs available on FortiGate units: policy-based and route-based. For both of these VPN types you create phase 1 and phase 2 configurations. The main difference is in the firewall policy.

You create a policy-based VPN by defining an IPSEC firewall policy between two network interfaces and associating it with the VPN tunnel (phase 1) configuration.

You create a route-based VPN by enabling IPsec interface mode in the VPN phase 1 configuration. This creates a virtual IPsec interface. You then define a regular ACCEPT firewall policy to permit traffic to flow between the virtual IPsec interface and another network interface.


Where possible, create route-based VPNs. Generally, route-based VPNs are more flexible and easier to configure than policy-based VPNs. However, the two types have different requirements that limit where they can be used.

Table 4: Comparison of policy-based and route-based VPNs

Policy-based | Route-based
Available in NAT/Route or Transparent mode | Available only in NAT/Route mode
Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One policy controls connections in both directions. | Requires only a simple firewall policy with ACCEPT action. A separate policy is required for connections in each direction.
Supports L2TP-over-IPsec configuration | Does not support L2TP-over-IPsec configuration
Doesn't support GRE-over-IPsec configuration | Supports GRE-over-IPsec configuration

General preparation steps

A VPN configuration defines relationships between the VPN devices and the private hosts, servers, or networks making up the VPN. Configuring a VPN involves gathering and recording the following information. You will need this information to configure the VPN.
• Identify the private IP address(es) of traffic generated by participating hosts, servers, and/or networks. These IP addresses represent the source addresses of traffic that is permitted to pass through the VPN. An IP source address can be an individual IP address, an address range, or a subnet address.
• Identify the public IP addresses of the VPN end-point interfaces. The VPN devices establish tunnels with each other through these interfaces.
• Identify the private IP address(es) associated with the VPN-device interfaces to the private networks. Computers on the private network(s) behind the VPN gateways will connect to their VPN gateways through these interfaces.

How to use this guide to configure an IPsec VPN

This guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations. Follow the step-by-step configuration procedures in this guide to set up the VPN. The following configuration procedures are common to all IPsec VPNs:

1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers or clients and establish a secure connection. See Auto Key phase 1 parameters on page 175.

2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client. See Phase 2 parameters on page 191.

3 Specify the source and destination addresses of IP packets that are to be transported through the VPN tunnel. See Defining firewall addresses on page 197.

4 Create an IPsec firewall policy to define the scope of permitted services between the IP source and destination addresses. See Defining firewall policies on page 198.

Note: The steps given above assume that you will perform Steps 1 and 2 to have the FortiGate unit generate unique IPsec encryption and authentication keys automatically. In situations where a remote VPN peer or client requires a specific IPsec encryption and/or authentication key, you must configure the FortiGate unit to use manual keys instead of performing Steps 1 and 2. For more information, see Manual-key configurations on page 131.
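The policy-based form that Table 4 contrasts with the route-based form, written out in the FortiOS CLI. This is an added example, not configuration from the handbook. The tunnel name to_Site_2, the interface names wan1 (public) and internal (private), the address objects Site_1_net and Site_2_net (assumed to be defined already) and the peer address 203.0.113.1 (a TEST-NET address) are all constructed, and the keywords are the FortiOS 4.0 CLI as I know it, so check them against the FortiGate CLI Reference for your build.

```fortios
# Added example (not from the handbook). Assumed names: tunnel "to_Site_2",
# public interface "wan1", private interface "internal", address objects
# "Site_1_net" and "Site_2_net" (already defined), peer 203.0.113.1 (constructed).

# Phase 1 WITHOUT IPsec Interface Mode: the "phase1" table, not
# "phase1-interface". No virtual interface is created, so nothing can be
# routed into the tunnel; the firewall policy below is what selects it.
config vpn ipsec phase1
    edit "to_Site_2"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end

# Phase 2 only needs to name the phase 1 it belongs to; the defaults are
# compatible between FortiGate units, as the concepts section says.
config vpn ipsec phase2
    edit "to_Site_2_p2"
        set phase1name "to_Site_2"
    next
end

# One firewall policy with action IPSEC, bound to the tunnel. It sits between
# the private interface and the public interface (there is no tunnel interface).
# The inbound/outbound flags take the place of the second policy that a
# route-based VPN needs for the reverse direction.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Site_1_net"
        set dstaddr "Site_2_net"
        set action ipsec
        set vpntunnel "to_Site_2"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end
```

The design choice this exposes is the one Table 4 summarises: because no interface exists, a policy-based tunnel cannot carry a GRE tunnel or be the target of a static route, but it also needs no route and works in Transparent mode. Switching to route-based means re-creating the phase 1 in the phase1-interface table (the handbook notes that the interface-mode setting cannot be changed after the phase 1 is saved) and replacing policy 10 with a pair of ACCEPT policies that name the virtual interface.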


Gateway-to-gateway configurations

This section explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN.

The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the VPN peers
• Configuration example
• How to work with overlapping subnets

Configuration overview

In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate firewall policies.

Figure 7: Example gateway-to-gateway configuration

(Diagram not reproduced in this transcript; it shows FortiGate_1 at Site_1 and FortiGate_2 at Site_2.)

Note: In some cases, computers on the private network behind one VPN peer may (by coincidence) have IP addresses that are already used by computers on the network behind the other VPN peer. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent. To resolve issues related to ambiguous routing, see How to work with overlapping subnets on page 46.

In other cases, computers on the private network behind one VPN peer may obtain IP addresses from a local DHCP server. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and/or IP-address overlap issues may arise. For a discussion of the related issues, see FortiGate dialup-client configurations on page 87.

    You can set up a fully meshed or partially meshed configuration (see Figure 8 and Figure 9).

Figure 8: Fully meshed configuration

    In a fully meshed network, all VPN peers are connected to each other, with one hop between peers. This topology is the most fault-tolerant: if one peer goes down, the rest of the network is not affected. This topology is difficult to scale because it requires connections between all peers. In addition, unnecessary communication can occur between peers. We recommend a hub-and-spoke configuration instead (see Hub-and-spoke configurations on page 51).

    Figure 9: Partially meshed configuration

    A partially meshed network is similar to a fully meshed network, but instead of having tunnels between all peers, tunnels are only configured between peers that communicate with each other regularly.

(Diagrams for Figure 8 and Figure 9 are not reproduced in this transcript; the peers shown are FortiGate_1 through FortiGate_5.)


Gateway-to-gateway infrastructure requirements

The FortiGate units at both ends of the tunnel must be operating in NAT/Route mode and have static public IP addresses.

General configuration steps

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the firewall policy permits the connection, the FortiGate unit establishes the tunnel using IPsec phase 2 parameters and applies the IPsec firewall policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed on both FortiGate units:
• Define the phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
• Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
• Create firewall policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.

For more information, see Configure the VPN peers below.
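Those three steps, plus the address objects and the static route that a route-based tunnel also needs, look like this in the FortiOS CLI on the FortiGate_1 side. This is an added example, not configuration from the handbook: the tunnel name to_Site_2, the interface names wan1 and internal, the peer's public address 203.0.113.1 (a TEST-NET address) and the private subnets 10.11.101.0/24 (Site_1) and 10.21.101.0/24 (Site_2) are all constructed, and the keywords are the FortiOS 4.0 CLI as I know it, so check them against the FortiGate CLI Reference for your build.

```fortios
# Added example (not from the handbook): FortiGate_1 side of a route-based
# gateway-to-gateway tunnel. Constructed values:
#   wan1 = public interface, peer public address 203.0.113.1 (TEST-NET)
#   internal = private interface, Site_1 10.11.101.0/24, Site_2 10.21.101.0/24

# Step 1: phase 1 (IKE). Using the "phase1-interface" table is what the GUI
# calls Enable IPsec Interface Mode; it creates a virtual interface "to_Site_2".
# Remote gateway, preshared key and local interface are the mandatory settings;
# the rest are written out so both peers can be compared line by line.
config vpn ipsec phase1-interface
    edit "to_Site_2"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set mode main
        set authmethod psk
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
        set proposal aes128-sha1 3des-sha1
        set dhgrp 5
        set dpd enable
    next
end

# Step 2: phase 2 (the IPsec SA). The subnet selectors bound what this SA
# will carry; they must mirror each other on the two peers.
config vpn ipsec phase2-interface
    edit "to_Site_2_p2"
        set phase1name "to_Site_2"
        set proposal aes128-sha1 3des-sha1
        set pfs enable
        set dhgrp 5
        set keylifeseconds 1800
        set src-subnet 10.11.101.0 255.255.255.0
        set dst-subnet 10.21.101.0 255.255.255.0
    next
end

# Step 3: address objects for the two private networks.
config firewall address
    edit "Site_1_net"
        set subnet 10.11.101.0 255.255.255.0
    next
    edit "Site_2_net"
        set subnet 10.21.101.0 255.255.255.0
    next
end

# Step 4: one ACCEPT policy per direction through the virtual interface,
# with NAT off so the real private addresses traverse the tunnel.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "to_Site_2"
        set srcaddr "Site_1_net"
        set dstaddr "Site_2_net"
        set action accept
        set nat disable
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "to_Site_2"
        set dstintf "internal"
        set srcaddr "Site_2_net"
        set dstaddr "Site_1_net"
        set action accept
        set nat disable
        set schedule "always"
        set service "ANY"
    next
end

# A route-based VPN also needs a route that sends the remote network into
# the virtual interface; without it no packet ever reaches policy 1.
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0
        set device "to_Site_2"
    next
end
```

FortiGate_2 gets the mirror image: remote-gw set to FortiGate_1's public address, the src-subnet/dst-subnet pair and the two policies swapped, and a static route for 10.11.101.0/24 via its own virtual interface. Once both sides are configured, `diagnose vpn tunnel list` on either unit lists the negotiated security associations with their SPIs, which is the quickest check that Phase 2 actually completed; a tunnel that shows a Phase 1 SA but no Phase 2 SA usually means the subnet selectors or proposals do not match.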

Configure the VPN peers

Configure the VPN peers as follows:

1 At the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the remote peer. See Auto Key phase 1 parameters on page 175. Enter these settings in particular:

Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the remote peer public interface.
Local Interface: Select the FortiGate unit's public interface.
Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. For more information, see Choosing policy-based or route-based VPNs on page 34. After you select OK to create the phase 1 configuration, you cannot change this setting.

2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 191. Enter these settings in particular:

Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.

3 Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the firewall policies that permit communication between the networks. For more information, see Defining firewall addresses on page 197. Enter these settings in particular:
• Define an address name for the IP address and netmask of the private network behind the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network behind the remote peer.

4 Define firewall policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different firewall policies. For detailed information about creating firewall policies, see Defining firewall policies on page 198.

Route-based VPN firewall policies

Define an ACCEPT firewall policy to permit communications between the source and destination addresses. Enter these settings in particular:

Source Interface/Zone: Select the interface that connects to the private network behind this FortiGate unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Destination Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Action: Select ACCEPT.
NAT: Disable.

To permit the remote client to initiate communication, you need to define a firewall policy for communication in that direction. Enter these settings in particular:

Policy-based VPN firewall policy

Define an IPsec firewall policy to permit communications between the source and destination addresses. Enter these settings in particular:

Source Interface/Zone: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind the remote peer.
Destination Interface/Zone: Select the interface that connects to the private network behind t