Policy-based versus route-based VPNs - Fortinet FortiGate Series Administration Manual

Policy-based versus route-based VPNs

For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User Guide.

FortiGate units support both policy-based and route-based VPNs. Generally, you can configure route-based VPNs more easily than policy-based VPNs. However, the two types have different requirements that limit where you can use them, as shown in Table 57.

Table 57: Comparison of policy-based and route-based VPNs

  Policy-based                                    Route-based
  ----------------------------------------------  ----------------------------------------------
  Available in NAT/Route or Transparent mode      Available only in NAT/Route mode

  Requires a firewall policy with IPSEC action    Requires only a simple firewall policy with
  that specifies the VPN tunnel. One policy       ACCEPT action. A separate policy is required
  controls connections in both directions.        for connections in each direction.

You create a policy-based VPN by defining an IPSEC firewall policy between two network interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration. You need only one firewall policy, even if either end of the VPN can initiate a connection.

You create a route-based VPN by enabling IPSec interface mode when you create the VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is bound to the local interface you selected. You then define an ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface and another network interface. If either end of the VPN can initiate the connection, you need two firewall policies, one for each direction.

Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System > Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN, inter-VDOM link or wireless interfaces are displayed under their associated interface names in the Name column. For more information, see "Configuring interfaces" on page 177. As with other interfaces, you can include a virtual IPSec interface in a zone.

Hub-and-spoke configurations

To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a concentrator function. This is available only for policy-based VPNs, but you can create the equivalent function for a route-based VPN in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. This can be time-consuming to maintain if you have many site-to-site connections, since the number of policies required increases rapidly as the number of spokes increases.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface in the zone.

For more information and an example, see the FortiGate IPSec VPN User Guide.
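The two kinds of tunnel described above, and the zone-based alternative to the concentrator for route-based spokes, as one FortiOS CLI configuration for the hub. This is an added example, not configuration from the manual or from Fortinet. It assumes a hub with a LAN interface named internal and a WAN interface named wan1, two route-based spokes (spoke1, spoke2) at the documentation addresses 203.0.113.10 and 203.0.113.20 with LANs 10.1.0.0/24 and 10.2.0.0/24, one policy-based spoke (spoke3-pb) at 203.0.113.30, the built-in address object all and service object ANY of FortiOS 4.x, and a placeholder pre-shared key; command names follow the FortiOS 4.x CLI as the editor knows it.

```text
# Route-based tunnels: IPSec interface mode creates a virtual interface named
# after each phase 1 entry (assumed names spoke1 and spoke2, bound to wan1).
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
    edit "spoke2"
        set interface "wan1"
        set remote-gw 203.0.113.20
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
end
config vpn ipsec phase2-interface
    edit "spoke1-p2"
        set phase1name "spoke1"
    next
    edit "spoke2-p2"
        set phase1name "spoke2"
    next
end
# Traffic enters a route-based tunnel by routing, so each spoke LAN
# (assumed prefixes) gets a static route out of its virtual interface.
config router static
    edit 1
        set dst 10.1.0.0 255.255.255.0
        set device "spoke1"
    next
    edit 2
        set dst 10.2.0.0 255.255.255.0
        set device "spoke2"
    next
end
# Hub function for route-based spokes: one zone holding all IPSec interfaces
# with intra-zone traffic enabled. The pairwise alternative needs up to
# n*(n-1) policies for n spokes (each pair, each direction); this needs none.
config system zone
    edit "spokes"
        set intrazone allow
        set interface "spoke1" "spoke2"
    next
end
# ACCEPT policies between the hub LAN (assumed interface internal) and the
# zone: one policy per direction, because a route-based policy is one-way.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "spokes"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 11
        set srcintf "spokes"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
# Policy-based tunnel for comparison (assumed name spoke3-pb): no virtual
# interface, so one policy between the physical interfaces names the tunnel
# with action IPSEC and covers both directions via inbound and outbound.
config vpn ipsec phase1
    edit "spoke3-pb"
        set interface "wan1"
        set remote-gw 203.0.113.30
        set psksecret REPLACE_WITH_PRESHARED_KEY
    next
end
config vpn ipsec phase2
    edit "spoke3-pb-p2"
        set phase1name "spoke3-pb"
    next
end
config firewall policy
    edit 30
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "spoke3-pb"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end
```

Enter this on the hub; each spoke needs its own mirror-image phase 1 and phase 2 entries, routes back to the hub and to the other spoke LANs, and its own policies. Once spoke1 and spoke2 are members of the spokes zone, policies must reference the zone name rather than the individual tunnel interfaces, which is what makes the single zone entry replace the pairwise policy set.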
IPSec VPN (FortiGate Version 4.0 MR1 Administration Guide, 01-410-89802-20090903, http://docs.fortinet.com/)
