Ipsec Vpn In Transparent Mode; Special Rules - Fortinet FortiGate FortiGate-1000 Administration Manual

VPN

IPSec VPN in Transparent mode
In Transparent mode, a FortiGate unit becomes transparent at the data link layer (OSI
layer 2)—it looks like a network bridge. A FortiGate unit operating in Transparent
mode requires the following basic configuration to operate as a node on the IP
network:
The unit must be configured with an IP address to permit management access. For
related information, see the "Management" section in the "System Network"
chapter of the FortiGate Administration Guide.
The unit must have sufficient routing information to reach the management station.
For any traffic to reach external destinations, a static (default) route to the router
must be present in the FortiGate routing table. The router forwards packets to the
Internet.
When all of the destinations are located on the external network, the FortiGate unit
may route packets using a single default route. If the network topology is more
complex, one or more static routes in addition to the default route may be required
in the FortiGate routing table.
To configure IPSec VPN in Transparent mode

1 Add a phase 1 configuration to define the parameters used to authenticate the remote
VPN peer. See "Phase 1" on page 248.
2 Set other phase 1 options as required. See page 252.
3 Add the phase 2 configuration to define the parameters used to create and maintain
the AutoKey VPN tunnel. See "Phase 2" on page 282.
4 Add the firewall configuration required for the VPN. See "Adding firewall policies for
IPSec VPN tunnels" on page 285.

Special rules

The management IP address of the FortiGate unit is used as the IPSec gateway. This
address is the static gateway IP to enter when configuring the remote peer.
The FortiGate unit must have a default route so that packets generated locally by
the FortiGate unit (IKE negotiation and ESP traffic, for example) have somewhere to go.
The subnets being linked by an IPSec tunnel must be disjoint, and there must be at
least one router separating the two Transparent mode FortiGate units (they can be
directly connected only if the default router issues ICMP redirects).
The FortiGate unit management IP address may or may not be within the same
subnet as the address range that is used in the encrypt policy.
If there are additional routers behind the firewall, the FortiGate unit must have static
routes for any subnets that are not directly connected, if those subnets are used in an
encrypt policy. The default route alone points at the Internet router and does not reach
them.
IPSec involves linkages between gateways, tunnels, and encrypt policies. Whenever
these items refer to each other, they must be in the same virtual domain.
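The special rules above are easy to get wrong on paper before any command is entered on the unit. The following pre-flight checker is an added example and is not code from the Fortinet guide: given the management IP of this unit, the peer's management IP (the remote IPsec gateway), the subnets named in the encrypt policy and the planned static routes, it reports which of the rules the plan violates. The TransparentVpnPlan data model, the check_plan function and the two sample plans are constructed for illustration. One check goes beyond the rules stated in the guide: it requires every next hop to lie on the management subnet, because a bridge with a single management IP can only ARP for neighbours on that subnet.

```python
"""Pre-flight checker for the Transparent-mode IPsec rules listed above.

Added example, not from the Fortinet guide.  The data model and the sample
plans below are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class TransparentVpnPlan:
    """What the administrator intends to configure on one Transparent-mode unit."""
    manage_ip: str                      # management IP with mask, e.g. "10.1.1.20/24"
    remote_gw: str                      # the peer unit's management IP (its IPsec gateway)
    local_subnets: List[str]            # source address range of the encrypt policy
    remote_subnets: List[str]           # destination address range of the encrypt policy
    static_routes: Dict[str, str] = field(default_factory=dict)  # destination -> next hop


def next_hop(routes, dst):
    """Longest-prefix match over the static routing table; None if no route covers dst."""
    candidates = [net for net in routes if dst in net]
    if not candidates:
        return None
    return routes[max(candidates, key=lambda n: n.prefixlen)]


def check_plan(plan: TransparentVpnPlan) -> List[str]:
    """Return the list of rule violations; an empty list means the plan passes."""
    problems = []
    mgmt_net = ipaddress.ip_interface(plan.manage_ip).network
    routes = {ipaddress.ip_network(d): ipaddress.ip_address(g)
              for d, g in plan.static_routes.items()}
    local = [ipaddress.ip_network(s) for s in plan.local_subnets]
    remote = [ipaddress.ip_network(s) for s in plan.remote_subnets]
    peer = ipaddress.ip_address(plan.remote_gw)

    # Rule: a default route must exist for packets the unit generates itself (IKE, ESP).
    if DEFAULT_ROUTE not in routes:
        problems.append("no default route: packets generated by the unit have nowhere to go")

    # Added check (not in the guide): a unit with one management IP can only ARP for
    # next hops on the management subnet, so any other next hop is unreachable.
    for dst, gw in routes.items():
        if gw not in mgmt_net:
            problems.append(f"next hop {gw} for {dst} is not on the management subnet {mgmt_net}")

    # Rule: the subnets linked by the tunnel must be disjoint.
    for l in local:
        for r in remote:
            if l.overlaps(r):
                problems.append(f"local subnet {l} overlaps remote subnet {r}")

    # Rule: encrypt-policy subnets behind an internal router need a specific static
    # route; the default route alone only reaches the Internet router.
    for l in local:
        if l.overlaps(mgmt_net):
            continue  # directly connected, no route needed
        if not any(dst != DEFAULT_ROUTE and l.subnet_of(dst) for dst in routes):
            problems.append(f"no static route for local subnet {l} behind an internal router")

    # Rule: the peer gateway must be reachable, and a router must separate the two
    # units unless the default router issues ICMP redirects (which we cannot verify here).
    if next_hop(routes, peer) is None:
        problems.append(f"no route to the remote gateway {peer}")
    elif peer in mgmt_net:
        problems.append(f"remote gateway {peer} is on the management subnet; "
                        "only valid if the default router sends ICMP redirects")
    return problems


# Constructed sample: a unit at site A, with one LAN behind an internal router.
SITE_A = TransparentVpnPlan(
    manage_ip="10.1.1.20/24",
    remote_gw="10.2.1.20",
    local_subnets=["10.1.1.0/24", "192.168.50.0/24"],
    remote_subnets=["10.2.1.0/24"],
    static_routes={"0.0.0.0/0": "10.1.1.1", "192.168.50.0/24": "10.1.1.2"},
)

# Constructed counter-example: overlapping subnets, a missing route and a peer on
# the same segment as this unit.
BAD_PLAN = TransparentVpnPlan(
    manage_ip="10.1.1.20/24",
    remote_gw="10.1.1.30",
    local_subnets=["10.1.1.0/24", "192.168.50.0/24"],
    remote_subnets=["10.1.0.0/16"],
    static_routes={"0.0.0.0/0": "10.1.1.1"},
)

if __name__ == "__main__":
    for name, plan in (("site A", SITE_A), ("bad plan", BAD_PLAN)):
        print(name, check_plan(plan) or ["ok"])
```

Run the checker for both units before entering the configuration, swapping the local and remote values for the second unit. The ICMP-redirect case is reported as a problem rather than a warning because nothing in the plan tells the checker whether the default router actually issues redirects; confirm that on the router before accepting a directly connected layout.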
01-28006-0009-20041105
