Using a zone with a policy as a concentrator
If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply UTM features with just one security policy.
To create a zone for the VPN
1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic. This forces spoke-to-spoke traffic through the zone security policy you create next, which is where the UTM profiles are applied; if intra-zone traffic were allowed, the spokes could reach each other with no policy and no inspection.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.
To create a security policy for the zone
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings and select OK:
Incoming Interface: Select the zone you created for your VPN.
Source Address: Select All.
Outgoing Interface: Select the zone you created for your VPN.
Destination Address: Select All.
Action: Select ACCEPT.
Enable NAT: Enable.
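The two procedures above expressed in the FortiOS CLI, as an added example that is not taken from the handbook. The IPsec interface names spoke1, spoke2 and spoke3 and the UTM profile names are assumptions; substitute the tunnel interfaces that terminate on your hub and the profiles configured on your unit.

```fortios
# Added example, not from the handbook. Interface names "spoke1"/"spoke2"/"spoke3"
# and the profile names are assumptions.
config system zone
    edit "Our_VPN_zone"
        # "Block intra-zone traffic" in the GUI. Without it, spokes in the zone
        # reach each other with no policy and therefore no UTM inspection.
        set intrazone deny
        set interface "spoke1" "spoke2" "spoke3"
    next
end

# The single zone-to-zone policy that carries all spoke-to-spoke traffic.
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # UTM profiles are applied here once, for every spoke pair (assumed profile names).
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

Source and destination "all" matches the procedure; if the spokes should only reach each other's private networks, replace them with the address objects for those networks so a spoke cannot use the hub as a transit to arbitrary destinations. After a spoke-to-spoke session is established, `diagnose sys session list` shows the policy ID it matched, which confirms the traffic is taking the zone policy rather than being dropped by the intra-zone block.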
Using security policies as a concentrator
To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. Others are similar.
1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see Defining VPN security policies on page 1648.
2. Go to Policy & Objects > IPv4 Policy and select Create New.
3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
4. Enter these settings and select OK:
Incoming Interface: Select the IPsec interface that connects to Spoke 1.
Source Address: Select the address of the private network behind Spoke 1.
Outgoing Interface: Select the IPsec interface that connects to Spoke 2.
Destination Address: Select the address of the private network behind Spoke 2.
Action: Select ACCEPT.
Enable NAT: Enable.
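The same per-pair approach in the FortiOS CLI, covering both directions between Spoke 1 and Spoke 2, as an added example that is not from the handbook. The private network ranges 10.1.0.0/24 and 10.2.0.0/24 are constructed and the interface names spoke1 and spoke2 are assumptions.

```fortios
# Added example, not from the handbook. Address ranges are constructed and
# the IPsec interface names are assumptions.
config firewall address
    edit "Spoke1_LAN"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Spoke2_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# One policy per direction, so either spoke can initiate the session.
config firewall policy
    edit 0
        set name "spoke1-to-spoke2"
        set srcintf "spoke1"
        set dstintf "spoke2"
        set srcaddr "Spoke1_LAN"
        set dstaddr "Spoke2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "spoke2-to-spoke1"
        set srcintf "spoke2"
        set dstintf "spoke1"
        set srcaddr "Spoke2_LAN"
        set dstaddr "Spoke1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With n spokes that must all reach each other, this approach needs n(n-1) policies and each must be kept in sync when an address object changes; it is the better choice only when a few specific spoke pairs need to talk. For full any-to-any connectivity the zone procedure above is easier to keep correct.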
Configure the spokes
Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.
Perform these steps at each FortiGate unit that will act as a spoke.
To create the Phase 1 and Phase 2 configurations
1. At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub.
See Phase 1 parameters on page 1624. Enter these settings:
Remote Gateway: Select Static IP Address.
IP Address: Type the public IP address of the hub interface that this spoke connects to.
2. Create the Phase 2 tunnel definition. See Phase 2 parameters on page 1642. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.
Configuring security policies for hub-to-spoke communication
1. Create an address for this spoke. See Defining VPN security policies on page 1648. Enter the IP address and netmask of the private network behind the spoke.
2. Create an address to represent the hub. See Defining VPN security policies on page 1648. Enter the IP address and netmask of the private network behind the hub.
3. Define the security policy to enable communication with the hub.
Route-based VPN security policy
Define two security policies to permit communications to and from the hub.
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings for the first policy (hub to spoke):
Incoming Interface: Select the virtual IPsec interface you created.
Source Address: Select the hub address you defined in Step 2.
Outgoing Interface: Select the spoke's interface to the internal (private) network.
Destination Address: Select the spoke address you defined in Step 1.
Action: Select ACCEPT.
Enable NAT: Enable.
4. Create a second policy (spoke to hub) with these settings:
Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select the spoke address you defined in Step 1.
Outgoing Interface: Select the virtual IPsec interface you created.
Destination Address: Select the hub address you defined in Step 2.
Action: Select ACCEPT.
Enable NAT: Enable.
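The complete spoke-side configuration from the procedures above in the FortiOS CLI, as an added example that is not from the handbook. The tunnel name to_hub, the WAN and internal interface names, the address ranges and the hub address 203.0.113.1 (a documentation address) are all assumptions. The static route toward the hub's private network is not listed in the procedure above but a route-based VPN needs one so that traffic is sent into the tunnel interface; it is marked as an addition in the comments.

```fortios
# Added example, not from the handbook. Names, addresses and interfaces are assumptions.
# Phase 1: static remote gateway pointing at the hub's public address.
config vpn ipsec phase1-interface
    edit "to_hub"
        set interface "wan1"
        set ike-version 2
        set type static
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2: bound to the Phase 1 definition for the hub.
config vpn ipsec phase2-interface
    edit "to_hub_p2"
        set phase1name "to_hub"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end

# Address objects: the private network behind this spoke and behind the hub.
config firewall address
    edit "Spoke_LAN"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Hub_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Added step: route the hub's private network into the tunnel interface.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "to_hub"
    next
end

# The two route-based policies, one per direction.
config firewall policy
    edit 0
        set name "hub-to-spoke"
        set srcintf "to_hub"
        set dstintf "internal"
        set srcaddr "Hub_LAN"
        set dstaddr "Spoke_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "spoke-to-hub"
        set srcintf "internal"
        set dstintf "to_hub"
        set srcaddr "Spoke_LAN"
        set dstaddr "Hub_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Use a pre-shared key that is long and random rather than the placeholder shown, and keep the proposal lists on hub and spoke identical, otherwise Phase 1 fails with a proposal mismatch. `diagnose vpn tunnel list` shows whether the Phase 2 selectors came up, and `get router info routing-table all` confirms that 10.0.0.0/24 points at the to_hub interface.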