Creating route-based VPN security policies
Define an ACCEPT security policy for each direction to permit communications between the source and destination addresses. Because the VPN is route-based, the tunnel appears as an interface (peer_1 in this example) and is selected as the policy's Incoming or Outgoing Interface.
To create route-based VPN security policies
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following, and select OK.
Incoming Interface: Select internal, the interface that connects to the private network behind this FortiGate unit.
Source Address: Select Finance_network when configuring FortiGate_1, or HR_network when configuring FortiGate_2. This is the address name for the private network behind this FortiGate unit.
Outgoing Interface: Select peer_1, the VPN tunnel (IPsec interface) you configured earlier.
Destination Address: Select HR_network when configuring FortiGate_1, or Finance_network when configuring FortiGate_2. This is the address name you defined for the private network behind the remote peer.
Action: Select ACCEPT.
Enable NAT: Disable. Traffic must enter the tunnel with its real source addresses so that it matches the remote peer's policy (whose Source Address is your private network) and so that replies route back to the originating host.
Comments: Allow Internal to remote VPN network traffic.
4. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
5. Select Create New to create another policy for the other direction.
6. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
7. Enter the following information, and select OK.
Incoming Interface: Select peer_1, the VPN tunnel (IPsec interface) you configured.
Source Address: Select HR_network when configuring FortiGate_1, or Finance_network when configuring FortiGate_2. This is the address name defined for the private network behind the remote peer.
Outgoing Interface: Select internal, the interface that connects to the private network behind this FortiGate unit.
Destination Address: Select Finance_network when configuring FortiGate_1, or HR_network when configuring FortiGate_2. This is the address name defined for the private network behind this FortiGate unit.
Action: Select ACCEPT.
Enable NAT: Disable. Address names are case-sensitive; use exactly the objects defined earlier (Finance_network, HR_network).
Comments: Allow remote VPN network traffic to Internal.
8. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
Configuring a default route for VPN interface
Every packet must match a route that sends it out the correct interface. The FortiGate unit performs the routing lookup before it consults the security policies, so without a static route for the remote network through the tunnel interface, traffic will not flow even if the security policies are configured properly. If your security policies allow the tunnel to be initiated from either side, each FortiGate unit needs its own static route: on FortiGate_1 a route to HR_network via peer_1, and on FortiGate_2 a route to Finance_network via peer_1.
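The policy pair from the procedure above and the route this section requires can be checked mechanically against the unit's CLI output. The following is an added example, not FortiOS code and not part of the original page: it parses a constructed FortiOS CLI excerpt (the CLI form of the two policies as entered on FortiGate_1, plus a static route) and verifies that the two policies mirror each other, that NAT is off on both, and that a static route out of peer_1 covers the remote subnet named by the outbound policy. The subnets 10.11.101.0/24 and 10.21.101.0/24, the policy IDs and the policy names are assumptions; the page gives none.

```python
import ipaddress
import shlex

# Constructed sample (CLI form of the policies above on FortiGate_1). Subnets,
# policy IDs and names are assumed; schedule and service are omitted for brevity.
SAMPLE_CONFIG = """
config firewall address
    edit "Finance_network"
        set subnet 10.11.101.0 255.255.255.0
    next
    edit "HR_network"
        set subnet 10.21.101.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "Internal_to_HR"
        set srcintf "internal"
        set dstintf "peer_1"
        set srcaddr "Finance_network"
        set dstaddr "HR_network"
        set action accept
        set nat disable
    next
    edit 2
        set name "HR_to_Internal"
        set srcintf "peer_1"
        set dstintf "internal"
        set srcaddr "HR_network"
        set dstaddr "Finance_network"
        set action accept
        set nat disable
    next
end
config router static
    edit 1
        set dst 10.21.101.0 255.255.255.0
        set device "peer_1"
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI excerpt into {table: {entry: {key: value}}}."""
    tables, stack = {}, []                # stack entries: [table, current edit]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
            tables.setdefault(stack[-1][0], {})[tok[1]] = {}
        elif tok[0] == "set":
            tables[stack[-1][0]][stack[-1][1]][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables


def lint_vpn(tables, tunnel, lan):
    """Return findings; empty means an ACCEPT policy lan->tunnel, a mirror policy
    tunnel->lan with src/dst swapped, NAT off on both, and a static route out of
    the tunnel covering every remote address the outbound policy names."""
    policies = tables.get("firewall policy", {}).values()
    addrs = tables.get("firewall address", {})
    routes = tables.get("router static", {}).values()
    found = []

    def accept(src, dst):
        return [p for p in policies if p.get("action") == "accept"
                and p.get("srcintf") == src and p.get("dstintf") == dst]

    outbound, inbound = accept(lan, tunnel), accept(tunnel, lan)
    if not outbound:
        found.append(f"no ACCEPT policy {lan} -> {tunnel}")
    if not inbound:
        found.append(f"no ACCEPT policy {tunnel} -> {lan}")
    for p in outbound + inbound:
        # 'set nat' absent from 'show' output means the FortiOS default, disable
        if p.get("nat", "disable") != "disable":
            found.append(f"policy {p.get('name', '?')} has NAT enabled")
    for p in outbound:
        if not any(q.get("srcaddr") == p.get("dstaddr")
                   and q.get("dstaddr") == p.get("srcaddr") for q in inbound):
            found.append(f"no mirror policy for {p.get('name', '?')}")
        for remote in p.get("dstaddr", "").split():
            subnet = addrs.get(remote, {}).get("subnet")
            if not subnet:
                found.append(f"address {remote} is not a subnet object")
                continue
            net = ipaddress.ip_network(subnet.replace(" ", "/"), strict=False)
            # need a route whose destination covers the remote subnet, out the tunnel
            if not any(r.get("device") == tunnel and "dst" in r and net.subnet_of(
                       ipaddress.ip_network(r["dst"].replace(" ", "/"), strict=False))
                       for r in routes):
                found.append(f"no static route to {remote} ({net}) via {tunnel}")
    return found
```

Run `lint_vpn(parse_fortios(text), "peer_1", "internal")` on the output of `show firewall address`, `show firewall policy` and `show router static` pasted into one file. `show` omits settings left at their default, which is why a missing `set nat` is read as disable. The two findings the check is really for are a policy whose NAT was left enabled and a remote subnet with no route out of the tunnel interface: both leave a successfully negotiated tunnel carrying no traffic.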