FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

IPSec VPN

A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client to gain remote access to his private office network. In both cases, the secure connection appears to the user as a private network communication, even though the communication is carried over a public network.

Secure VPN connections are enabled by a combination of tunneling, data encryption and authentication. Tunneling encapsulates data so that it can be transferred over the public network. Instead of being sent in its original format, the data frames are encapsulated within an additional header and then routed between tunnel endpoints.

Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its destination within the private network.

Encryption transforms a data stream from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). The information is encrypted and decrypted using mathematical algorithms known as keys.

Authentication provides a means to verify the origin of a packet and the integrity of its contents. Authentication is completed using checksums calculated with keyed hash function algorithms.

This chapter provides an overview of how to configure FortiGate IPSec VPN. For a complete description of FortiGate VPN, see the FortiGate VPN Guide.

Key management

Manual key IPSec VPNs

AutoIKE IPSec VPNs

Managing digital certificates

Configuring encrypt policies

IPSec VPN concentrators

Redundant IPSec VPNs

Monitoring and Troubleshooting VPNs


Key management

There are three basic elements in any encryption system:

• an algorithm which changes information into code,

• a cryptographic key which serves as a secret starting point for the algorithm,

• a management system to control the key.

IPSec provides two ways to handle key exchange and management: manual keying and IKE for automated key management.

Manual Keys

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When manual keys are employed, matching security parameters must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

To facilitate deployment of multiple tunnels, an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.

AutoIKE with pre-shared keys

When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not actually send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication purposes, and is automatically regenerated during the communication session by IKE.

Pre-shared keys are similar to the manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites.

Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves the participation of a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. Each peer then contacts the CA to retrieve its own certificate, plus that of the CA itself. Once the certificates have been uploaded to the FortiGate units and appropriate IPSec tunnels and policies have been configured, the peers are ready to start communicating. As they do, IKE manages the exchange of certificates, transmitting signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.


Manual key IPSec VPNs

When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.

With other methods the SPI is generated automatically, but with the manual key configuration it must be entered as part of the VPN setup.

The encryption and authentication keys must match on the local and remote peers; the SPI values must be mirror images of each other. After you enter these values, the VPN tunnel can start without any need for the authentication and encryption algorithms to be negotiated. So long as you have entered correct, complementary values, the tunnel will be established between the peers. In essence, the tunnel already exists between the peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately.

General configuration steps for a manual key VPN

Adding a manual key VPN tunnel

General configuration steps for a manual key VPN

A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

To create a manual key VPN configuration:

1 Add a manual key VPN tunnel. See “Adding a manual key VPN tunnel” on page 211.

2 Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 224.

Adding a manual key VPN tunnel

Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key.

To add a manual key VPN tunnel:

1 Go to VPN > IPSec > Manual Key.

2 Select New to add a new manual key VPN tunnel.

3 Enter a VPN Tunnel Name.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Enter the Local SPI.

The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.


5 Enter the Remote SPI.

The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.

6 Enter the Remote Gateway.

This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.

7 Select an Encryption Algorithm from the list.

Use the same algorithm at both ends of the tunnel.

8 Enter the Encryption Key.

Each two character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm you have selected, you may be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel.

DES: Enter a 16 character (8 byte) hexadecimal number (0-9, A-F).

3DES: Enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.

AES128: Enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.

AES192: Enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.

AES256: Enter a 64 character (32 byte) hexadecimal number (0-9, A-F). Separate the number into four segments of 16 characters.

9 Select an Authentication Algorithm from the list.

Use the same algorithm at both ends of the tunnel.

10 Enter the Authentication Key.

Each two character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel.

MD5: Enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.

SHA1: Enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments: the first of 16 characters, the second of 24 characters.

11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. See “Adding a VPN concentrator” on page 229.

12 Select OK to save the manual key VPN tunnel.
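As an added example (not Fortinet code), the following Python checker encodes the field rules from steps 3 to 10 and the mirror requirement between the two ends of a manual key tunnel. It assumes the upper SPI bound is 0xFFFFFFFF (the 32-bit maximum implied by "up to eight digits"), and its sample keys and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")      # tunnel name charset from step 3
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Lower SPI bound from steps 4 and 5 (0xbb8 = 3000). The upper bound is assumed
# to be the 32-bit maximum 0xFFFFFFFF, consistent with "up to eight digits".
SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFFF

# Required key length in hex characters, per the two algorithm tables above.
ENC_KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES128": 32, "AES192": 48, "AES256": 64}
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}


@dataclass
class ManualKeyTunnel:
    name: str
    local_spi: str
    remote_spi: str
    remote_gateway: str
    enc_alg: str
    enc_key: str    # hex; the GUI's 16-character segments may be space-separated
    auth_alg: str
    auth_key: str


def norm_hex(s: str) -> str:
    """Join GUI segments and normalise case so keys compare byte-for-byte."""
    return "".join(s.split()).upper()


def check_spi(spi: str) -> List[str]:
    if not HEX_RE.match(spi) or len(spi) > 8:
        return [f"SPI {spi!r} is not a hex number of up to eight digits"]
    if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
        return [f"SPI {spi!r} is outside the range {SPI_MIN:x}..{SPI_MAX:x}"]
    return []


def check_tunnel(t: ManualKeyTunnel) -> List[str]:
    """Return the problems found on one end; an empty list means it passes."""
    errs = []
    if not NAME_RE.match(t.name):
        errs.append("tunnel name may only contain 0-9, A-Z, a-z, - and _")
    errs += ["local " + e for e in check_spi(t.local_spi)]
    errs += ["remote " + e for e in check_spi(t.remote_spi)]
    for label, alg, key, table in (
        ("encryption", t.enc_alg, t.enc_key, ENC_KEY_HEX_LEN),
        ("authentication", t.auth_alg, t.auth_key, AUTH_KEY_HEX_LEN),
    ):
        if alg not in table:
            errs.append(f"unknown {label} algorithm {alg!r}")
            continue
        k = norm_hex(key)
        if not HEX_RE.match(k) or len(k) != table[alg]:
            errs.append(f"{label} key for {alg} must be {table[alg]} hex "
                        f"characters ({table[alg] // 2} bytes)")
    return errs


def check_peer_pair(a: ManualKeyTunnel, b: ManualKeyTunnel) -> List[str]:
    """Cross-check both ends: SPIs must mirror, algorithms and keys must match."""
    errs = check_tunnel(a) + check_tunnel(b)
    if (a.local_spi.upper() != b.remote_spi.upper()
            or a.remote_spi.upper() != b.local_spi.upper()):
        errs.append("SPIs do not mirror: A's Local SPI must equal B's Remote SPI "
                    "and A's Remote SPI must equal B's Local SPI")
    if a.enc_alg != b.enc_alg or norm_hex(a.enc_key) != norm_hex(b.enc_key):
        errs.append("encryption algorithm or key differs between the peers")
    if a.auth_alg != b.auth_alg or norm_hex(a.auth_key) != norm_hex(b.auth_key):
        errs.append("authentication algorithm or key differs between the peers")
    return errs


if __name__ == "__main__":
    # Constructed sample values, not keys from any real deployment.
    site_a = ManualKeyTunnel("site_a_to_b", "1000", "2000", "203.0.113.10",
                             "AES128", "0011223344556677 8899AABBCCDDEEFF",
                             "SHA1", "0123456789ABCDEF 0123456789ABCDEF01234567")
    site_b = ManualKeyTunnel("site_b_to_a", "2000", "1000", "198.51.100.5",
                             "AES128", "00112233445566778899AABBCCDDEEFF",
                             "SHA1", "0123456789ABCDEF0123456789ABCDEF01234567")
    for problem in check_peer_pair(site_a, site_b) or ["both ends consistent"]:
        print(problem)
```

The algorithm tables are those of this 2.50 manual; DES and MD5 are legacy choices and the checker only verifies that what is entered matches the documented field rules.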


AutoIKE IPSec VPNs

Fortinet supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.

General configuration steps for an AutoIKE VPN

Adding a phase 1 configuration for an AutoIKE VPN

Adding a phase 2 configuration for an AutoIKE VPN

General configuration steps for an AutoIKE VPN

An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

To create an AutoIKE VPN configuration:

Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiGate unit. For details, see “Managing digital certificates” on page 219.

1 Add the phase 1 parameters. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 213.

2 Add the phase 2 parameters. See “Adding a phase 2 configuration for an AutoIKE VPN” on page 217.

3 Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 224.

Adding a phase 1 configuration for an AutoIKE VPN

When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel.

The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit).

When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy.

To add a phase 1 configuration:

1 Go to VPN > IPSEC > Phase 1.

2 Select New to add a new phase 1 configuration.


3 Enter a Gateway Name for the remote VPN peer.

The remote VPN peer can be either a gateway to another network or an individual client on the Internet.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Select a Remote Gateway address type.

• If the remote VPN peer has a static IP address, select Static IP Address.

• If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User.

Depending upon the Remote Gateway address type you have selected, other fields become available.

Remote Gateway: Static IP Address

IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.

Remote Gateway: Dialup User

Peer Options: If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations. For details, see step 2 of “Configuring advanced options”.

5 Select Aggressive or Main (ID Protection) mode.

When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden.

The VPN peers must use the same mode.

6 Configure the P1 Proposal.

Select up to three encryption and authentication algorithm combinations to propose for phase 1.

The VPN peers must use the same P1 proposal settings.

7 Select the DH Group(s).

Select one or more Diffie-Hellman groups to propose for phase 1.

As a general rule, the VPN peers should use the same DH Group settings.

8 Enter the Keylife.

The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service.

P1 proposal keylife can be from 120 to 172,800 seconds.

9 For Authentication Method, select Preshared Key or RSA Signature.

• If you select Preshared Key, enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. To protect against the best-known attacks, a good pre-shared key should consist of a minimum of 16 randomly chosen alpha-numeric characters.

• If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 219.


10 Optionally, enter the Local ID of the FortiGate unit.

The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.)

Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode.

Configuring advanced options

1 Select Advanced Options.

2 Optionally, select a Peer Option.

Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.

Accept any peer ID: Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID).

Accept this peer ID: Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.

Accept peer ID in dialup group: Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option.

3 Optionally, configure XAuth.

XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it will authenticate remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it will provide a user name and password when it is challenged.

XAuth: Enable as a Client

Name: Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.

Password: Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.

XAuth: Enable as a Server

Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server.

PAP: Password Authentication Protocol.

CHAP: Challenge-Handshake Authentication Protocol.

MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.

Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.)

Usergroup: Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.


4 Optionally, configure NAT Traversal.

Enable: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.

Keepalive Frequency: If you enable NAT-traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.

5 Optionally, configure Dead Peer Detection.

Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.

Enable: Select Enable to enable DPD between the local and remote peers.

Short Idle: Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval.

Retry Count: Set the number of times that the local VPN peer will retry the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.

Retry Interval: Set the time, in seconds, that the local VPN peer waits between retrying DPD probes.

Long Idle: Set the period of time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.

6 Select OK to save the phase 1 parameters.
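The four DPD timers in step 5 interact in a way that is easiest to see by simulation. The following Python model is an added example, not Fortinet code; it assumes (the page does not say) that the idle clock is reset by traffic received from the peer, that a probe reply counts as received traffic, and that time advances in whole seconds.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DpdSettings:
    short_idle: int      # seconds of silence before the link counts as idle
    retry_count: int     # retries after the first unanswered probe
    retry_interval: int  # seconds between probes
    long_idle: int       # seconds of silence before a proactive probe


@dataclass
class DpdState:
    status: str = "alive"              # alive | probing | dead
    last_rx: int = 0                   # last second traffic arrived from the peer
    probe_sent: Optional[int] = None   # when the outstanding probe went out
    retries: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)


def _probe(st: DpdState, t: int, why: str) -> None:
    st.probe_sent, st.status = t, "probing"
    st.log.append((t, f"probe: {why}"))


def simulate(cfg: DpdSettings, events: Dict[int, List[str]], end: int) -> DpdState:
    """Run the clock from 0 to `end` seconds. `events` maps a second to the
    traffic seen then: 'send' = local peer sends data, 'recv' = anything arrives
    from the remote peer (data or a probe reply). Returns the final state."""
    st = DpdState()
    for t in range(end + 1):
        for ev in events.get(t, []):
            if ev == "recv":
                st.last_rx = t
                if st.probe_sent is not None:   # peer answered: clear the probe
                    st.probe_sent, st.retries, st.status = None, 0, "alive"
            elif (ev == "send" and st.probe_sent is None
                  and t - st.last_rx >= cfg.short_idle):
                _probe(st, t, "short idle, piggybacked on outgoing traffic")
        if st.probe_sent is not None and t - st.probe_sent >= cfg.retry_interval:
            if st.retries < cfg.retry_count:
                st.retries += 1
                _probe(st, t, f"retry {st.retries} of {cfg.retry_count}")
            else:
                st.status = "dead"
                st.log.append((t, "SA torn down"))
                return st
        elif st.probe_sent is None and t - st.last_rx >= cfg.long_idle:
            _probe(st, t, "long idle, proactive")
    return st


def worst_case_detection_time(cfg: DpdSettings) -> int:
    """Seconds from the last packet received until teardown when the peer never
    answers and no local traffic triggers an earlier probe."""
    return cfg.long_idle + (cfg.retry_count + 1) * cfg.retry_interval


if __name__ == "__main__":
    cfg = DpdSettings(short_idle=10, retry_count=3, retry_interval=5, long_idle=60)
    # Constructed scenario: the peer goes silent after t=0 and never answers.
    for when, what in simulate(cfg, {}, 200).log:
        print(f"t={when:3d}s  {what}")
    print("worst case:", worst_case_detection_time(cfg), "s")
```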

Figure 21: Adding a phase 1 configuration

Adding a phase 2 configuration for an AutoIKE VPN

Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).

Note: Adding a phase 2 configuration is the same for pre-shared key and certificate VPNs.

To add a phase 2 configuration:

1 Go to VPN > IPSEC > Phase 2.

2 Select New to add a new phase 2 configuration.

3 Enter a Tunnel Name.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.


4 Select a Remote Gateway to associate with the VPN tunnel.

A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Adding a phase 1 configuration for an AutoIKE VPN” on page 213.

Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy. For information about IPSec redundancy, see “Redundant IPSec VPNs” on page 231.

5 Configure the P2 Proposal.

Select up to three encryption and authentication algorithm combinations to propose for phase 2.

The VPN peers must use the same P2 proposal settings.

6 Optionally, enable Replay Detection.

Replay detection protects the VPN tunnel from replay attacks.

Note: Do not select replay detection if you have also selected Null Authentication for the P2 Proposal.

7 Optionally, enable Perfect Forward Secrecy (PFS).

PFS improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

8 Select the DH Group(s).

The VPN peers must use the same DH Group settings.

9 Enter the Keylife.

The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed.

When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.

10 Optionally, enable Autokey Keep Alive.

Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.

11 Optionally, select a concentrator.

Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure “Adding a VPN concentrator” on page 229 to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you have added the tunnel.

12 Select OK to save the AutoIKE key VPN tunnel.
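The keylife rule in step 9 (with both limits selected, the key expires only once both have been reached) has a direct effect on how often the phase 2 key is actually rotated. The following Python model is an added example, not Fortinet code; the configuration fields, the steady-throughput assumption in rekey_interval, and the replay/Null Authentication check from step 6 are the example's own encoding of the text above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Documented P2 keylife ranges (step 9 above).
SECONDS_RANGE = (120, 172800)
KBYTES_RANGE = (5120, 99999)


@dataclass
class Phase2Config:
    keylife_seconds: Optional[int] = None   # None: time limit not selected
    keylife_kbytes: Optional[int] = None    # None: volume limit not selected
    replay_detection: bool = False
    null_authentication: bool = False       # P2 proposal uses Null Authentication
    pfs: bool = False


def validate(cfg: Phase2Config) -> List[str]:
    """Range and combination checks from the procedure; empty list means OK."""
    errs = []
    if cfg.keylife_seconds is None and cfg.keylife_kbytes is None:
        errs.append("select a keylife in seconds, kbytes, or both")
    if cfg.keylife_seconds is not None and not (
            SECONDS_RANGE[0] <= cfg.keylife_seconds <= SECONDS_RANGE[1]):
        errs.append(f"keylife seconds must be {SECONDS_RANGE[0]}..{SECONDS_RANGE[1]}")
    if cfg.keylife_kbytes is not None and not (
            KBYTES_RANGE[0] <= cfg.keylife_kbytes <= KBYTES_RANGE[1]):
        errs.append(f"keylife kbytes must be {KBYTES_RANGE[0]}..{KBYTES_RANGE[1]}")
    if cfg.replay_detection and cfg.null_authentication:
        errs.append("do not select Replay Detection together with Null Authentication")
    return errs


def key_expired(cfg: Phase2Config, elapsed_s: int, kbytes_done: int) -> bool:
    """Both limits selected: expire only when both are reached. One limit: that one."""
    time_hit = cfg.keylife_seconds is not None and elapsed_s >= cfg.keylife_seconds
    vol_hit = cfg.keylife_kbytes is not None and kbytes_done >= cfg.keylife_kbytes
    if cfg.keylife_seconds is not None and cfg.keylife_kbytes is not None:
        return time_hit and vol_hit
    return time_hit or vol_hit


def rekey_interval(cfg: Phase2Config, rate_kbytes_per_s: float) -> float:
    """Seconds between rekeys at a steady throughput. With both limits selected
    the slower limit governs, so under the page's 'both' semantics a tunnel that
    carries no data (rate 0) never reaches its volume limit and so never rekeys;
    that is the consequence of the setting, not a defect in the model."""
    by_time = cfg.keylife_seconds
    by_vol = None
    if cfg.keylife_kbytes is not None:
        by_vol = (float("inf") if rate_kbytes_per_s <= 0
                  else cfg.keylife_kbytes / rate_kbytes_per_s)
    if by_time is not None and by_vol is not None:
        return max(float(by_time), by_vol)
    if by_time is not None:
        return float(by_time)
    if by_vol is not None:
        return by_vol
    raise ValueError("no keylife limit selected")


if __name__ == "__main__":
    both = Phase2Config(keylife_seconds=1800, keylife_kbytes=51200)  # constructed values
    for rate in (0.0, 10.0, 100.0):
        print(f"{rate:6.1f} kB/s -> rekey every {rekey_interval(both, rate)} s")
```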

Figure 22: Adding a phase 2 configuration

Managing digital certificates

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants.

Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.

Obtaining a signed local certificate

Obtaining a CA certificate

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Obtaining a signed local certificate

The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices.

Note: The VPN peers must use digital certificates that adhere to the X.509 standard.


Generating the certificate request

With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request.

To generate the certificate request:

1 Go to VPN > Local Certificates.

2 Select Generate.

3 Enter a Certificate Name.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Configure the Subject Information that identifies the object being certified.

Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an e-mail address.

Host IP: Enter the IP address of the FortiGate unit being certified.

Domain Name: Enter the fully qualified domain name of the FortiGate unit being certified. Do not include the protocol specification (http://) or any port number or path names.

E-Mail: Enter the email address of the owner of the FortiGate unit being certified. Typically, e-mail addresses are entered only for clients, not gateways.

5 Configure the Optional Information to further identify the object being certified.

Organization Unit: Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit (such as Manufacturing or MF).

Organization: Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet).

Locality: Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).

State/Province: Enter the name of the state or province where the FortiGate unit is located (such as California or CA).

Country: Select the country where the FortiGate unit is located.

e-mail: Enter a contact e-mail address for the FortiGate unit. Typically, e-mail addresses are entered only for clients, not gateways.

6 Configure the key.

Key Type: Select RSA as the key encryption type. No other key type is supported.

Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all products support all three key sizes.

7 Select OK to generate the private and public key pair and the certificate request.

The private/public key pair will be generated and the certificate request will be displayed on the Local Certificates list with a status of Pending.

Figure 23: Adding a Local Certificate

Downloading the certificate request

With this procedure, you download the certificate request from the FortiGate unit to the management computer.

To download the certificate request:

1 Go to VPN > Local Certificates.

2 Select Download to download the local certificate to the management computer.

3 Select Save.

4 Name the file and save it in a directory on the management computer.

Requesting the signed local certificate

With this procedure, you copy and paste the certificate request from the management computer to the CA web server.

To request the signed local certificate:

1 On the management computer, open the local certificate request in a text editor.

2 Copy the certificate request.

3 Connect to the CA web server.


4 Request the signed local certificate.

Follow the CA web server instructions to:

• add a base64 encoded PKCS#10 certificate request to the CA web server,

• paste the certificate request to the CA web server,

• submit the certificate request to the CA web server.

The certificate request is submitted to the CA for it to sign.

Figure 24: Opening a certificate request in a text editor

Retrieving the signed local certificate

With this procedure, you connect to the CA web server and download the signed local certificate to the management computer. (Do this after receiving notification from the CA that it has signed the certificate request.)

To retrieve the signed local certificate:

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the signed local certificate.

The File Download dialog will display.

3 Select Save.

4 Save the file in a directory on the management computer.

Importing the signed local certificate

With this procedure, you import the signed local certificate from the management computer to the FortiGate unit.

To import the signed local certificate:

1 Go to VPN > Local Certificates.

2 Select Import.

3 Enter the path or browse to locate the signed local certificate on the management computer.

4 Select OK.

The signed local certificate will be displayed on the Local Certificates list with a status of OK.

Obtaining a CA certificate

For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices.

The FortiGate unit obtains the CA certificate in order to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit.

Note: The CA certificate must adhere to the X.509 standard.

Retrieving a CA certificate

Connect to the CA web server and download the CA certificate to the management computer.

To retrieve the CA certificate:

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the CA certificate.

The File Download dialog will display.

3 Select Save.

4 Save the CA certificate in a directory on the management computer.

Importing a CA certificate

Import the CA certificate from the management computer to the FortiGate unit.

To import the CA certificate:

1 Go to VPN > CA Certificates.

2 Select Import.

3 Enter the path or browse to locate the CA certificate on the management computer.

4 Select OK.

The CA certificate will be displayed on the CA Certificates list.


Configuring encrypt policies

A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN.

A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows a single encrypt policy to do the job of two regular firewall policies.

Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies which addresses on the internal network are part of the VPN. The destination address identifies which addresses on the remote network are part of the VPN. Typical outgoing policies include Internal-to-External and DMZ-to-External.

Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the encrypt policy for:

• Inbound NAT to translate the source of incoming packets.

• Outbound NAT to translate the source address of outgoing packets.

• Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.

• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.

• Logging so that the FortiGate unit logs all connections that use the VPN.

The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway.

When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.

Adding a source address

Adding a destination address

Adding an encrypt policy


Adding a source address

The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.

1 Go to Firewall > Address.

2 Select an internal interface. (Methods will differ slightly between FortiGate models.)

3 Select New to add an address.

4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.

5 Select OK to save the source address.

Adding a destination address

The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

1 Go to Firewall > Address.

2 Select an external interface. (Methods will differ slightly between FortiGate models.)

3 Select New to add an address.

4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.

5 Select OK to save the destination address.

Adding an encrypt policy

1 Go to Firewall > Policy.

2 Use the policy grid to choose the policy list to which to add the policy. For example, port1 -> port2 or port3 -> port2.

3 Select New to add a new policy.

4 Set Source to the source address.

5 Set Destination to the destination address.

6 Set Service to control the services allowed over the VPN connection. You can select ANY to allow all supported services over the VPN connection or select a specific service or service group to limit the services allowed over the VPN connection.

7 Set Action to ENCRYPT.

8 Configure the ENCRYPT parameters.

VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.

Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.

Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.

Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).

Outbound NAT: The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically, this is an external interface of the FortiGate unit. Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway). If Outbound NAT is implemented, it is subject to these limitations:

— Configure Outbound NAT only at one end of the tunnel.

— The end which does not implement Outbound NAT requires an Int->Ext policy which specifies the other end's external interface as the Destination. (This will be a public IP address.)

— The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.

Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings.

9 Select OK to save the encrypt policy.

To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.

Figure 25: Adding an encrypt policy


IPSec VPN concentrators

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes. The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer goes down, all encrypted communication in the network is impossible.

A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network.

If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.

VPN concentrator (hub) general configuration steps

Adding a VPN concentrator

VPN spoke general configuration steps

VPN concentrator (hub) general configuration steps

A central FortiGate that is functioning as a hub requires the following configuration:

• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for each spoke.

• Destination addresses for each spoke.

• A concentrator configuration.

• An encrypt policy for each spoke.


To create a VPN concentrator configuration:

1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.

• A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See "Manual key IPSec VPNs" on page 211.

• An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See "AutoIKE IPSec VPNs" on page 213.

2 Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See "Adding a destination address" on page 225.

3 Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See "Adding a VPN concentrator" on page 229.

Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.

4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies:

Source: Internal_All

Destination: The VPN spoke address.

Action: ENCRYPT

VPN Tunnel: The VPN spoke tunnel name.

Allow inbound: Select allow inbound.

Allow outbound: Select allow outbound.

Inbound NAT: Select inbound NAT if required.

Outbound NAT: Select outbound NAT if required.

See "Adding an encrypt policy" on page 225.

5 Arrange the policies in the following order:

• encrypt policies

• default non-encrypt policy (Internal_All -> External_All)


Adding a VPN concentrator

To add a VPN concentrator configuration:

1 Go to VPN > IPSec > Concentrator.

2 Select New to add a VPN concentrator.

3 Enter the name of the new concentrator in the Concentrator Name field.

4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.

5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.

6 Select OK to add the VPN concentrator.

Figure 26: Adding a VPN concentrator


VPN spoke general configuration steps

A remote VPN peer that is functioning as a spoke requires the following configuration:

• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.

• The source address of the local VPN spoke.

• The destination address of each remote VPN spoke.

• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.

• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration:

1 Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.

• To add a manual key tunnel, see "Manual key IPSec VPNs" on page 211.

• To add an AutoIKE tunnel, see "AutoIKE IPSec VPNs" on page 213.

2 Add the source address. One source address is required for the local VPN spoke. See "Adding a source address" on page 225.

3 Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See "Adding a destination address" on page 225.

4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.

Destination: The remote VPN spoke address.

Action: ENCRYPT

VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)

Allow inbound: Do not enable.

Allow outbound: Select allow outbound.

Inbound NAT: Select inbound NAT if required.

Outbound NAT: Select outbound NAT if required.

See "Adding an encrypt policy" on page 225.

5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.

Destination: External_All

Action: ENCRYPT

VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)

Allow inbound: Select allow inbound.

Allow outbound: Do not enable.

Inbound NAT: Select inbound NAT if required.

Outbound NAT: Select outbound NAT if required.

See "Adding an encrypt policy" on page 225.

6 Arrange the policies in the following order:

• outbound encrypt policies

• inbound encrypt policy

• default non-encrypt policy (Internal_All -> External_All)

Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
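The first-match behaviour that the policy ordering above, and the ordering rule in "Configuring encrypt policies", both depend on, as an added Python model that is not part of this guide or of the FortiGate software: it walks a policy list top to bottom the way the steps describe (an ENCRYPT policy matches a direction only when its Allow inbound or Allow outbound flag is set, and the regular Internal_All -> External_All policy matches only outbound connections), and shows that placing the default policy above the encrypt policy sends VPN-bound traffic out unencrypted. The networks, policy names and tunnel names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Policy:
    name: str
    source: str           # Source address (CIDR) on the local, internal side
    destination: str      # Destination address (CIDR) on the remote, external side
    action: str           # "ENCRYPT" or "ACCEPT" (a regular, non-encrypt policy)
    allow_outbound: bool = True
    allow_inbound: bool = False
    tunnel: Optional[str] = None


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def first_match(policies: List[Policy], initiator: str, target: str,
                direction: str) -> Optional[Policy]:
    """Return the first policy in list order that matches the connection.

    "outbound": initiator is on the Source side, target on the Destination side.
    "inbound":  initiator is on the Destination side, target on the Source side.
    A regular ACCEPT outgoing policy only ever matches outbound connections;
    an ENCRYPT policy matches a direction only when that Allow flag is set.
    """
    for p in policies:
        if direction == "outbound":
            addresses_ok = _in(initiator, p.source) and _in(target, p.destination)
            flag_ok = p.action != "ENCRYPT" or p.allow_outbound
        elif direction == "inbound":
            addresses_ok = _in(target, p.source) and _in(initiator, p.destination)
            flag_ok = p.action == "ENCRYPT" and p.allow_inbound
        else:
            raise ValueError(f"unknown direction {direction!r}")
        if addresses_ok and flag_ok:
            return p
    return None  # no policy matched: the connection is dropped


def spoke_policies(local: str, remote_spokes: Dict[str, str], tunnel: str) -> List[Policy]:
    """Spoke policy list in the order the hub-and-spoke steps prescribe: one
    outbound ENCRYPT policy per remote spoke, one inbound ENCRYPT policy from
    External_All, then the default non-encrypt policy."""
    outbound = [Policy(f"to_{name}", local, cidr, "ENCRYPT", True, False, tunnel)
                for name, cidr in remote_spokes.items()]
    inbound = Policy("from_spokes", local, "0.0.0.0/0", "ENCRYPT", False, True, tunnel)
    default = Policy("Internal_All->External_All", local, "0.0.0.0/0", "ACCEPT")
    return outbound + [inbound, default]


# Constructed sample: local office 192.168.1.0/24, remote office 10.0.0.0/24.
ENCRYPT_TO_BRANCH = Policy("Internal->Branch", "192.168.1.0/24", "10.0.0.0/24",
                           "ENCRYPT", True, True, "branch_tunnel")
DEFAULT_OUT = Policy("Internal_All->External_All", "192.168.1.0/24", "0.0.0.0/0", "ACCEPT")

if __name__ == "__main__":
    for order in ([ENCRYPT_TO_BRANCH, DEFAULT_OUT], [DEFAULT_OUT, ENCRYPT_TO_BRANCH]):
        hit = first_match(order, "192.168.1.10", "10.0.0.5", "outbound")
        print([p.name for p in order], "->", hit.action)  # ENCRYPT, then ACCEPT
```

With the default policy first, traffic for the remote office matches it and leaves in the clear, while inbound tunnel traffic still matches the encrypt policy because the default policy never matches inbound connections.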

Redundant IPSec VPNs

To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one connection fails the FortiGate unit will establish a tunnel using the other connection.

Configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide two redundant connections to the remote VPN peer.

A single VPN peer can be configured with up to three redundant connections.

The VPN peers are not required to have a matching number of Internet connections.

For example, between two VPN peers, one can have multiple Internet connections while the other has only one Internet connection. Of course, with an asymmetrical configuration, the level of redundancy will vary from one end of the VPN to the other.

Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with pre-shared keys or digital certificates. It is not available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it available to VPN peers that use manual keys.

Configuring redundant IPSec VPN

Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface.

Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone.

Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.

Configuration is made simpler if all external interfaces are grouped within a single zone, rather than multiple zones. However, this may not always be possible due to security considerations or other reasons.

After you have defined the Internet connections for both FortiGate units, you can proceed to configure the VPN tunnel.

To configure IPSec redundancy:

1 Add the phase 1 parameters for up to three VPN connections. Enter identical values for each VPN connection, with the exception of the Gateway Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a static IP address. See "Adding a phase 1 configuration for an AutoIKE VPN" on page 213.

2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.

• If the Internet connections are in the same zone, add one VPN tunnel and add the remote gateways to it. You can add up to three remote gateways.

• If the Internet connections are in separate zones or assigned to unique interfaces, add a VPN tunnel for each remote gateway entered.

See "Adding a phase 2 configuration for an AutoIKE VPN" on page 217.

3 Add the source and destination addresses. See "Adding a source address" on page 225 and "Adding a destination address" on page 225.

4 Add encrypt policies for up to three VPN connections.

• If the VPN connections are in the same zone, add one outgoing encrypt policy; for example, an Internal -> External policy. Add the AutoIKE key tunnel to this policy.

• If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection; for example, an Internal -> External and an Internal -> DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy.

See "Adding an encrypt policy" on page 225.


Monitoring and Troubleshooting VPNs

This section provides a number of general maintenance and monitoring procedures for VPNs.

This section describes:

Viewing VPN tunnel status

Viewing dialup VPN connection status

Testing a VPN

Viewing VPN tunnel status

You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status of each tunnel as well as the tunnel time out.

To view VPN tunnel status:

1 Go to VPN > IPSEC > AutoIKE Key.

The Status column displays the status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active.

The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.

Figure 27: AutoIKE key tunnel status

Viewing dialup VPN connection status

You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.

To view dialup connection status:

1 Go to VPN > IPSec > Dialup.

The Lifetime column displays how long the connection has been up.

The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.

The Proxy ID Source column displays the actual IP address or subnet address of the remote peer.

The Proxy ID Destination column displays the actual IP address or subnet address of the local peer.

Figure 28: Dialup Monitor

Testing a VPN

To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit.

To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
