FortiGate-100A Administration Guide 01-28006-0068-20041105 (VPN chapter, page 283)
IPSec VPN in Transparent mode
In Transparent mode, a FortiGate unit becomes transparent at the data link layer (OSI layer 2)—it looks like a network bridge. A FortiGate unit operating in Transparent mode requires the following basic configuration to operate as a node on the IP network:
• The unit must be configured with an IP address to permit management access. For related information, see the “Management” section in the “System Network” chapter of the FortiGate Administration Guide.
• The unit must have sufficient routing information to reach the management station.
• For any traffic to reach external destinations, a static (default) route to the router must be present in the FortiGate routing table. The router forwards packets to the Internet.
• When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default route. If the network topology is more complex, one or more static routes in addition to the default route may be required in the FortiGate routing table.
To configure IPSec VPN in Transparent mode
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
2 Set other phase 1 options as required. See “Phase 1” on page 246.
3 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 250.
4 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN tunnels” on page 280.
Special rules
The management IP address of the FortiGate unit is used as the IPSec gateway. This should be used as the static gateway IP when configuring the peer.
The FortiGate unit must have a default route for packets that are generated locally by the FortiGate unit to have somewhere to go.
The subnets being linked by an IPSec tunnel must be disjoint, and there must be at least one router separating the two Transparent mode FortiGate units (they can be directly connected if the default router does ICMP redirect).
The FortiGate unit management IP address may or may not be within the same subnet as the address range that is used in the encrypt policy.
If there are additional routers behind the firewall, the FortiGate unit must have routes for any subnets that are not directly connected (if they will be used in an encrypt policy).
IPSec involves linkages between gateways, tunnels, and encrypt policies. Whenever these items refer to each other, they must be in the same virtual domain.
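As an added example (not code from the Fortinet guide), the following Python pre-flight check applies the special rules above to a proposed Transparent mode configuration before the tunnel is built. The sample addresses are constructed, and it assumes that a peer gateway lying inside the management subnet means no router separates the two units and that a local subnet behind an internal router needs a non-default route.

```python
from ipaddress import ip_address, ip_interface, ip_network

DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def check_transparent_ipsec(mgmt_ip, remote_gw, routes, local_subnet, remote_subnet):
    """Check the Transparent mode special rules; returns a list of problems.

    mgmt_ip       -- management address with prefix ("10.1.1.2/24"); it is
                     also the IPSec gateway the peer must be configured with
    remote_gw     -- IPSec gateway (management IP) of the remote FortiGate
    routes        -- list of (destination, gateway) strings in the routing table
    local_subnet  -- subnet on this side selected by the encrypt policy
    remote_subnet -- subnet on the peer side selected by the encrypt policy
    """
    problems = []
    mgmt = ip_interface(mgmt_ip)
    local, remote = ip_network(local_subnet), ip_network(remote_subnet)
    dests = [ip_network(d) for d, _ in routes]

    # Locally generated packets (IKE, ESP) need a default route to leave the unit.
    if DEFAULT_ROUTE not in dests:
        problems.append("no default route for locally generated packets")

    # The two subnets linked by the tunnel must be disjoint.
    if local.overlaps(remote):
        problems.append(f"subnets {local} and {remote} are not disjoint")

    # At least one router must separate the two Transparent mode units
    # (assumption: a peer gateway inside the management subnet means none).
    if ip_address(remote_gw) in mgmt.network:
        problems.append(f"remote gateway {remote_gw} is on the management subnet; "
                        "a router (or ICMP redirect) is required between the units")

    # A local subnet behind an internal router needs its own route; the default
    # route points at the external router, so it does not count here.
    if not local.subnet_of(mgmt.network) and not any(
            local.subnet_of(d) for d in dests if d != DEFAULT_ROUTE):
        problems.append(f"no route for local subnet {local}")

    # The remote subnet may be reached by the default route or a specific one.
    if not any(remote.subnet_of(d) for d in dests):
        problems.append(f"no route for remote subnet {remote}")
    return problems


# Constructed sample: management IP 10.1.1.2/24, default router 10.1.1.1,
# local subnet 10.2.0.0/24 behind an internal router at 10.1.1.254.
SAMPLE_ROUTES = [("0.0.0.0/0", "10.1.1.1"), ("10.2.0.0/24", "10.1.1.254")]

if __name__ == "__main__":
    for p in check_transparent_ipsec("10.1.1.2/24", "192.0.2.10", SAMPLE_ROUTES,
                                     "10.2.0.0/24", "172.16.5.0/24"):
        print("PROBLEM:", p)
```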