Handbook

6.0.0

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

Example Internet-browsing configuration

You can adapt any of the following configurations to provide secure Internet browsing:

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

Creating an Internet browsing policy - policy-based VPN
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:

    Name

    Enter an appropriate name for the policy.

    Incoming Interface

    The interface to which the VPN tunnel is bound, normally the external interface that faces the Internet.

    Outgoing Interface

    The same interface to which the VPN tunnel is bound. Decrypted client traffic re-enters the Internet through the interface on which the tunnel terminates.

    Source

    The internal address range of the remote spoke site (or of the dialup clients) that will browse the Internet through this FortiGate unit.

    Destination Address

    all (any Internet destination).

    Action

    Select IPsec. Under VPN Tunnel, select the tunnel that provides access to the private network behind the FortiGate unit. Select Allow traffic to be initiated from the remote site.

    NAT

    Enable NAT, so that the remote clients' private source addresses are translated to the FortiGate unit's external address before the traffic reaches the Internet.

Creating an Internet browsing policy - route-based VPN
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:

    Name

    Enter an appropriate name for the policy.

    Incoming Interface

    The IPsec VPN interface (the virtual interface created for the route-based tunnel).

    Outgoing Interface

    The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.

    Source

    The internal address range of the remote spoke site (or of the dialup clients) that will browse the Internet through this FortiGate unit.

    Destination Address

    all (any Internet destination).

    Action

    ACCEPT

    NAT

    Enable NAT, so that the remote clients' private source addresses are translated to the FortiGate unit's external address before the traffic reaches the Internet.

In both the policy-based and the route-based case, the policy on the VPN server is only half of the configuration: the VPN peer or client must also be configured to route all of its Internet traffic through the VPN tunnel, as described in Routing all remote traffic through the VPN tunnel.
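The two Internet browsing policies above expressed in the FortiOS CLI, as an added example that is not part of the handbook page. The interface, tunnel, address and security-profile names (wan1, to_Site_2, Site_2_LAN, 192.168.2.0/24, the "default" and "certificate-inspection" profiles) are assumptions for illustration. The policy-based keywords (action ipsec, vpntunnel, inbound, natinbound) are given as the CLI equivalents of the GUI options described above; confirm them against your own unit with show firewall policy.

```fortios
# Added example, not from the handbook page. Assumed names:
#   wan1        = external interface that faces the Internet
#   to_Site_2   = phase1-interface name of the tunnel to Site_2
#   Site_2_LAN  = address object for the remote spoke's internal range
config firewall address
    edit "Site_2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Route-based VPN: traffic arrives on the virtual IPsec interface and leaves
# through the physical Internet interface. NAT hides the spoke's private
# addresses behind wan1; the security profiles are what makes the browsing
# inspected rather than merely tunnelled.
config firewall policy
    edit 0
        set name "Site_2-Internet-browsing"
        set srcintf "to_Site_2"
        set dstintf "wan1"
        set srcaddr "Site_2_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end

# Policy-based VPN: both interfaces are wan1, the action is ipsec, and
# "Allow traffic to be initiated from the remote site" is "set inbound enable".
# NAT for traffic coming in from the tunnel is "set natinbound enable".
config firewall policy
    edit 0
        set name "Site_2-Internet-browsing-pb"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "Site_2_LAN"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "to_Site_2"
        set inbound enable
        set natinbound enable
        set schedule "always"
        set service "ALL"
    next
end
```

A policy with set nat enable and no security profiles still carries the spoke's browsing to the Internet; it just does not inspect it. Apply the same profiles you use for local users, and check with show firewall policy that the new entry sits where no broader policy matches the spoke's traffic first.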

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Creating an Internet browsing security policy.

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

Routing all traffic through a policy-based VPN
  1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.
  2. Select the IPsec security policy and then select Edit.
  3. From the Destination Address list, select all.
  4. Select OK.

All packets from the dialup client are now routed through the VPN tunnel, not just those destined for the protected private network.

Routing all traffic through a route-based VPN
  1. At the FortiGate dialup client, go to Network > Static Routes.
  2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New.
  3. Enter the following information and select OK:

    Destination IP/Mask

    Set to Subnet and enter 0.0.0.0/0.0.0.0 in the field provided.

    Device

    Select the IPsec virtual interface.

    Administrative Distance

    Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network. The FortiGate dialup client must still be able to reach the VPN server's public address through its physical Internet interface: the tunnel cannot carry its own IKE and ESP packets, so a more specific route to the VPN server through that interface must remain in place.
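The remote FortiGate side in the CLI, as an added example that is not part of the handbook page. It covers both procedures above: the policy-based client, whose IPsec policy destination becomes all, and the route-based client, whose default route is moved onto the IPsec interface. The names and addresses are assumptions (to_HQ for the tunnel to the VPN server, wan1 for this unit's Internet interface, policy ID 1 and static route ID 1 for the existing entries, 203.0.113.1 for the VPN server's public address and 203.0.113.254 for the ISP next hop). The host route through wan1 is the practical caveat: once the default route points into the tunnel, the IKE (UDP 500/4500) and ESP packets to the peer need a more specific route through the physical interface, otherwise they are routed back into the tunnel and the tunnel cannot come up.

```fortios
# Added example, not from the handbook page. Assumed names:
#   to_HQ              = tunnel to the FortiGate VPN server (IPsec interface)
#   wan1               = this unit's Internet interface
#   203.0.113.1        = VPN server's public address
#   203.0.113.254      = ISP next hop on wan1
#   policy 1 / route 1 = the existing IPsec policy / existing default route

# Policy-based client: widen the IPsec policy's destination from the
# protected private network to all.
config firewall policy
    edit 1
        set dstaddr "all"
    next
end

# Route-based client. Add the host route first, then move the default route,
# so the tunnel never loses its path to the peer.
config router static
    edit 0
        set dst 203.0.113.1 255.255.255.255
        set gateway 203.0.113.254
        set device "wan1"
    next
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "to_HQ"
        unset gateway
    next
end

# Verify: the default route should point at to_HQ, the /32 at wan1, and the
# tunnel should be up with encrypted packets still leaving via wan1.
get router info routing-table all
diagnose vpn tunnel list
diagnose sniffer packet wan1 'host 203.0.113.1' 4 10
```

If the sniffer shows nothing to the peer after the change, the default route was moved before the host route existed; re-add the /32 through wan1 and the tunnel will re-establish.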

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

Routing all traffic through VPN - FortiClient application
  1. At the remote host, start FortiClient.
  2. Go to Remote Access.
  3. Select the definition that connects FortiClient to the FortiGate dialup server, select the Settings icon, and select Edit the selected connection.
  4. In the Edit VPN Connection dialog box, select Advanced Settings.
  5. In the Remote Network group, select Add.
  6. In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK. The address is added to the Remote Network list. The first destination in the list (the protected private network) is what establishes the VPN tunnel; the second, 0.0.0.0/0.0.0.0, forces all other traffic through the VPN tunnel.
  7. Select OK.
