Administration Guide

IPsec Wizard

To set up an IPsec VPN:
  1. Go to VPN > IPsec Wizard.

  2. Configure the VPN setup and then select Next:

    Name

    Enter a unique descriptive name (15 characters or less) for the VPN tunnel.

    Template Type

    Select Site to Site or Custom:

    • Site to Site—Static tunnel over the Internet between this FortiProxy unit and a remote gateway (a FortiProxy unit or a Cisco device; see Remote Device type below).

    • Custom—No template. See Create a custom VPN tunnel.

    NAT Configuration

    If you selected Site to Site, select No NAT between sites, This site is behind NAT, or The remote site is behind NAT. Choose the option that matches where NAT actually sits on the path; if a NAT device is present and the wrong option is selected, the peers cannot reach each other on the expected gateway address and Phase 1 does not complete.

    Remote Device type

    If you selected Site to Site, select FortiProxy or Cisco.

  3. Configure the authentication and then select Next:

    Remote Device

    If you selected Site to Site for the template type, select IP Address or Dynamic DNS.

    Remote IP Address

    If you selected IP Address for the remote address, enter the IP address of the remote peer.

    FQDN

    If you selected Dynamic DNS for the remote address, enter the domain name of the remote peer.

    Outgoing Interface

    If you selected Site to Site for the template type, select the outgoing interface from the drop-down list.

    Incoming Interface

    This field applies only to the Remote Access (dial-up) template, which is not among the template types offered in step 2. If it is shown, select the interface on which dial-up clients connect from the drop-down list.

    Authentication Method

    Select Pre-shared Key or Signature:

    • Pre-shared Key—Both peers prove their identity with the same secret string. The key must contain at least six characters, and 16 or more randomly chosen characters are recommended (see Pre-shared Key below). Everyone who configures a peer or client for this VPN must obtain the key from the person who manages the VPN server, over a channel other than the VPN itself, and add it to their configuration.

    • Signature—Each peer authenticates with an X.509 certificate. This unit presents the certificate chosen under Certificate Name; the remote peer's certificate must be issued by the CA chosen under Peer Certificate CA.

    Pre-shared Key

    If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client; a mismatch causes Phase 1 to fail.

    The key must contain at least 6 printable characters and at most 128. For optimum protection against currently known attacks, use a minimum of 16 randomly chosen alphanumeric characters; a short or guessable key exposes the tunnel to offline dictionary attacks on the Phase 1 exchange.

    Certificate Name

    If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.

    Peer Certificate CA

    If you selected Signature for the authentication method, select a peer certificate authority.

  4. Configure the policy and routing settings:

    Local Interface

    Select the name of the interface through which remote peers or dial-up clients connect to the FortiProxy unit.

    Local Subnets

    If you selected Site to Site for the template type, enter a local subnet. Select + to enter another local subnet.

    Remote Subnets

    Enter a remote subnet. Select + to enter another remote subnet.

    Internet Access

    Select None, Share Local, or Use Remote.

    • None—Site-to-site devices communicate over the VPN, but Internet access does not require VPN.

    • Share Local—Allow the remote site to use this FortiProxy as an Internet gateway.

    • Use Remote—This FortiProxy unit sends its Internet-bound traffic through the tunnel, so the remote site acts as its Internet gateway.

    Shared WAN

    If you selected Share Local for Internet access, select the WAN interface.

    Local Gateway

    If you selected Use Remote for Internet access, enter the local gateway address.

  5. Select Create.

  6. Select Add Another to start at the beginning of the IPsec Wizard or select Show Tunnel List to see the available IPsec tunnels.
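The wizard enforces the limits stated above (tunnel name of 15 characters or less, pre-shared key of 6 to 128 printable characters with 16 or more random characters recommended) only as you type them. The script below is an added example, not FortiProxy code or part of this guide: a hypothetical pre-flight check you can run on the values before opening the wizard. It also adds one check the steps imply but do not state, that a Local Subnet must not overlap a Remote Subnet, because overlapping selectors make the Phase 2 selectors and the routes the wizard creates ambiguous. All thresholds are taken from the text above; the "does not look random" heuristic and the sample values in the demo are constructed for illustration.

```python
"""Pre-flight checks for IPsec Wizard inputs (hypothetical helper, not FortiProxy code)."""
import ipaddress
import secrets
import string

PSK_ALPHABET = string.ascii_letters + string.digits
NAME_MAX = 15          # tunnel name limit stated by the wizard
PSK_MIN = 6            # hard minimum stated by the wizard
PSK_RECOMMENDED = 16   # recommended minimum for protection against known attacks
PSK_MAX = 128          # maximum stated by the wizard


def generate_psk(length: int = 32) -> str:
    """Return a random alphanumeric pre-shared key drawn from a CSPRNG."""
    if not PSK_RECOMMENDED <= length <= PSK_MAX:
        raise ValueError(f"length must be {PSK_RECOMMENDED}..{PSK_MAX}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def check_name(name: str) -> list[str]:
    """Return problems with the tunnel name (empty list means acceptable)."""
    if not name or len(name) > NAME_MAX:
        return [f"name must be 1..{NAME_MAX} characters"]
    return []


def check_psk(psk: str) -> list[str]:
    """Return problems with a pre-shared key (empty list means acceptable)."""
    problems = []
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append(f"length {len(psk)} outside {PSK_MIN}..{PSK_MAX}")
    if not all(c.isprintable() for c in psk):
        problems.append("contains non-printable characters")
    if len(psk) < PSK_RECOMMENDED:
        problems.append(f"shorter than the recommended {PSK_RECOMMENDED} characters")
    # Cheap randomness sanity check (assumption, not a wizard rule): a key built
    # from very few distinct characters was not randomly chosen.
    if len(set(psk)) < max(4, len(psk) // 4):
        problems.append("too few distinct characters; does not look random")
    return problems


def check_subnets(local: list[str], remote: list[str]) -> list[str]:
    """Reject malformed prefixes and any Local/Remote Subnet overlap."""
    try:
        # strict=True rejects entries with host bits set, e.g. 10.1.0.1/24
        lnets = [ipaddress.ip_network(s, strict=True) for s in local]
        rnets = [ipaddress.ip_network(s, strict=True) for s in remote]
    except ValueError as exc:
        return [f"bad subnet: {exc}"]
    return [
        f"local {a} overlaps remote {b}"
        for a in lnets
        for b in rnets
        if a.version == b.version and a.overlaps(b)
    ]


def validate_tunnel(name: str, psk: str, local: list[str], remote: list[str]) -> dict[str, list[str]]:
    """Run every check; an all-empty result means the inputs satisfy the wizard's limits."""
    return {
        "name": check_name(name),
        "psk": check_psk(psk),
        "subnets": check_subnets(local, remote),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    result = validate_tunnel(
        name="HQ-to-Branch1",
        psk=generate_psk(32),
        local=["10.1.0.0/24", "10.1.1.0/24"],
        remote=["10.2.0.0/24"],
    )
    for field, problems in result.items():
        print(f"{field}: {'ok' if not problems else '; '.join(problems)}")
```

Run it before step 2 with the name, key and subnets you intend to enter; generate the key with `generate_psk()` on the side that manages the VPN server and hand it to the remote administrator out of band. The overlap check is deliberately strict: a remote subnet that is a sub-range of a local one is flagged even though some designs route around it, because the wizard's generated routes and policies assume disjoint address space.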
