IPsec VPN concepts
Virtual Private Network (VPN) technology enables remote users to connect to private computer networks to gain access to their resources in a secure way. For example, an employee traveling or working from home can use a VPN to securely access the office network through the Internet.
Instead of remotely logging on to a private network using an unencrypted and unsecure Internet connection, the use of a VPN ensures that unauthorized parties cannot access the office network and cannot intercept any of the information that is exchanged between the employee and the office. It is also common to use a VPN to connect the private networks of two or more offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance and in the
FortiClient Endpoint Security suite of applications. A FortiGate unit can be installed on a private network, and FortiClient software can be installed on the user’s computer. It is also possible to use a FortiGate unit to connect to the private network instead of using FortiClient software.
This chapter discusses VPN terms and concepts including:
VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Phase 1 and Phase 2 settings
IKE and IPsec packet processing
VPN tunnels
The data path between a user’s computer and a private network through a VPN is referred to as a tunnel. Like a physical tunnel, the data path is accessible only at both ends. In the telecommuting scenario, the tunnel runs between the FortiClient application on the user’s PC, or a FortiGate unit or other network device and the FortiGate unit on the office private network.
Encapsulation makes this possible. IPsec packets pass from one end of the tunnel to the other and contain data packets that are exchanged between the local user and the remote private network. Encryption of the data packets ensures that any third-party who intercepts the IPsec packets can not access the data.
VPN tunnels
Encoded data going through a VPN tunnel
You can create a VPN tunnel between:
- A PC equipped with the FortiClient application and a FortiGate unit l Two FortiGate units
- Third-party VPN software and a FortiGate unit
For more information on third-party VPN software, refer to the Fortinet Knowledge Base for more information.
Tunnel templates
Several tunnel templates are available in the IPsec VPN Wizard that cover a variety of different types of IPsec VPN. A list of these templates appear on the first page of the Wizard, located at VPN > IPsec Wizard. The tunnel template list follows.
IPsec VPN Wizard options
| VPN Type Remote Device Type | NAT Options | Description | ||
| Site to Site | FortiGate | l No NAT between sites
l This site is behind NAT l The remote site is behind NAT |
Static tunnel between this FortiGate and a remote FortiGate. | |
| Cisco | l No NAT between sites
l This site is behind NAT l The remote site is behind NAT |
Static tunnel between this FortiGate and a remote Cisco firewall. | ||
| VPN Type | Remote Device Type | NAT Options | Description | |
| Remote Access | Clientbased
Native |
FortiClient VPN for OS X, Windows, and Android | N/A | On-demand tunnel for users using the
FortiClient software. |
| Cisco AnyConnect | N/A | On-demand tunnel for users using the Cisco IPsec client. | ||
| iOS Native | N/A | On-demand tunnel for iPhone/iPad users using the native iOS IPsec client. | ||
| Android Native | N/A | On-demand tunnel for Android users using the native L2TP/IPsec client. | ||
| Windows Native | N/A | On-demand tunnel for Android users using the native L2TP/IPsec client. | ||
| Custom | N/A | N/A | No Template. | |
In FortiOS 5.6.4+, the first step of the VPN Creation Wizard (VPN > IPsec Wizard) delineates the Remote Device Type (for Remote Access templates) between Client-based and Native in order to distinguish FortiClient and Cisco device options from native OS device options.
VPN tunnel list
Once you create an IPsec VPN tunnel, it appears in the VPN tunnel list at VPN > IPsec Tunnels. By default, the tunnel list indicates the name of the tunnel, its interface binding, the tunnel template used, and the tunnel status. If you right-click on the table header row, you can include columns for comments, IKE version, mode (aggressive vs main), phase 2 proposals, and reference number. The tunnel list page also includes the option to create a new tunnel, as well as the options to edit or delete a highlighted tunnel.
FortiView VPN tunnel map
A geospatial map can be found under FortiView > VPN Map to help visualize IPsec (and SSL) VPN connections to a FortiGate using Google Maps. This feature adds a geographical-IP API service for resolving spatial locations from IP addresses.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Hi Mike,
Have a quick question and it would be great if you could point me in the right direction.
We have a Fortinet 60E appliance and are looking to set up 2 VPNs as follows.
VPN1
Allows access to servers A, B and C (all on 192.168.1.0/24)
VPN2
Allow access to server D (also on 192.168.1.0/24) only. Users on this tunnel should not have access to servers A, B or C.
We have a single WAN Internet connection coming in on the WAN1 port.
Is this possible to setup?
Any help would be greatly appreciated. If you already have a cheat sheet or video available, that would be great.
Thanks,
Nick
End Users are using dial up IPSEC or is this a site to site?
Dial up IPSec.